
Norton detects malware in sandbox hours after I cleared it

Posted: Tue Nov 14, 2017 1:22 am
by Rick4747
A couple of hours *after* I terminated all programs, and deleted all files, from Sandboxie (icon solid yellow), a Norton Internet Security popup said it had identified low-risk security threat PUA.JScoinminer (a JavaScript cryptocurrency miner, per Norton). The suspect file Norton cited was an htm Internet Explorer 11 cache file, but within the sandbox (i.e., file location began with c:\Sandbox). I double-checked to ensure that Sandboxie still reported that the sandbox was empty. Norton says it "removed" the threat (presumably meaning it deleted the file?).

How could this happen when I had deleted all files from the Sandbox at least two hours earlier?

Windows 7, Sandboxie 5.18 64-bit. Thanks.

Re: Norton detects malware in sandbox hours after I cleared it

Posted: Tue Nov 14, 2017 2:04 am
by bo.elam
Perhaps the sandbox was not deleted and you thought it was. (icon solid yellow) means no programs are running in the sandbox. A red X means the sandbox is deleted. Did you see a red X when you closed the browser?

Also, I think it is possible that when your AV flags something, as you close the sandboxed program, programs get terminated but without the sandbox getting deleted.

Bo

Re: Norton detects malware in sandbox hours after I cleared it

Posted: Tue Nov 14, 2017 8:19 am
by bjm
FWIW ~ look for the PUA event through Norton History, e.g., in Norton Quarantine or Norton Resolved Security Risks. Norton may have quarantined (pulled) the sample from the sandbox and was analyzing the sample. You may have deleted the sandbox, but the sample was under Norton control. BTW, perhaps update your Sandboxie 5.18 to 5.22.

Re: Norton detects malware in sandbox hours after I cleared it

Posted: Tue Nov 14, 2017 2:25 pm
by Rick4747
bo.elam wrote:
Tue Nov 14, 2017 2:04 am
Perhaps the sandbox was not deleted and you thought it was. (icon solid yellow) means no programs are running in the sandbox. A red X means the sandbox is deleted. Did you see a red X when you closed the browser?
Yes, I did see the red X. When I choose Terminate All programs, a Sandboxie dialog counts and lists the number of files that are in the sandbox, and gives me the option to delete them. I did, and then -- as usual after doing this -- got the red X followed by the solid yellow icon.

I should point out -- as perhaps this has some relevance -- that I was not directly in IE. I was using a downloading program that I have used for years, which has browsers integrated into it, including IE. Yet, even though I have seen Norton flagging and blocking/removing malware before while using this program, it was never after terminating all programs, and deleting all files, in Sandboxie.
bo.elam wrote:
Tue Nov 14, 2017 2:04 am
Also, I think it is possible that when your AV flags something, as you close the sandboxed program, programs get terminated but without the sandbox getting deleted.
Again, unless I am misunderstanding your point, the sandbox was deleted.

Re: Norton detects malware in sandbox hours after I cleared it

Posted: Tue Nov 14, 2017 2:28 pm
by Rick4747
bjm wrote:
Tue Nov 14, 2017 8:19 am
FWIW ~ look for the PUA event through Norton History, e.g., in Norton Quarantine or Norton Resolved Security Risks. Norton may have quarantined (pulled) the sample from the sandbox and was analyzing the sample. You may have deleted the sandbox, but the sample was under Norton control. BTW, perhaps update your Sandboxie 5.18 to 5.22.
I checked quarantine, nothing there, though there was the expected record of Resolved Risk in Norton history.

Yes, maybe the issue is that it took Norton a few hours to "research" the file (possibly heuristic review) -- interesting point. In fact, maybe it had already been removed (by my clearing the Sandbox), but Norton continued to research? And then said the problem had been resolved, NOT because it removed the file, but because it found the file was already gone? This kind of scenario may be supported by the fact that Norton's "File Insight" page for this detection indicated that there have been no previously reported detections of the file in their database. (I attempted to attach a screenshot, but it failed with the message "board attachment quota reached.").

And yes, I suppose I should update Sandboxie. I hesitated because things were working well, and none of the new features looked relevant to my particular usage, especially in 5.20. But it looks like there have been a lot of fixes in 5.22.

NOTE: Edited multiple times to add new info.

Re: Norton detects malware in sandbox hours after I cleared it

Posted: Tue Nov 14, 2017 8:18 pm
by bo.elam
Rick4747 wrote:
Tue Nov 14, 2017 2:25 pm
Again, unless I am misunderstanding your point, the sandbox was deleted.
According to what you described, the sandbox did get deleted.

Bo

Re: Norton detects malware in sandbox hours after I deleted it

Posted: Tue Nov 14, 2017 10:46 pm
by Rick4747
bo.elam wrote:
Tue Nov 14, 2017 8:18 pm
Rick4747 wrote:
Tue Nov 14, 2017 2:25 pm
Again, unless I am misunderstanding your point, the sandbox was deleted.
According to what you described, the sandbox did get deleted.

Bo
Starting with this post, I've changed the subject from "Norton detects malware in sandbox hours after I cleared it" to the more-appropriate "Norton detects malware in sandbox hours after I *deleted* it."