http://www.us-cert.gov/current/current_activity.html
If Sandboxing is an effective precaution the word should be spread.
Does SandboxIE protect against the .wmf vulnerability?
Re: Does SandboxIE protect against the .wmf vulnerability?
As far as I know, Sandboxie does protect you. Note that the trojan WILL be executed if you encounter the exploit, but the trojan process and all its "friends" will be sandboxed so you can easily avoid the thing being written permanently to disk: in case you encounter an exploit while browsing, you can terminate all sandboxed processes and delete the contents of the sandbox, and you'll be back to normal. I personally used Sandboxie to hunt for trojans using this exploit in the wild and Sandboxie did protect in all the instances I encountered (I sent a few undetected samples to Kaspersky and Ewido). So I did test it in the field.

> monckywrench wrote:
> http://www.us-cert.gov/current/current_activity.html
> If Sandboxing is an effective precaution the word should be spread.

:D
However, and this must be noted, the trojan WILL be able to read from files and communicate with the remote servers. What it won't be able to do is install kernel drivers/services or delete, overwrite or write to your actual system; so caution is advised when using it on a computer containing important data. Just encrypt any important data you have (which is a thing to do in the first place anyway).
Personally, I use Sandboxie while surfing these days and DiamondCS Process Guard to alert me whenever something strange tries to execute. I also have Deep Freeze on this machine so this exploit hardly bothers me that much; but Sandboxie alone does protect your machine, at least while surfing.
If you use Sandboxie for downloading and reading e-mail, DO NOT forget to use the option "leave mail on remote server" in your e-mail program, or all your mail will be lost when you empty the sandbox: if you notice an exploit/trojan in your e-mail while reading it sandboxed, you can do this:
- close the e-mail reader and empty the sandbox.
- do "telnet 'your-pop-server.com' 110" and use the pop3 commands to find the message; do "dele 'number'" to delete the message on the remote pop.
That's it.
:)
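The telnet steps in the post above can also be scripted. This is an added example, not part of the original post, using Python's standard `poplib`: it reads headers only (POP3 `TOP n 0`), so the suspect body is never downloaded, then issues `DELE` and `QUIT`. `FakePOP3`, the sample messages and the search text are constructed so the block runs offline.

```python
import poplib
from email.parser import BytesParser

def connect(host, user, password):
    conn = poplib.POP3(host, 110, timeout=30)  # cleartext POP3, as in the telnet step
    conn.user(user)
    conn.pass_(password)
    return conn

def find_messages(conn, needle):
    """Return [(number, from, subject)] where From or Subject contains needle."""
    hits = []
    for num in range(1, conn.stat()[0] + 1):
        _resp, lines, _octets = conn.top(num, 0)  # TOP n 0: headers only, no body
        hdr = BytesParser().parsebytes(b"\r\n".join(lines), headersonly=True)
        sender, subject = str(hdr.get("From", "")), str(hdr.get("Subject", ""))
        if needle.lower() in f"{sender} {subject}".lower():
            hits.append((num, sender, subject))
    return hits

def delete_and_commit(conn, numbers):
    for num in numbers:
        conn.dele(num)  # DELE only marks the message for deletion
    conn.quit()         # the server removes marked messages at QUIT

class FakePOP3:
    """Constructed in-memory stand-in for poplib.POP3 so this runs offline."""
    def __init__(self, raw):
        self.msgs, self.marked = dict(enumerate(raw, 1)), set()
    def stat(self):
        return len(self.msgs), sum(map(len, self.msgs.values()))
    def top(self, num, _lines):
        head = self.msgs[num].split(b"\r\n\r\n", 1)[0]
        return b"+OK", head.split(b"\r\n"), len(head)
    def dele(self, num):
        self.marked.add(num)
    def quit(self):
        self.msgs = {n: m for n, m in self.msgs.items() if n not in self.marked}

SAMPLE = [  # constructed messages, not taken from the thread
    b"From: alice@example.org\r\nSubject: lunch\r\n\r\nhi",
    b"From: unknown@example.net\r\nSubject: Happy New Year card\r\n\r\n(body)",
]

if __name__ == "__main__":
    box = FakePOP3(SAMPLE)  # real use: box = connect("your-pop-server.com", user, pw)
    hits = find_messages(box, "new year")
    print(hits)
    delete_and_commit(box, [num for num, _, _ in hits])
```

Until `QUIT` is sent, a POP3 `RSET` (`conn.rset()` in `poplib`) unmarks everything, so a wrong match can still be undone within the same session.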
I can also confirm that it protects against the wmf vulnerability; however, it is advisable to close and empty your sandbox immediately after you get infected since it is possible for a worm that is downloaded by the vulnerability to spread to others. There is also an unofficial patch available here: http://www.hexblog.com/2005/12/wmf_vuln.html
Great to see Sandboxie protects against the latest exploit.
I use Outlook Express as my email client. Found this nifty little software, Palmail, that checks, shows and can delete incoming emails at the server's end.
http://www.mirwoj.opus.chelm.pl/winfree ... lmail.html
Some of you may find this thread of interest concerning whether SandboxIE will protect you or not from the WMF exploit. http://www.dslreports.com/forum/remark,15170345 Best to stick with the temporary patch already posted about here and when M$ finally gets off their @$$es and releases the official patch next Tuesday you should get that instead.