Sandboxie leaks pictures - [SOLVED]

If it doesn't fit elsewhere, it goes here
Post Reply
rodalsa
Posts: 12
Joined: Tue Apr 08, 2014 7:59 am

Sandboxie leaks pictures - [SOLVED]

Post by rodalsa » Mon Jan 09, 2017 2:01 pm

Here is a copy of a Word 2010 file that details how I proved Sandboxie leaks pictures ...

USING PIRIFORM’S RECUVA IN THUMBNAIL VIEW, I SCANNED EACH OF THE FOLDERS IN MY C:\ DRIVE.
This scan was performed outside of Sandboxie. I was looking for any pictures (*.jpg|*.png|*.raw|*.gif|*.jpeg|*.bmp|*.tif) in Recuva’s parlance that were produced on screen while operating under the supervision of Sandboxie while cruising the Internet. These pictures, that I did not expect to find outside of Sandboxie after Sandboxie’s files were deleted, appeared in Recuva’s scans
I refer to these pictures as my “the watch criteria” below. None of the watch criteria files were user saved. They were only displayed within the Sandboxie "enclosed" browser (Firefox in my case).

The computer used for this work has only one hard drive naturally named the C:\ drive. This drive (C:\) contained many folders. I scanned each of these folders separately using Recuva. The results of these scans produced only six files as matching my watch criteria. Here they are as Filename and Path. The duplicate was indeed a duplicate.

Scanning C:\Users\*
Found 1,638 files 3 of which satisfy the watch criteria.

Filename: tree_view[1].jpg
Path: C:\Users\Rodger A Sanders\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E5UVIAZV
Filename: B7FB31AD0A4575EADE23D14B226DEFA97951E145
Path: C:\Users\Rodger A Sanders\AppData\Local\Mozilla\Firefox\Profiles\86nikl3x.default-1444703085006\cache2\entries
Filename: B7FB31AD0A4575EADE23D14B226DEFA97951E145
Path: C:\Users\Rodger A Sanders\AppData\Local\Mozilla\Firefox\Profiles\86nikl3x.default-1444703085006\cache2\entries
==============================================================================
Scanning C:\Program Data\*
Found 44 files 2 of which satisfy the watch criteria.

Filename: {CCFFD13D-C418-4AFB-83FA-E9CEACE148BC}
Path: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource
Filename: {3264B22E-2E72-4134-9FCA-D0F263D9F448}
Path: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource
==============================================================================
Scanning C:\Program Files\*
Found 120 files 1 of which satisfies the watch criteria.

Filename: CrtCheck.exe
Path: C:\Program Files\AVAST Software\Avast\x64
==============================================================================
==============================================================================
Having scanned EACH of the folders in C:\, the above are the only files that fit the watch criteria.

I then scanned the complete C:\ “folder” as reported below…
==============================================================================
Scanning C:\*
Found 11030 files 756 of which satisfies the watch criteria.
Which means that 756 – 6 = 750 lay outside of the subdirectories on the C:\ folder.
==============================================================================
I selected all of the 11030 files and requested that Piriform Recuva secure overwrite them all.
Recuva overwrote 5825 files in 10 minutes 36 seconds. File types not overwritten were…
File is resident in the MFT
File is already overwritten by existing files(s)
As reported by Recuva. I then ran a scan on C:\ to verify the result of the overwrite. It bombed.
==============================================================================
Scanning C:\*
Found 10995 files of which a large number satisfies the watch criteria many of which were recognizable from the scan of C:\* prior to the secure overwrite. I did not count each hit on my watch criteria. Piriform – you are not doing what you claim.

I am running Eraser on unused space on C:\* to see if that program will get the job that Sandboxie should have been doing done. Eraser completed in 3 hrs. 7 min. with warnings. What warnings? Here is the entire log…

Session: Monday, January 09, 2017 7:01:26 AM
Monday, January 09, 2017 7:01:26 AM Information Session started
Monday, January 09, 2017 7:01:27 AM Warning This computer has had System Restore or Volume Shadow Copies enabled. This may allow copies of files stored on the disk to be recovered and pose a security concern.
Monday, January 09, 2017 11:08:49 AM Information Session ended

I then ran Recuva on C:\ again to see if Erase had done its job. It did.

Running Recuva on C:\ after the erase. 1/9/2017 11:36 AM.
This scan found 1419 files of which 0 satisfied the watch criteria.
I searched the 1419 files found for each of the file names found earlier….
Filename: tree_view[1].jpg
Filename: B7FB31AD0A4575EADE23D14B226DEFA97951E145
Filename: B7FB31AD0A4575EADE23D14B226DEFA97951E145
Filename: {CCFFD13D-C418-4AFB-83FA-E9CEACE148BC}
Filename: {3264B22E-2E72-4134-9FCA-D0F263D9F448}
Filename: CrtCheck.exe
Yes, there were two identical files (names) found. None of these files were found.
NOTE: The filenames did not represent the content of the six files.

Bottom Line: Sandboxie leaks pictures that Recuva can find and restore. I did not restore any of the files. If you are serious about using Sandboxie as a privacy program for photographic content – FORGET IT. After you “delete” Sandboxie’s files, run Eraser on all drives that Sandboxie can touch to finish the job.

I did not test for the other file types that Recuva can find BUT as far as Sandboxie’s privacy claims go – be careful.

Curt@invincea
Sandboxie Lead Developer
Sandboxie Lead Developer
Posts: 1638
Joined: Fri Jan 17, 2014 5:21 pm
Contact:

Re: Sandboxie leaks pictures

Post by Curt@invincea » Mon Jan 09, 2017 3:21 pm

We get these "Sandboxie leaks files" claims every now and then. They are usually the result of not understanding how Sandboxie works, or accidentally running browsers outside Sandboxie (even though people are usually "positive" they never did).

First off, Sandboxie is not a "privacy app". See https://www.sandboxie.com/index.php?PrivacyConcerns. Your c:\sandbox folder is completely visible to anything running on your host. That includes backup software, Recuva, A/V, etc. You can use Explorer on your host and copy files manually out of the sandbox, if you so desire. That is not considered a "leak".

Secondly, users sometimes accidentally run browsers outside of Sandboxie. This is especially a problem with Firefox because, by default, it does not have a title bar -- and hence no "# #" is displayed. You can confirm apps are running in Sbie by looking at the list in SbieCtrl, or moving the mouse over the top of the window to see the yellow border.

If you want to prove to yourself that Sandboxie is not leaking FF cache files, open Explorer and go to your C:\Users\<username>\AppData\Local\Mozilla\Firefox\Profiles\<profilename> folder. Check the timestamps on the cache sub-folders. Now start FF sandboxed. Unless you have opened your FF profile inside Sbie, you will not see the timestamps change on these folders while running Sbie.

And I am not clear on what some of your results are supposed to mean. For example, does this one mean that Sbie supposedly leaked C:\Program Files\AVAST Software\Avast\x64\CrtCheck.exe? How did CrtCheck.exe get into the sandbox in the first place?
==============================================================================
Scanning C:\Program Files\*
Found 120 files 1 of which satisfies the watch criteria.

Filename: CrtCheck.exe
Path: C:\Program Files\AVAST Software\Avast\x64

rodalsa
Posts: 12
Joined: Tue Apr 08, 2014 7:59 am

Re: Sandboxie leaks pictures

Post by rodalsa » Wed Jan 18, 2017 8:41 pm

Thanks for the response Curt.
1. Firefox was running within Sandboxie. Evidenced by the yellow border.
2. The generation of the watch criteria pictures was done under the conditions of 1 above.
3. The default sandbox was used.
4. Post generation of the pictures, Sandboxie was either closed with or without subsequent deletion of content and reopened later with additional generation of watch criteria pictures displayed.
5. The last Sandboxie activity before running Recuva was to delete the content of the default sandbox.
6. The above processes 1. to 5. were repeated several times with Eraser providing a wipe of free space between iterations.
7. None of the watch criteria file names reported by Recuva reflect the content of the pictures nor were they typical of the source file names.
8. No watch criteria files were found after Eraser's free space runs.
9. No watch criteria files were copied from within Sandboxie to any source reachable by the physical computing system. Internet to Firefox running under Sandboxie was the only data transmission path used.

All of this seems to me so far to tie down loose ends. Pictures presented on the monitor while running Firefox within / under Sandboxie's supervision were presented on the monitor outside of Sandboxie after Sandboxie had been closed (the default Sandboxie files deleted).

Rod

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: Sandboxie leaks pictures

Post by Barb@Invincea » Thu Jan 19, 2017 12:26 pm

Hello rodalsa,

Please take a look at this entry which covers the Sandboxie deletion process:

https://www.sandboxie.com/index.php?SecureDeleteSandbox

Regards,
Barb.-

rodalsa
Posts: 12
Joined: Tue Apr 08, 2014 7:59 am

Re: Sandboxie leaks pictures

Post by rodalsa » Wed Jan 25, 2017 9:23 am

Thanks Barb.

Spot on. I did not realize that Sandboxie allowed modification of its default behaviour to do what I had done with Eraser.
I've used the *.ini files in the deep past but seemed to forget about them in this instance. I'm 82.
Once again the community excels.

You indexing my mind should solve the problem.

Rod

rodalsa
Posts: 12
Joined: Tue Apr 08, 2014 7:59 am

Re: Sandboxie leaks pictures - [SOLVED]

Post by rodalsa » Wed Jan 25, 2017 10:29 pm

Well, I used Sandboxie 6.2.0.2979 to generate the command...
"C:\Program Files\Eraser\Eraser.exe" addtask --quiet --method=ecbf4998-0b4f-445c-9a06-23627659e419 --schedule=now --dir="%SANDBOX\\%"
With it ending in "%SANDBOX\\%" and all references to this parameter that I have observed being "%SANDBOX%", I was unsure things would work as planned.

They did not. After the erase I counted 57 instances of my watch criteria present as reported by Recuva.

What does the "....\\..." do the the "dir=" specification?

Also, Eraser, as I assume, is being told to erase the content of some portion(or all) of the folder "Sandbox". I found pairs of my watch criteria located per Recuva's Info report located outside of Sandbox. In the specific case that I checked a file named "J0287645.JPG" was reported at...
"Path: C:\Program Files(86)\Microsoft Office\CLIPART\PUB60COR\"
a place where my watch criteria would not appear.

If the "fact" that the files were located outside of "SANDBOX", then how did they get where they were "reportedly" found since they were accessed from within Sandboxie's instance of Firefox? Here I am back to my claim that Sandboxie "Leaks".

One instance of this file was marked "Unrecoverable". The other "Excellent". Both displayed a "Preview". That a Recuva problem. Both were reported located in the same Path.

From the above it may be a bit premature to label this thread as SOLVED.

I pause all attempts to "crack this nut" until my concerns gain a deeper insight into their cause. I will freely use my system. Eraser and Recuva rest. Some of these watch criteria files may be overwritten. Should I enter this problem again, Eraser on C:\ Freespace will be my next move unless the "deeper insight" that opens the door to re-entry dictate otherwise.

I appreciate the help that has us this far down the road. Thank You.

Rod

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: Sandboxie leaks pictures - [SOLVED]

Post by Barb@Invincea » Thu Jan 26, 2017 10:15 am

Hi rodalsa,

"Path: C:\Program Files(86)\Microsoft Office\CLIPART\PUB60COR\" --> That path is for Microsoft Publisher, not Firefox. Any chance that this is what you are seeing? :
https://forum.piriform.com/?showtopic=38261

Have you tested what Curt suggested before? What were the results? :
If you want to prove to yourself that Sandboxie is not leaking FF cache files, open Explorer and go to your C:\Users\<username>\AppData\Local\Mozilla\Firefox\Profiles\<profilename> folder. Check the timestamps on the cache sub-folders. Now start FF sandboxed. Unless you have opened your FF profile inside Sbie, you will not see the timestamps change on these folders while running Sbie.
Here's a thread with exact examples that you can try for Eraser, hope this helps :
http://forums.sandboxie.com/phpBB3/view ... er#p107643

Regards,
Barb.-

Curt@invincea
Sandboxie Lead Developer
Sandboxie Lead Developer
Posts: 1638
Joined: Fri Jan 17, 2014 5:21 pm
Contact:

Re: Sandboxie leaks pictures - [SOLVED]

Post by Curt@invincea » Thu Mar 15, 2018 6:01 pm

rodalsa wrote:
Wed Mar 14, 2018 9:59 pm
I have on multiple Recuva runs encountered photos that I recognize as having been on screen while Sandboxie was running my browser.

I tested this specifically by choosing helicopter photos for my search while running Sandboxie(Firefox). During my normal usage of my computer, I have never used the word "helicopter" for my search criteria either inside or outside of Sandboxie giving the test run a form of purity. Nor have I searched for anything that would remotely imply helicopters. I tried "Aardvark" photos also. Same comments and results.

After my test run and fully expecting not to see any helicopter photos, I ran Recuva. They were found and Recuva gave their folder specification as "C:/?". Ditto with Aardvark photos.

How is that possible?

Rod

For me to believe is insufficient for you to know - rodalsa
Rod, Recuva recovers deleted files. When Sandboxie deletes the sandbox, it uses the normal Windows file delete. So Recuva will be able to see/recover everything in the deleted sandbox. If you want to permanently delete the sandbox, you need to use a tool like Eraser, as Barb links to above.

Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests