[REQUEST YOUR THOUGHTS]|Ransomware & SBIE

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

[REQUEST YOUR THOUGHTS]|Ransomware & SBIE

Post by Craig@Invincea » Sat Apr 02, 2016 11:54 am

Hi everyone:
Given the seemingly daily news about companies and users being struck with Ransomware, we are asking for your assistance and input. Don't worry, SBIE is safe/secure and awesome as usual.

Anup (Invincea CEO) has tasked me and has specifically asked for the Forum to kindly share thoughts, ideas, sharing of SBIE configuration, etc and how you and SBIE deal with Ransomware.

Anup knows that our forum users are a vast wealth of knowledge, and so these ideas will go into documentation, videos, templates and most likely updates into SBIE.

We're getting a lot of interest in SBIE, as Management sees that, now is the time we can use to build SBIE even stronger. It's a Win, Win.

So, here is what we are in need of:
- SBIE Configuration, specific to ransomware. Do you do anything different?
- How do you use SBIE when going online? Opening email attachments? Recovering and saving files? (Office2016/Office365 can be included, that is being released ASAP.)
- How do you deal with forcing / not forcing web browsers? Or any program?
- IM clients?
- How do you eliminate it? (besides deleting your sandbox) do you do anything other than that?
- What would you suggest, a fix? and update? And update too...? that would make SBIE even better to protect against ransomware - malware? (By default, you're protected) but we're looking more of refinements or changes we've missed or not considered or you've wondered about...

I want to thank everyone in advance! I'll make sure users with fantastic info/ideas/etc get a thank you of sorts in return..either swag and or a lifetime license... :P

Don't be afraid to post anything you think that might be of help, use..etc.

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by bo.elam » Sat Apr 02, 2016 2:17 pm

I protect myself against ransomware and malware in general by using Sandboxie as much as possible. It is rare when I run something unsandboxed. So, most files in my computers run sandboxed from the day they get created in the PC till the day they are deleted. I get this done by forcing programs and folders and using the sandboxed Windows explorer for specific situations. So, no matter what kind of file it is or where the file is located in the PC, if it's gonna run in my computer, it's gonna run sandboxed. Basically, the only time something runs unsandboxed in my PC, is when I am going to install something in the host. My computers are static, I don't do that often so it is rare for me to run anything out of the sandbox.

And then to make sandboxes stronger, I create dedicated sandboxes for each program that I run on an everyday basis. By doing this, programs in my computers run isolated not only from the system but from other programs as well. And I tailor each sandbox according to the program or purpose I created it for, always looking for the perfect balance between security and convenience. So, I restrict it as much as possible but never losing usability. The result is always the same, my sandboxes are as restricted as possible and convenient.

For security, I have nothing but Sandboxie but some of the credit for keeping me clean belongs to NoScript. This addon, if used well, goes a long way. I used it for as long as Sandboxie, and to this day, I have never seen anything that looks like malware while browsing. Never seen a fake scanner or some strange looking pop up telling me that I am infected or anything like what ransomware displays in the user's screen. In my opinion, this addon, even though it is only an addon, does more for browsing security than most if not all security suites or programs that claim to protect against a million viruses. Anyway, I wouldn't trade NoScript for nothing but Sandboxie. It works great with SBIE, never a conflict. These two programs really work well for keeping me safe. In my view, while browsing, NoScript blocks and Sandboxie contains.

And Delete the sandbox. I delete the sandbox all the time all day long. I think this is important.

Bo

Peter2150
Posts: 879
Joined: Tue Mar 27, 2007 9:46 pm
Location: Washington DC

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Peter2150 » Sat Apr 02, 2016 3:17 pm

Craig@Invincea wrote: Hi everyone:
Anup (Invincea CEO) has tasked me and has specifically asked for the Forum to kindly share thoughts, ideas, sharing of SBIE configuration, etc and how you and SBIE deal with Ransomware.
Don't be afraid to post anything you think that might be of help, use..etc.

Hi Craig

First a huge thanks to Anup for taking on Sandboxie, and supporting the way Invincea has. Outstanding!

I run Sandboxie a bit differently than Bo, but with similarities. I've created a Sandbox for each of my browsers only allowing what is needed to run, and only allowing internet access where it is needed. Each sandbox is tailored to how I use that browser. My default box is a bit different. I allow anything to run, but no internet access. This way I can always test a document or some other data file without worrying about phone homes. All access to personal data areas is restricted in all sandboxes.

Also I've been selective about other security software so it all works with Sandboxie

My personal email is web based so it is covered by my browser setup. I don't Sandbox Outlook, as it is so intertwined with other business software, that a lot of things break. For example I use Microsoft Maps, which is accessed thru Outlook. I also use Quickbooks, which sends emails thru Outlook. Additionally I use two Outlook addons, which all together is just too complex.

Craig as you know I did ask questions re Petya, but at this point, I am comfortable that Sandboxie has my back re ransomware.

To you, Curt, and Anup, Well Done!

Pete

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by henryg » Sat Apr 02, 2016 4:06 pm

My sandboxes are generally drop-rights and maintained in a ram drive, and with auto-delete on closing. But equally or even more important for ransomware protection is, in my case, using Crashplan which provides offsite backup with versioning and "point in time" restore.

It bothers me a lot that Sandboxie cannot run Office 365 sandboxed.
Henry

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Craig@Invincea » Sat Apr 02, 2016 5:06 pm

henryg wrote:My sandboxes are generally drop-rights and maintained in a ram drive, and with auto-delete on closing. But equally or even more important for ransomware protection is, in my case, using Crashplan which provides offsite backup with versioning and "point in time" restore.

It bothers me a lot that Sandboxie cannot run Office 365 sandboxed.

That's because of MS Click2Run service. Not the fault of SBIE..We have to reverse engineer that service, etc to make it work.

There is a thread detailing what a user would need to do to stop the service, then restart it with SBIE code injected. When the beta is released with the C2R code, it'll be updated. It'll be released very very soon.

It wasn't a simple thing to sort out. It took a lot of Dev time. This applies to late Office 2013 and Office 2016.
http://forums.sandboxie.com/phpBB3/view ... 11&t=22645

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Craig@Invincea » Sat Apr 02, 2016 5:14 pm

Thanks everyone..keep it coming. Yes, SBIE is very important for individual users small and large businesses, and Very important for Invincea.

Invincea has such advanced stuff coming out regarding Endpoint(s) soon and so much was focused on that, that I'm glad Anup sees just how important SBIE is still to Invincea. He recognizes how dedicated everyone here is. I certainly appreciate that, as does Curt and Tom.

I think it was a Twitter mention that came through to @SandboxieHelp then mentioned how fantastic SBIE is regarding the malware wave. I posted that mention on our internal chat (attached), and well..That prompted a Saturday morning email from Anup. :)

By default, SBIE does an excellent job of preventing everything from getting out of the SB. It's communicating that, showing how that works, and what else can be done to lock you down further (ahem, Mr. Steve Gibson.)

So thanks everyone so far!

The SBIE beta with C2R should be dropping soon. In all of my testing the only thing that didn't work, was Skype4Business. (and you have to do that Services step..) but other than that, good stuff.

RedBonnet
Posts: 13
Joined: Tue Dec 08, 2015 2:56 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by RedBonnet » Sat Apr 02, 2016 8:01 pm

If management's objective is to land corporate accounts by showing SBIE's value, I think you would get great bang-to-buck ratio by posting on YouTube, a ransomware infection from without Sandboxie; show the damage, including damage to networked computers. Then record the same infection within Sandboxie. If the video is well produced, the software will sell itself.

The infection vector would be a phishing email attachment to reflect what companies are deathly worried about. The challenge would be demonstrating that employees can be taught how to extract the legitimate docs from the sandbox easily enough that compliance would be high if SBIE were adopted.

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Craig@Invincea » Sat Apr 02, 2016 11:54 pm

Not necessarily directed at Corp accounts. But out of the several million users, a great many are small to large businesses.

Invincea has the industry leading Endpoint product that uses machine learning among other cutting edge tech, with a massive game changing release upcoming...which handles commercial and specifically Gov't and Enterprise clients.

SBIE is geared more towards the home user, small business, but SBIE is used by major clients as well. I think the niche is home and small biz.

But your point(s) are very valid!!

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by henryg » Mon Apr 04, 2016 8:20 am

Craig@Invincea wrote:
henryg wrote: It bothers me a lot that Sandboxie cannot run Office 365 sandboxed.
That's because of MS Click2Run service. Not the fault of SBIE..We have to reverse engineer that service, etc to make it work.

I wasn't blaming Invincea, just saying it as it is.
Henry

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Craig@Invincea » Mon Apr 04, 2016 11:25 am

henryg wrote:
Craig@Invincea wrote:
henryg wrote: It bothers me a lot that Sandboxie cannot run Office 365 sandboxed.
That's because of MS Click2Run service. Not the fault of SBIE..We have to reverse engineer that service, etc to make it work.
I wasn't blaming Invincea, just saying it as it is.

None taken, we're blaming MS :)

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Craig@Invincea » Mon Apr 04, 2016 12:26 pm

Here's a typical scenario:

"But I already use X to protect my machine, Why do I need to use SBIE?"

"....I'm going to continue to use X, it'll protect me, I update it daily...."

The most difficult thing, for me...it's having people understand that SBIE isn't AV, it's a fence. A wall. SBIE won't detect malware, malware can run..but it's kinda like all the ghosts back at the firehouse in the containment field. They're having fun, but only in there (minus the power switched..) but even then, SBIE is better than that :)

Thoughts? Rebuttal to those answers?

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by bo.elam » Mon Apr 04, 2016 2:14 pm

Craig@Invincea wrote: The most difficult thing, for me...it's having people understand that SBIE isn't AV, it's a fence. A wall. SBIE won't detect malware, malware can run..but it's kinda like all the ghosts back at the firehouse in the containment field. They're having fun, but only in there (minus the power switched..) but even then, SBIE is better than that :)
Thoughts? Rebuttal to those answers?

Why did I (Bo) start using Sandboxie?

The answer to that question might give you some clues on how to get people to understand the benefits of using Sandboxie and why using something like SBIE is better than traditional antiviruses. I'll try to make it short so my message doesn't get lost.

Last time I got infected was at the end of 2008, it was a rootkit. For some reason, to clean that infection for the first time ever I didn't look for help to clean the PC. I did it myself and made it like a game doing it. So, I read and read about rootkits, cleaning the infection was a back and forth thing. I cleaned it and the next day it would come back and finally after a couple of weeks, the machine was cleaned.

Cleaning my computer of this infection woke me up about rootkits, zero day threats and new technologies that were better designed to prevent infections than traditional anti viruses. At that time I came to realize that to protect myself I needed to use something that doesn't depend on updating signatures and that's how I came to discover Sandboxie and a bunch of other programs.

Why did I choose sandboxing over HIPS, Etc? I followed my instinct. Sandboxing sounded like it was effective and convenient. And it has. Sandboxie was only the second program that did not require signature that I tried and it stuck.

That infection at the end of 2008 was my last infection. Malware has not come around my computers for nothing ever since. I started like everyone, just sandboxing the browser and using an AV along SBIE. Eventually, I dropped using the AV, stopped looking for the perfect companion for SBIE and started sandboxing as many files and programs that I can.

Bo

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Craig@Invincea » Mon Apr 04, 2016 2:19 pm

Here is a Youtube video of SBIE and Cryptolocker
http://bit.ly/sbieransom

cj716
Posts: 102
Joined: Tue Apr 06, 2010 8:21 am

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by cj716 » Mon Apr 04, 2016 2:26 pm

I always have specific boxes for specific purpose, make use of start/run restrictions, internet restrictions and file access restrictions. I don't allow any auto or quick recovery and where I need to save files outside the box it is into a forced folder with very strict access rights until I know it's safe. Deletion on close for all boxes.

For Ransomware in particular I think start/run and file access restrictions are my main tools. With file restrictions in some boxes I use something like this ClosedFilePath=E:\ to block everything and sometimes I use something like ClosedFilePath=!safe.exe,E:\MyForcedFolder\ to allow a specific app to see out.

It's about restricting the potential for anything other than what I want to spawn from an internet facing app and when it has to run, to what it can do/see.

As for rebuttal how about the numerous e-mails I get from an old account I keep that is relentlessly spammed by malware. Office attachments that are actually malware executables, word docs that launch powershell scripts to download and run malware that bypasses AE/HIPS software and plain old fashioned redirects to drive-bys. SBIE easily contains them all, blocks most and foils the payload of the others. No signatures, no fuss.

The VT results from these samples rarely reach double figures in detection rates and few of the 'big boys' ever feature at all. If I wasn't using SBIE I'd be infected every 5 minutes. The last 2 were rar files containing powershell scripts that downloaded Locky. Only one single engine on VT caught it on the day I got it. A week later there were 30. SBIE would have saved me between day one and a.n.other blacklister detecting it.

Just because you haven't been infected using your chosen AV solution doesn't mean you're safe. AV is a resource waste for me (YMMV) because SBIE does what I need without the daily update/scan routine. Certainly an AV alone set-up is a flawed and ultimately foolhardy approach. Restrict and flush away is the way to go. SBIE all the way.
Chris
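
An added example, not part of any post and not Sandboxie's own tooling: a small Python check that reads Sandboxie.ini-style text and reports which of the hardening steps described in the posts above (delete on close, drop rights, start/run, internet and file access restrictions) each box lacks. The sample boxes are constructed, and the setting spellings other than ClosedFilePath are assumptions about what Sandboxie Control writes, so verify them against your version.

```python
import re

# Constructed sample in Sandboxie.ini layout; box names and paths are made up.
# The real file is UTF-16, so decode it before passing its text in.
SAMPLE_INI = r"""
[DefaultBox]
Enabled=y

[RarBox]
Enabled=y
AutoDelete=y
DropAdminRights=y
ProcessGroup=<StartRunAccess>,winrar.exe
ClosedIpcPath=!<StartRunAccess>,*
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedFilePath=E:\
"""

def parse_boxes(text):
    """Parse sections, keeping repeated keys (configparser rejects duplicates)."""
    boxes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = boxes.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return boxes

def audit_box(settings):
    """List the hardening steps from the thread that one box is missing."""
    def is_on(key):
        return any(v.lower() == "y" for v in settings.get(key, []))
    closed_files = [v.lower() for v in settings.get("closedfilepath", [])]
    closed_ipc = [v.lower() for v in settings.get("closedipcpath", [])]
    findings = []
    if not is_on("autodelete"):
        findings.append("no delete-on-close")
    if not is_on("dropadminrights"):
        findings.append("drop rights not set")
    if not any(v.startswith("!<startrunaccess>") for v in closed_ipc):
        findings.append("no start/run restriction")
    if not any(v.endswith("internetaccessdevices") for v in closed_files):
        findings.append("no internet restriction")
    if all("internetaccessdevices" in v for v in closed_files):
        findings.append("no blocked data paths")
    return findings

def audit(text):
    """Audit each section that carries an Enabled key; returns {box: [findings]}."""
    return {name: audit_box(s) for name, s in parse_boxes(text).items()
            if "enabled" in s}

if __name__ == "__main__":
    for box, findings in audit(SAMPLE_INI).items():
        print(box, "->", findings or "matches the thread's hardening steps")
```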

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by bo.elam » Mon Apr 04, 2016 3:21 pm

cj716 wrote: The last 2 were rar files containing powershell scripts that downloaded Locky. Only one single engine on VT caught it on the day I got it. A week later there were 30.

Hi Chris. I force WinRar. When I run a RAR file, it runs in its own dedicated sandbox where no program is allowed access to the internet. I have Drop rights ticked and only WinRar.exe can run. Then I recover the file to my Downloads folder which is forced. And then eventually, if I decide to keep the file and move it elsewhere in the PC, when it runs, it will run sandboxed via forced programs or forced folders. For most files, it is rare when I run something unsandboxed and usually, most files run sandboxed for as long as they remain in my computers. I do a lot of what you do, as described in your post.

Bo
