Why AV in Combination With Sandboxie is Needed

Lode
Posts: 136
Joined: Wed Oct 10, 2007 6:08 pm


Post by Lode » Tue Nov 29, 2011 6:17 am

Hi!

Day before yesterday I had scanned my notebook with the free Panda Active Scan 2.0, and it detected 15 Trojan horses. They were in my Opera browser's integrated mail program supposedly.

Since my mail folders seemed to be empty, I thought they were false positives. Or maybe malware in my browser. So I posted about that on the Panda forum. But the response was that Panda had found the Trojans in my email.

So I checked again, and yes, they were old emails with malware attachments, forgotten and left for months in my spam box. So I finally deleted them, scanned again, and this time the verdict was "clean."

I posted on the forum:

"BTW, I use Sandboxie, and always surf and open emails in its sandbox -virtual space- so nothing gets on my hard disk outside of the sandbox. Even if I would open the attachments with the malware, it could copy the addresses from my address book, send the spam to the addresses, and spy on my notebook, but it would still stay in that virtual space until I would delete it. It would not affect any changes on my notebook outside the sandbox."

I suppose this info is correct. Otherwise I would like to hear about it here, so I can correct it there:
http://support.pandasecurity.com/forum/ ... 273cef7b14

Lumberjack
Posts: 91
Joined: Fri Nov 25, 2011 12:37 am

Post by Lumberjack » Thu Dec 01, 2011 3:37 am

is_m00nbl00d wrote: Hello,

I'm a Sandboxie user (paid user), and well I like it. But, past has shown us that Sandboxie has been bypassed before; some folks have provided PoC (proof-of-concepts). Quite recently, someone came with a PoC where this "malware" would create a user account in our real system. The funny thing is, way before this person came with this PoC, someone else had reported an issue saying that an application (legitimate application) had bypassed Sandboxie, doing the exact same thing this PoC did.

Sandboxie's author did fix this bug... But, well, we're not dealing with static code, and you always need to think about the 1% chance that some bug does exist in Sandboxie, and what can happen due to this bug. It's said that no software is free of bugs, and that's true.

So, as you can see, sometimes things may not happen deliberately, but may happen by accident. Now, imagine that instead of a legitimate application, this user came across a piece of malware that, while not bypassing Sandboxie deliberately, did so due to some bug in Sandboxie? Would this be so impossible to happen? It happened with a legitimate application... I'm not an expert, but logic tells me that it could happen with malware as well, correct?

And, Sandboxie's author does say:
Sandboxie may be your first line of defense, but it should certainly be complemented by the more traditional anti-virus and anti-malware solutions. These solutions can let you know if your system does become infected in any way.

Typically, those other solutions employ various forms of pattern matching to discover malicious software and other threats. Sandboxie, on the other hand, quite simply does not trust any software code enough to let it out of the sandbox.

The combination of the two approaches should keep malicious software -- which is serving the interest of other unknown parties -- out of your computer.
http://www.sandboxie.com/index.php?Freq ... HowItWorks

So, an antimalware is still there to say "Hey, this is bad," and stop it.


Not quite. In Sandboxie you have options, when malware installs inside Sandboxie, so that it can't do anything at all: it can run, which means it can't execute, it can't access the internet or any program/file process outside Sandboxie.

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am

Post by ssj100 » Thu Dec 01, 2011 4:07 pm

For the vast majority of users, I would generally recommend that a real-time Anti-virus is used. However, for many people who e.g. post on security forums (meaning they care a lot about computer security), an Anti-virus is not required at all if you have a decent security setup/approach. In fact, I would argue that adding an Anti-virus (especially in real-time) may lessen your protection. The more code you have on your system (particularly running in real-time), the higher chance there is for conflicts to occur. And often, these conflicts aren't obvious. People always seem to assume that if everything is appearing to run normally, then there must be nothing wrong. This is not always the case. I have a few examples of software conflicts which resulted in security mechanisms being bypassed:
1. Sandboxie + Antivirus (even though the Antivirus was installed only as on-demand) - however, this was a Beta version of Sandboxie, and tzuk fixed it.
2. Sandboxie + CIS - again, this involved a Beta version of Sandboxie.
3. Sandboxie + DefenseWall
4. Sandboxie + Shadow Defender - developer of Shadow Defender fixed the issue after I made enough noise about it haha.

All the examples above were not obvious at first. In some instances, the conflict was only reproduced in specific situations.

Anyway, it's all about risk-benefit. If you know how and want to use Sandboxie to its potential and have a reasonable security setup/approach, adding more software (like a real-time Anti-virus) would arguably reduce your protection level. However, for the vast majority of users out there, adding a (real-time) Anti-virus would most likely increase their protection level.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

D1G1T@L
Posts: 577
Joined: Sun Apr 17, 2011 7:40 pm
Location: DefaultBox

Post by D1G1T@L » Thu Dec 01, 2011 9:40 pm

The more code you have on your system (particularly running in real-time), the higher chance there is for conflicts to occur.
+1
3. Sandboxie + DefenseWall


Both programs, although different in approach, utilize some of the same resources for policy restriction, hence the issue. You should only use one of them (which is an easy choice to make ;) )

4. Sandboxie + Shadow Defender - developer of Shadow Defender fixed the issue after I made enough noise about it haha.
Just to clarify, it was a bug from when ssj set the sandbox folders to be excluded from the shadow session that this happened. It seems many are using this combination on Wilders without any side effects, as they haven't excluded anything in their setups.
One Program to rule them all, One Program to confine them, One Program to wrest them all and in the sandbox bind them.

Lode
Posts: 136
Joined: Wed Oct 10, 2007 6:08 pm

Post by Lode » Sun Dec 04, 2011 7:02 am

I had not thought of malware entering through email attachments yet. I just found out how it affected my Opera integrated mail program, as described here:
http://www.sandboxie.com/phpbb/viewtopi ... 5004#75004

Lode
Posts: 136
Joined: Wed Oct 10, 2007 6:08 pm

Post by Lode » Tue Dec 06, 2011 4:13 am

Come to think of it:
Even when malware opened in a sandboxed email attachment does not affect whatever is on the rest of the hard disk outside the sandbox, not only can it still spy on that disk, it can also copy the email addresses from your address book and then have malware and spam sent to those addresses.

So AV which detects the malware and removes it is still necessary. Unless we make absolutely sure we never open any of those attachments.
But it seems that some malware can even be installed directly by just opening and reading the email without the need for an attachment:

"What about getting a virus through e-mail?

It is now possible to get a virus just by reading a plain-text e-mail message. This is a property of the KAK Worm virus.":

http://www.querycat.com/question/4a76a9 ... 8b394c221d

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am

Post by ssj100 » Tue Dec 06, 2011 4:52 am

Lode wrote:Come to think of it:
Even when malware opened in a sandboxed email attachment does not affect whatever is on the rest of the hard disk outside the sandbox, not only can it still spy on that disk, it can also copy the email addresses from your address book and then have malware and spam sent to those addresses.

So AV which detects the malware and removes it is still necessary. Unless we make absolutely sure we never open any of those attachments.
But it seems that some malware can even be installed directly by just opening and reading the email without the need for an attachment:

"What about getting a virus through e-mail?

It is now possible to get a virus just by reading a plain-text e-mail message. This is a property of the KAK Worm virus.":

http://www.querycat.com/question/4a76a9 ... 8b394c221d
AV is not needed. To open attachments, I always download the attached file and then view/open this attached file in a separate sandbox (via a sandboxed explorer window). Within this sandbox, nothing can connect to the internet. Once I'm done with the file, the sandbox is emptied. If I don't need to keep the file, I delete the file with a batch command. This means I never have to view the REAL file in a REAL window. This would prevent exploits that are triggered without the need to open the file:
http://blog.didierstevens.com/2009/03/0 ... gger-trio/

If I want to keep the file, I would then e.g. upload it to virustotal and/or look for a valid digital signature/verify checksums to check if it was clean. I generally would not rely on just one AV's opinion.

Of course, to keep it simple, you can just view the e-mail or attachment within a sandbox that has start/run/internet access restrictions. This means that any payload triggered would be unable to initiate and cause harm.

By the way, the KAK Worm virus would need access to the REAL system to cause any damage:
http://support.microsoft.com/kb/262165
This worm appends itself to the end of legitimate outgoing e-mail messages as a signature, and then it enters your computer through a hole in Outlook Express e-mail security, Scriptlet.Typelib. When you receive an infected e-mail message, the worm, Kak.hta, automatically copies itself to a startup folder on your computer if you are using either the French-language or English-language versions of a Microsoft Windows operating system. The Kak.hta file is copied to your computer without your knowledge because you do not have to open an attachment for it to run; if you simply receive and then read the e-mail message, the worm is copied to your computer.

Files with the .hta file extension are run by Microsoft Internet Explorer and Netscape Navigator. You must restart your computer for this file to run. After the worm runs, it modifies the following registry key in order to add its own signature file, the infected Kak.hta file
HKEY_CURRENT_USER\Identities\Identity\Software\Microsoft\Outlook\Express\5.0\Signatures
where Identity is the name of your identity. When the worm modifies the registry key, all outgoing e-mail messages are appended with the worm. In addition, the following registry key is added to your computer that causes the worm to run each time that you restart your computer:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu
On the first day of the month, at 5:00 P.M., you receive the following message and Windows is sent the command to shut down:
Kagou-Anti-Kro$oft says not today!
In fact, I think most stand-alone AVs (all?) would be unable to detect such a virus or exploit, particularly in the "zero-day" setting. On the other hand, using Sandboxie would stop this exploit cold, even with default settings.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

Lode
Posts: 136
Joined: Wed Oct 10, 2007 6:08 pm

Post by Lode » Tue Dec 06, 2011 5:25 am

Thank you.
Good to know that the mentioned direct only-reading email malware cannot do anything in and from the sandbox.

I never open attachments from unknown sources. But I still think that if I did -by mistake- it could still spy and copy stuff from my hard disk outside the sandbox. And possibly copy the content of my email address book, and then bug those people. Even though I always run my Opera email program sandboxed.

Your method I'm sure is very effective, but frankly too complicated and too much work for me. As I think it would be for the large majority. Not everyone who utilizes Sandboxie is a nerd. Many of us are just home users who are happy to know the bare basics of using a pc and the Internet, as I am.

I've been protected many times by Sandboxie from drive-by malware when surfing -which I do sandboxed by default- since I got the lifetime license in 2005, and I'm grateful Tzuk developed it.

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am

Post by ssj100 » Tue Dec 06, 2011 1:23 pm

Lode wrote:I never open attachments from unknown sources. But I still think that if I did -by mistake- it could still spy and copy stuff from my hard disk outside the sandbox. And possibly copy the content of my email address book, and then bug those people. Even though I always run my Opera email program sandboxed.
So the question is what stuff on your hard-drive needs to be protected from being spied on? Once you work this out, you can utilise Sandboxie's Blocked Access function:
http://www.sandboxie.com/index.php?Reso ... tings#file

For example, if you're worried about files in "My Documents" being spied on, you can add this folder to the Blocked Access list. This means that programs running in the sandbox would be unable to access this folder, so you won't need to worry about stuff being copied from your hard-drive.

I'm not sure about copying the contents of your e-mail address book. Presumably you're talking about e-mail clients - I don't use them and I never have, so I don't have much experience with this.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

Lode
Posts: 136
Joined: Wed Oct 10, 2007 6:08 pm

Post by Lode » Tue Dec 06, 2011 4:51 pm

I see. Thanks again.

I'm not worried about someone spying or even copying anything from my notebook. I wrote that more in the general interest for people who do have important data they want to keep confidential. I don't have that. But for business people -for example- that might be important.

But now the issue of malware in the sandboxed email client being capable of doing its thing or not is still in the air.
Again, because in general I never open attachments from sources unknown to me, the chances that my email address book would be copied seem nil to me. But I might open an attachment by mistake. And also for others it might be good to know how that is, in light of it being safer to have AV or not.

Otherwise I don't understand why Tzuk advises to use AV as well as Sandboxie. For you and others who know much more than I about Sandboxie etc. that might not be an issue, but for those of us who, like myself, don't have your knowledge, it might be.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Dec 07, 2011 6:17 am

I think I answer that question here,

http://www.sandboxie.com/index.php?FAQ_Virus
tzuk

Lode
Posts: 136
Joined: Wed Oct 10, 2007 6:08 pm

Post by Lode » Wed Dec 07, 2011 3:48 pm

Thank you Tzuk.

So do I understand it well that the following you wrote there means that indeed malware that copies our email address book can send those addresses to the source of the malware, and via that source -or directly from our email client- pass on the malware to those email addresses, even though our email client is operating sandboxed? Reason the use of an Anti-Virus program is strongly advisable? Because without it we might never even discover that this is happening in your sandboxed email client? And that it might continue to happen until either we -or the AV- delete those emails/malware attachments from the sandboxed email client?

"Q. Should I use Sandboxie instead of anti-virus software?
A. No. Sandboxie can prevent a virus in the sandbox from escaping into your real computer. However, common sense dictates that it is preferable to prevent the virus from running in the first place. Therefore it is a good idea to use anti-virus software to prevent known threats, while relying on Sandboxie to be your first line of defense against threats that are not yet known to the anti-virus."

D1G1T@L
Posts: 577
Joined: Sun Apr 17, 2011 7:40 pm
Location: DefaultBox

Post by D1G1T@L » Wed Dec 07, 2011 5:55 pm

So do I understand it well that the following you wrote there means that indeed malware that copies our email address book can send those addresses to the source of the malware, and via that source -or directly from our email client- pass on the malware to those email addresses, even though our email client is operating sandboxed?
You are misunderstanding. The statement was meant as a disclaimer for the (very) off chance that something escapes or does something undesired with default settings.

You could accomplish more with Sandboxie's anti-execution capabilities, since it uses whitelisting, i.e. only programs that you know and trust that reside on the actual OS are allowed to run. This is more efficient and much more practical than the AV blacklist approach, where the exe in question is compared to a database containing hundreds of thousands (probably millions by now) of signatures of known malware. Using the Internet access restrictions provided in the sandbox settings enables you to block any unknown programs from sending out your confidential info. You also have ClosedFilePath to block sandboxed programs from reading certain folders, which you'd use to isolate your email/Outlook folder. But in that case, be sure to create the exception for Outlook's processes if you're running them in that specific sandbox.

The above blanket precautions do much more in stopping any and all potentially malicious activity. While an AV can warn you, it's noisier and less accurate compared to the former strategy. Depending on your personal knowledge and expertise, leave your AV as on-demand and add the desired restrictions for the sandboxes in question. Your PC will be much safer and lighter. :)
One Program to rule them all, One Program to confine them, One Program to wrest them all and in the sandbox bind them.
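The Blocked Access, Internet access restriction and per-program exception settings that ssj100 and D1G1T@L describe in the two posts above, written out as a Sandboxie.ini fragment. This is an added example, not from either poster and not copied from Sandboxie's documentation. The sandbox names (MailBox, AttachBox), the mail client process name (opera.exe), the profile path (C:\Users\Lode) and the location of the Opera mail store are all assumptions; substitute your own. The Start/Run whitelist D1G1T@L mentions is set from the Sandbox Settings dialog and is left out of the fragment.

```ini
; Added example (not from the thread or the Sandboxie docs): two sandboxes,
; one for the mail client and one for opening downloaded attachments.
; Assumed names: MailBox, AttachBox, opera.exe, C:\Users\Lode and the
; Opera mail store path below.

; --- sandbox the mail client runs in -----------------------------------------
[MailBox]
Enabled=y

; Blocked Access: nothing running in this box, the mail client included,
; can read or write the documents folder, so a payload cannot copy it out.
ClosedFilePath=C:\Users\Lode\Documents

; The mail store is reachable only by the mail client itself. The leading
; "!" means "every program except this one", which is the exception for
; the client's own processes the post above warns you to create. Any other
; program started in the box (a dropped payload, a script host) is denied.
ClosedFilePath=!opera.exe,C:\Users\Lode\AppData\Roaming\Opera\Opera\mail

; Internet Access Restriction: \Device\Afd is the Windows socket device.
; Closing it for every program except opera.exe is how Sandboxie implements
; "only these programs may use the internet", so an address-book harvester
; that runs as its own process cannot send anything.
ClosedFilePath=!opera.exe,\Device\Afd*

; --- separate sandbox for opening saved attachments --------------------------
[AttachBox]
Enabled=y

; No program in this box may touch the network at all.
ClosedFilePath=\Device\Afd*

; And nothing in it can read the mail store or the documents folder.
ClosedFilePath=C:\Users\Lode\Documents
ClosedFilePath=C:\Users\Lode\AppData\Roaming\Opera\Opera\mail

; Empty the box automatically when the last program in it exits, which is
; the "sandbox is emptied once I'm done" step from ssj100's procedure.
AutoDelete=y
```

Two caveats a practitioner should keep in mind. First, ClosedFilePath exceptions are keyed on the process name, so they do nothing against code that runs inside opera.exe itself (a malformed message that exploits the mail client); that is the reason for the second, fully network-blocked box for attachments rather than relying on the exception alone. Second, closing the documents folder in MailBox also stops the mail client from saving attachments there, so save them to a folder the box is allowed to write and open them from AttachBox.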

Lode
Posts: 136
Joined: Wed Oct 10, 2007 6:08 pm

Post by Lode » Thu Dec 08, 2011 8:09 am

Thank you for explaining.

I still get the impression that -unless one configures Sandboxie as you suggest- malware in the sandboxed mail client can still do what I described: copying the addresses from the email address book, and then bug those addresses. Is that understood correctly?

D1G1T@L
Posts: 577
Joined: Sun Apr 17, 2011 7:40 pm
Location: DefaultBox

Post by D1G1T@L » Thu Dec 08, 2011 10:24 am

Yes, in theory it could, as a keylogger would. But then I don't store anything important on my PC and I use webmail; I also delete sandboxes immediately after sailing into the abyss, so problem solved. You seem like a Sandboxie old-timer; configuring it should be easy if you dedicate a few minutes of your time reading about the settings here and here. We can help you set it up right.
One Program to rule them all, One Program to confine them, One Program to wrest them all and in the sandbox bind them.
