[REQUEST YOUR THOUGHTS]|Ransomware & SBIE

cj716
Posts: 102
Joined: Tue Apr 06, 2010 8:21 am

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by cj716 » Mon Apr 04, 2016 5:36 pm

bo.elam wrote:
cj716 wrote:The last 2 were rar files containing powershell scripts that downloaded Locky. Only one single engine on VT caught it on the day I got it. A week later there were 30.
Hi Chris. I force WinRar. When I run a RAR file, it runs in its own dedicated sandbox where no program is allowed access to the internet. I have Drop rights ticked and only WinRar.exe can run. Then I recover the file to my Downloads folder, which is forced. And then eventually, if I decide to keep the file and move it elsewhere in the PC, when it runs, it will run sandboxed via forced programs or forced folders. For most files, it is rare when I run something unsandboxed and usually, most files run sandboxed for as long as they remain in my computers. I do a lot of what you do, as described in your post.

Bo
Hello Bo, as always a sensible approach and one I adopt also. SBIE killed these dead, i.e. no Locky download because of no internet access, and even if it did download it would have been trapped with no access to critical, sensitive or important personal and system files. I only know what the payload was because I'm running another product through its paces and wanted to see how it reacted, so I ran unsandboxed (but in Shadow Mode).

Any product relying solely on signatures at the stage I got these would have been powerless to prevent a nasty ransomware infection. Taking precautions and running internet-facing apps, files you get from the internet or USBs etc., and running applications known to be susceptible to exploits etc. under SBIE protection with sensible settings like yours is a very effective way of preventing infection, as you know. Also, like you, even known safe files I run sandboxed as a matter of course.

Should have pointed out in my post I also use forced folders extensively, including forcing removable drives etc. with similar success. Another reason to add SBIE to your set-up.

Cheers
Chris

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by bo.elam » Mon Apr 04, 2016 6:35 pm

Chris, when I read your first post in this thread, you pretty much described what I do. :D
cj716 wrote:Taking precautions and running internet-facing apps, files you get from the internet or USBs etc., and running applications known to be susceptible to exploits etc. under SBIE protection with sensible settings like yours is a very effective way of preventing infection, as you know. Also, like you, even known safe files I run sandboxed as a matter of course.
Oh yes, taking precautions is huge. Let me give you an example. A few days ago I started experiencing problems with my old XP. Changing the power supply unit fixed the issue. I can't do that kind of work, so I got me a technician to come home and figure out what the problem was. He did, and came on Sunday to change the PSU, and the XP is working great again.

But the day he came over to check the PC and diagnose what the issue was, he took everything apart and after putting the computer back together, I said let me get a flash drive to check the USB drive is working OK, and he said, here I got one. And immediately I said No, wait, let me get mine.

And guess what, when I introduced the flash drive, it did not run sandboxed even though I force my USB drives. The reason being that when he assembled the computer back together, a different letter got assigned to my USB drives than the ones I had as Forced. I am glad I didn't test with his flash drive, cause he being a technician going to different people's houses, all of his flash drives are probably infected.

So, with or without Sandboxie, we have to take precautions. And I am glad I did that day.

Anyway, I sandbox as much as I can, that's my formula. If a file or program can run sandboxed, I run it sandboxed. Why not do it? For me personally, programs pretty much feel the same running sandboxed as unsandboxed. No inconvenience and by doing it I am as safe as I can be.

Good to see you, my friend. Don't get lost.

Bo

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Craig@Invincea » Mon Apr 04, 2016 9:30 pm

But the day he came over to check the PC and diagnose what the issue was, he took everything apart and after putting the computer back together, I said let me get a flash drive to check the USB drive is working OK, and he said, here I got one. And immediately I said No, wait, let me get mine.
Glad you caught that. Yep, Drive assignments would change in that scenario.

At my previous job, we used to randomly drop very nice 32/64 GB USB thumb drives in the bldg and in the parking lot to test if they would show up on our network. They would. And we'd go talk to the user and inform them of XYZ and why this is frowned upon. We'd then killdisk the USB stick of our software and give it to the user as a gift and a reminder.

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Syrinx » Mon Apr 04, 2016 11:37 pm

Sadly most of what I would have to say will not be relevant for 'ransomware' [encrypting files and holding them for ransom] as it currently exists. I have yet to find a scenario where sandboxie fails vs ransomware (you have no idea how happy I am for that, ransomware is the scariest thing I've encountered in a long while)
I do think that there are points where sandboxie already excels but could be improved upon but these points would not be vs ransomware, instead they involve harvesting of data which is pretty dangerous on its own. Sandboxie has already made great strides in allowing users to protect themselves via closed 'FILE' paths but it's missed a major (to be fair just about every other security app has as well) front by allowing the applications under its protections to read [eg harvest data] outside of the sandbox. While the changes made in a sandbox might not persist to the system, there is currently nothing stopping them from collecting data from the memory of other programs that are currently running outside.

On an entirely different note, (as stated before by others) it would be a great idea to add an option in the SBIE Control menu that lets users more easily control the run restrictions. eg, without (the requirement of) adding specific rules.
You could instead make use of options that would allow a user set a heightened security level on demand [eg anything that is not currently running in the box or on the list prior to the point where the rule is set / and the user accesses a 'potentially shady' site and using such an option] (then again we should allow for the opposite scenario where things are temporarily allowed even if they are not on the <StartRunAccess> list for a certain box) amounting to a block most/allow most policy at will.

Sure, I haven't thought through each potential situation, but as it would be at the discretion of each user anyhow, using said options should not be much worse than making use of open file/pipe paths on a permanent basis [aside from potential confusion by a user]. Sandboxie is so close to being much more than it is 'currently' marketed as; a few tweaks here and there and it WILL be a great tool vs other types of infection...

I'm sure I have failed to get my intent across (despite multiple edits) but I understand that my points, [made as slyly as they were (or not :P) ] won't be considered as relevant. UNTIL...it's too late.
Last edited by Syrinx on Tue Apr 05, 2016 12:14 am, edited 6 times in total.
Goo.gl/p8qFCf

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by bo.elam » Mon Apr 04, 2016 11:40 pm

Craig@Invincea wrote: Glad you caught that.
That was done by pure instinct. I just don't plug in flash drives from anybody else; it's rare if I do it.

Bo

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by bo.elam » Mon Apr 04, 2016 11:52 pm

Syrinx wrote: On an entirely different note, (as stated before by others) it would be a great idea to add an option in the SBIE Control menu that lets users more easily control the run restrictions. eg, without (the requirement of) adding specific rules.
You could instead make use of options that would let a user set an increased security level on demand [eg anything not currently running in the box or on the list prior to the point where they access a potentially shady site and set such an option] (and again with the opposite where things are temporarily allowed even if they are not on the <StartRunAccess> list for a certain box) amounting to a block most/allow most policy at will.
Hi Syrinx. You can sort of do what you like by using a few dedicated sandboxes for the same program. I do that for Firefox, my everyday browser; I constantly use 6 different sandboxes with totally different restrictions in each, set for different purposes. Probably every day, I use at least 4 of them.

Bo

Der Moloch
Posts: 82
Joined: Sun Jun 23, 2013 11:22 am

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Der Moloch » Tue Apr 05, 2016 4:34 am

Sandboxie is already 100% against ransomware in its default state, there are no additional restrictions necessary (internet access, start/run, etc). Of course I understand that ransomware is the threat which gathers the most media attention and, when you are selling protection, this is the way to go. The aforementioned additional restrictions can indeed be very important, but rather against stopping a keylogger or banking trojan from starting in your browser sandbox.
One hour of FleischmannTV saves one square kilometre of precious pebble wasteland.

cj716
Posts: 102
Joined: Tue Apr 06, 2010 8:21 am

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by cj716 » Tue Apr 05, 2016 8:17 am

Der Moloch wrote:Sandboxie is already 100% against ransomware in its default state, there are no additional restrictions necessary (internet access, start/run, etc). Of course I understand that ransomware is the threat which gathers the most media attention and, when you are selling protection, this is the way to go. The aforementioned additional restrictions can indeed be very important, but rather against stopping a keylogger or banking trojan from starting in your browser sandbox.
You're right of course, and if this is about how to market SBIE's wares then promoting the efficacy of the default config is the way to go. I've got so used to tweaking over the years I sometimes forget :wink: .

The other things like file restrictions and start/run can be very useful in preventing ransomware in a non-default scenario though. If you have a situation where for convenience or necessity you have allowed direct access, for example, then you may want to restrict what has that direct access and/or what runs in the sandbox. I have done lots of weird and wonderful things over the years, and the granularity of the product has allowed me to retain the security I need in what others would consider a very open set-up. It needs more consideration and probably more familiarity with the product's feature set, but it can be done.

I'm not suggesting this is a good idea and I appreciate for this scenario to play out there are a number of other factors involved like allowing macros among other things but say you want to allow your sandboxed office applications to write directly to your documents without the need to recover them. You therefore set a direct access link to your documents. If in that scenario you were to somehow acquire a booby trapped Word document that downloads and runs ransomware then allowing direct access from your office sandbox also allows direct access to the malware potentially leading to encryption of your documents. However you can retain the convenience of direct access for your office apps while preventing anything malicious they may contain by employing start/run restrictions or preventing anything other than your office apps seeing or writing to the documents folder.

Whether you're happy with the default set-up or a confirmed tweaker like me SBIE can protect you from ransomware. Win Win.

Cheers
Chris

Bellzemos
Posts: 863
Joined: Wed Feb 17, 2010 2:08 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Bellzemos » Tue Apr 05, 2016 11:27 am

bo.elam wrote: And guess what, when I introduced the flash drive, it did not run sandboxed even though I force my USB drives. The reason being that when he assembled the computer back together, a different letter got assigned to my USB drives than the ones I had as Forced. I am glad I didn't test with his flash drive cause he being a technician going to different peoples houses, all of his flash drives are probably infected.
Hello Bo (and others), I always set to force more than the actual drives that are in use (I set A and B even though I don't have floppy drives, I leave C root unsandboxed of course, D is not sandboxed since it's my second partition, and then I sandbox E which is an optical drive, F which is a fake optical drive - Daemon Tools, and then G which is used when I connect an external HDD or a USB, but then I also add H and I - exactly for that purpose, if something new comes in). And I have never ever had a problem.

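Bo's re-lettered USB drive and Bellzemos's habit of forcing spare letters, together with Chris's point about program-specific direct access, are the kind of thing a quick config check can catch before it bites. The script below is an added example for this thread, not part of any post and not Sandboxie's own tooling. It parses a constructed Sandboxie.ini fragment (the key names ForceFolder, ForceProcess and OpenFilePath are Sandboxie's; the box names, paths and the list of mounted drive letters are made up for the demo) and reports mounted drives that nothing forces, the next spare letters worth forcing, and OpenFilePath lines with no program qualifier. On a real machine you would read your own Sandboxie.ini and feed in the drive letters from `Get-PSDrive -PSProvider FileSystem` (an assumption about how you gather them; the script itself takes a plain list).

```python
# Added example (not Sandboxie's code, not from this thread): a small checker for
# the forced-drive and direct-access gaps discussed above. Key names ForceFolder,
# ForceProcess and OpenFilePath are Sandboxie.ini's; box names, paths and the
# drive-letter list are constructed for the demo.
import string

# Constructed Sandboxie.ini fragment. E:, F: and G: are forced, Bellzemos-style.
SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%

[DefaultBox]
Enabled=y
ForceProcess=WinRAR.exe
ForceFolder=%Personal%\Downloads
ForceFolder=E:\
ForceFolder=F:\
ForceFolder=G:\

[Office]
Enabled=y
ForceProcess=winword.exe
ForceProcess=excel.exe
OpenFilePath=winword.exe,%Personal%\*
OpenFilePath=excel.exe,%Personal%\*
OpenFilePath=%Personal%\Scratch\*
"""

# Constructed: drive letters as they might look after the technician's rebuild,
# with the USB stick now landing on H: instead of the forced G:.
MOUNTED_AFTER_REBUILD = ["C", "D", "E", "F", "H"]


def parse_sandboxie_ini(text):
    """Return {section: [(key, value), ...]}, keeping order and repeated keys.

    configparser is unsuitable because Sandboxie.ini repeats keys such as
    ForceFolder many times inside one box section.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def forced_drive_letters(sections):
    """Letters whose root is a ForceFolder in any box (a subfolder does not count)."""
    letters = set()
    for name, entries in sections.items():
        if name == "GlobalSettings":
            continue
        for key, value in entries:
            if key.lower() != "forcefolder" or len(value) < 2:
                continue
            if value[0].isalpha() and value[1] == ":" and value[2:].strip("\\") == "":
                letters.add(value[0].upper())
    return letters


def unforced_drives(mounted, sections, allowed=("C",)):
    """Mounted letters that nothing forces: the gap Bo hit after the rebuild."""
    forced = forced_drive_letters(sections)
    return sorted(l.upper() for l in mounted
                  if l.upper() not in forced and l.upper() not in allowed)


def spare_letters_to_force(mounted, sections, count=2, allowed=("C",)):
    """Bellzemos's trick: the next unused letters, to add as ForceFolder roots."""
    used = ({l.upper() for l in mounted} | forced_drive_letters(sections)
            | {l.upper() for l in allowed})
    spare = [l for l in string.ascii_uppercase if l >= "D" and l not in used]
    return spare[:count]


def unqualified_open_paths(sections):
    r"""OpenFilePath lines with no 'program.exe,' prefix.

    Such a line gives every process in the box direct access to the path, so a
    payload dropped by a booby-trapped document can write there too. Chris's
    mitigation is the qualified form, e.g. OpenFilePath=winword.exe,%Personal%\*
    """
    findings = []
    for name, entries in sections.items():
        for key, value in entries:
            if key.lower() == "openfilepath" and "," not in value:
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    cfg = parse_sandboxie_ini(SAMPLE_INI)
    print("forced drives:", sorted(forced_drive_letters(cfg)))
    print("mounted but not forced:", unforced_drives(MOUNTED_AFTER_REBUILD, cfg, allowed=("C", "D")))
    print("spare letters worth forcing:", spare_letters_to_force(MOUNTED_AFTER_REBUILD, cfg))
    for box, path in unqualified_open_paths(cfg):
        print(f"[{box}] OpenFilePath={path} is open to every program in the box")
```

With the constructed input the checker flags H: as mounted but unforced, suggests I: and J: as spare letters to force, and flags the unqualified `%Personal%\Scratch\*` open path in the Office box. The drive-root test deliberately ignores ForceFolder entries like `%Personal%\Downloads`, since forcing a folder does not force the drive it sits on.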

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by bo.elam » Tue Apr 05, 2016 12:13 pm

Hi Bell, you really don't need to force the folders for programs you want to force. For programs, all you need to do is force the exe via Forced Programs. I've seen lately some people forcing folders to force a program, but that's not really the way it's supposed to be.

Bo

Bellzemos
Posts: 863
Joined: Wed Feb 17, 2010 2:08 pm

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Bellzemos » Tue Apr 05, 2016 1:20 pm

It's a lazy way (I find it faster, or I simply got used to sandboxing a program folder rather than its executable) but it works.

kawaiiwolf
Posts: 21
Joined: Mon Jun 29, 2015 10:36 am

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by kawaiiwolf » Tue Apr 05, 2016 3:53 pm

Trust no program:

- Do not use Metro style applications, as they cannot be sandboxed, hence they cannot be trusted
- Do not ever install software onto a bare system unless absolutely necessary, this includes
  • Antivirus
  • Sandboxie
  • virtualization (In my case, vmware player)
- Install each piece of software into its own sandbox. If it cannot go into a sandbox due to driver issues, it goes in a virtual machine
- Use forced folders to protect everything else, to make sure something errant isn't being run outside a sandbox.
- Don't use your own computer using an account with administrative access. Create an admin user for that, you'll be prompted for those credentials anytime you need to install something


If after doing that you still somehow get ransomware, blow out the sandbox with the application containing it and start anew with a fresh copy of said sandbox and any saved configuration or, in the worst case, software that doesn't come packaged with ransomware/bloat.

Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Nix » Thu Apr 07, 2016 7:08 am

*Really don't have to do anything; the default will work just fine against ransomware;
*Browsers are always sandboxed; the download folder and other drives are force-sandboxed;
*Files are always (except .dwg) launched sandboxed; if my other protection blinks, it's just a matter of deleting the sandbox;
*As much as possible, always install/test programs in the sandbox.

Sandboxie protection against ransomware can't be denied even w/ Petya; I always suggest Sandboxie as the first line of defense in other forums.
Regards,
Nix

Win7 Ultimate (x64)


Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by Craig@Invincea » Thu Apr 07, 2016 11:17 am

Nix wrote:*Really don't have to do anything; the default will work just fine against ransomware;
*Browsers are always sandboxed; the download folder and other drives are force-sandboxed;
*Files are always (except .dwg) launched sandboxed; if my other protection blinks, it's just a matter of deleting the sandbox;
*As much as possible, always install/test programs in the sandbox.

Sandboxie protection against ransomware can't be denied even w/ Petya; I always suggest Sandboxie as the first line of defense in other forums.
Awesome. Thanks for the feedback...this goes for everyone.

UPieper
Posts: 61
Joined: Sun Dec 16, 2007 7:07 am

Re: [REQUEST YOUR ASSISTANCE]|Ransomware & SBIE

Post by UPieper » Sun Apr 10, 2016 5:23 am

@bo
There's a tool called USBDLM which can be configured to always give the same drive letter to specific USB drives (eg. by volume label).

http://www.uwe-sieber.de/usbdlm_e.html#config
