Sandboxie does not terminate a malware


123456
Posts: 15
Joined: Thu Jan 06, 2011 11:24 am

Sandboxie does not terminate a malware

Post by 123456 » Sun Sep 18, 2016 6:39 am


Mr.X
Posts: 583
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: Sandboxie fails to stop malware

Post by Mr.X » Sun Sep 18, 2016 3:42 pm

What exactly do you mean by fails to stop malware?
That SBIE couldn't stop/terminate the program or prevent it from executing in the first place?
Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

123456
Posts: 15
Joined: Thu Jan 06, 2011 11:24 am

Re: Sandboxie fails to stop malware

Post by 123456 » Wed Sep 21, 2016 5:31 am

Mr.X wrote:What exactly do you mean by fails to stop malware?
That SBIE couldn't stop/terminate the program or prevent it from executing in the first place?
That SBIE couldn't terminate the program.

problem
Posts: 3
Joined: Tue Sep 20, 2016 9:51 pm

Re: Sandboxie fails to stop malware

Post by problem » Wed Sep 21, 2016 3:33 pm

Does the process manage to violate the boundaries of the sandbox or just set itself up that sandboxie has trouble with process persistence and kill permissions? If it's the former, logging out should and restarting the computer would kill it. If it's a sandbox boundary violation, it's a real problem.

Bellzemos
Posts: 863
Joined: Wed Feb 17, 2010 2:08 pm

Re: Sandboxie fails to stop malware

Post by Bellzemos » Wed Sep 21, 2016 5:34 pm

I think that something like that once happened to me. But nothing "ventured out of the sandbox". So it's all good.

Mr.X
Posts: 583
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: Sandboxie fails to stop malware

Post by Mr.X » Wed Sep 21, 2016 10:19 pm

problem wrote:Does the process manage to violate the boundaries of the sandbox or just set itself up that sandboxie has trouble with process persistence and kill permissions? If it's the former, logging out should and restarting the computer would kill it. If it's a sandbox boundary violation, it's a real problem.
No, this is not about a sandbox escape whatsoever. OP is talking about Sandboxie not terminating the process itself. Sometimes this has happened to me even with goodware.

problem
Posts: 3
Joined: Tue Sep 20, 2016 9:51 pm

Re: Sandboxie fails to stop malware

Post by problem » Wed Sep 21, 2016 10:59 pm

Mr.X wrote:
problem wrote:Does the process manage to violate the boundaries of the sandbox or just set itself up that sandboxie has trouble with process persistence and kill permissions? If it's the former, logging out should and restarting the computer would kill it. If it's a sandbox boundary violation, it's a real problem.
No, this is not about a sandbox escape whatsoever. OP is talking about Sandboxie not terminating the process itself. Sometimes this has happened to me even with goodware.
Wondering if a "kill process tree" in Windows Task Manager on the process or on Sandboxie itself would terminate it.

Curt@invincea
Sandboxie Lead Developer
Posts: 1638
Joined: Fri Jan 17, 2014 5:21 pm

Re: Sandboxie fails to stop malware

Post by Curt@invincea » Thu Sep 22, 2016 11:14 am

It is possible to make a process that cannot be terminated: https://blogs.technet.microsoft.com/mar ... processes/

Skype.exe is an example of one that makes it very difficult to terminate.

https://www.google.com/webhp#q=error+te ... +is+denied

123456
Posts: 15
Joined: Thu Jan 06, 2011 11:24 am

Re: Sandboxie fails to stop malware

Post by 123456 » Thu Sep 22, 2016 4:01 pm

please fix... Sandboxie not terminating the process

Malware file:

h++p://updo.nl/file/da53177e.scr

Sandboxie User
Posts: 24
Joined: Thu Oct 29, 2015 12:39 am
Location: Australia m8

Re: Sandboxie fails to stop malware

Post by Sandboxie User » Fri Sep 23, 2016 4:09 am

Bellzemos wrote:I think that something like that once happened to me. But nothing "ventured out of the sandbox". So it's all good.
Interesting, I had a similar experience too (but for me, this program managed to escape Sandboxie), but with a game trainer that I didn't fully trust to run in normal Windows mode as it required admin privileges to start which I thought was strange for a trainer to do so - mind you this is the first trainer I've executed in my entire life of gaming! So I wasn't too sure whether that is the usual for game trainers to require admin privileges to work properly or not but I wanted to be safe so started it in sandbox) so started it up in sandbox mode and then started the game it was to be for in the same sandbox or else the trainer obviously will not work and then tried to do those commands the trainer allowed but then something happened (maybe it was supposed to happen from the game trainer's point of view? In which case the trainer I got is actually malware infected and not free from malware/virus as is touted by the download site I got it from.....) and then it crashed Sandboxie (SB), the game went down with it (because it was run under SB) but the trainer was still opened, however since Sandboxie crashed and is no longer in process, the trainer was now running in normal Windows mode with full admin privileges as I saw it with Process Explorer! I don't know how but it was now running unsandboxed with full admin privileges, yes I wanted to repeat that. :P

Here, you can check this place out for more information on what happened afterwards..... Thankfully nothing worse became of it (I guess all my proactive protection was doing their job properly....)...according to their malware expert............so I suppose that's a sigh of relief. :)

I've actually yet to receive further information on their analyses of said file.....I have a feeling they won't bother coming back to me on this.....though I will prod them a few more times and after which if I get no replies or keep hearing things like "Oh we'll get it to", "Please wait a bit longer, our team will be there to do this for you", "I will pass this onto the relevant departments", "I'll get back to you on that", "I'm sorry we're quite busy, perhaps wait a little longer?" etc, then I will assume they don't care because surely it doesn't take this long to analyse a file for me to see if it actually had any malware/virus intent on it or not.

Curt@invincea
Sandboxie Lead Developer
Posts: 1638
Joined: Fri Jan 17, 2014 5:21 pm

Re: Sandboxie does not terminate a malware

Post by Curt@invincea » Fri Sep 23, 2016 11:17 am

Sandboxie User, if you are going to write provocative things like, "this program managed to escape Sandboxie", you are going to need to provide proof. Do you have a repro?

Mr.X
Posts: 583
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: Sandboxie does not terminate a malware

Post by Mr.X » Fri Sep 23, 2016 2:06 pm

@Sandboxie User
I agree with Curt. And maybe this sounds rude but I don't believe you. I don't think there was a sandbox escape at all... Until you prove otherwise of course.
You have to give all details needed to replicate your scenario, then we'll talk.

123456
Posts: 15
Joined: Thu Jan 06, 2011 11:24 am

Re: Sandboxie does not terminate a malware

Post by 123456 » Thu Oct 20, 2016 7:01 am

Why Can't You fix this issue?

Sandboxie User
Posts: 24
Joined: Thu Oct 29, 2015 12:39 am
Location: Australia m8

Re: Sandboxie does not terminate a malware

Post by Sandboxie User » Wed Oct 26, 2016 4:51 pm

Curt@invincea wrote:Sandboxie User, if you are going to write provocative things like, "this program managed to escape Sandboxie", you are going to need to provide proof. Do you have a repro?
Mr.X wrote:@Sandboxie User
I agree with Curt. And maybe this sounds rude but I don't believe you. I don't think there was a sandbox escape at all... Until you prove otherwise of course.
You have to give all details needed to replicate your scenario, then we'll talk.
Ok, I'm sorry, it does sound a bit rude and provocative now that I'm in calm state, heh. :? I was just frustrated at the time and I guess I took it out on you guys. :oops:

Ok so if it *didn't* escape seeing how you two seem to tout that *nothing* ever escapes (without proof but I don't have proof as I didn't tape it at the time as I was obviously not expecting such an event to take place - I've since tried to replicate it and hasn't happened so I guess it must have been a one off issue :( And no I wasn't dreaming this up either as if you two have followed through that Spybot forums thread, that exists and this was triggered by this event I had - albeit maybe a week or two late :mrgreen: :wink: :lol: :P), how come there was no Yellow border around the window (yes I always have this on so I know which windows are sandboxed and which aren't and that I also know that Sandboxie is working) and that the process was not under Sandboxie when I had checked via Process Explorer when Sandboxie crashed, at the time? Explain that. Perhaps a reasonable explanation might soothe my dying curiosity about this.
123456 wrote:Why Can't You fix this issue?
Maybe because it can't be fixed as according to the information link provided, it's basically a process that can't be stopped even in normal windows mode? So if you can't stop that, how do you stop it in Sandboxie? Unless they can somehow whip up a special command of some sort that can kill *anything*, whether being these unkillable processes or normal processes that can be easily killed, then I guess they can't?

123456
Posts: 15
Joined: Thu Jan 06, 2011 11:24 am

Re: Sandboxie does not terminate a malware

Post by 123456 » Thu Oct 27, 2016 9:55 am

Sandboxie User wrote:
123456 wrote:Why Can't You fix this issue?
Maybe because it can't be fixed as according to the information link provided, it's basically a process that can't be stopped even in normal windows mode? So if you can't stop that, how do you stop it in Sandboxie? Unless they can somehow whip up a special command of some sort that can kill *anything*, whether being these unkillable processes or normal processes that can be easily killed, then I guess they can't?
No, I can't terminate in normal Windows mode. I can terminate with PCHunter
http://www.softpedia.com/get/Security/S ... nter.shtml
