What things can a malware do if it is running in sandboxie?

genrohax
Posts: 3
Joined: Wed Jul 31, 2013 7:33 am

Post by genrohax » Wed Jul 31, 2013 8:45 am

I understand that Sandboxie prevents the sandboxed programs from writing and modifying files outside the Sandboxie folder. However, let's say I'm browsing with my sandboxed web browser and I go to a website which contains an exploit which then launches a virus on my computer. If the virus is a keylogger, wouldn't it be possible that it logs everything that I type and sends it back home? If it works the way I imagined, then it doesn't need to change or write anything to the drive and still works the way it should. Or are there any other bad things that malware can do even if it is running in Sandboxie?
Maybe I'm overly paranoid, however this was really bothering me.

Also, I have another question: Is it OK if I install my web browser (Chrome) directly in the sandbox? I did this so that I wouldn't have to worry about updating Chrome and addons outside of Sandboxie.

Thanks.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Wed Jul 31, 2013 10:19 am

http://www.sandboxie.com/index.php?Freq ... KeyLoggers

Using Start/Run Restrictions can allow you to decide which programs can start and run when sandboxed.
Don't try using this if the program you are running is installed inside of a sandbox, though.
Any program that is inside of the sandbox (or gets downloaded into the sandbox), and tries to run, will not be allowed to start.
Only programs whose .exe file is located outside of the sandbox will be allowed to use the sandbox (although there is a workaround that you might be able to apply, which could allow an .exe program that's installed inside of a sandbox to run).

Using Internet Restrictions can allow you to limit which programs can access the Internet, in the same way.
So if some program is downloaded into the sandbox and tries to access the Internet, you would have to OK that.

Installing a program inside of a sandbox is OK, but if the sandbox gets infected you will have to find a way to disinfect it, or delete the contents and reinstall the program and its extensions, change preferences, etc.
While the sandbox is set the way you want it, and before any malware can infect it, you can always make a backup of the sandbox folder and then restore it, later on.
Not the "C:\Sandbox" folder.
Some folder like "Chrome", located at C:\Sandbox\(user)\Chrome
This could become unwieldy though, since you will be updating Chrome as new versions are issued.

Maybe program a script file that you can run periodically to make a backup copy of the sandbox folder, and .ZIP it.
That way you can restore the latest archived backup copy of the sandbox, if necessary.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
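One way to script the periodic backup and restore described above (an added example, not code from the thread or from Sandboxie; the folder layout under a temporary directory, the archive folder name and the number of copies kept are assumed, and Python 3.9+ is required for Path.is_relative_to):

```python
import shutil
import tempfile
import zipfile
from datetime import datetime
from pathlib import Path

def list_backups(name, archive_dir):
    """Archives for one sandbox, newest first (timestamped names sort lexically)."""
    return sorted(Path(archive_dir).glob(f"{name}-*.zip"), reverse=True)

def backup_sandbox(sandbox_dir, archive_dir, keep=5):
    """Zip the sandbox folder into archive_dir and keep only the newest `keep` copies."""
    sandbox_dir, archive_dir = Path(sandbox_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    target = archive_dir / f"{sandbox_dir.name}-{stamp}.zip"
    with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(sandbox_dir.rglob("*")):
            if path.is_file():
                zf.write(path, path.relative_to(sandbox_dir).as_posix())
    for old in list_backups(sandbox_dir.name, archive_dir)[keep:]:
        old.unlink()
    return target

def restore_latest(sandbox_dir, archive_dir):
    """Discard the current (possibly infected) contents and unpack the newest archive."""
    sandbox_dir = Path(sandbox_dir)
    latest = list_backups(sandbox_dir.name, archive_dir)[0]
    shutil.rmtree(sandbox_dir, ignore_errors=True)
    with zipfile.ZipFile(latest) as zf:
        for member in zf.namelist():  # refuse entries that would land outside the sandbox folder
            if not (sandbox_dir / member).resolve().is_relative_to(sandbox_dir.resolve()):
                raise ValueError(f"unsafe archive entry: {member}")
        zf.extractall(sandbox_dir)
    return latest

def demo_round_trip(keep=2):
    """Constructed scenario: back up a clean sandbox, 'infect' it, restore, report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp) / "Sandbox" / "user" / "Chrome"  # stands in for C:\Sandbox\(user)\Chrome
        archive = Path(tmp) / "SandboxBackups"
        prefs = sandbox / "drive" / "c" / "Preferences"
        prefs.parent.mkdir(parents=True)
        prefs.write_text("clean")
        for _ in range(keep + 1):  # one more than `keep`, so the oldest archive gets pruned
            backup_sandbox(sandbox, archive, keep=keep)
        prefs.write_text("infected")
        (sandbox / "dropper.exe").write_bytes(b"MZ-constructed")
        restore_latest(sandbox, archive)
        return {"archives": len(list_backups("Chrome", archive)),
                "prefs": prefs.read_text(), "dropper_gone": not (sandbox / "dropper.exe").exists()}
```

Run the backup while nothing is active in that sandbox, so the archive is a consistent snapshot and no files are locked; take it before the sandbox has had a chance to get infected, as the post says.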

genrohax
Posts: 3
Joined: Wed Jul 31, 2013 7:33 am

Post by genrohax » Wed Jul 31, 2013 2:21 pm

Thanks for the answer, Guest10. Looks like limiting programs that can start in the sandbox or restricting internet access for programs in the sandbox is the best option for security. However, could you please share the workaround that can allow selected programs to be run in Sandboxie even if all programs launched from Sandboxie are blocked? This way I wouldn't have to worry about Chrome updating when unsandboxed.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Wed Jul 31, 2013 3:15 pm

genrohax wrote:
However, could you please share the workaround that can allow selected programs to be run in Sandboxie even if all programs launched from Sandboxie are blocked? This way I wouldn't have to worry about Chrome updating when unsandboxed.
I'm not sure that would work out well in the case of Chrome.
The workaround consists of creating a folder structure outside of the sandbox that corresponds to the folder structure that contains the .exe file inside of the sandbox.
Then the .exe file is moved from the sandbox, to the corresponding folder that's outside of the sandbox.
Then the .exe is "Run Sandboxed", either directly or using a shortcut that specifies the sandbox where the rest of its files are located.
Since the .exe file is now outside of the sandbox, the Start/Run or Internet Access restrictions would not affect it.

I don't know your OS version, and I'm not familiar with the internal sandbox folder structure for Vista/7, etc. (if you use those), but as somewhat of a guide:

If Chrome is inside the sandbox, at:
C:\Sandbox\(user)\Chrome\drive\c\user\current\AppData\local\Google\Chrome\Application\chrome.exe
then you would create a corresponding folder structure outside of the sandbox. Something like:
C:\Users\(user)\AppData\local\Google\Chrome\Application\
and move chrome.exe there.


In the case of Chrome, though, it seems like the chrome.exe program file would be changed whenever the program is updated. So, the chrome.exe file inside of the sandbox would reappear, and the chrome.exe file outside of the sandbox would not be updated. How would that work out?
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

genrohax
Posts: 3
Joined: Wed Jul 31, 2013 7:33 am

Post by genrohax » Thu Aug 01, 2013 10:15 pm

Guest10 wrote:
I'm not sure that would work out well in the case of Chrome.
The workaround consists of creating a folder structure outside of the sandbox that corresponds to the folder structure that contains the .exe file inside of the sandbox.
Then the .exe file is moved from the sandbox, to the corresponding folder that's outside of the sandbox.
Then the .exe is "Run Sandboxed", either directly or using a shortcut that specifies the sandbox where the rest of its files are located.
Since the .exe file is now outside of the sandbox, the Start/Run or Internet Access restrictions would not affect it.

I don't know your OS version, and I'm not familiar with the internal sandbox folder structure for Vista/7, etc. (if you use those), but as somewhat of a guide:

If Chrome is inside the sandbox, at:
C:\Sandbox\(user)\Chrome\drive\c\user\current\AppData\local\Google\Chrome\Application\chrome.exe
then you would create a corresponding folder structure outside of the sandbox. Something like:
C:\Users\(user)\AppData\local\Google\Chrome\Application\
and move chrome.exe there.


In the case of Chrome, though, it seems like the chrome.exe program file would be changed whenever the program is updated. So, the chrome.exe file inside of the sandbox would reappear, and the chrome.exe file outside of the sandbox would not be updated. How would that work out?

Thanks for this workaround. Most likely after an update I would have to move the updated chrome.exe from the sandbox to the non-sandbox location. I will try it out and see if that won't be too much of a pain.
