The Anti-Sandboxie Rats use. Was this patched?

Posted: Thu Jun 15, 2017 12:09 pm
by ericprince811
Yes, I found some troubling information about RATs that can get around the sandbox with coding.
This link shows you can patch a server but not Sandboxie itself.
https://www.youtube.com/watch?v=vhBooSrRtnc

I am concerned with this considering I am seeing cmd.exe launch whenever Chrome is launched, and it is attached to Sandboxie. So, bottom line, has this issue been dealt with or are we still at risk?

Re: The Anti-Sandboxie Rats use. Was this patched?

Posted: Fri Jun 16, 2017 5:37 am
by RooJ
ericprince811 wrote:
Thu Jun 15, 2017 12:09 pm
Yes, I found some troubling information about RATs that can get around the sandbox with coding.
This link shows you can patch a server but not Sandboxie itself.
https://www.youtube.com/watch?v=vhBooSrRtnc

I am concerned with this considering I am seeing cmd.exe launch whenever Chrome is launched, and it is attached to Sandboxie. So, bottom line, has this issue been dealt with or are we still at risk?
The link seems to be showing someone modding the Sub7 RAT so that it (Sub7) doesn't detect Sandboxie (by changing the check for SbieDll.dll). It's not in any way getting around Sandboxie; Sandboxie is doing its job and protecting the system.

Malware often checks if it is being executed in a sandbox in order to avoid analysis by security researchers. In the video you provided, for instance, it's Sub7 that's stopping its own execution in the first example, not Sandboxie closing it. This is just showing how you can modify the Sub7 sandbox check in order to run the program in Sandboxie (presumably to analyse Sub7); Sandboxie will still sandbox the program.
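
A defender's triage check for the behaviour RooJ describes, added here as an example and not taken from the thread or from Sandboxie: it scans a binary for the SbieDll.dll name in both ASCII and UTF-16LE (the encoding Windows wide-string APIs use), which is the string a sandbox-aware sample looks for. The sample bytes below are constructed.

```python
# Added example (not from the thread or from Sandboxie): flag a binary that
# embeds the Sandboxie DLL name, the string a sandbox-aware sample checks for.
from typing import Dict, List

# The marker RooJ's post names. Wide-string Windows APIs take UTF-16LE, so a
# sample may carry the name in either encoding; both are searched.
SANDBOXIE_MARKERS = ["SbieDll.dll"]


def find_markers(data: bytes,
                 markers: List[str] = SANDBOXIE_MARKERS) -> Dict[str, List[int]]:
    """Return {marker: sorted byte offsets} for case-insensitive ASCII and
    UTF-16LE occurrences of each marker in data; absent markers are omitted."""
    # bytes.lower() only changes ASCII letters, so UTF-16LE text made of ASCII
    # characters (letter, 0x00, letter, 0x00, ...) is lowered correctly as well.
    lowered = data.lower()
    hits: Dict[str, List[int]] = {}
    for marker in markers:
        offsets: List[int] = []
        for encoding in ("ascii", "utf-16-le"):
            needle = marker.lower().encode(encoding)
            pos = lowered.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = lowered.find(needle, pos + 1)
        if offsets:
            hits[marker] = sorted(offsets)
    return hits


def is_sandbox_aware(data: bytes) -> bool:
    """True if any Sandboxie marker string is present in the blob."""
    return bool(find_markers(data))


# Constructed sample: a fake 8-byte header, the marker in upper-case ASCII at
# offset 8, a NUL terminator, then the marker as UTF-16LE at offset 20.
SAMPLE = (
    b"MZ" + b"\x00" * 6
    + b"SBIEDLL.DLL" + b"\x00"
    + "SbieDll.dll".encode("utf-16-le") + b"\x00\x00"
)
# Constructed benign blob carrying no marker.
BENIGN = b"MZ" + b"\x00" * 6 + b"hello world\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        verdict = "sandbox-aware" if is_sandbox_aware(blob) else "no marker"
        print(name, verdict, find_markers(blob))
```

Treat a hit as a reason to look closer in the analyst sandbox, not as proof of malice on its own, since legitimate Sandboxie-aware software references the same DLL.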

Re: The Anti-Sandboxie Rats use. Was this patched?

Posted: Fri Jun 16, 2017 5:45 pm
by ericprince811
But for this it shows that it was able to re-open itself after termination. If that is the case, can it re-write itself even after the contents are deleted?

Re: The Anti-Sandboxie Rats use. Was this patched?

Posted: Mon Jun 19, 2017 11:40 am
by Barb@Invincea
Hello ericprince811,

Once you delete the contents of the Sandbox, all the applications that were inside it will be gone from your system.

There is also a way to do a Secure Delete, you can find more info here:
https://www.sandboxie.com/index.php?SecureDeleteSandbox

Regards,
Barb.-

Re: The Anti-Sandboxie Rats use. Was this patched?

Posted: Mon Jun 19, 2017 2:54 pm
by RooJ
ericprince811 wrote:
Fri Jun 16, 2017 5:45 pm
But for this it shows that it was able to re-open itself after termination. If that is the case, can it re-write itself even after the contents are deleted?
No, it doesn't re-open itself after termination. Every time it starts, it is executed by the user who drags the exe into Sandboxie.

Re: The Anti-Sandboxie Rats use. Was this patched?

Posted: Sun Jul 30, 2017 10:02 am
by Dan_Br0673
Barb@Invincea wrote:
Mon Jun 19, 2017 11:40 am
Hello ericprince811,

Once you delete the contents of the Sandbox, all the applications that were inside it will be gone from your system.

There is also a way to do a Secure Delete, you can find more info here:
https://www.sandboxie.com/index.php?SecureDeleteSandbox

Regards,
Barb.-
I run my sandbox on a RAM drive, which should terminate everything once you shut down or restart the computer. I also set Sandboxie to "delete all contents at close".

Re: The Anti-Sandboxie Rats use. Was this patched?

Posted: Mon Jul 31, 2017 9:26 am
by henryg
Dan_Br0673 wrote:
Sun Jul 30, 2017 10:02 am
I run my sandbox on a RAM drive, which should terminate everything once you shut down or restart the computer. I also set Sandboxie to "delete all contents at close".
Me too, although I have auto-delete and non-delete sandboxes; until system close, of course, when everything disappears.