Wallbreaker

[Oneder]

Test No11 at the link below - WB(wallbrealer.exe) seems to be able to open internet explorer when only FF and Wallbreaker are sandboxed.

At wallbreakers execution SB throws up warnings - "SBIE could not disable Windows Explorer as desktop process: [22 / C0000022]" but IE still launches.

http://www.firewallleaktester.com/leaktest13.htm

IE opens sandboxed but may be a security hole there???

Still playing in a vm.

[tzuk]

IE opens sandboxed but may be a security hole there???

Au' contraire. I would say: IE opens sandboxed so obviously there is NO security hole here.

Wallbreaker is trying to start IE in an indirect way to fool Firewalls and HIPS so they don't "see" that IE has started. Obviously it isn't fooling Sandboxie.

Note please, I disabled my ForceProcess on IEXPLORE so I was sure that IEXPLORE wasn't sandboxed due to this. IE was sandboxed because WB used a sandboxed Windows Explorer to start Internet Explorer.

I wonder if Sandboxie 2.86 handles this test as well.

[MikeH]

tzuk:

I just ran Wallbreaker sandboxed with Version 2.86.

Test 1 brought up Sandboxie Explorer.

Test 2 brought up a sandboxed Internet Explorer. (I also had disabled my ForceProcess on IEXPLORE.)

Test 3 brought up Sandboxie Explorer.

Test 4 brought up a Wallbreaker box stating that a task has been scheduled at 21:37.

When I exited Wallbreaker, Sandboxie wanted to download VLKGLI.bat to my documents. The only screwy thing was that a box appeared asking me if I was sure you want to move the system file? Since this was not a system file I answered yes and downloaded it to my documents folder. I then ran VLKGLI.bat Sandboxed and it brought up Sandboxie Explorer.

Thus I think we can safely conclude that Sandboxie 2.86 handles the Wallbreaker test as well.

Regards,
Mike