Hi Tzuk,
A few minutes ago a guy asked me if sbie could prevent the lnk virus.
For example,create an lnk file of c:\windows\regedit.exe in drive D,then force drive D run sandboxed,and run the lnk file see if the regedit.exe run sandboxed.
I tested as what he said, the result is-----regedit.exe run unsandboxed.
I know there are several kind of files that sbie won't force run sandboxed maybe because Tzuk thought these suffixes are not very dangerours,however the guy told me that he could create a lnk file with command to run tftp.exe(or cmd.exe something else) to download an infected usp10.dll(it's a famous virus),and the system will be infected when boot next time...
Well....he said this is just a simple example...this is vulnerable and could be fatal.
In a word....we all wish sbie could be better and better~
Can you add .lnk file to force folder?
Not surprising at all. I'm sure there are hundreds of ways to bypass the force run sandboxed command. However, in my opinion, that isn't the primary purpose of Sandboxie. The primary purpose is of course to prevent anything that is already in the sandbox from breaking out of the sandboxed environment.
EDIT: I recall now that with media and picture files, if Windows Media Player and Windows Picture and Fax Viewer are your default programs for running these file types respectively, running these files from a force sandboxed folder/drive will not work - they will always open unsandboxed, and there's no workaround for this. Solution? Simply always open them in a sandboxed explorer.exe environment instead, or you can always right click the file and manually run it sandboxed.
EDIT: I recall now that with media and picture files, if Windows Media Player and Windows Picture and Fax Viewer are your default programs for running these file types respectively, running these files from a force sandboxed folder/drive will not work - they will always open unsandboxed, and there's no workaround for this. Solution? Simply always open them in a sandboxed explorer.exe environment instead, or you can always right click the file and manually run it sandboxed.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
but there is a vulnerability...lnk virus just cheats on you to double click the lnk file and there you go , you get infected ....ssj100 wrote:Not surprising at all. I'm sure there are hundreds of ways to bypass the force run sandboxed command. However, in my opinion, that isn't the primary purpose of Sandboxie. The primary purpose is of course to prevent anything that is already in the sandbox from breaking out of the sandboxed environment.
EDIT: I recall now that with media and picture files, if Windows Media Player and Windows Picture and Fax Viewer are your default programs for running these file types respectively, running these files from a force sandboxed folder/drive will not work - they will always open unsandboxed, and there's no workaround for this. Solution? Simply always open them in a sandboxed explorer.exe environment instead, or you can always right click the file and manually run it sandboxed.
It's not secure to run things in sandbox,how do you think about that?
Variations on this have been discussed here several times. The forced folder feature has some limitations, in that it only comes into play when an EXE file runs. It does not know about the document file (PDF, LNK, TXT, whatever). In this case, your LNK says to run an EXE from from drive C, so the forced folder feature does not apply.
tzuk
That's exactly right (of course). Mature, as I already implied, if you want to have "100%" security, you also need a good "security approach", rather than just rely on your "security setup".tzuk wrote:Variations on this have been discussed here several times. The forced folder feature has some limitations, in that it only comes into play when an EXE file runs. It does not know about the document file (PDF, LNK, TXT, whatever). In this case, your LNK says to run an EXE from from drive C, so the forced folder feature does not apply.
Regardless, it seems you are not quite fully understanding what "running in the sandbox" means. A forced folder only "tries" to run everything in it sandboxed - there's no guarantee it will...not by a long shot.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
Indeed. However, I always try to minimise the number of third party software I use on my systems.arran wrote:Or use 3rd party software to open media and picture files.ssj100 wrote: Solution? Simply always open them in a sandboxed explorer.exe environment instead, or you can always right click the file and manually run it sandboxed.
Also, there's just no guarantee that Sandboxie will always open your file sandboxed if you rely on its force command. Objectively, it's much more secure opening newly introduced files with a sandboxed explorer.exe. Because in doing so, you are using the full power of Sandboxie to "house" the potential malware/exploit, as you are already starting in a sandboxed environment. That is, for the malware to break out, it will need to TRULY bypass Sandboxie.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
well....is this mean force folder can just apply to the known apps?Because it is possible to get infected when run a file under force folder,the guy told me pdf and jpg needs buffer overflow vulnerability to execute code,but lnk just execute directly...
Anyway i raise this up...wheather you fix it is up to you~
Anyway i raise this up...wheather you fix it is up to you~
Exactly. As I said, I'm sure there are many ways to bypass the "force folder" command of Sandboxie (and as I already mentioned, it's already bypassed by default with .jpg and .avi files when using Windows Media Player and Windows Picture and Fax Viewer).Mature wrote:well....is this mean force folder can just apply to the known apps?Because it is possible to get infected when run a file under force folder,the guy told me pdf and jpg needs buffer overflow vulnerability to execute code,but lnk just execute directly...
Anyway i raise this up...wheather you fix it is up to you~
And in general, this isn't really a "fix" to ask for. It's more a "feature" to potentially add if Tzuk can be bothered haha.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
hehe~i don't think i can bother Tzuk without your support since the whole WS is bothered by youssj100 wrote:Exactly. As I said, I'm sure there are many ways to bypass the "force folder" command of Sandboxie (and as I already mentioned, it's already bypassed by default with .jpg and .avi files when using Windows Media Player and Windows Picture and Fax Viewer).Mature wrote:well....is this mean force folder can just apply to the known apps?Because it is possible to get infected when run a file under force folder,the guy told me pdf and jpg needs buffer overflow vulnerability to execute code,but lnk just execute directly...
Anyway i raise this up...wheather you fix it is up to you~
And in general, this isn't really a "fix" to ask for. It's more a "feature" to potentially add if Tzuk can be bothered haha.
Who is online
Users browsing this forum: No registered users and 1 guest
