Page 1 of 1
Program restrictions
Posted: Fri Sep 14, 2012 2:14 am
by Idqwroi
It's possible to set restrictions on internet access by program, i.e. firefox.exe or install_flash_player.exe. But if any of the filenames change, then the restrictions change, even for the same binary file. Is the pattern matching really filename only? What's stopping malware from renaming itself and slipping through the filter? An easy way to get through the filter would be to look at the other processes' names and then systematically change one's name to each of them until one works.
Posted: Fri Sep 14, 2012 5:04 am
by DR_LaRRY_PEpPeR
Assuming the malware, or whatever, is actually in the sandbox and not the real system (through OpenFilePath), that stuff isn't allowed anyway when Start/Run or Internet Access restrictions are in effect, no matter the name. Same goes for OpenFilePath/OpenKeyPath.
Posted: Fri Sep 14, 2012 3:17 pm
by Idqwroi
I don't understand. How does Sandboxie know to let Firefox through, but not some malware that calls itself firefox.exe?
Posted: Fri Sep 14, 2012 3:49 pm
by Guest10
If a malware program is located outside of the sandbox, and it calls itself firefox.exe, the Internet Access Restriction will allow it to access the Internet when it runs sandboxed. There's no way for Sandboxie to check it to see if it's the real Firefox.
The purpose of Sandboxie is to keep malware from escaping from a sandbox, but if it's already on your computer, then there's nothing that Sandboxie can do to help that. You should still scan for malware periodically, whether it's a free on-demand scanner or a memory resident scanner.
If Internet Access Restrictions are in effect, then no .exe file that is located inside of the sandbox will be allowed to access the Internet - even if the name it uses matches firefox.exe. The only .exe files that will be allowed Internet access are those that are located outside of the sandbox and are listed under Internet Access Restrictions.
Posted: Fri Sep 14, 2012 4:01 pm
by Idqwroi
Guest10 wrote:If a malware program is located outside of the sandbox, and it calls itself firefox.exe, the Internet Access Restriction will allow it to access the Internet when it runs sandboxed. There's no way for Sandboxie to check it to see if it's the real Firefox.
The purpose of Sandboxie is to keep malware from escaping from a sandbox, but if it's already on your computer, then there's nothing that Sandboxie can do to help that. You should still scan for malware periodically, whether it's a free on-demand scanner or a memory resident scanner.
If Internet Access Restrictions are in effect, then no .exe file that is located inside of the sandbox will be allowed to access the Internet - even if the name it uses matches firefox.exe. The only .exe files that will be allowed Internet access are those that are located outside of the sandbox and are listed under Internet Access Restrictions.
Ok, but what about files originally located inside the sandbox? Is the restriction still filename-based?
Posted: Fri Sep 14, 2012 4:28 pm
by Guest10
Idqwroi wrote:Ok, but what about files originally located inside the sandbox? Is the restriction still filename-based?
If you are referring to .exe files that are inside of the sandbox, then if Internet Access Restrictions are in place they won't be able to access the Internet at all - no matter what name they call themselves.
No .exe program located
inside the sandbox will be able to access the Internet when Internet Access Restrictions are in effect.
Only .exe programs that are located
outside of the sandbox will be allowed to access the Internet.
Posted: Fri Sep 14, 2012 4:46 pm
by Idqwroi
Guest10 wrote:No .exe program located inside the sandbox will be able to access the Internet when Internet Access Restrictions are in effect.
Only .exe programs that are located outside of the sandbox will be allowed to access the Internet.
That makes perfect sense.
Sandboxie's current explanation in "Sandbox Settings -> Restrictions -> Internet Access" is undecipherable. In particular, "programs in this sandbox" can mean anything; it's impossible to tell if it means programs running in the sandbox or programs installed in the sandbox. It should clarify explicitly the difference between the access levels.