Trust No Program
Tech0
Joined: 26 Dec 2008
Posts: 14
There were other files left on my system too, not just in Sandboxie's cache.

_________________
Norton AntiVirus 2009
Buster
Joined: 06 Aug 2007
Posts: 2185
Tech0 wrote:
There were other files left on my system too, not just in Sandboxie's cache.


Then something went wrong, and it was not Sandboxie that executed the malware.

I've tried thousands of malware samples lately and none is able to bypass Sandboxie.
Tech0
Joined: 26 Dec 2008
Posts: 14
Did I tell you that Sandboxie left a context menu option after uninstall?
Buster
Joined: 06 Aug 2007
Posts: 2185
Tech0 wrote:
Did I tell you that Sandboxie left a context menu option after uninstall?


But that's not related to a malware bypassing Sandboxie, which was what we were talking about, is it?
Tech0
Joined: 26 Dec 2008
Posts: 14
I found that out after I attempted to remove Sandboxie on both of my systems. Both times it left the option.

And check this out.

hxxtp://www.megaupload.com/?d=XS6SMZ5I

There is an inappropriate video in the collection. If you stumble across a video file, just delete it or never open it.

Of course I did not compile the collection.

http://www.offensivecomputing.net/?q=node/748

--------

And it's fairly recent; uploading an array of files from the collection to VT showed that the last analysis was generally 1.04.09.
tzuk
Joined: 22 Jun 2004
Posts: 15003
Tech0, you are probably installing/uninstalling Sandboxie from one user account while actually using Sandboxie from another. In that case you cannot realistically expect software being uninstalled from one account to be able to "undo" configuration made in the second account.

What you should do in this case is use Sandboxie Control > Configure > Windows Shell Integration to undo these associations before you uninstall Sandboxie. Also, if you're getting rid of Sandboxie, it is a good idea to make sure your sandboxes are all deleted.

_________________
tzuk
Tech0
Joined: 26 Dec 2008
Posts: 14
I uninstalled/installed Sandboxie from the same administrator account. I used Sandboxie in a Guest account.

This is the first time that it happened. I install numerous programs on an Admin. account and use it on the guest account sometimes w/ the run as... command.
Tech0
Joined: 26 Dec 2008
Posts: 14
And I installed NAV on one account and use it on every other account on my system. When uninstalling, no context menu entry was left. It uninstalled completely. How did this supposedly bloated piece of software defy your rule of thumb?
Oneder
Joined: 30 Aug 2005
Posts: 364
Location: Perth, West Oz
Tested a fake codec (?) earlier today and this is the first time I've seen the messages below from the very many malware samples I've tested.

The usual Sandboxie/VM aware ones, which are probably zlob variants, just refuse to run without popping up their own messages?

video-share.servegame.org/Best.html
_________________
Hunting the Hunter!
Buster
Joined: 06 Aug 2007
Posts: 2185
Oneder wrote:
Tested a fake codec (?) earlier today and this is the first time I've seen the messages below from the very many malware samples I've tested.

The usual Sandboxie/VM aware ones, which are probably zlob variants, just refuse to run without popping up their own messages?


It refuses to run in virtual machines (VMWare, Virtual PC, VirtualBox) and malware analyzers (Anubis, ThreatExpert, JoeBox, CWSandbox).
admsupport
Joined: 12 Oct 2008
Posts: 33
Location: Japan
I finally got to the end of the thread. It has a good informative value; thanks to the participants.

A question though: Can malware (of any type: virus, worm, spyware, etc.) install on an XP/Vista system without a user action (knowing that the autorun.ini feature is disabled)? If so, which, and how?

So far, all the viruses I came across were executables (.exe, .vbs, .pif, etc.). I could download them, but as long as I did not run them, there was no harm.
Guest
I'm glad badwares don't like antimalware and sandboxes.
IF a program doesn't like to run the way I want it to THEN I would suspect it and eventually choose an alternative software which likes my way.

And as far as SBie provides a very almost-natural virtual environment I choose only those programs which can go with SBie flawlessly.
The more troyawormovirii don't like my PC the more I like SBie.
Cheers
Oneder
Joined: 30 Aug 2005
Posts: 364
Location: Perth, West Oz
admsupport wrote:

A question though: Can malware (of any type: virus, worm, spyware, etc.) install on an XP/Vista system without a user action (knowing that the autorun.ini feature is disabled)? If so, which, and how?

So far, all the viruses I came across were executables (.exe, .vbs, .pif, etc.). I could download them, but as long as I did not run them, there was no harm.

Quote:
While bundling, social engineering, and browser exploits all rely on the user to initiate a connection to a site that hosts malware, worms can infect a computer with no interaction from the user. Worms spread by sending network communications across a network to exploit a vulnerability in remote computers and install the worm. Once installed, the worm continues looking for new computers to infect.

http://technet.microsoft.com/en-us/library/cc507865.aspx

Also you could have a look at this tricky pdf exploit.
google-analytics.pbtgr.ru/pdf.php?id=48462
Quote:
File 680.pdf received on 01.24.2009 02:43:41 (CET)
Current status: finished
Result: 9/39 (23.08%)

http://www.virustotal.com/analisis/fac822b840bef66ffba791f314e80d48
EASTER1
Guest
Does SandboxIE self-protect its default sandbox from deletion by malware? Because it seems to me that if a bad ware could just delete the sandbox in Application Data, then there would be no place to contain these foulwares. And sorry if this has been asked and answered already someplace else here.

THANKS
admsupport
Joined: 12 Oct 2008
Posts: 33
Location: Japan
Oneder wrote:
Also you could have a look at this tricky pdf exploit.
google-analytics.pbtgr.ru/pdf.php?id=48462


Oneder, thanks for your answer. What's special about this pdf exploit? The MB forum does not give much detail about this exploit, and neither does the virus scan page.

Does it really make sense (worms/zero-day exploits) to run with a limited account (it is a pain on a stand-alone machine) in addition to using SB and an AV/FF & MS patches? Isn't SB itself enough to cut short a new worm infection until the AV vendor releases the patch? The delay is usually very short.

A question about MACRO VIRUS (MS office). How to spot a document with a macro virus when you open it in SB? If the AV does not kick in when you open an attachment in outlook or on web page, how can you see it in the sandbox?

If someone has the experience, please share your knowledge, or send me a macro virus sample with some info in the message. I know macro viruses by name. I'd like to know how to spot them upon opening in a sandbox and in Process Explorer.
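The macro question in the post above can be answered before the document is ever opened, by looking at the file's structure rather than waiting for the AV or for a process to appear in Process Explorer. What follows is an added example, not code from Sandboxie or from any participant in this thread. It assumes two facts about the file formats: Office 2007+ documents (.docm, .xlsm, .pptm, or a .docx that was renamed) are ZIP containers in which a VBA project is stored as a part named vbaProject.bin and declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject; legacy binary documents (.doc, .xls, .ppt) are OLE2 compound files whose directory entries hold stream and storage names as UTF-16LE, and a VBA project creates names such as _VBA_PROJECT and PROJECTwm. The OLE check scans raw bytes for those names, which is a heuristic rather than a full compound-file parse. All sample inputs are constructed in memory; none is real malware.

```python
"""Static macro triage for Office documents (added example, standard library only)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound-file signature
ZIP_MAGIC = b"PK\x03\x04"                          # first local-file header of a ZIP
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Directory-entry names that a VBA project creates inside an OLE2 file.
# Heuristic marker scan: names are stored as UTF-16LE in directory entries.
OLE_VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "PROJECTwm")]


def find_macros(data: bytes) -> dict:
    """Return {'format', 'has_macros', 'evidence'} for the raw bytes of a document.

    The verdict is based on content, never on the file extension, so a renamed
    .docm is caught just the same.
    """
    evidence = []
    if data.startswith(OLE_MAGIC):
        for marker in OLE_VBA_MARKERS:
            if marker in data:
                evidence.append("OLE directory name %r" % marker.decode("utf-16-le"))
        return {"format": "ole", "has_macros": bool(evidence), "evidence": evidence}

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # The VBA project part itself (word/, xl/ or ppt/ prefix).
                for name in names:
                    if name.lower().endswith("vbaproject.bin"):
                        evidence.append("ZIP part " + name)
                # The package-level declaration of that part.
                if "[Content_Types].xml" in names:
                    ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                    if VBA_CONTENT_TYPE in ct:
                        evidence.append("content type " + VBA_CONTENT_TYPE)
        except zipfile.BadZipFile:
            return {"format": "unknown", "has_macros": False, "evidence": ["corrupt ZIP"]}
        return {"format": "ooxml", "has_macros": bool(evidence), "evidence": evidence}

    return {"format": "unknown", "has_macros": False, "evidence": []}


def _zip_bytes(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed stand-ins for each format (not real documents, not real malware)."""
    ct_plain = ('<?xml version="1.0"?>'
                '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                '<Override PartName="/word/document.xml" ContentType="application/vnd.'
                'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
    ct_macro = ct_plain.replace(
        "</Types>",
        '<Override PartName="/word/vbaProject.bin" ContentType="%s"/></Types>' % VBA_CONTENT_TYPE)
    ole_header = OLE_MAGIC + b"\x00" * 504 + "Root Entry".encode("utf-16-le") + b"\x00" * 40
    return {
        "plain_docx": _zip_bytes({"[Content_Types].xml": ct_plain,
                                  "word/document.xml": "<w:document/>"}),
        "macro_docm": _zip_bytes({"[Content_Types].xml": ct_macro,
                                  "word/document.xml": "<w:document/>",
                                  "word/vbaProject.bin": b"\x01\x16\x03\x00fake"}),
        # Same macro container renamed: content, not extension, decides.
        "macro_renamed_docx": _zip_bytes({"[Content_Types].xml": ct_macro,
                                          "word/vbaProject.bin": b"\x01\x16\x03\x00fake"}),
        "legacy_doc_clean": ole_header + "WordDocument".encode("utf-16-le"),
        "legacy_doc_with_vba": ole_header + "_VBA_PROJECT".encode("utf-16-le"),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        verdict = find_macros(blob)
        print("%-20s %-8s macros=%-5s %s" % (label, verdict["format"],
                                              verdict["has_macros"], verdict["evidence"]))
```

Run it on a downloaded attachment before opening it in the sandbox: a "has_macros" verdict is the cue to open the file with macros disabled, or not at all. The OLE branch only says that VBA storage names are present; a document that merely contains those strings in its text would also trip it, so treat an OLE hit as a reason for a closer look rather than a conviction.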
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.