
How to identify malicious programs in Sandboxie


karachidude


Hey guys,

Firstly

When we run a keygen in Sandboxie that first patches the desired .exe and then creates the serial, how do we get to know whether the keygen is malicious or not, because it patches the .exe first (and that's making changes outside the sandbox)?

How do I know there aren't any keyloggers in the keygen?

Secondly

How do you guys make better use of Sandboxie, other than using it with the browser or for keygens?




@karachidude:

Go to other forums, ask for the MD5 / SHA-1 hash and compare it to the one you have.

Upload it to online virus scanners. Also, get a 2nd opinion from others who know this stuff.

Lastly, if you're still paranoid, install some HIPS (e.g., COMODO, Outpost, Online Armor).

It will alert you to any application's activities.



  • Administrator

Bizarre is fully right. :yes:

It is also good to scan it with an online scanner. For me VirusTotal.com is the best.



I recently found a website called ThreatExpert which will automatically analyze the uploaded file for suspicious activity. It'll then generate a report listing information such as new processes created, dll files injected, and registry changes.

ThreatExpert is the host of the ThreatFire antivirus, which has a good reputation.

http://www.threatexpert.com/submit.aspx



@Bizarre

OK, understood. I have COMODO installed now, with Defense+ activated. I will check out the MD5 / SHA-1 hashes process next time I run a keygen. From now on I will upload every keygen I download to VirusTotal first. It's clear now.

Thanks yet again.

@DKT

Thanks, man.

@icey

I will check out their website. Thanks.



  • Administrator

I have used www.threatexpert.com to get to know the infection properly when I already know the infection's name. But I've never tried its analysis.

I also use http://www.microsoft.com/security/portal/T...dia/Browse.aspx . That is the Microsoft Malware Encyclopedia, again if I know the name of the infection.

For VirusTotal, it is the best, also used by hackers and infection senders to test whether they have crypted the software well or not.



  • Administrator

You can view your sandboxed registry and file space. If, for example, a program you download says it only "downloads and displays a webpage" but your sandboxed area says it's created 100 files, you can see something is a little wrong.



@lite

Yes, look for suspicious behaviour of apps in the registry and file space, and that is shown on the Sandboxie Control front page.

I also think I will have to use it enough to get to know how to use it more efficiently.

Thank you, Lite.



Generally if you open up a keygen and an actual window appears which presents you with the option to patch/generate something then it's not a virus, trojan or any of that kind ;) If it's a virus the harm will be done right after you open the file. (Speaking from my own experience here :)).



@Shought

Fantastic that you shared this... of course if the .exe is a virus it will try to do stupid things right after you click it, it won't ask you to patch and illegally activate.. lol..

Now the Sandboxie concept is much clearer to me, and now I know why people use it so much, it's a fantastic program.

Thanks, Shought.



Hi Hate9x,

Thanks for the helpful suggestion.

I would be glad if you shed some light on the "run the sfv file to check the crc": what is the sfv file and what is crc?

I have heard highly of the Vscan you mentioned, I will check it out.

Thanks.




CRC is a checksum of a file that changes if it's modified; thus there are SFV files with which you can check whether the CRC still matches the original values.

Try QuickSFV (http://www.quicksfv.org/) for example. Be sure to associate it with .sfv files, and you should then be able to check the checksums by double-clicking an .sfv file.

Unmodified scene releases should, without exception, come with an SFV file.
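A small checker for the SFV/CRC mechanism described above, added here as an example (it is not Sandboxie's or QuickSFV's code). It parses the .sfv text, streams each listed file through CRC32 and reports OK, MISMATCH or MISSING per file; the release files and the .sfv it checks are constructed in a temporary directory, and the same compare-against-a-published-checksum idea underlies the MD5 / SHA-1 suggestion earlier in the thread.

```python
import os
import tempfile
import zlib


def parse_sfv(text):
    """Return {filename: crc32_int}; lines starting with ';' are comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"): continue
        # Filenames may contain spaces, so only the last token is the CRC.
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or len(parts[1]) != 8:
            raise ValueError("malformed SFV line: %r" % line)
        entries[parts[0]] = int(parts[1], 16)
    return entries


def crc32_of_file(path, chunk=65536):
    # Stream the file so a large release need not fit in memory.
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def verify_sfv(sfv_path):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for each listed file."""
    base = os.path.dirname(sfv_path)
    with open(sfv_path, "r", encoding="utf-8", errors="replace") as fh:
        expected = parse_sfv(fh.read())
    results = {}
    for name, crc in expected.items():
        path = os.path.join(base, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if crc32_of_file(path) == crc else "MISMATCH"
    return results


def demo():
    """Constructed sample: an intact file, a patched copy and a missing one."""
    d = tempfile.mkdtemp()
    good = b"constructed release contents"
    for name, data in (("good.exe", good), ("patched.exe", good + b"!")):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    crc = "%08X" % (zlib.crc32(good) & 0xFFFFFFFF)
    sfv_path = os.path.join(d, "release.sfv")
    with open(sfv_path, "w") as fh:
        fh.write("; constructed SFV\ngood.exe %s\npatched.exe %s\nmissing.exe 00000000\n" % (crc, crc))
    return verify_sfv(sfv_path)
```

Note that CRC32 only detects accidental or naive modification; a deliberately altered file can be padded to keep the same CRC, which is why a cryptographic hash from a trusted source is the stronger check.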



@shought:

It's a very bad idea to execute an unknown .exe file unless you have HIPS, a sandbox, or are running in a virtual OS.

If you don't have any of the aforementioned protection, the next thing you know you've got a malware infection.



@Biz

I'm pretty sure Shought meant opening the keygen in Sandboxie.



  • Administrator

I'm pretty sure that Bizarre wants to become a poet. :D

Well Shought and all, if a keygen contains a virus or that sort, no matter if you sandbox it, it will infect your PC. I know Sandbox can work wonders, but what if the virus infects your PC even before you open it in Sandboxie?



@DKT

That is impossible.. lol.. I mean until you run the .exe you're safe; after you run the .exe then there is a problem.

And if you're running it in Sandboxie, it won't let the virus do any harm, at least it gives you the time to evaluate whether it's a virus or not... the abnormal behaviour on the Sandboxie Control page..



  • Administrator

Believe me, you don't need to execute the keygen/virus if you want to get your PC infected. Yeah, sometimes you may need to, but not every time. If that happened only when you executed it, 50% of the world's infections would have become less.

Note: I'm not doubting Sandboxie, in fact I use it myself to stay safe, but I'm talking about the infection before it's sandboxed.



lol... HIPS then, I would say, would prevent any unauthorized program execution.

One more thing: if you have a sandbox-enabled browser, everything you download will go into the sandbox until you recover it. And we can also put folders, like the folder in which you download your things, in the sandbox.



  • Administrator

You are right about the sandbox, but as far as all security programs are concerned, "no one can catch 'em all".




As a general rule: if it has a logo (any logo, except for the standard .exe file window thingy) and a .nfo then it's genuine. Of course there's smarter stuff out there, that's why you should use Sandboxie (I don't, I'm sorry, I'd rather learn how to remove them viruses (I never get any... parents do) than avoid them :D) ;)
