
Do Sandboxie Force Folders really protect you?


henz


Well, I created this topic to share my experience with the Sandboxie Force Folders feature today..

A while ago, the Force Folders feature worked for me as intended,

but today I plugged in a USB drive and got infected :(

Let's say the scenario is like this:

Force Folders enabled on a drive letter, say "G:\"

Note: Sandboxie service running, lol

My USB drive letter is G:

Soon after, a file mso.sys is created on C:\ and a related link,

like this:

http://www.threatexp...e881b199495243e

Scanned with MBAM, no luck, it did not work as intended either :( (the trojan appeared in November 2010 according to ThreatExpert)

Ahh, I deleted the mso.sys file with Unlocker (of course it was locked),

rebooted in safe mode, and deleted ****ALL.

The WinRAR SFX registry entry was not created as the ThreatExpert report says.

Well, this is my experience today. Do not rely on programs/software.. a useful tool makes you smile but it can make you crazy as well..

Edit: installed version is Sandboxie 3.46 :)


Sandboxie doesn't really protect anything on a 64-bit system. The software makers/owner even said so on their site.



  • Administrator

> Sandboxie doesn't really protect anything on a 64-bit system. The software makers/owner even said so on their site.

That's not entirely true. These security companies only complain because of the kernel patch protection that's implemented in 64-bit; it offers more security, and because those companies cannot modify the kernel for their own needs or liking, they cry about it. I use Sandboxie on a 64-bit OS and I haven't seen any file going through it; I have strong HIPS enabled to check that.



> > Sandboxie doesn't really protect anything on a 64-bit system. The software makers/owner even said so on their site.
>
> That's not entirely true. These security companies only complain because of the kernel patch protection that's implemented in 64-bit; it offers more security, and because those companies cannot modify the kernel for their own needs or liking, they cry about it. I use Sandboxie on a 64-bit OS and I haven't seen any file going through it; I have strong HIPS enabled to check that.

The Sandboxie company said they couldn't protect users with 64-bit computers/OSs nor guarantee it, unlike their 32-bit version.

I do have the last version that didn't have the crazy online checks, but I don't use it. I try to install software where the average user doesn't need to do anything.



> > > Sandboxie doesn't really protect anything on a 64-bit system. The software makers/owner even said so on their site.
> >
> > That's not entirely true. These security companies only complain because of the kernel patch protection that's implemented in 64-bit; it offers more security, and because those companies cannot modify the kernel for their own needs or liking, they cry about it. I use Sandboxie on a 64-bit OS and I haven't seen any file going through it; I have strong HIPS enabled to check that.
>
> The Sandboxie company said they couldn't protect users with 64-bit computers/OSs nor guarantee it, unlike their 32-bit version.
>
> I do have the last version that didn't have the crazy online checks, but I don't use it. I try to install software where the average user doesn't need to do anything.

It's a bit silly to say/imply that Sandboxie 64-bit offers no protection. Give me a piece of in-the-wild malware that can bypass Sandboxie 64-bit. I'll bet you won't find any, period. So, therefore, does Sandboxie 64-bit offer any protection?



> > Actually, it sounds like you've disabled "Autoplay". Might be worth checking out how to disable "Autorun" too:
> >
> > http://ssj100.fullsu...-windows-xp#994
>
> I had disabled autorun a long time ago.. :think:
>
> and the registry value
>
> NoDriveTypeAutorun REG_DWORD 0x000000b5 (181) :mellow:

Did you use this method to disable autorun?

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"



> Did you use this method to disable autorun?
>
> REGEDIT4
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
> @="@SYS:DoesNotExist"

Yeah, the value at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf] is

(Default) - REG_SZ - @SYS:DoesNotExist

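The two registry settings discussed in the posts above do different jobs, and the thread never spells out what the reported value 0xb5 actually covers. The following is an added example written by the editor, not code from the thread or from Sandboxie: it decodes a NoDriveTypeAutoRun bitmask using the bit values Microsoft documents for that policy (bit 1<<n corresponds to the DRIVE_* type n returned by GetDriveType), audits an autorun.inf for the keys that launch something or disguise the drive, and models the IniFileMapping kill-switch. The sample autorun.inf is constructed for the example and is not the poster's pastebin; the file name update.exe in it is made up. The assumption in autorun_inf_is_honored is the documented behaviour of the @SYS:DoesNotExist mapping: every read of any autorun.inf is redirected to a registry key that does not exist, so the file is ignored whatever NoDriveTypeAutoRun says.

```python
"""Decode NoDriveTypeAutoRun and audit an autorun.inf (added example)."""

# Bit values documented by Microsoft for the NoDriveTypeAutoRun REG_DWORD
# under ...\Windows\CurrentVersion\Policies\Explorer (HKLM or HKCU).
# Bit 1<<n matches the DRIVE_* constant n that GetDriveType() returns.
DRIVE_TYPE_BITS = (
    (0x01, "unknown"),
    (0x04, "removable"),
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "cdrom"),
    (0x40, "ramdisk"),
    (0x80, "unknown (reserved)"),
)

DISABLE_ALL = 0xFF                       # documented "all drive types" value
INIFILEMAPPING_KILL = "@SYS:DoesNotExist"  # the mapping used in the thread


def decode_no_drive_type_autorun(mask: int) -> dict:
    """Map each drive type to True when the mask disables AutoRun for it."""
    return {name: bool(mask & bit) for bit, name in DRIVE_TYPE_BITS}


def still_enabled(mask: int) -> list:
    """Drive types for which 'mask' leaves AutoRun enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS if not mask & bit]


def parse_autorun_inf(text: str) -> dict:
    """Minimal INI reader: {section(lower): {key(lower): value}}.

    Hand-rolled so junk lines (common in hostile autorun.inf files) are
    skipped instead of raising, which configparser would do."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autorun_inf(text: str) -> dict:
    """Flag [autorun] keys that execute something or disguise the drive."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    findings = {"executes": [], "shell_commands": [], "disguise": []}
    for key, value in autorun.items():
        if key in ("open", "shellexecute"):
            findings["executes"].append(f"{key}={value}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings["shell_commands"].append(f"{key}={value}")
        elif key in ("icon", "label", "action"):
            findings["disguise"].append(f"{key}={value}")
    return findings


def autorun_inf_is_honored(no_drive_type_autorun: int, drive_type_bit: int,
                           inifilemapping_default: str = "") -> bool:
    """Would Explorer act on autorun.inf for a drive of the given type?

    Assumption (documented behaviour of the IniFileMapping trick): once the
    IniFileMapping\\Autorun.inf default value is @SYS:DoesNotExist, reads of
    any autorun.inf are redirected to a registry key that does not exist, so
    the file's contents are never used regardless of NoDriveTypeAutoRun."""
    if inifilemapping_default.strip().lower() == INIFILEMAPPING_KILL.lower():
        return False
    return not (no_drive_type_autorun & drive_type_bit)


# Constructed sample resembling a USB-worm autorun.inf (not the thread's paste;
# update.exe is a made-up name).
SAMPLE_AUTORUN_INF = """\
[AutoRun]
this line has no equals sign and must be ignored
open=update.exe
shell\\open=&Open
shell\\open\\command=update.exe
shell\\explore\\command=update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
label=Removable Disk
"""

if __name__ == "__main__":
    mask = 0xB5  # the value reported in the thread
    print(f"0x{mask:02X} still allows AutoRun on: {still_enabled(mask)}")
    print(audit_autorun_inf(SAMPLE_AUTORUN_INF))
    print("honored on removable with 0xB5 alone:",
          autorun_inf_is_honored(mask, 0x04))
    print("honored on fixed with 0xB5 alone:",
          autorun_inf_is_honored(mask, 0x08))
    print("honored with IniFileMapping kill-switch:",
          autorun_inf_is_honored(mask, 0x08, INIFILEMAPPING_KILL))
```

Run as-is, the script shows that 0xb5 (0x80 + 0x20 + 0x10 + 0x04 + 0x01) disables AutoRun on removable, CD-ROM, network and unknown drives but leaves fixed disks (0x08) and RAM disks (0x40) enabled, which matters for USB sticks that enumerate as fixed disks; 0xFF leaves nothing enabled. The IniFileMapping mapping, by contrast, stops autorun.inf being read at all, which is why the thread treats it as the real fix.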


And are you running in a Limited/Standard User Account?

With autorun disabled properly, and proper use of Sandboxie, you should not have got infected. You need to make sure you are opening/browsing the USB drive sandboxed.



I am running with an admin account (I am a home user, not really caring about that).

> With autorun disabled properly, and proper use of Sandboxie, you should not have got infected

That's why I said in the first post, Sandboxie worked for me as intended,

but not this time.

Every file I opened from the USB drive had a # sign in its title -> I am sure Sandboxie is properly configured.



Update:

Plugged in the USB today, Sandboxie worked :P

My friend's PC needs to call a doctor :frusty:

It's the same malware, mso.sys.

I wonder why the two of us, plugging in the USB the same way, get a different result.. :think:

Scenario this time:

A C:\sandbox...\program files\microsoft\watermark.exe is going to connect to the internet..

Under Sandboxie control, there are several svchost.exe processes..

and every file on my C: drive is copied to the sandbox folder.. (this causes a system slowdown, and the drive fills up :()

Terminated the program in Sandboxie control, and everything is okay; deleted the contents of the sandbox to keep my drive normal.

Ohh, the autorun.inf file:

Site: http://pastebin.com/

Sharecode: 7Kah8wwJ

and scanned the USB with MBAM again, no detection at all..



@ssj100

Thank you for your tutorial info on setting up a well-secured OS. :lol:

I set up my W7 Ultimate with SUA + sandbox + AppLocker (not yet so sure about my settings) plus my favourite AV (NOD32 v2) + AM (Prevx) and LnS firewall.

For my W7 HP: SUA + sandbox + Parental Control Policy + SuRun plus AV (NOD32 v2) + AM (Prevx) and LnS firewall.

Both have MBAM for on-demand scans.

I also get an error with one of my applications (Chikka messenger) when using the Std Acct, but I can live with it. Hope you can guide me more on how to set up AppLocker. TIA :)

Jin

Archived

This topic is now archived and is closed to further replies.
