Sandbox bypassed or..?



Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Re: Sandbox bypassed or..?

Post by Nix » Fri Mar 20, 2015 10:15 am

@danicx...

What were your conclusions in this test?! As JoeHood concluded, it's a probable breach: information escapes the sandbox... I was hoping others would test this, and to see comments from the support team.
Regards,
Nix

Win7 Ultimate (x64)


danicx
Posts: 65
Joined: Tue Aug 28, 2012 2:23 pm

Re: Sandbox bypassed or..?

Post by danicx » Fri Mar 20, 2015 11:11 am

The escape occurred, exactly. I'm not a programmer, like most users of this forum. We need an expert or developer to understand what is happening. But they have kept silent for so long... I hope we will get answers soon.

Curt@invincea
Sandboxie Lead Developer
Posts: 1666
Joined: Fri Jan 17, 2014 5:21 pm

Re: Sandbox bypassed or..?

Post by Curt@invincea » Fri Mar 20, 2015 4:19 pm

Are you guys sure your sandboxes are completely deleted? You aren't getting any errors about the registry hive being locked? If you try to delete the contents again, Sbie says "The sandbox is empty. There is nothing to delete"?

1) I disabled UAC in gpedit.msc as described.
2) Installed Akvis in the sandbox, ran it, splash screen said "expires in 10 days"
3) Changed my date to the future
4) Ran Akvis, splash box said "expires in 6 days"
5) Changed my date back to today, splash still said "expires in 6 days"
6) Deleted my sandbox. Akvis was gone.
7) Installed Akvis in clean sandbox.
8) Splash screen says "expires in 10 days" just like new.

I see no hole anywhere. I can reset the expiration date at will. The only way I can see UAC being an issue is that it is allowing something in Windows to prevent the sandbox from being cleaned out properly.

JoeHood
Posts: 178
Joined: Sat Apr 12, 2014 12:51 pm

Re: Sandbox bypassed or..?

Post by JoeHood » Fri Mar 20, 2015 4:37 pm

Follow the gpedit directions in this page:
http://www.petri.com/disable-uac-in-windows-7.htm

Works the same for Windows 8.1 - Option B

JoeHood
Posts: 178
Joined: Sat Apr 12, 2014 12:51 pm

Re: Sandbox bypassed or..?

Post by JoeHood » Fri Mar 20, 2015 4:43 pm

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode – Set its value to Elevate without prompting.
User Account Control: Detect application installations and prompt for elevation – Set its value to Disabled.
User Account Control: Only elevate UIAccess applications that are installed in secure locations – Set its value to Disabled.
User Account Control: Run all administrators in Admin Approval Mode – Set its value to Disabled.
Reboot
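Added here as a defender-side check, not something from the thread or from Sandboxie: a PowerShell snippet that reads the registry values behind the four policies listed above (the policy-to-value mapping and the desktop defaults are Microsoft's documented ones) and reports whether each is still at its secure default, so you can confirm a test machine's UAC state before trusting a result from it.

```powershell
# Added example (not from the thread): audit the UAC policy values behind the
# four Group Policy settings listed above. Each policy maps to a DWORD under
# this key, per Microsoft's documented UAC policy mapping. Read-only; run as
# any user.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy name -> registry value, secure desktop default, and what the
# weakened value the repro steps above set means.
$checks = @(
    @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Value  = 'ConsentPromptBehaviorAdmin'; Expected = 5
       Note   = '0 = elevate without prompting' },
    @{ Policy = 'Detect application installations and prompt for elevation'
       Value  = 'EnableInstallerDetection'; Expected = 1
       Note   = '0 = disabled' },
    @{ Policy = 'Only elevate UIAccess applications that are installed in secure locations'
       Value  = 'EnableSecureUIAPaths'; Expected = 1
       Note   = '0 = disabled' },
    @{ Policy = 'Run all administrators in Admin Approval Mode'
       Value  = 'EnableLUA'; Expected = 1
       Note   = '0 = disabled (UAC off entirely; takes effect after reboot)' }
)

$props    = Get-ItemProperty -Path $key
$weakened = 0
foreach ($c in $checks) {
    $actual = $props.($c.Value)
    if ($null -eq $actual) {
        # Value absent: Windows applies its built-in default, so not a weakening.
        $state  = 'UNSET'
        $actual = '(not set)'
    } elseif ($actual -eq $c.Expected) {
        $state = 'OK'
    } else {
        $state = 'WEAKENED'
        $weakened++
    }
    '{0,-9} {1,-28} = {2,-9} expected {3}  # {4}' -f $state, $c.Value, $actual, $c.Expected, $c.Note
    "          $($c.Policy)"
}
if ($weakened -gt 0) {
    Write-Warning "$weakened UAC setting(s) are below the secure default; results from this machine are not comparable to a UAC-enabled test."
} else {
    'UAC is at the secure defaults.'
}
```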

Curt@invincea
Sandboxie Lead Developer
Posts: 1666
Joined: Fri Jan 17, 2014 5:21 pm

Re: Sandbox bypassed or..?

Post by Curt@invincea » Fri Mar 20, 2015 5:03 pm

I just did it again with exactly those settings in Win 7-32. If the sandbox is deleted properly, I can reinstall Akvis and it goes back to the 10 day evaluation. I can see exactly what they are doing and it in no way bypasses the sandbox.

Try again, and make sure the sandbox is completely deleted.

JoeHood
Posts: 178
Joined: Sat Apr 12, 2014 12:51 pm

Re: Sandbox bypassed or..?

Post by JoeHood » Fri Mar 20, 2015 5:12 pm

I have done it twice in 8.1 64-bit (sandbox completely deleted); both times the same: the counter is set to less than 10 days.

JoeHood
Posts: 178
Joined: Sat Apr 12, 2014 12:51 pm

Re: Sandbox bypassed or..?

Post by JoeHood » Fri Mar 20, 2015 5:25 pm

Curt@invincea wrote: 5) Changed my date back to today, splash still said "expires in 6 days"
I think that step may be the problem; don't set the clock back to today.

Curt@invincea
Sandboxie Lead Developer
Posts: 1666
Joined: Fri Jan 17, 2014 5:21 pm

Re: Sandbox bypassed or..?

Post by Curt@invincea » Fri Mar 20, 2015 7:35 pm

Ok, they are being very clever. If UAC is disabled, they are communicating with lsass.exe to get some kind of hidden date from Windows. I am not sure exactly how this date is set or what exactly it signifies. If UAC is enabled, they can't do that without prompting for elevation. I assume they don't want this prompt to pop up, so they avoid the trick with lsass.exe completely.

So if you have UAC enabled, the evaluation period will reset every time the sandbox is deleted. There is nothing escaping from the sandbox.

JoeHood
Posts: 178
Joined: Sat Apr 12, 2014 12:51 pm

Re: Sandbox bypassed or..?

Post by JoeHood » Fri Mar 20, 2015 7:40 pm

Curt@invincea wrote: So if you have UAC enabled, the evaluation period will reset every time the sandbox is deleted. There is nothing escaping from the sandbox.
And if UAC is disabled?

JoeHood
Posts: 178
Joined: Sat Apr 12, 2014 12:51 pm

Re: Sandbox bypassed or..?

Post by JoeHood » Fri Mar 20, 2015 8:05 pm

I was in airplane mode, so there was no phoning home. Everything I tested was in the sandbox. After fully deleting the sandbox, my system was changed.
danicx, RooJ and I can all replicate this, on both Win 7 and 8.1.
Curt@invincea wrote: If UAC is disabled, they are communicating with lsass.exe to get some kind of hidden date from Windows.

I would assume most time trials do this or something like this.
Curt@invincea wrote: So if you have UAC enabled, the evaluation period will reset every time the sandbox is deleted.

Yes, I get the same result with UAC enabled or even only partially disabled.
Curt@invincea wrote: There is nothing escaping from the sandbox.

IMO that is an extremely misleading way to end a post. A casual reader could assume this was a false positive.

JoeHood
Posts: 178
Joined: Sat Apr 12, 2014 12:51 pm

Re: Sandbox bypassed or..?

Post by JoeHood » Fri Mar 20, 2015 9:02 pm

@Curt: In re-reading this thread, danicx, RooJ and I all tested in 64-bit and you were in 32-bit; maybe the different results are due to that?

danicx
Posts: 65
Joined: Tue Aug 28, 2012 2:23 pm

Re: Sandbox bypassed or..?

Post by danicx » Sat Mar 21, 2015 2:13 am

I just tested it on Win 7 x32. Same problem. The counter is not reset. Curt@invincea, maybe you have some additional protection on your PC? (custom local group policy, permissions on files, folders or registry hives, or some software) I test everything on clean VMware machines and the result is always the same.

BUCKAROO
Posts: 207
Joined: Sun Oct 24, 2010 3:13 am

Re: Sandbox bypassed or..?

Post by BUCKAROO » Sat Mar 21, 2015 4:08 am

Something is stored only while Elevated. That something is read back by NoiseBuster.exe only while Elevated. Once set, it is not set again.

It survives a Restart. Afaik it is not USN journal, Prefetch, AppCompatFlags, or Spooler. It may phone home a HWID, but net can be blocked.

You can take the main program out of the sandbox, so you can delete the sandbox after testing it elevated (which will also dirty the sandbox).

danicx
Posts: 65
Joined: Tue Aug 28, 2012 2:23 pm

Re: Sandbox bypassed or..?

Post by danicx » Sat Mar 21, 2015 4:24 am

Small remark. Not only NoiseBuster; it was only a sample. Any of their programs.
