Offline Sword

Automatically created rules have errors for applications installed in sandboxie


My operating system: Win 7 Pro x64

My Security Software: Emsisoft Internet Security 10.0.0.5409 & Sandboxie (Free version) 4.18

 

For convenience, Sandboxie will be called SBIE for short in the following.

 

Consider the case that we INSTALL an application (called "APP_1.exe", for example) in SBIE.

Please note that this application is located in the "sandbox" folder, not just launched in SBIE.

Note also that SBIE supports multiple sandboxes. Here we call the sandbox in which "APP_1.exe" is located "TestBox".

In particular, "APP_1.exe" is assumed to be located in "D:\Sandbox\User\TestBox\drive\C\Program Files\APP\". We call this path the "actual" path.

 

According to the mechanism of SBIE, when we launch "APP_1.exe" in SBIE, this application will "feel" that it is located in "C:\Program Files\APP\". This path will be called the "virtual" path.

 

Consider the case that "APP_1.exe" tries to receive incoming data from a remote host. The user allows this behavior. Then an application rule will be created automatically according to the user's choice.

The problem is that:

The file path in the automatically created rule is the virtual path, not the actual path!

 

At first, I thought that a rule based on the virtual path would still work properly.

However, I found that, after such a rule is created, a firewall alert is still generated each time APP_1.exe tries to receive incoming data.

By contrast, when I manually revise the file path in the application rule to the "actual path", no alert will be generated again.

This implies that an application rule based on the virtual path cannot work properly.

 

This problem occurs in the firewall, but I am afraid that the behavior blocker may also have such a problem.

 

I think that this is not just an "incompatibility" issue.

Such a problem may be utilized by malicious applications to bypass the behavior blocker or the firewall.

So, please pay attention to this problem.

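The path mismatch described in this post, as an added example that is not part of the thread: a small Python model of Sandboxie's file redirection (the box layout is assumed from the two paths quoted in the thread) and of an exact-path allow rule, showing why a rule stored with the virtual path never matches the actual path the host sees, and how translating the process path to the rule's view makes it match. The functions `to_actual`, `to_virtual`, `rule_matches` and `alert_needed` are hypothetical names, not Emsisoft's or Sandboxie's API.

```python
# Added example, not code from the thread: models Sandboxie's file redirection
# and an exact-path firewall rule. Box layout is an assumption based on the two
# paths quoted in the thread; the rule check is a constructed stand-in.

def _norm(p: str) -> str:
    """Windows paths are case-insensitive; compare lower-cased, no trailing slash."""
    return p.replace("/", "\\").rstrip("\\").lower()

def to_actual(virtual: str, box_root: str, user: str) -> str:
    """Virtual path (what the sandboxed program sees) -> path inside the box.

    Assumed layout:  C:\\Users\\<user>\\...  ->  <box_root>\\user\\current\\...
                     <X>:\\...              ->  <box_root>\\drive\\<X>\\...
    """
    v = virtual.replace("/", "\\")
    root = box_root.rstrip("\\")
    profile = f"C:\\Users\\{user}\\"
    if v.lower().startswith(profile.lower()):
        return root + "\\user\\current\\" + v[len(profile):]
    return root + "\\drive\\" + v[0].upper() + "\\" + v[3:]

def to_virtual(actual: str, box_root: str, user: str) -> str:
    """Inverse of to_actual: path inside the box -> path the program believes."""
    a = actual.replace("/", "\\")
    root = box_root.rstrip("\\")
    cur = root + "\\user\\current\\"
    drv = root + "\\drive\\"
    if a.lower().startswith(cur.lower()):
        return f"C:\\Users\\{user}\\" + a[len(cur):]
    if a.lower().startswith(drv.lower()):
        rest = a[len(drv):]              # e.g. "C\Program Files\APP\APP_1.exe"
        return rest[0].upper() + ":\\" + rest[2:]
    return a                             # not inside this box: unchanged

def rule_matches(rule_path: str, process_path: str) -> bool:
    """An exact-path allow rule, as the automatically created rule behaves."""
    return _norm(rule_path) == _norm(process_path)

def alert_needed(rule_path: str, process_path: str, box_root: str,
                 user: str, normalize: bool = False) -> bool:
    """True when no rule matches the (actual, host-side) process path, i.e. the
    firewall would prompt again. normalize=True first translates the process
    path to the virtual view the rule was written in; editing the rule to the
    actual path, as the post describes, has the same effect."""
    seen = to_virtual(process_path, box_root, user) if normalize else process_path
    return not rule_matches(rule_path, seen)
```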

I think the problem is the way you are using Sandboxie, and your expectations thereof. If your application is that critical, get the sandbox back on C:, install the application outside of Sandboxie and run it sandboxed.


Is the application running out of "D:\Sandbox\User\TestBox\drive\C\Program Files\APP\" or "C:\Program Files\APP\"? Or, perhaps more specifically, does something such as Process Explorer show the path the executable is running out of as "C:\Program Files\APP\"? If the running process appears to be running out of "C:\Program Files\APP\" then the rule should be created for "C:\Program Files\APP\", however the rule being automatically created for "D:\Sandbox\User\TestBox\drive\C\Program Files\APP\" may be due to the way Sandboxie is redirecting filesystem access.


Is the application running out of "D:\Sandbox\User\TestBox\drive\C\Program Files\APP\" or "C:\Program Files\APP\"? Or, perhaps more specifically, does something such as Process Explorer show the path the executable is running out of as "C:\Program Files\APP\"? If the running process appears to be running out of "C:\Program Files\APP\" then the rule should be created for "C:\Program Files\APP\", however the rule being automatically created for "D:\Sandbox\User\TestBox\drive\C\Program Files\APP\" may be due to the way Sandboxie is redirecting filesystem access.

 

The application "APP_1.exe" is located in "D:\Sandbox\User\TestBox\drive\C\Program Files\APP\", and is running in "D:\Sandbox\User\TestBox\drive\C\Program Files\APP\".
 
OK, just now (the time when I type the first version of this reply), the alert is generated again for the application (the one for which I have revised the file path of the corresponding rule) running in the sandbox...
But this time, EIS itself crashes!!!!!!
 
As you can see in the screenshot in the attachment, the alert window occupies the center of my screen.
I cannot click any button on it, cannot move it (it is always in front of any other window!), cannot close it, cannot disable EIS through the menu of the tray icon !!!
Then, I find that I cannot access the Internet!
Finally, I have to restart my computer, and retype this post.
 
Why!?!?
 
I am tired of the boring firewall of EIS.
Could you, or any other staff member, help me change my EIS license to an EAM license?

post-34940-0-17557700-1434270064_thumb.png


Hi Offline Sword

 

Would you be willing to let me test your application and see what I can see? I have been running SBIE for years, and have never had an issue between SBIE and EIS. Also I have tested them against real malware, and the protection is rock solid.

 

Pete


Hi Offline Sword

 

Would you be willing to let me test your application and see what I can see? I have been running SBIE for years, and have never had an issue between SBIE and EIS. Also I have tested them against real malware, and the protection is rock solid.

 

Pete

 

Sent to you via PM.


Could you, or any other staff member, help me change my EIS license to an EAM license?

Yes, we can do that.

Peter let me know that he has still been helping you out via Private Message. If you want to wait and see if he can help you with this, then please feel free to do so, otherwise you can send me a Private Message with your license key and I can handle the conversion.


Yes, we can do that.

Peter let me know that he has still been helping you out via Private Message. If you want to wait and see if he can help you with this, then please feel free to do so, otherwise you can send me a Private Message with your license key and I can handle the conversion.

 

Thank you for your help.

I am extremely busy these days, so that I do not have enough time to discuss this issue with Peter.

I have decided to use EAM instead of EIS, but before that, I hope to do some more tests on EIS's FW so that I can provide more details to Peter. I hope these tests can be helpful for Emsi.

I plan to do these tests this weekend, if I am free at that time.

I will PM you my license key after these tests are completed.


It seems that the latest update (5532) may fix this issue.

 

Particularly, yesterday, a post in malwaretips mentioned some issues of EAM/EIS were fixed in the latest updates.

I was curious about whether this issue was also fixed.

Therefore, I installed a trial version of EIS on the virtual machine (my physical machine is running some other antivirus product).

Disappointingly, at that time I found that this problem still exists...

The version of EIS I tested at that time might be 5526.

 

However, just now I found a new post in malwaretips saying that 5532 is released.

So I launched the virtual machine, updated the version, rebooted the virtual machine, and tested it again.

The new test result is exciting.

It seems that this time the automatically added rules are based on the correct path.

 

Please see the following two screenshots. The first is for BB, and the second one is for FW.

The rules in the green boxes were automatically created yesterday. The exe files in these rules are actually located in the Sandboxie folder. So, these rules are still based on the wrong path.

By contrast, the rules in the red boxes were created today. You can see that the path is right.

 

post-34940-0-05931300-1436412691_thumb.png

post-34940-0-58365300-1436412705_thumb.png

 

Since the only difference between today and yesterday is that 5532 was released this morning, I guess this issue may be repaired by 5532. But I still need to test some other applications.


I'm glad to hear that the new version seems to have resolved the issue.

 

Em... It seems that this issue has not been completely resolved.

Consider an executable file located in the Sandbox folder. If it is launched automatically by other executable files as a child process, then 5532 can establish correct rules for it, which is shown in the screenshots in #10.

However, if it is launched manually by right clicking it and selecting the item "Run Sandboxed", then even 5532 could not create a correct rule for it.

 

The rules in the following screenshot are all created by 5532.

The rules in the red boxes contain the correct path, which corresponds to the former case mentioned above.

But the rules in the green boxes are based on the wrong path, which corresponds to the latter case above.

In particular, the executable files in the red boxes are launched as child processes by the executable file in the green boxes.

 

post-34940-0-22912200-1436447201_thumb.png

However, if it is launched manually by right clicking it and selecting the item "Run Sandboxed", then even 5532 could not create a correct rule for it.

Are you sure that it's being executed in such a way that EIS will see it running out of the folder you expect?


Are you sure that it's being executed in such a way that EIS will see it running out of the folder you expect?

 

Sorry, but I cannot fully understand your question... (maybe because I am not a native English speaker)

 

So I will provide some more details on my issue instead of directly answering your question.

 

The REAL path of the executable file "BaiduYunGuanJia.exe" in the screenshot in #12 is "C:\Sandbox\XXX\BaiduTestBox\user\current\AppData\Roaming\baidu\BaiduYunGuanjia\BaiduYunGuanJia.exe".

 

However, this executable file itself does not know it is located in this path. By contrast, when it is launched, it "believes" that it is located in "C:\Users\XXX\AppData\Roaming\baidu\BaiduYunGuanjia\BaiduYunGuanjia.exe"

 

In other words, this executable file is cheated by Sandboxie.

 

The problem is that EIS tries to create a rule for "C:\Users\XXX\AppData\Roaming\baidu\BaiduYunGuanjia\BaiduYunGuanjia.exe", which means that EIS is also cheated by Sandboxie.

 

As you can see in the following screenshot, although EIS continuously tries to create rules for "C:\Users\XXX\AppData\Roaming\baidu\BaiduYunGuanjia\BaiduYunGuanjia.exe", in fact there is no such folder. That is why I say that EIS is also cheated.

 

post-34940-0-34438700-1436519990_thumb.png

In general we have no intention of fixing this. Any workaround would be Sandboxie specific. In the end the point of Sandboxie is to virtualize the system and make processes see an environment that isn't there. As some of our components do operate as parts of the virtualized process, they too will only see the virtual view. Doing something like this requires access to kernel mode. So we don't consider it a security problem because if malware manages to enter kernel mode, it virtualizing applications on your system will be the least of your problems.


In general we have no intention of fixing this. Any workaround would be Sandboxie specific. In the end the point of Sandboxie is to virtualize the system and make processes see an environment that isn't there. As some of our components do operate as parts of the virtualized process, they too will only see the virtual view. Doing something like this requires access to kernel mode. So we don't consider it a security problem because if malware manages to enter kernel mode, it virtualizing applications on your system will be the least of your problems.

 

Thank you for your reply and the information you provided.

I guess you mean that this problem will not affect the security. Maybe you are right. (I should say that I know little about kernel or virtualization.)

 

BUT, this problem indeed affects the usability.

Since the FW cannot automatically create correct rules, it will generate an alert again and again and again each time the sandboxed application wants to establish a network connection...

Note the log events marked by red boxes in the screenshot at the bottom of this post. You can find that alerts are generated nearly every minute.

Each time a new alert appears, I select "Allow All Connections", but the alert appears again the next minute...

This is because, when I select "Allow All Connections", EIS will automatically generate a rule based on the wrong path.

It seems that such a wrong rule is unable to properly handle the sandboxed programs. This leads to the repeating alerts.

I mean, EIS creates a rule that allows all IN & OUT connections of "C:\Users\XXX\AppData\Roaming\baidu\BaiduYunGuanjia\BaiduYunGuanjia.exe", which does not exist. And when "C:\Sandbox\XXX\BaiduTestBox\user\current\AppData\Roaming\baidu\BaiduYunGuanjia\BaiduYunGuanJia.exe" wants to connect to the network, EIS cannot find a rule that MATCHES this path, so it generates alerts again.

 

A real mystery is that this issue seems to be FIXED today...

Please see the screenshot below. You can see that the event marked by the green box shows a correct rule.

Alert is no longer generated...

I cannot understand what happened, because no new version of EIS was released today, right?

 

post-34940-0-00040700-1436594548_thumb.png

 

Best regards.
