
Old BSA thread


95 replies to this topic

#51 niche99

niche99

    Frequent Member

  • Advanced user
  • 235 posts
  • Location:Aberdeen, Scotland
  •  
    Scotland

Posted 20 March 2010 - 08:44 PM

@Wonko

Would this be OK as a warning and allow to go on?


I cannot prevent and do not want to prevent Buster from going on. I am no longer interested in using Buster Sandboxie Analyzer.
As I said before, I have no problems with anyone else wanting to use his application. I just take issue with saying sandboxie is a safe environment in which to test malware behaviour.

#52 Buster_BSA

Buster_BSA

    Member

  • Developer
  • 57 posts
  •  
    Spain

Posted 20 March 2010 - 08:44 PM

Yes, I can accept I should not discuss with someone that has not probed his/her claims.

#53 niche99

niche99

    Frequent Member

  • Advanced user
  • 235 posts
  • Location:Aberdeen, Scotland
  •  
    Scotland

Posted 20 March 2010 - 09:01 PM

@Wonko

I guess everyone has now taken note of the opinions and claims by niche99 and just as he/she had the freedom to express them, each one has the freedom to choose whether to trust them and avoid reading further or continue trying to understand some more details about your app, but if you stop writing about it to "fight back" or abandon the thread, many people will get the impression that the critics were founded.

I agree, just because someone doesn't agree or has issues with how you do something is no reason to give up.

@Buster
As psc has said in the past I'm a Nightmare, but don't let that stop you.

#54 Buster_BSA

Buster_BSA

    Member

  • Developer
  • 57 posts
  •  
    Spain

Posted 20 March 2010 - 09:14 PM

@Buster
As psc has said in the past I'm a Nightmare, but don't let that stop you.


Nah, you are not a nightmare, you are just someone making claims without proofs to support them.

If you consider Sandboxie is not safe go to Sandboxie´s forum and tell that there but you will not do that because between us you don´t mind making such claims but you don´t dare to do the same in front of a whole forum. :wodoo:

#55 niche99

niche99

    Frequent Member

  • Advanced user
  • 235 posts
  • Location:Aberdeen, Scotland
  •  
    Scotland

Posted 20 March 2010 - 09:23 PM

Between us I have no need to use sandboxie.

And between us, I can still consider sandboxie not safe and still have no desire to go to the sandboxie forum, not because I don't dare to, but because it is not software that I want to use. :wodoo:

#56 Buster_BSA

Buster_BSA

    Member

  • Developer
  • 57 posts
  •  
    Spain

Posted 20 March 2010 - 09:31 PM

And between us, I can still consider sandboxie


And you can consider you can fly which doesn´t mean you can probe it or that you will dare to probe it.

#57 niche99

niche99

    Frequent Member

  • Advanced user
  • 235 posts
  • Location:Aberdeen, Scotland
  •  
    Scotland

Posted 20 March 2010 - 09:49 PM

BTW.

Just to satisfy myself, I reinstalled and used BSA as you detail in the instructions you provide. The hide driver now fails to load and run with an invalid handle message.
I did read your thread on the sandboxie forums and I note that others have had success hiding sandboxie processes, but I haven't.
You are probably not interested, so you can just chalk it off to a crazy user not installing your application correctly.

#58 Peter H

Peter H

    Newbie

  • Members
  • 14 posts
  •  
    United Kingdom

Posted 21 March 2010 - 11:28 AM

Buster Sandbox Analyzer does not provide a safe environment to test software, SandboxIE attempts to do that.

Anyone that thinks VPC, VirtualBox and Sandboxie provide a safe environment to test software (vis-à-vis malware behaviour) before installing it on a Live system is in for a BIG shock. Unless you can disassemble the software you are testing to understand exactly what its behaviour is, malware writers can easily code for detection of VPC, VirtualBox and Sandboxie and others. The software will therefore exhibit no malware behaviour in those environments. Once you have been lulled into thinking the malware is clean and install it on your live system the malware comes to life.

Sure VPC, VirtualBox and Sandboxie may be useful tools, but they are by no means SAFE in themselves.
Saying or implying that Sandboxie provides a safe environment to test whether software is malware or not is reckless behaviour, especially by giving that advice to those who know no better.


I think on the main point (Sandboxie) we agree - I'm interested in the comments regarding virtual tools for analysis - it's not something I'd come across, perhaps you could enlighten me on the risks? It may be more of an insight than I've been getting so far!

#59 Buster_BSA

Buster_BSA

    Member

  • Developer
  • 57 posts
  •  
    Spain

Posted 21 March 2010 - 11:44 AM

niche99 has a problem with concepts. He thinks safe and completely safe are the same concepts.

In informatics, what´s completely safe? Probably nothing. So from a more realistic point of view we can talk about safe security tools and unsafe ones. In the group of safe security tools we have Virtual PC, VMWare, VirtualBox, Sandboxie, ...

If anyone pretends that any of the above security tools is not secure he must present proofs of the contrary.

Saying "it´s not safe!" is not any kind of argument and even less a proof.

#60 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 21 March 2010 - 02:17 PM

Well, the good thing is that we are allowed to conditionally and speculatively think and discuss.

Let's transform what different people is now considering "facts" (on which there is no agreement) into "assumptions".

So, let's try assuming it is NOT safe. :wodoo:
This thread, the application, and everything become meaningless (in the sense that there won't be any practical result).

Now, let's try assuming it is EITHER "marginally safe" OR "reasonably safe" OR "completely safe".
This thread, the application and everything acquire meanings (in the sense that there will be some practical results), and the thread can go on.

Please consider that we are NOT "bound" to the initial assumption, if we assume that it is "reasonably safe", it is possible that when more info about the thingy is presented we can find out that the initial assumption was wrong and that actually the approach is EITHER "marginally safe" OR "completely safe".

In other words, the first assumption allows NOT for any increase of knowledge (it doesn't matter if this added knowledge will result in determining that the approach is actually "completely unsafe") whilst ANY of the second ones will allow for delving a bit deeper in the matter.

So, let's ALL assume that it is "reasonably safe" (even if someone doesn't agree with this, it is now a speculative assumption and as thus it can be accepted for the sake of discussion) and let's go on. :wodoo:

<_<
Wonko

#61 niche99

niche99

    Frequent Member

  • Advanced user
  • 235 posts
  • Location:Aberdeen, Scotland
  •  
    Scotland

Posted 22 March 2010 - 05:00 AM

And you can consider you can fly which doesn´t mean you can probe it or that you will dare to probe it.

Buy me a plane ticket to your country and I'll fly there. Not what you had in mind as proof? But I'll still have reached your country.

I just want to say *cough* GMER *cough*.

#62 niche99

niche99

    Frequent Member

  • Advanced user
  • 235 posts
  • Location:Aberdeen, Scotland
  •  
    Scotland

Posted 22 March 2010 - 05:13 AM

@PeterH

I think on the main point (Sandboxie) we agree - I'm interested in the comments regarding virtual tools for analysis - it's not something I'd come across, perhaps you could enlighten me on the risks? It may be more of an insight than I've been getting so far!


The problem with virtual environments is that it is possible for an application to detect if it is executing in such an environment. Once the application has determined it is in such an environment, it will not exhibit any malware behaviour. This means that analysing for malware behaviour will fail because the application is not exhibiting any malware behaviour. You may then think the application you are testing is safe to run outside a virtual environment.

The old saying: What science can invent science can circumvent, is still true.

While these tools, VMware, Sandboxie et al, are useful, it is a mistake to think they are safe.

#63 Buster_BSA

Buster_BSA

    Member

  • Developer
  • 57 posts
  •  
    Spain

Posted 22 March 2010 - 06:28 AM

The problem with virtual environments is that it is possible for an application to detect if it is executing in such an environment.

While these tools, VMware, Sandboxie et al, are useful, it is a mistake to think they are safe.


VMWare, Sandboxie etc are safe, that´s why malwares detect such environments and avoid running them.

If they were not safe they would not need to do that, would they?

If they were unsafe they only had to bypass them but they can not because they are safe.

#64 niche99

niche99

    Frequent Member

  • Advanced user
  • 235 posts
  • Location:Aberdeen, Scotland
  •  
    Scotland

Posted 22 March 2010 - 08:06 AM

VMWare, Sandboxie etc are safe, that´s why malwares detect such environments and avoid running them.

If they were not safe they would not need to do that, would they?

If they were unsafe they only had to bypass them but they can not because they are safe.


What Buster Sandbox Analyzer provides is a safe environment to test the software and get an opinion about if the software is or not malicious, something that VPC and VirtualBox can not do.


My point is that a malware application will exhibit no suspicious behaviour when it detects it is running in a sandbox, which they can do, even when you are employing stealth techniques, or are you still in denial about this? Your analyser will rightly report to the user that no suspicious behaviour was observed. What opinion should the user form? Well, they could form any opinion I guess. Equally, the user could be lulled into installing the application outside of a virtual/sandboxed environment thinking it is safe to do so. If this happens the malware has bypassed the protection offered by the virtual/sandboxed environment. Remember, not everyone runs every application all the time in these kinds of environments.

As for directly bypassing sandboxie, I assume the following information is still true, as it is still on the sandboxie website. If it is, it gives cause for concern. See:
http://www.sandboxie...?WindowsVista64

This is why I say these tools, including yours, are useful, but it is a mistake to think of them as providing safe environments. They are useful for mitigating risk, but cannot completely remove it. As you yourself state, Sandboxie is not 100% bullet proof.

I am satisfied that my application can detect it is in a sandboxed environment, even when you are employing stealth techniques, and choose what behaviour to exhibit. This means your tool will, in this case, not provide useful or even possibly misleading information about the application's behaviour.

Let me say again, I think your tool is useful to the users of Sandboxie. However, I think it is incorrect and irresponsible to refer to Buster Sandboxie Analyzer as safe. You obviously disagree.

I have no more to say on this topic.

#65 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 22 March 2010 - 09:30 AM

I have no more to say on this topic.

It's a deal! :wodoo:

:wodoo:
Wonko

#66 Buster_BSA

Buster_BSA

    Member

  • Developer
  • 57 posts
  •  
    Spain

Posted 22 March 2010 - 01:27 PM

My point is that a malware application will exhibit no suspicious behaviour when it detects it is running in a sandbox, which they can do, even when you are employing stealth techniques, or are you still in denial about this?


Of course I´m!

Provide a malware sample which will exhibit no suspicious behaviour when you have Sandboxie hidden with the tools I include in the BSA package, please.

You are talking without a proof in your hands of what you say.

#67 Buster_BSA

Buster_BSA

    Member

  • Developer
  • 57 posts
  •  
    Spain

Posted 22 March 2010 - 02:07 PM

What it´s really funny is that we started discussing that Sandboxie was not safe but now it´s agreed that Sandboxie is safe, and that´s why malware need to exhibit no suspicious behaviour when executed under its supervision.

So, at the end, it´s not a question of safe or not safe. The question is if BSA results are 100% trustable or not. And of course, BSA results are not 100% trustable but that´s something I would have agreed from the beginning.

Conclusion: We have discussed for nothing.

btw... I would not mind reading "you were right, Sandboxie is safe". (Don´t confuse that with "100% safe" or "completely safe")

#68 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 22 March 2010 - 02:19 PM

btw... I would not mind reading "you were right, Sandboxie is safe". (Don´t confuse that with "100% safe" or "completely safe")

Just for the record, I would not mind reading <_<:

Anyway, now that this completely pointless discussion has taken place and has finally come to an END, we can go on...

:wodoo:

:wodoo:

Wonko

#69 me4833

me4833

    Newbie

  • Members
  • 11 posts
  •  
    United States

Posted 27 May 2010 - 02:39 PM

Thank Goodness the "Safe/Not Safe" wars are over.

Everything needs to be seen "In Context"...

It has been enlightening tho....

I plan on using both and would really like to see if there is some program in the wild
that can detect that it is in a SandboxIE and respond differently there.

There is an article that I think might be useful on this subject

Evading the Norman SandBox Analyzer at ntsecurity.nu

http://www.ntsecurit...2007-02-27.html

Have Fun,

Jerry

#70 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 27 May 2010 - 05:58 PM

Hi Jerry, interesting article.

Would you please refer it back on virusremoval?

http://virusremoval....hread.php?tid=9

:thumbsup:

#71 me4833

me4833

    Newbie

  • Members
  • 11 posts
  •  
    United States

Posted 27 May 2010 - 08:10 PM

Done... Jerry

#72 TheK

TheK

    Frequent Member

  • Advanced user
  • 141 posts
  • Location:Germany (BW)
  •  
    Germany

Posted 27 May 2010 - 09:44 PM

I plan on using both and would really like to see if there is some program in the wild
that can detect that it is in a SandboxIE and respond differently there.


Here are a few lines of autoit code to show how easy it is to detect BSA or Sandboxie ...

#include <WinAPI.au3>

_Main()

Func _Main()
    Local $hBSA
    Local $hSB

    ; BSA's main window has class "TFormBSA" and title "Buster Sandbox Analyzer";
    ; FindWindow returns 0 when no such window exists.
    $hBSA = _WinAPI_FindWindow("TFormBSA", "Buster Sandbox Analyzer")

    If $hBSA = 0 Then
        MsgBox(0, "BSA Detector", "BSA NOT detected!")
    Else
        MsgBox(0, "BSA Detector", "BSA detected")
    EndIf

    ; Sandboxie injects SbieDll.dll into every sandboxed process, so a
    ; non-zero module handle means this process is running inside the sandbox.
    $hSB = _WinAPI_GetModuleHandle("SbieDll.dll")
    If $hSB <> 0 Then
        MsgBox(0, "BSA Detector", "SandBoxie detected!")
    Else
        MsgBox(0, "BSA Detector", "SandBoxie NOT detected!")
    EndIf
EndFunc   ;==>_Main

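A defender-side complement to TheK's snippet above and to niche99's point in post #62 that a sample which recognises its sandbox will simply do nothing: the Python script below is an added example, not code from this thread or from the BSA or Sandboxie projects. It statically scans a sample's bytes for the artifact strings such a check needs (the SbieDll.dll module name, the TFormBSA window class and the BSA window title from TheK's snippet, plus two widely known VM guest-service process names that are my own addition), in both narrow ASCII and wide UTF-16LE form, and downgrades a "no suspicious behaviour" verdict to "inconclusive" when any are present. The sample bytes are constructed inline and are not real malware.

```python
"""Static triage for sandbox-awareness indicators (added example).

A sandbox run that reports "no suspicious behaviour" is only meaningful if
the sample did not first look for the sandbox.  This scanner checks a
sample's bytes for the artifact strings such a check typically embeds and
marks a quiet run as inconclusive when they are present.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicator strings.  The first three are exactly what TheK's AutoIt snippet
# looks for; the last two are widely known VM guest-tool process names and
# are my own addition (not mentioned in the thread).
INDICATORS: Dict[str, str] = {
    "SbieDll.dll": "Sandboxie DLL injected into sandboxed processes",
    "TFormBSA": "BSA main window class",
    "Buster Sandbox Analyzer": "BSA window title",
    "VBoxService.exe": "VirtualBox guest service",
    "vmtoolsd.exe": "VMware Tools daemon",
}


@dataclass(frozen=True)
class Hit:
    indicator: str
    description: str
    offset: int
    encoding: str  # "ascii" or "utf-16le"


def scan_bytes(data: bytes) -> List[Hit]:
    """Return every indicator occurrence in the sample, in file order.

    Windows binaries store strings either as narrow (ASCII) or wide
    (UTF-16LE) text, so each indicator is searched in both encodings.
    Matching is case-insensitive; the flag only affects ASCII letters, and in
    UTF-16LE each letter is an ASCII byte followed by 0x00, so it works for
    both encodings.
    """
    hits: List[Hit] = []
    for indicator, description in INDICATORS.items():
        for enc_name, needle in (("ascii", indicator.encode("ascii")),
                                 ("utf-16le", indicator.encode("utf-16-le"))):
            for match in re.finditer(re.escape(needle), data, re.IGNORECASE):
                hits.append(Hit(indicator, description, match.start(), enc_name))
    return sorted(hits, key=lambda h: h.offset)


def triage(data: bytes, behaviour_observed: bool) -> str:
    """Combine the static scan with the sandbox's dynamic result.

    behaviour_observed is what the sandbox run reported (True if BSA or a
    comparable monitor flagged suspicious activity).  A quiet run combined
    with sandbox-awareness strings is the case niche99 describes: the sample
    may simply have declined to act, so the verdict is inconclusive rather
    than clean.
    """
    if behaviour_observed:
        return "malicious-behaviour-observed"
    if scan_bytes(data):
        return "inconclusive-evasion-indicators"
    return "no-behaviour-no-indicators"


# Constructed sample bytes (not real malware): a PE-like header, a few import
# names, the Sandboxie DLL name as a narrow string and the BSA window class as
# a wide string.
EVASIVE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00GetModuleHandleA\x00"
    + b"SbieDll.dll\x00"
    + "TFormBSA".encode("utf-16-le") + b"\x00\x00"
    + b"Hello, World!\x00"
)
CLEAN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"user32.dll\x00MessageBoxA\x00Hello\x00"

if __name__ == "__main__":
    for name, sample in (("evasive", EVASIVE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(f"{name}: {triage(sample, behaviour_observed=False)}")
        for hit in scan_bytes(sample):
            print(f"  0x{hit.offset:04x} {hit.encoding:8} {hit.indicator} ({hit.description})")
```

The useful output is the "inconclusive" state, not a clean bill of health: a sample can build these strings at run time or compare hashes of them instead of embedding them, so an empty scan does not prove the sample never looked for the sandbox. Treat the scan as one more reason to distrust a quiet run, which is exactly the gap niche99 is pointing at, and not as a replacement for looking at the code.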

#73 xpt

xpt

    Frequent Member

  • Advanced user
  • 138 posts
  •  
    Canada

Posted 21 January 2011 - 03:35 PM

Oh, come on~~~, we had a good start, and I believe BSA is an amazing, ground breaking tool that I should definitely give a try.

But the great topic ended like this? That's too~~~ sad. Had I known it before, I wouldn't have spent a second more reading those pointless arguments. Due to repeated interruptions, our guest speaker had been so worn out that he gave up the great topic entirely. Oh, come on, that's too sad.

Buster_BSA, would you continue please? I don't know if you are still watching the thread, but this is my personal effort trying to make it move forward. Please be assured that the silent majority want your writing to go on.

Oh, BTW, if you do continue, would you start it all over in another thread, so that the next person who bumped into it wouldn't need to wade through all the noises?

Thank you.

#74 Buster_BSA

Buster_BSA

    Member

  • Developer
  • 57 posts
  •  
    Spain

Posted 21 January 2011 - 06:16 PM

I still watch it and I will consider if I open another thread to explain the tool. The problem is I have much less time than I used to have.

Anyway thanks for your kind words!

#75 xpt

xpt

    Frequent Member

  • Advanced user
  • 138 posts
  •  
    Canada

Posted 21 January 2011 - 06:44 PM

Great, thanks for your response, and looking forward to it...

cheers
