Full Virtualization vs Ransomware

I was thinking a bit, wouldn’t Full Virtualization prevent ransomware malware from affecting the system without any other special rules? Till now in v5.x, even when ransomware was sandboxed and limited, it still modified user files (encrypt images for example).
In Full Virtualization, at least in theory, it shouldn’t affect anything, not even user files.
Is my thinking correct? I’m basing this on knowledge from Sandboxie…

Someone with some samples, maybe Morpheus or Wasji6, can check this and tell the status…

I haven't tested with full virt., but I did test with Partially Limited. It was allowed without problems, but with Limited it was blocked. Egemen said this was the expected behavior. If you enable HIPS then it asks for direct disk access, so I'm thinking this is allowed with Partially Limited and blocked with Limited, probably for usability reasons.

Morph is the one that gave me the sample when I tested, so I'm sure he still has one.

Well, I'm mostly looking at running CIS without HIPS (sister doesn't really know what to answer in HIPS questions), just with Sandboxing. But she works with images a lot and I want to make sure her photos are safe from ransomware junk that specifically targets image files (usually).

I tested default i.e. Partially Limited with 76 zero-day malware. I didn't get any COM or Protected Things popups with AutoSandbox (these popups were there in the previous version) & no popups with Elevated Privilege Rights too, i.e. after clicking Sandbox on the popup there were no further popups.

Are the popups eliminated with security enhancements, or are they now simply allowed (like in the previous version there was an option to allow all D+ alerts)?

COM access are handled without alerts. Most cases are covered safely for sure. There is one case mods raised which Egemen assured us is handled safely, but we would still like to know how. Good thing to test, if you have time.

The one case was an unrecognised (behavior blocked, but non-virtualised) .exe calling a trusted COM object capable of doing something unfortunate, which could be .exe or .dll (DCOM or local). We think the DLL (as it's in process) is probably covered by inheritance of security restrictions on the calling object, but this needs checking; not sure re COM calls to .exe COM servers.

Elevated privs: I would think it should ask if unrecognized - does any other mod know? See what happens if you use a disk sector editor to change a byte in a prog that definitely needs elevated privs. Past versions of CIS sometimes asked for whitelisted files; that's probably gone.

Hope this helps a bit

Mouse

Mouse1,

I again tested with app. 70 zero-day malware & no popups at all. I think popups have been eliminated & that's good.

I tested with default i.e. Partially Limited & observed that autosandbox is a lot improved, I can say terrific: almost all the malware that were autosandboxed gave an error, only 1-2 apps opened. So I wonder about the safe apps & it would be good if someone tests it against safe apps.

About the test you asked me, sorry I am not that expert to test what you have asked.

I didn’t get what you said about elevated privilege.

What I meant about elevated privilege: in the previous version when I tested & got the elevated privilege popup, I used to hit Sandbox & at times I used to get a few more popups, but with this version there are no other popups at all with elevated privilege too.

I think with default settings there are no popups at all besides the isolated i.e. autosandbox alert & the unlimited i.e. elevated privilege popup; at least here I didn't get any with a total of 2 tests, app. 150 zero-day malware.

Now going to test auto full virtualization.

Thanks, I'm sure someone else will test.

Re: Elevated privs. I was just suggesting you make a recognised file unrecognised. If you were a techie you could use a disk sector editor to change bytes at the end of an .exe (usually lots of nulls at the end of .exe's).

Please let me know what you find. Also, if possible do test it against ransomware so we know how it will react.

I am not an expert. Here is the test—

I disabled AV, all the options under File Rating Settings & set to Auto Full Virtualization.

Attached are the screenshots of KillSwitch, Hide Safe Processes, Trusted Lists, Unrecognized Files, VTRoot, HitmanPro & MBAM.

KillSwitch - You will see some malware are not rated. The malware not rated are not shown when hide safe processes is selected.

Trusted Lists - The entry VTRoot - Corel - Only this entry got into trusted lists. I guess VTRoot is the Virtual Folder of CIS, right? So is this entry in trusted lists fine or virtualization was bypassed?

VTRoot screenshot - It is the screenshot of the Program Files folder in VTRoot.

CCE Autorun is closing midway.

CCE Quick Repair - Everything is fine.

No slowdown during the test or any other probs. I don't see any newly created files/folders/entries or any other things in any location.

HitmanPro detected one threat.

MBAM too found the same threat as HitmanPro. 1 Memory Process & 1 Temp Internet File.

I haven’t run Ccleaner & haven’t restarted the system yet.

I don't see sandboxed processes in this version like in the previous version.

Restarting the system now & will post here.

Update—

I restarted the system. I Didn’t run Ccleaner.

HitmanPro & MBAM found nothing.

No malware in memory.

All the Unrecognized Files were automatically deleted. Only 1 entry is there which HitmanPro & MBAM had detected before system restart. Attached is the After Restart Unrecognized Files screenshot.

No Malware, Clean PC & no probs.

Only 1 prob CCE Autorun is closing midway. Before the test it was working fine.

Anything else you guyz wanna know? Otherwise I am going to restore the system to a clean state.

I know system is clean but I will restore it.


To make your sister extremely secure do these 2 things to DEFAULT CIS config:

  • change in BB settings from Partially Limited to Limited (it will stop all encrypting malware),
  • place a web browser in the sandbox, create a shortcut, place it on the desktop and advise your sister to use only it (as her browser). ;)

That's like 99.99% secure now. 2 simple steps.

Hi

Similar story, would like to create a virtualized browser shortcut on the desktop for the wife,
can see how to create a shortcut in the taskbar, how do I put one on the desktop?
fully expecting a glaringly obvious answer :embarassed:
thanks

Go to Tasks → Sandbox Tasks → Run Virtual, then select the box "create a shortcut on the desktop", then navigate to the browser of choice.

Hi
aha knew I’d seen it somewhere :wink:
Thanks
awesome software keeps on getting better

But will a sandboxed browser run uTorrent or eMule inside the sandbox or outside the sandbox, if you click a magnet/torrent/ED2K link in the sandboxed browser? Sandboxie had this problem and it was the reason why I had to remove the fully sandboxed browser.