In the sandbox FAQ (within this forum) it says, “Unrecognised software is automatically sandboxed using the partially limited policy by default is restricted as follows. It cannot:
- write to (ie infect) existing protected files or registry keys
- drop files in protected directories
- take some admin privileges (e.g. Debugging and driver loading)
- key log or screen grab by most known techniques
- set windows hooks without asking
- access protected COM interfaces without asking
- access non-sandboxed applications in memory
- access the internet without asking.”
My question is this: the above is what a file cannot do if sandboxed, but what can the file do if sandboxed?
It also says, “You can increase these restrictions and add operating system access restrictions (Eg UAC-type restrictions)”
Where can one find out how to do this?
Finally, some executables will only work if 'Run as Administrator'. Would I be correct in this case that if such a file is sandboxed then it will not operate/work (and, of course, in so doing take a risk)?
Assuming I know a file to be quite possibly infected, to what degree does sandboxing (50%, 75%, 99%) eliminate the possibility of infection (trojan, virus, malware, etc.) if the file is run sandboxed?
Thank you
A sandboxed file can perform any action which is not on the list of sandbox restrictions, presuming the action is allowed by:
- the currently logged-in user's account type (e.g. admin or user)
- any group policy (restrictions for groups of computers, normally set by companies, but can be applied by administrators)
- individually applied restrictions (restrictions you as the user or your computer's system administrator apply).
There are too many possible actions to list them all here, but the idea is that no allowed action should be dangerous to the typical computer system.
It also says, "You can increase these restrictions and add operating system access restrictions (Eg UAC-type restrictions)"
Where can one find out how to do this?
As the FAQ says: "You can increase these restrictions and add operating system access restrictions (Eg UAC-type restrictions) by changing the default restriction level ['treat unrecognised files as'] in Image Execution Settings under Defense plus settings."
For example, if you set the default restriction level for unrecognised files to "Limited" you will get, I think, all of the restrictions applied to a standard user (i.e. non-admin) account, even if running as an administrator.
Finally, some executables will only work if 'Run as Administrator'. Would I be correct in this case that if such a file is sandboxed then it will not operate/work (and, of course, in so doing take a risk)?
If the executable asks for admin privs by most normal methods you will get an unlimited access alert. (This is the meaning of the setting 'automatically detect installers'.) You can choose to block, allow, or continue sandboxed. If the executable does not ask via a normal method, I guess the file will be sandboxed and the action may either be silently blocked or, in a few cases, alerted.
Assuming I know a file to be quite possibly infected, to what degree does sandboxing (50%, 75%, 99%) eliminate the possibility of infection (trojan, virus, malware, etc.) if the file is run sandboxed?
CIS concentrates on damage prevention. Its ability to prevent serious forms of damage by zero-day malware is close to 100%; that's why people use it! CIS tolerates some minor effects - for example, I think it still allows files to be dropped in some non-sensitive locations. But these dropped files are themselves regarded as unrecognised, of course, and thus sandboxed or quarantined when run if executable. It tolerates these effects so that sandboxed applications remain usable while they are being submitted for analysis. (CIS 6.0 will, we hope - no promises - address the dropped-file irritation through full virtualisation.)
Hope this helps, best wishes
Mouse