Potential security issue related to autosandboxing

I have found a way to run an unknown program outside the sandbox.
These are the steps to reproduce the problem:

  1. Run an unknown licit program
  2. Answer “Don't isolate again” to the Isolated application alert
  3. Contrary to what is said in the documentation, this will NOT assign trusted status to the program but will create an exception in the autosandbox rules instead
  4. Now replace the exe file with a malicious one (obviously keeping the same name as the licit one) and run it
  5. The program will run OUTSIDE the sandbox, although the malicious exe is once again classified as unrecognized in the file list (duplicating the original entry)

I should specify that I have disabled file source tracking in the sandbox settings.

Yes, that could be an issue, but the unknown malware first needs to replace the “unknown licit” program, which would take either a) a trusted application that does it, in which case you have a trusted malicious application on the system, which is an issue in and of itself, or b) user interaction.

The other option is to have it be added to trusted applications instead, in which case it would also be excluded from HIPS, Firewall and AV depending on settings.

Perhaps the best way to deal with this is to add a Hash option to the auto-sandbox policy settings, so that the automatically added rule when you click “Don’t isolate again” is only relevant to the file in question, and if the hash changes then it’ll be sandboxed again. Such a setting would require a wish though.
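To make the difference between the two rule types concrete, here is an added example (not the product's code, and not from either poster) that models the "Don't isolate again" exception both ways: keyed by path only, as the first post describes, and keyed by path plus SHA-256, as the reply proposes. The `AutoSandboxPolicy` class, the rule store and the sample file contents are all constructed for illustration; the file replacement is simulated in a temporary directory. With a path-only rule the replaced file inherits the exception; with a hash-pinned rule the changed digest sends it back to the sandbox.

```python
"""Model of an auto-sandbox exception keyed by path vs. by path + SHA-256.

Constructed example: the policy engine, rule store and file contents are
assumptions for illustration, not the behaviour of any specific product.
"""
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large executables are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AutoSandboxPolicy:
    """Minimal auto-sandbox decision logic.

    Unknown executables are isolated unless an exception matches.
    pin_hash=False: the exception matches on path alone (path-only rule).
    pin_hash=True:  the exception also requires the file's current SHA-256
                    to equal the digest recorded when the user exempted it.
    """

    def __init__(self, pin_hash: bool) -> None:
        self.pin_hash = pin_hash
        # Resolved path -> pinned digest (None when hash pinning is off)
        self._exceptions: Dict[str, Optional[str]] = {}

    def dont_isolate_again(self, exe: Path) -> None:
        """Record the exception created by answering 'Don't isolate again'."""
        digest = sha256_of(exe) if self.pin_hash else None
        self._exceptions[str(exe.resolve())] = digest

    def decide(self, exe: Path) -> str:
        key = str(exe.resolve())
        if key not in self._exceptions:
            return "SANDBOXED"
        pinned = self._exceptions[key]
        if pinned is None:
            # Path-only rule: whatever file now sits at this path is exempt
            return "NOT SANDBOXED"
        if sha256_of(exe) == pinned:
            return "NOT SANDBOXED"
        # Contents changed since the exception was created: isolate again
        return "SANDBOXED (hash mismatch)"


def simulate(pin_hash: bool) -> List[str]:
    """Run the thread's scenario and return three decisions: before the
    exception, after it, and after the file at that path is replaced."""
    with TemporaryDirectory() as tmp:
        exe = Path(tmp) / "licit.exe"
        exe.write_bytes(b"MZ original licit program")  # constructed content
        policy = AutoSandboxPolicy(pin_hash=pin_hash)
        first = policy.decide(exe)
        policy.dont_isolate_again(exe)
        second = policy.decide(exe)
        exe.write_bytes(b"MZ different program, same name")  # replaced in place
        third = policy.decide(exe)
    return [first, second, third]


if __name__ == "__main__":
    for pin in (False, True):
        print(f"pin_hash={pin}: {simulate(pin)}")
```

Running the script prints the path-only sequence `['SANDBOXED', 'NOT SANDBOXED', 'NOT SANDBOXED']` and the hash-pinned sequence `['SANDBOXED', 'NOT SANDBOXED', 'SANDBOXED (hash mismatch)']`. The pinned variant costs one hash of the executable per launch, which is the trade-off a hash option in the policy settings would introduce.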