Hi everyone. I was testing CIS 6 against malware and then I realized that I did not know to to reset the auto sandbox. I think that resetting the sandbox only affects fully virtualized programs. Am I right about this? Is there a way to erase changes made in the auto sandbox set at restricted?
AFAIK resetting sandbox erases all changes irrespective to the level of restriction. I can’t imagine how higher level of restriction (full virtualization is the lowest) prevents erasing.
Unless you are running the fully virtualized option, the automatic sandbox is a restriction based sandbox, much like the Chromium web browser sandbox. Most people tend to thing of a sandbox as a virtual container that something is run inside. The automatic sandbox is “sandboxing” the applications by limiting the changes an unknown process can actually make to the system. As such, there is really nothing to empty or “reset”. It is reset when you restart your computer. Meaning, if a malicious process is running inside the automatic sandbox, after a system restart, the malicious process will no longer run.
There isn’t really a way to “erase” any changes made, other than manually. This is one of the reasons that many YouTube testers have felt that the automatic sandbox had failed. It does tend to leave harmless pieces of the malicious installation on the users hard drive, which are then picked up as malware by other scanners. So while CIS in fact protected the system from infection, they consider the system compromised because of these pieces that are no threat.
For more information about how the Behavioral Blocker works, which is essentially the auto-sandbox, please read the part of this section of my article entitled “Brief Overview of How the Behavioral Blocker Works”.
Ok. Now I understand that malware traces left behind from the sandbox are not dangerous. It is nice to be able to get rid of the malware traces. I tried setting the behavior blocker to fully virtualized and then testing with malware. Then I scanned with HitManPro and Malwarbytes. Nothing was left. I really like the fully virtualized mode. Is it as secure as the restricted setting?
It’s different, but certainly at least as good. Running it as fully virtualized should fully protect your computer and your files from all types of malware.
Thanks Chiron. I thought that fully virtualized was very safe. I just wanted to check. So far CIS 6 seems like a big improvement from the last version.
The only problem with running the automatic sandbox fully virtualized is that you are likely to encounter applications that will not work in the sandbox. This is why the developers chose to add this feature so it must be enabled by a registry edit, because they feel it is only appropriate for advanced users.
That makes sense. I know enough that I am not worried about any problems resulting form full virtualization. Thanks for the information HeffeD.
So when I sandbox browsers and then reset the sandbox it does not mean that all the traces are erased? Just like “Delete Sanbox” in Sandboxie.
Doesn’t all the changes are stored in C:\VTRoot ? And when the button “Reset Sandbox” is pressed all the changes are erased?
I’ve just pressed the button “Reset Sanbox” and it disappeared and all the changes I’ve done to settings of the sanboxed browser are changed. Doesn’t it mean that the browser returned to the state before the sandboxing? Then why I cannot consider the sandbox as a virtual container?
I think it is a virtual container. When you reset the sandbox it deletes all changes. When you reopen a sandboxed web browser it will open exactly like a normal browser would. Except it is safer. Is this what you wanted to know?
Don’t get the manual sandbox confused with the automatic sandbox. The manual sandbox is (and always has been) a fully virtualized environment. So yes, it is a virtual container.
The automatic sandbox however, unless you’ve enabled the fully virtualized option, is not.
And since the original question was regarding the automatic sandbox being set to Restricted, the OP is not running the automatic sandbox fully virtualized, therefore it’s not the virtual container type sandbox, but an access rights restriction sandbox. Pressing the “Reset Sandbox” button will have no effect on the automatic sandbox if it is set to Restricted, because it hasn’t put anything inside the virtualized sandbox. Instead, it has been limiting the actions any unknown applications could make to your system.
You can either read the description I’ve made a few posts earlier in the thread, or follow the link to Chiron’s article that he posted, to see how the automatic sandbox works.
Well, could you clarify then one question important for me. I adjusted the Sandbox to run browsers there and assigned restriction level as Partially Limited. Then does it mean that all the changes in these sandboxed browsers and the OS, the disks (excluding the Shared Space) are erased after restart of Windows or resetting the Sandbox?
Any changes made to an application running inside the manual sandbox are semi-persistent. They will survive a system restart, but not a sandbox reset.
I’m glad to hear that!
I wanted exactly this thing!
Thank you very much.