The VTRoot folder is created when Kiosk is launched or an app is manually sandboxed; any files created \ changed by virtualized app(s) are kept there, and it is deleted on restart or when the “reset sandbox” button is used. It’s a hidden folder, but other than that I can do anything with it (copy to \ from it, edit \ delete \ execute files there, etc). So I was wondering if I really should be able to do all this? I kinda thought that it should be accessible only by CIS \ sandboxed apps, and Shared Space is supposed to be the only link between the sandbox and the real system.
Me too, wondering the same 88)
The real question is: can other applications modify it? Remember CIS allows the user to do whatever they want, but it watches what applications do. I’ve tried to clear the folder with CCleaner but it didn’t work, but that was with an older build.
what if something from inside tries to execute something outside it ???
I think if for example file 1.exe (virtualized) tries to open Iexplore.exe (that isn’t virtualized), then Iexplore.exe (and other needed files) will be copied to sandbox and executed there, so 1.exe will use a copy of Iexplore.
At least that’s how I think it works.
But that would be the case when the program is actually running. I meant what if no virtualized app is running and some malware from inside that folder tries to communicate outside???
It wouldn’t be a very good sandbox if things inside could easily interact with things outside.
Well yeah, that’s right, but when we are talking about a full fledged security suite, why not restrict that folder, just in case? You never know, malware is always a step ahead.
But the only way malware will be in that folder is if you run it sandboxed, or use auto full virtualization, unless you yourself put it there and run it, in which case it’s considered user action and CIS won’t do anything about it… I think.
Correct, unknown applications are not allowed to modify CIS processes or directories, but the user is.
Ok, well that gives me a bit of relief ;D
Thanks !!
Is saving a text file considered user action?
I mean I opened Notepad (unvirtualized), typed a few letters and saved it in the VTRoot folder; it was successfully saved.
I think you answered your own question there…
So that’s user action, is that what you’re saying?
Ok, how about this?
I created a bat file in C:\ with 2 lines:
cd vtroot
del *.txt
and placed a bunch of txt files in vtroot.
When run, CIS said the file was isolated, but the txt files were deleted anyway. Tested on Partially Limited and Limited,
with and without Enhanced Protection Mode (I’ve got an x64 OS).
Is there something I don’t understand?
P.S. on the Restricted BB level the action actually got blocked.
Honestly I don’t see the problem of being able to change the stuff within VTRoot, as long as the items inside that folder can’t change anything outside of that folder.
A malicious program that is allowed to run outside of the sandbox could do much more damage than just changing stuff in the VTRoot folder, these items would still be reset at a restart of the computer.
So the real issue would be a malicious program within the sandbox that somehow got out, but even then it’s not the biggest of deals since we still have HIPS and Auto-sandbox to protect us, that is if the malware isn’t detected by the Anti-virus component.
So in my opinion a program changing files in the sandbox folder is okay, but a program within the sandbox changing the files outside of the sandbox folder… that is a huge security threat.
I opened a virtual firefox window and I have downloaded a malicious file from net just to test how it can affect the system. Now when I ran it, no harm was done to the system and I was satisfied.
But, later when I was searching for some files in Windows via “search”, it came up with this “downloaded malware” in it’s results, which I think is extremely dangerous. I thought the “virtualised browsing” was completely isolated, but still the downloads are saved to this “VTRoot” folder which is normally accessible to all users and all applications in windows.
PLEASE…either encrypt the folder or restrict access to the folder in some way…It is extremely dangerous to keep it available to all apps and users normally…
When a sandboxed program executes another program the other program gets sandboxed too.
The root of the system disk has never been protected by CIS. CIS allows you to add it to the protected files and folders list. After adding c:\ to the protected files and folders list try again.
Well, if we move our bat file to, let’s say, the C:\2 folder and add cd … at the top, then the same thing happens.
Also I don’t think the sandbox resets on restart: when you use the reset sandbox button, the vtroot folder is completely deleted with any contents there, but when I restart, the folder is still there.
Well, I’m not really convinced.
- It’s not normally accessible, it’s hidden and in a secure location. It could be made system via an attribute change maybe, then you get a warning. You could probably set this yourself without adverse results, not sure.
- In Sandboxes Privacy is normally protected by deletion, which will be made secure deletion soon I suspect - they have it in CSC. Maybe you could encrypt VTRoot using a separate utility - or even OS facilities. Not sure if that would work with CIS, but it might. Encryption is a nice idea.
- If you start the malware it starts virtualised, shouldn’t do any thing to the rest of the computer.
- So the only risk I can see is copying to the non-virtualised environment. Then it would be unknown if run, and the BB would nuke it.
- You can put your own restrictions on the folder I expect, using standard OS facilities, but you have to make sure this would not inhibit CIS.
- My FAQ deals with the program comms issues that have been raised, and how to control them.
- Malware in the real environment getting data from the virtual one and sending it somewhere. Well it should be unknown so behavior blocked, so that should not be possible.
- Malware in the virtual environment getting data from the real and sending it somewhere. That’s the only one I can see posing any risk at the moment. Needs more thought. Not sure if unknown visualized apps can read from non-virtual - that would be a possible restriction. Some of the advanced ways you can use CIS could control this maybe.
And please note quite a lot of the advanced ways in which you can exert greater control over sandboxed processes depend on VTRoot being optionally accessible (see my FAQ Leaks? section). Also even checking that virtualisation actually works and does not leak may depend on this too. So lots of disadvantages. Try making it ‘system’ if you want more control and see if that causes problems.
Best wishes
Mike
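To put the points above (folder attributes, OS-level permissions, and the earlier worry that VTRoot is writable by every user and every non-sandboxed program) on a concrete footing, here is an added PowerShell audit script. It is not from the thread or from Comodo, and it assumes CIS keeps the sandbox at C:\VTRoot, the path used in the batch test earlier in the thread.

```powershell
# Added example (not Comodo's code): report VTRoot's Hidden/System attributes and
# list any ACL entries that let broad groups (all users) write to or delete from it.
# Assumption: the sandbox folder is C:\VTRoot; change $VtRoot if yours differs.
$VtRoot = 'C:\VTRoot'

function Get-VtRootAudit {
    param([string]$Path = $VtRoot)

    # -Force is required because the folder carries the Hidden attribute.
    $item  = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $attrs = $item.Attributes

    # Identities that amount to "every interactive user on this machine".
    $broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'

    # Rights that allow changing or removing sandboxed files.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::Write

    $broadWrite = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    }

    [pscustomobject]@{
        Path           = $Path
        Hidden         = [bool]($attrs -band [IO.FileAttributes]::Hidden)
        System         = [bool]($attrs -band [IO.FileAttributes]::System)
        BroadWriteAces = @($broadWrite | ForEach-Object {
            "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

$audit = Get-VtRootAudit
$audit | Format-List

if ($audit.BroadWriteAces.Count -gt 0) {
    Write-Warning 'VTRoot is writable by all users: any non-sandboxed program a user runs can alter or delete sandboxed files.'
}

# Optional, as suggested in the post above: add the System attribute so CIS warns
# on changes. Test afterwards that CIS still resets and uses the sandbox normally.
# (Get-Item -LiteralPath $VtRoot -Force).Attributes = $audit_attrs = `
#     (Get-Item -LiteralPath $VtRoot -Force).Attributes -bor [IO.FileAttributes]::System
```

Run it from an elevated PowerShell prompt; the commented-out last step is left disabled because the thread itself notes that extra restrictions on VTRoot may interfere with CIS.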
c:\2 is not a standard protected folder. Please try making c:\ a protected folder and try again. If during testing you made the batch file a trusted file, then make sure to remove it from the Trusted Files list.
“Also I don’t think the sandbox resets on restart: when you use the reset sandbox button, the vtroot folder is completely deleted with any contents there, but when I restart, the folder is still there.”
Do you mean the folder is still there after resetting the sandbox, yet it is empty?