I’ve posted an article about Sandboxie, which lets you safely run suspicious or untrusted programs in a virtual space without affecting your computer. Let’s say you run a trojan in the sandbox: you’re temporarily infected and the attacker can still connect to your computer. But once you terminate the sandboxed trojan process, it kills off the attacker’s connections and your system stays free of infection. Even if you forget to terminate the sandboxed process, it will automatically be removed once you restart your computer.
The question is, how can you identify whether the suspicious file is a threat or not? If you don’t know how, I will show you how to use Sandboxie to check whether the sandboxed file is rogue software.
I’ll do a test with an Optix Pro trojan. Optix Pro is a configurable remote access tool (trojan) that gives an attacker unauthorized access to an infected computer, similar to SubSeven or BO2K. It is no longer in development and is detected by all anti-virus programs.
I ran Optix Pro trojan with Sandboxie by using my mouse to right click on the file and select “Run Sandboxed“.

On Sandboxie’s interface, I can see msiexec16.exe loaded in the process name column.

Did you notice anything suspicious? The original executable was virus.exe, and now it has turned into msiexec16.exe. If the process name changes like this, it is suspicious.
Next, let’s check out the contents of sandbox. On the menu bar, click Function -> Contents of Sandbox -> Explore Contents.

I see a folder “drive” and also 2 files, RegHive and RegHive.LOG.

From the “drive” folder, I found out that the trojan renames itself to msiexec16.exe and copies itself to C:\windows\system32.

As for the RegHive file, it is what gets mounted in the registry as a subkey. To see the RegHive file, you must load it in the Windows Registry Editor. Before you load the RegHive into your registry, you must terminate the current sandbox first; otherwise you’ll get the error message “Cannot Load RegHive: The process cannot access the file because it is being used by another process.” To terminate the current sandbox, click Function on the menu bar and select Terminate Sandboxed Process -> In Current Sandbox.
After terminating the current sandbox, you can load the RegHive in Registry Editor by going to Start -> Run and typing regedit. Select HKEY_USERS, go to File -> Load Hive and browse for the RegHive file.

Enter any key name for the RegHive. I use “sandboxie” for easy identification. Once the RegHive is loaded, a new key “sandboxie” will appear.

I checked the registry and found an entry for msiexec16.exe in one of Windows’ autorun locations, meaning that whenever Windows boots up, it will automatically run msiexec16.exe.
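The two findings above (an executable dropped into C:\windows\system32 and an autorun entry pointing at it) can be cross-checked from the sandbox artifacts alone. This added example is not part of the original post: it assumes you exported the loaded hive from regedit (File -> Export) to a .reg file and listed the files under the sandbox’s “drive” folder; the registry text and file paths below are constructed samples modelled on the post.

```python
from pathlib import PureWindowsPath

# Run/RunOnce key suffixes; the loaded hive appears as HKEY_USERS\<name>\..., so match on the suffix.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Paths relative to the sandbox "drive" folder where a dropped executable is suspicious (assumed layout).
SYSTEM_DIRS = ("c\\windows\\system32", "c\\windows")
EXE_SUFFIXES = (".exe", ".dll", ".scr", ".com")

# Constructed sample: what regedit exports for the "sandboxie" hive in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\sandboxie\Software\Microsoft\Windows\CurrentVersion\Run]
"msiexec16"="C:\\WINDOWS\\system32\\msiexec16.exe"

[HKEY_USERS\sandboxie\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""
# Constructed sample: files found under the sandbox "drive" folder.
SAMPLE_PATHS = [r"C\WINDOWS\system32\msiexec16.exe", r"C\Documents and Settings\user\Local Settings\Temp\tmp1.dat"]

def parse_reg_autoruns(reg_text):
    """Return (key, value_name, data) for every value under a Run/RunOnce key in a .reg export."""
    hits, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            continue
        if current is None or "=" not in line or not current.lower().endswith(AUTORUN_SUFFIXES):
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        data = data.strip().strip('"').replace("\\\\", "\\")   # .reg exports escape backslashes
        hits.append((current, name, data))
    return hits

def flag_dropped_files(sandbox_paths):
    """Return sandbox-relative paths of executables written into Windows system directories."""
    return [p for p in sandbox_paths
            if p.lower().endswith(EXE_SUFFIXES) and p.lower().startswith(SYSTEM_DIRS)]

def triage(reg_text, sandbox_paths):
    """Cross-reference autorun entries with dropped files; a match means the sample set up persistence."""
    dropped = flag_dropped_files(sandbox_paths)
    dropped_names = {PureWindowsPath(d).name.lower() for d in dropped}
    findings = [f"dropped executable in system directory: {d}" for d in dropped]
    for key, name, data in parse_reg_autoruns(reg_text):
        target = PureWindowsPath(data).name.lower()       # data is expected to be a bare path
        tag = "PERSISTENCE (autorun points at dropped file)" if target in dropped_names else "autorun entry"
        findings.append(f"{tag}: {key}\\{name} = {data}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_REG, SAMPLE_PATHS)))
```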

As you can see, there are plenty of reasons to treat this file as malware. You can upload it to VirusTotal to scan it with 32 antivirus engines. If none of them detects a virus, you can submit it to an anti-virus company for them to check. Here is a list of websites where you can submit a suspicious file:
1. Nicta Software Anti-Virus Technologies
2. Norman Sandbox Information
3. Computer Associates (CA)
4. ClamAV
5. Trend Micro
6. Sophos
7. VigorPro
8. Authentium Thread Matrix
9. Hauri
10. Alladin
11. F-Secure
12. Symantec
13. Kaspersky (Email to newvirus@kaspersky.com)
There are undetectable private versions of trojans being sold by trojan writers, and you won’t even know that you’re being infected and monitored. So use Sandboxie whenever you want to run email attachments, files downloaded from the Internet, or even files received from a friend.
Fantastic post!
good stuff thanks
Awesome! I’m posting this on my website right now!
I am using Sandboxie 3.42.0.0. I have not used any older versions. I am sure the protection in the older versions is just as strong and secure. But is the version before 3.38 better because of the different menu? If so I want to try it.
Just found this site…
You may have already installed Sandboxie, Anna, but the file (virus) remains in Sandboxie. Raymond “left” Sandboxie and viewed Sandboxie in the registry. That registry hive never left Sandboxie. He was demonstrating that the file made changes to the registry. Of course, you can “reenter” Sandboxie and delete the file. At no time was there a change to your system’s registry.
You can also do virus scan using your local virus scan program by simply exiting Sandboxie, going to C: drive and open the Sandboxie folder to the folder where you downloaded the file. You can then do a virus scan of the file (which is IN Sandboxie). If it shows a clean file then you can go back to Sandboxie and recover to the folder and it will be copied to your system. You can also remove the sandboxed file if you like.
Sandboxie is sorta like a virtual PC. BTW, the latest Sandboxie (v3.38) is a bit different but essentially the same. For example, there is no Function on the Menu bar BUT you can access the same content by selecting Files and Folders from the Menu.
Sandboxie is cheap — and a very useful program. Get it.
HTH,
janusz
I’m thinking of installing Sandboxie. But I’m a bit confused. If you run a file sandboxed and it contains a virus, and copies files to system32 and to the registry, then isn’t it not sandboxed, as it has copied files to other areas on your computer?
Or when you delete the sandbox does it also delete the installed files in system32/registry with it?
hello,
j’ai voulu apr
[...] and registry location is associated with the software? You can run the installer or program with Sandboxie to investigate the contents or you can also do it with registry and drive snapshot program. Other [...]
wise words ray
I too am now a preacher of sandbox – an essential app – USE EVERY TIME U RUN A DLOADED CRACK / KEYGEN GUYS!!