Odds that a sandbox could be broken

General Discussions On Sandboxing


Odds that a sandbox could be broken

Postby Danimal » Wed Dec 29, 2010 3:47 pm

What are the odds that a piece of malware could get through a sandboxed browser? I'm guessing that this is not very likely, but has it ever happened?
Danimal
 
Posts: 4
Joined: Tue Dec 28, 2010 10:38 pm
Has thanked: 0 time
Have thanks: 0 time


Re: Odds that a sandbox could be broken

Postby ieattacos » Wed Dec 29, 2010 9:45 pm

Not a very big chance; however, it is possible. For example, I could have a virtual machine with a bunch of on-demand scanners, a real-time security suite, and a sandbox inside the virtual machine. I can also have a bunch of on-demand scanners on my host PC, a real-time security suite, and the whole PC backed up on an external hard drive.

Now then, what could happen is malware could find an exploit in the sandbox, then it would get past the security suite on the virtual machine. After that it could find an exploit in the virtual machine and get onto the host, get past its security suite, and get through all its on-demand scanners. When the person tries to restore their whole system from the external hard drive, the external hard drive could fail. So any security application could get bypassed.

All that happening however is a very low chance.

So yes, malware can get past a sandbox. It can get past anything.
ieattacos
Regular Contributor
 
Posts: 402
Joined: Thu Jul 15, 2010 9:55 am
Has thanked: 27 times
Have thanks: 8 times

Re: Odds that a sandbox could be broken

Postby ZOU » Wed Dec 29, 2010 9:58 pm

I use Sandboxie all the time and have never had it happen that I am aware of. I cannot say that it is impossible for a malware author to penetrate the sandbox though.
ZOU
Global Moderator
 
Posts: 750
Joined: Thu Dec 16, 2010 7:48 pm
Has thanked: 0 time
Have thanks: 12 times
Architecture: 32bit

Re: Odds that a sandbox could be broken

Postby DigiDis » Thu Dec 30, 2010 3:37 am

I don't think there are any bulletproof sandboxes. Sandboxie seems to be the toughest to escape from, but even they admit that all is not perfect with 64-bit operating systems. The most given suggestion is to rely on a few layers of protection, like a sandbox plus a behavior blocker or HIPS just in case. Like ieattacos suggested, using virtual machines is much like using a sandbox, and cleaning VMs is much easier than cleaning the main OS. For those who just have to visit dangerous sites and seem to always get infected, I always suggest putting Ubuntu in a VM and doing everything from there. That makes for a pretty tough sandbox to escape from, since almost all malware won't even run in Linux, and then having to escape a VM makes the possibility minuscule.
DigiDis
Junior Contributor
 
Posts: 40
Joined: Sat Nov 13, 2010 1:03 am
Has thanked: 0 time
Have thanks: 5 times

Re: Odds that a sandbox could be broken

Postby BloatedElvis » Thu Dec 30, 2010 11:02 am

In the past, there's been some "proof of concept" VMware migrations demonstrated.

And there have been exploits announced (and patched) by VMware.

But, as it stands, unless shared folders is enabled, malware cannot escape the guest.
I use the method mentioned by DigiDis - Win64 host/Linux guest.

I can't speak to a sandboxed browser in Windows.
BloatedElvis
Junior Contributor
 
Posts: 32
Joined: Tue Jun 30, 2009 4:34 am
Has thanked: 0 time
Have thanks: 2 times

Re: Odds that a sandbox could be broken

Postby iPanik » Fri Dec 31, 2010 9:56 pm

Sure it might be possible to break out of a sandbox, but is it worth it?
First of all, an exploit would have to be created for any given sandbox, and the amount of people using a sandbox these days is marginal at best. It's the same problem with malware for Linux; it's simply not worth it yet.
Besides, if you actually make it out of the sandbox there is a high possibility that the user has other layers of security.
I'm a PC. I like the unpredictability.
iPanik
Regular Contributor
 
Posts: 557
Joined: Mon Jun 15, 2009 4:11 pm
Location: Denmark
Has thanked: 14 times
Have thanks: 31 times
OS: Windows 7 Professional
Architecture: 64bit

Re: Odds that a sandbox could be broken

Postby Danimal » Sat Jan 01, 2011 2:04 am

DigiDis wrote: cleaning VMs is much easier than cleaning the main OS.


Why is it easier to clean a VM?
Danimal
 
Posts: 4
Joined: Tue Dec 28, 2010 10:38 pm
Has thanked: 0 time
Have thanks: 0 time

Re: Odds that a sandbox could be broken

Postby DigiDis » Sat Jan 01, 2011 7:21 am

@Danimal, that's a good question. I was actually thinking about having a flavor of Linux in the VM, and cleaning up messes in Linux is relatively easy, especially if you still have the support of the host OS. In general, an OS in a VM behaves just like a host OS, but the fact that it is held in a virtual environment means you always have access to the host OS and only have to worry about the VM being screwed up, not the whole computer. So, you still have access to the Internet, any shared folders on the host, a computer that still boots, functions, etc. In that way you can freely concentrate on just cleaning the malware or the problem in the VM.

With programs like VMware and VirtualBox, you can create snapshots of states and then revert back to them very easily. It's like System Restore on steroids. Often if I have a certain state in a VM that is just working perfectly, I will export the VM as a virtual appliance and keep it stored as a backup. Then I can easily reload it back when I want, even side by side with the current state. Generally if one wants to play with dangerous stuff in a VM they use these tools so that reverting back happens in seconds, and there really is no need for a traditional cleanup.
DigiDis
Junior Contributor
 
Posts: 40
Joined: Sat Nov 13, 2010 1:03 am
Has thanked: 0 time
Have thanks: 5 times
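
As an added example (not part of any post in this thread), a small Python check over `VBoxManage showvminfo <vm> --machinereadable` output that flags the shared folders BloatedElvis mentions and confirms a snapshot exists to revert to, as DigiDis describes. It also checks the clipboard and drag-and-drop settings, which goes beyond the thread; the sample output and VM name are constructed, and the key names are assumed to match what VirtualBox emits.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE = '''name="browse-vm"
ostype="Ubuntu_64"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"
CurrentSnapshotName="clean-base"
'''

# key="value" lines; quotes around either side are optional.
LINE = re.compile(r'^"?([^"=]+)"?="?(.*?)"?$')
SF_NAME = "SharedFolderNameMachineMapping"
SF_PATH = "SharedFolderPathMachineMapping"


def parse(text):
    """Turn the machine-readable lines into a dict."""
    info = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def audit(text):
    """Return a list of findings about host/guest channels and rollback."""
    info = parse(text)
    findings = []
    # Shared folders give the guest a path onto the host filesystem.
    for key, value in sorted(info.items()):
        if key.startswith(SF_NAME):
            path = info.get(SF_PATH + key[len(SF_NAME):], "?")
            findings.append(f"shared folder '{value}' -> host path {path}")
    # Other host/guest channels (an addition beyond the thread).
    for key in ("clipboard", "draganddrop"):
        if info.get(key, "disabled") != "disabled":
            findings.append(f"{key} is {info[key]}")
    # Without a snapshot there is nothing to revert to after a risky session.
    if "CurrentSnapshotName" not in info:
        findings.append("no snapshot to revert to")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```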

Re: Odds that a sandbox could be broken

Postby Dieselman » Sat Jan 01, 2011 3:13 pm

Nothing is 100% effective, and yes, there are cases where malware has jumped out of a sandbox. Rare, but there are cases. That's why you need to lock down your sandbox settings to prevent this. But then again a VM is also not 100%. Malware can jump from a VM to the host machine. If you want to be secure then have a backup plan. Make an image of your HDD and keep it on an external HDD. That is the best and only effective way to be 100% secure. If your real time fails... So what. Mount a new image and you're all set.
Dieselman
 

