Alternatives for sandboxies

•Returnil Virtual System Pro

•Shadow Defender

•EvaLaze

•Attack Surface Analyzer

•Total Uninstall

31

Virtualization with EvaLaze

• Select the monitored area for files and registry

32

Virtualization with EvaLaze

•Pre-Scan

•Execute application for virtualisation

•Post-Scan

•Generating virtual application

•Test virtual application

•Free version no comparing

33

Sanboxies

•How to use Sandboxies (comparing changes, creating new sandbox, settings the attribute,...)

•How does it work ( No direct access, monitored systemobjects, security issues)

•Automated commands (prombt)

•Recovering data from the sandbox

•Analyzing sandboxie results

•Redirecting and analyzing registry results

–Regshot

34

How does Sandboxies work?

•No direct Access

–Application could not access direct to the hardware, OS is interposed

•Monitored systemobjects

–Files, drivers, registry keys, processes ....

•Securiy issues against breaking out

–Prevents seizure of programs

35

Automasition commandline

•Start selected programs in Sanbox

–Start.exe /box:MyBox /silent /wait /elevate <command>

•Stop all executed programs

–Start.exe /box:MyBox /terminate

•List all Prozess-Ids

–Start.exe /listpids | more

•Delete content of sandbox

–Start.exe /box:MeineBox delete_sandbox

•.......

36

Recovery in Sandboxie

•Rudimentary

–Sanboxie-Control > right click > show content

•Quick recovery

–Sandbox-Menu > Sandbox > quick recovery

•Immediate Recovery

37

Analyse of Sandboxie Results

•Buster Sandbox-Analyzer (BSA), v.1.53 (29. march 2012) Malware-Analyse

•http://bsa.isoftware.nl/bsa.rar

http://www.sandboxie.com/phpbb/viewtopic.

php?t=6557

38

Redirecting Registry

•Seperate Registry

–Root folder sandboxies RegHive and RegHives.LOG

•Mount Registry

•Rerouting path

–U der HKEY_USERS > KeyRootPath

–Default: HKEY_USERS\ Sandbox_<USername>_<Sandboxname> or \ REGISTRY\USER\Sandbox_%USER%_%SANDBOX%

39

Redirecting Registry

•HKLM\Software\NewKey is reroutet to

<KeyRootPath>\machine\Software\NewKey

•HKCU\Software\NewKey is reroutet to

<KeyRootPath>\user\current\Software\NewKey

•Similar with subkeys from HKLM\ and HKCU\ to machine and reroutet to user\current

•HKCR is not reroutet to user\current_classes

•Key user\current\software\classes is a symbolic Link to user\current_classes.

40