Important Question About Spyware/Virus: Can .MP4 Files Be Infected?


  1. Posts : 655
    Windows 10 Home
       #31

    Compumind said:
    @bo elam -

    Which do you prefer:

    Windows Sandbox or the latest Sandboxie?

    Just curious.

    Hi Compumind. I am a Sandboxie junkie; for me to choose something over Sandboxie, it would have to be something really special. At this point in time, there is nothing that I would gain by replacing Sandboxie with anything that's available. Certainly, replacing Sandboxie with the Windows Sandbox would be a loss; I wouldn't gain anything.

    Let me explain real quick. Sandboxie has been around since 2004. When I started using SBIE in 2008, the program was already mature, stable. It has been a very solid program for many years. On the other hand, the Windows Sandbox as I understand it (I never tested it, only read what other people say about it), is unstable, certainly not mature yet, and before it becomes solid and mature, years have to pass by. So, on one hand you have SBIE, mature and stable. On the other side, the Windows Sandbox that by all accounts is not stable.

    Let's talk Sandbox Settings. Sandboxie has many settings. The Windows Sandbox has none. With Sandboxie you can recover files, with the Windows Sandbox you cannot. To use a program of this kind for everyday use, you have to be able to recover files, downloads, etc. Otherwise, in my opinion, the program is not usable or convenient. You got to have a balance between security and usability and that's what you get with SBIE.

    With Sandboxie you can tighten up the security of the sandbox as much as you want (nothing gets out) or loosen it up as much as you wish. You choose the balance. When I create a new sandbox, my goal is to strike the perfect balance between usability and security. I don't give up usability for security. And I always achieve this balance. I tighten up security as much as possible but without losing usability. I can do this because Sandboxie allows the user to create dedicated sandboxes for each program or activity. So, you might have 2 or 3 sandboxes for Firefox. One is very tight and the others are relaxed regarding security. Or you can create dedicated sandboxes for 7Zip, or Libre Office, and set these sandboxes up so no program that runs in them can connect to the internet. You can set sandboxes like that for this type of program that doesn't require access to the internet but you could not run browsers in them as they wouldn't be able to access the internet. Sandboxie gives this flexibility to create and use multiple sandboxes at the same time that you don't have in the Windows Sandbox. This flexibility allows you to have sandboxes with no internet allowed or other sandboxes where internet is allowed. Or sandboxes where all programs are allowed to run, or, you can set a sandbox where only one exe can run. That's super tight and is what Sandboxie is all about. Choice. Your choice on how tight or relaxed you want each individual sandbox.

    Sandboxing is isolation. By Sandboxie allowing users to separate programs in their own dedicated sandboxes and setting each sandbox according to the dedicated program, you are maximizing isolation and tightening up the security of each individual sandbox. You are separating programs not only from the system but from other programs as well; this is something that Sandboxie is designed for, but not the Windows Sandbox.

    Bo


  2. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #32

    @bo elam -


    Thanks for the information.
    I need to completely isolate what I am testing down to the BIOS level.

    If necessary, I could use another system but that would be a waste of resources to me.



  3. Posts : 655
    Windows 10 Home
       #33

    Compumind said:
    @bo elam -


    Thanks for the information.
    I need to completely isolate what I am testing down to the BIOS level.

    If necessary, I could use another system but that would be a waste of resources to me.

    You are welcome, Compumind. You might like to try Sandboxie. Sandboxie works better with programs that are installed on your host, and you run them sandboxed. But testing programs by installing them sandboxed, and keeping the installation in the sandbox for as long as you want, is also a purpose for using SBIE. Sandboxie is restrictive software, so it allows what needs to be allowed for programs to run sandboxed but no more than that. This does make it hard for complicated programs to run or install sandboxed. Example, programs that install drivers or services can be run sandboxed but can't be installed sandboxed.

    Right now things are looking good for Sandboxie as open source. At this point in time, the version to be on is 5.33.6, last version developed before open source. You can get the installer from this link. Easy to try, it takes 15 seconds to install/uninstall SBIE.

    Announcing Sandboxie 5.33.6 release and open source update - Sandboxie Forum - Sandboxie - Sophos Community

    If you don't want to go through the EULA stuff, I uploaded the installer here.

    TinyUpload.com - best file hosting solution, with no limits, totaly free

    Even if SBIE doesn't work for you for what you are doing now, I am certain you'll find it useful in many other ways. Think about this, I never stop using SBIE, whenever I am using the computer, I am using SBIE. The only time I don't use SBIE is when the computer is idle or I am doing updates. In other words, every activity I do with the computer is always done under Sandboxie's supervision. That's how useful this program is.

    Bo


  4. Posts : 5,048
    Windows 10/11 Pro x64, Various Linux Builds, Networking, Storage, Cybersecurity Specialty.
       #34

    bo elam said:
    Example, programs that install drivers or services can be run sandboxed but can't be installed sandboxed.

    That's the problem. I need *everything* to be sandboxed. No chance of bringing down or infecting the host.



  5. Posts : 655
    Windows 10 Home
       #35

    Compumind said:
    bo elam said:
    Example, programs that install drivers or services can be run sandboxed but can't be installed sandboxed.

    That's the problem. I need *everything* to be sandboxed. No chance of bringing down or infecting the host.

    In the early days of Sandboxie, there was a setting that you could enable that would allow drivers to be installed in the sandbox by programs that were installed in a sandbox, but it was rarely used by users. Because of that, the gain in having the setting available was little, so for security reasons it was done away with about 8 years ago.

    Bo


  6. Posts : 696
    Windows 10
    Thread Starter
       #36

    Bree said:
    If you are relying on Defender then you should enable its Potentially Unwanted Application (PUA) detection. This will detect further types of unwanted applications, the same sort that Malwarebytes detects over and above the normal viruses.

    Enable or Disable Windows Defender PUA Protection in Windows 10

    Thanks, but I'll need some time to review this as I'm not familiar with "Windows Defender PUA Protection".

    Bree said:
    You can see the contents of a .rar file by opening it in WinRar or 7-Zip File Manager. This is a safe way to see what a .rar contains as it just lists the contents, nothing will be extracted until you choose to do so.
    There are a number of example .rar files available to download. Using those I have confirmed that Windows Defender can scan inside a .rar file. Here are two sample .rar files containing a total of 9 files/folders between them. As you can see, Defender has scanned all the contents. I have tested this in both version 1909 and 1809. Again, scanning with Defender (or another scanner such as Malwarebytes) is safe as nothing gets extracted.

    Thanks very much!

    So I can scan the .RAR files that I download to my Windows 10 PC and therefore not be in any danger from potentially malicious/malware/spyware files?

    I'm only in danger if I open the .RAR files?


  7. Posts : 31,630
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #37

    NiceAndShy said:
    Thanks, but I'll need some time to review this as I'm not familiar with "Windows Defender PUA Protection".

    PUA (also called PUP by others) means potentially unwanted programs. These are a class of malware/adware that may not be strictly malicious but that can modify the behaviour of your system in unwanted ways, such as taking over your browser's homepage. An example of PUA is the Ask Toolbar. Defender does not by default detect PUA, but the signatures are already in the definitions updates. Turning on PUA detection increases the range of things Defender will protect you from.

    Some more information on what a PUA is and can do from Sophos...
    Potentially unwanted applications (PUAs) are programs that are not malicious by themselves, but which are generally considered unsuitable for most business networks. Examples include, but are not limited to, adware, dialers, remote administration tools, bundleware, downloaders, aggressive monetizing software, uninstall tools.
    What is a potentially unwanted application (PUA)? - Sophos Community

    NiceAndShy said:
    So I can scan the .RAR files that I download to my Windows 10 PC and therefore not be in any danger from potentially malicious/malware/spyware files?
    I'm only in danger if I open the .RAR files?

    Scanning a .rar with Defender or any other AV or malware scanner is safe. Nothing is extracted or run.

    You could even, if you are careful, open a .rar and extract the files it contains. The danger is not from having the files on the system, the potential risk only comes when you try to run a file you have extracted from the .rar.


  8. Posts : 696
    Windows 10
    Thread Starter
       #38

    Bree said:
    PUA (also called PUP by others) means potentially unwanted programs. These are a class of malware/adware that may not be strictly malicious but that can modify the behaviour of your system in unwanted ways, such as taking over your browser's homepage. An example of PUA is the Ask Toolbar. Defender does not by default detect PUA, but the signatures are already in the definitions updates. Turning on PUA detection increases the range of things Defender will protect you from.

    Some more information on what a PUA is and can do from Sophos...
    What is a potentially unwanted application (PUA)? - Sophos Community



    Scanning a .rar with Defender or any other AV or malware scanner is safe. Nothing is extracted or run.

    You could even, if you are careful, open a .rar and extract the files it contains. The danger is not from having the files on the system, the potential risk only comes when you try to run a file you have extracted from the .rar.

    Wow, Bree, thanks very much for bringing me some clarity to my problem!

    It's good to know that I'll be safe from these .RAR files as long as I scan them before I open them.

    I only use Windows 10's built-in antivirus and I keep it fully updated, BUT would I be better off using a 3rd party anti-virus like Norton or is this a question that just depends on people's opinions?


  9. Posts : 31,630
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #39

    NiceAndShy said:
    I only use Windows 10's built-in antivirus and I keep it fully updated, BUT would I be better off using a 3rd party anti-virus like Norton or is this a question that just depends on people's opinions?

    There are lots of people with different personal opinions, each will advocate one particular AV over the rest. Which rather goes to show that there is no strong argument for any one over all the others. It's a matter of what each person is familiar with and trusts.

    What I would say is that Defender may let through PUA/PUPs unless you enable its PUA detection. A switch to do this will actually be added to Windows Security in the soon to be released version 2004, see Option One in Brink's tutorial. For 1909 or earlier Options Two or Three can be used.


    Enable or Disable Windows Defender PUA Protection in Windows 10
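The PUA setting discussed in the posts above can also be read and switched on from an elevated PowerShell prompt with the Defender cmdlets, followed by an on-demand scan of a downloaded archive before anything is extracted. This is an added example, not part of the thread or the linked tutorial; the archive path is a hypothetical placeholder.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# $ArchivePath is a hypothetical placeholder; point it at the download to check.
param(
    [string]$ArchivePath = "$env:USERPROFILE\Downloads\example.rar"
)

# Get-MpPreference reports PUAProtection as 0 (off), 1 (block) or 2 (audit only).
$before = (Get-MpPreference).PUAProtection
Write-Host "PUAProtection before: $before"

if ($before -ne 1) {
    Set-MpPreference -PUAProtection Enabled
}

# Read the value back instead of assuming the change took effect.
$after = (Get-MpPreference).PUAProtection
if ($after -ne 1) {
    throw "PUAProtection is still $after; check whether the setting is managed elsewhere."
}
Write-Host "PUAProtection now: $after"

if (-not (Test-Path -LiteralPath $ArchivePath)) {
    Write-Host "No file at $ArchivePath; skipping scan."
    return
}

# Remember detections that already exist so only new ones are reported.
$known = @(Get-MpThreatDetection | ForEach-Object { $_.DetectionID })

# On-demand scan of the archive itself, without extracting it first.
Start-MpScan -ScanType CustomScan -ScanPath $ArchivePath

$new = @(Get-MpThreatDetection | Where-Object { $known -notcontains $_.DetectionID })
if ($new.Count -eq 0) {
    Write-Host "Defender reported no new detections for $ArchivePath"
} else {
    foreach ($d in $new) {
        # Resolve the numeric ThreatID to a readable name and show the affected paths.
        $threat = Get-MpThreat -ThreatID $d.ThreatID
        Write-Host ("Detected: {0}" -f $threat.ThreatName)
        $d.Resources | ForEach-Object { Write-Host "  $_" }
    }
}
```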


  10. Posts : 14,006
    Win10 Pro and Home, Win11 Pro and Home, Win7, Linux Mint
       #40

    Working on a lady's computer some time back I did find 3 .wma files infected with a trojan, couldn't determine where they came from but she had stored them with her iTunes downloads.


 
