Suppose we have a malicious .EXE which deletes (using the DEL command via cmd) a sensitive system file.

First, a common antivirus will analyze the file with signature detection.

Secondly, it will be sandboxed at runtime by the antivirus.

How does the antivirus sandbox it? Does it "trace" it by using a "ptrace-like" mechanism on Windows and stop the malicious .EXE from using DEL? Or does it stop the OS from creating the associated process and run the malicious .EXE on a tiny virtual machine with a tiny specific OS?

Duke Nukem

1 Answer


Sandboxes and antivirus are two separate things. AV scans a file and typically checks for "known knowns" (signatures) and heuristics of a file, whereas a sandbox executes a file in an isolated environment. As Schroeder stated, sandboxes work differently depending on what sandbox you're running.

A typical sandbox will take a snapshot of processes, connections, threads, and registry prior to running a sample, run the sample, re-take a snapshot of the processes, threads, etc., and compare the differences. The differences are then reported to you. This is the most optimal method of determining what is going on. Malicious software (if run with escalated privileges) can (sometimes) do anything an administrator can do. This means the software can modify event logs, erase files, hide connections/software, etc. With "snapshots" most sandboxes can show you the differences (before and after). HOW AV does it depends on the software; the gist is the same (comparisons).

munkeyoto
    I think you misunderstood how anti-virus software uses a sandbox and what you described is not a sandbox but a security vulnerability... – billc.cn Jul 05 '16 at 15:21
  • @billc.cn I didn't misunderstand anything. I explained what the concept of a sandbox is used for. (See a more popular one here https://cuckoosandbox.org/). AV handles sandboxing however they handle it, but AV is not a Sandbox. It (AV) may contain sandboxing capabilities, but it is best to understand the differences between the two – munkeyoto Jul 05 '16 at 15:46
  • Can you tell me more about "isolated environment"? Is it a virtual machine? How does the sandbox prevent Windows from executing the malicious .exe in its environment? – Duke Nukem Jul 06 '16 at 18:05
  • @DukeNukem again it depends on what your AV developed. They're all different. In the CUCKOO sandbox, things are executed in its own environment (operating system). – munkeyoto Jul 06 '16 at 18:42
  • I think I get it. If we take the CUCKOO sandbox for example, how does it prevent Windows from executing it directly? – Duke Nukem Jul 06 '16 at 22:00
  • @DukeNukem it doesn't prevent Windows from executing anything. It executes it on purpose to provide you with a report of what it did when it was running. – munkeyoto Jul 06 '16 at 22:02
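The before/after comparison the answer describes, as an added example that is neither the answerer's code nor Cuckoo's: it snapshots file hashes under a directory, runs a sample, snapshots again, and reports what was deleted, created or modified. The directory layout, file names and the sample (which deletes a "sensitive" file, as in the question) are constructed for the demo; a real sandbox also snapshots processes, threads, registry and connections, which this omits.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                state[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
            except OSError:
                pass  # file vanished between listing and hashing; skip it
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Report the differences between two snapshots, as the answer describes."""
    return {
        "deleted": sorted(set(before) - set(after)),
        "created": sorted(set(after) - set(before)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def observe(sample, root: Path) -> dict:
    """Snapshot, run the sample, snapshot again, and return what changed."""
    before = snapshot(root)
    sample(root)  # in a real sandbox this is the executed binary, inside an isolated OS
    after = snapshot(root)
    return diff_snapshots(before, after)


def demo() -> dict:
    """Constructed scenario: a sample that deletes a sensitive file, drops one and tampers with one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "system" / "config.sys").write_text("sensitive\n")  # constructed "system file"
        (root / "readme.txt").write_text("hello\n")

        def sample(r: Path) -> None:
            (r / "system" / "config.sys").unlink()          # the DEL from the question
            (r / "dropped.bin").write_bytes(b"\x00" * 16)   # a dropped artifact
            (r / "readme.txt").write_text("tampered\n")     # an in-place modification

        return observe(sample, root)


if __name__ == "__main__":
    print(demo())
```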