0

Say my host machine is infected and I have a sandbox program. Will that sandbox environment then be infected also?

If the answer is yes, what if I have an AV running inside of the sandbox. Will it allow for a safe sandbox environment without having to remove the malware from the host?

schroeder
  • 123,438
  • 55
  • 284
  • 319

2 Answers

1

It sounds like you are looking for concrete answers, but there are none.

If the host is infected, then it is possible that any program running on the host is also affected. But, just like any malware, it would have to be programmed to do that. Not all do.

Will antivirus allow for a safe environment anywhere? No, an antivirus provides a layer of protection, so you cannot assume that you are safe just because antivirus is running.

Can malware affect sandboxes? Yes. Is it common? No.

Can antivirus protect the sandbox? Maybe, it depends on a lot of factors.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • OK so yes, say there is malware on the host wanting to gain access to this isolated environment because it holds some important information. Say the sandbox has a factor of only having the applications which it needs to run in the environment; like, let's say we have 3 programs allowed to run, and then when we open the sandbox we notice that the 3 programs are there but there is also another program that we did not authorize, so to say we do not allow it to continue or for a user to enter their password? – RebornXD Nov 07 '18 at 20:54
  • Or to explain better, let's say I have a Raspberry Pi which serves as a sandbox/isolated environment, correct. I pre-code the Raspberry Pi to only allow write operations and no read operations from, let's say, anything that it is connected to. So let's say I perform an operation on the Raspberry Pi that I did not want anyone to see, correct, while it is not connected to a PC or anything with an internet connection. So after I have performed my operation I receive a code that is stored in my Raspberry Pi and want to send it securely to someone... I mean I guess I just answered my question – RebornXD Nov 07 '18 at 21:13
  • Continuing with the above, I guess I would just use a device such as a Raspberry Pi for my isolated environment and just delete all information I do not need anyone having access to before connecting to the internet, and for the Raspberry Pi to perform only a strict function such as, say, only sending an email to someone, not allowing a user to download anything else, connect to the web, etc. – RebornXD Nov 07 '18 at 21:15
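The check described in the first comment above (a sandbox that should only ever contain three permitted programs, and an operator who wants to notice a fourth one before typing a password) can be made mechanical. The following is an added example, not code from the question, the answers, or any particular sandbox product: it records a name-to-SHA-256 allowlist when the sandbox is provisioned, then audits the sandbox directory and reports unauthorized, modified and missing programs. The directory, the three program names and the file contents are all constructed for the demo.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(sandbox_dir: Path, permitted: list[str]) -> dict[str, str]:
    """Record name -> digest for the permitted programs at provisioning time.

    In practice this allowlist would be stored outside the sandbox (or signed),
    so that whatever gets into the sandbox cannot rewrite it.
    """
    return {name: sha256_of(sandbox_dir / name) for name in permitted}


def audit_sandbox(sandbox_dir: Path, allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current contents of the sandbox against the allowlist.

    Returns three sorted lists:
      unauthorized - present but not on the allowlist (the "fourth program" case)
      modified     - on the allowlist, but the binary no longer matches its digest
      missing      - on the allowlist, but no longer present
    Any non-empty list means the sandbox should not be trusted with credentials.
    """
    present = {p.name: p for p in sandbox_dir.iterdir() if p.is_file()}
    unauthorized = sorted(n for n in present if n not in allowlist)
    modified = sorted(
        n for n, digest in allowlist.items()
        if n in present and sha256_of(present[n]) != digest
    )
    missing = sorted(n for n in allowlist if n not in present)
    return {"unauthorized": unauthorized, "modified": modified, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three permitted programs are provisioned, then an
    unexpected fourth file appears and one permitted program is replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp)
        for name in ("editor", "mailer", "viewer"):  # hypothetical program names
            (sandbox / name).write_bytes(b"#!/bin/sh\necho " + name.encode() + b"\n")
        allowlist = build_allowlist(sandbox, ["editor", "mailer", "viewer"])

        # Simulated drift: a file the owner never installed shows up, and a
        # permitted program's contents change. Both must be flagged.
        (sandbox / "unexpected").write_bytes(b"#!/bin/sh\necho not on the list\n")
        (sandbox / "mailer").write_bytes(b"#!/bin/sh\necho replaced\n")
        return audit_sandbox(sandbox, allowlist)


if __name__ == "__main__":
    print(demo())
```

The digest comparison is what makes this more than a name check: a program that keeps its expected name but has been swapped out is reported as `modified` rather than passing because "the three programs are there".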
0

This is going to be a matter of implementation and the nature of the infection.

A separate installation running on another computer on another network typically will not share the infection unless the sandbox itself was infected at the application level and passes it along to the live installation when pushing an update.

However, where the sandbox is installed somewhere on the same network as the live version, there are things that can affect both. The less isolation you have here, the more likely an overlap is to happen. So two machines on one network may spread a self-replicating virus if you have an overly permissive setup, or something at the router level may affect both of their traffic. One machine with multiple virtual machines may also be vulnerable to the same BIOS virus but immune to most other system-level infections. One OS with minimal separation could have a varying level of vulnerability just depending on setup.

Short answer is that it's always possible, but how you isolate your sandbox makes a big difference. For the best redundancy, you want to maintain three separate environments. One live server (typically a cloud hosted server), one sandbox server (typically something local that you have a lot of control over so you can make it more-or-less inaccessible from the internet), and one backup server (typically a cloud server separate from your live server).

Backups are much harder to spread infections with because they are generally not executable. If you make a clean backup on Monday, and save an infected backup on Tuesday, Monday should still be clean. So on Wednesday when you discover that your application is compromised, you can just wipe it and pull up a clean backup from Monday and you are good to go.
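The Monday/Tuesday/Wednesday timeline in this answer relies on two properties: each day's backup is a separate, dated snapshot that later backups do not overwrite, and you can tell that a stored snapshot has not itself been altered since it was taken. The following is an added example, not code from the answer or from any backup tool: it writes dated snapshots with a SHA-256 manifest, marks the snapshot files read-only, verifies a snapshot against its manifest before trusting it, and restores the newest verified snapshot taken before the day the compromise is believed to have started. The directory layout, file names and "infected" edit are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import date
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_snapshot(live: Path, store: Path, day: date) -> Path:
    """Copy the flat live tree into store/<day>/data, write a digest manifest,
    and make the copied files read-only. Each day gets its own directory, so
    Tuesday's backup never overwrites Monday's."""
    snap = store / day.isoformat()
    data = snap / "data"
    data.mkdir(parents=True)
    manifest: dict[str, str] = {}
    for p in sorted(live.iterdir()):
        if p.is_file():
            blob = p.read_bytes()
            (data / p.name).write_bytes(blob)
            manifest[p.name] = sha256_bytes(blob)
    (snap / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    for p in data.iterdir():
        p.chmod(0o444)
    return snap


def verify_snapshot(snap: Path) -> bool:
    """True only if the snapshot holds exactly the files in its manifest and
    every file still matches its recorded digest. This detects a backup that
    was altered after it was taken; it does not know whether the content that
    was backed up was already infected (the date filter handles that)."""
    manifest = json.loads((snap / "manifest.json").read_text())
    data = snap / "data"
    if {p.name for p in data.iterdir()} != set(manifest):
        return False
    return all(sha256_bytes((data / n).read_bytes()) == d for n, d in manifest.items())


def latest_clean_snapshot(store: Path, compromised_on: date) -> Path | None:
    """Newest snapshot taken strictly before the first day the system is
    believed to have been infected, skipping any snapshot that fails verification."""
    for snap in sorted(store.iterdir(), reverse=True):
        if date.fromisoformat(snap.name) < compromised_on and verify_snapshot(snap):
            return snap
    return None


def restore(snap: Path, live: Path) -> None:
    """Wipe the live tree and copy the snapshot's files back (modes are not copied)."""
    for p in live.iterdir():
        if p.is_file():
            p.unlink()
    for p in (snap / "data").iterdir():
        shutil.copyfile(p, live / p.name)


def demo() -> dict[str, object]:
    """Constructed timeline from the answer: clean on Monday (2018-11-05),
    infected on Tuesday (2018-11-06), discovered on Wednesday. Also shows that
    a stored snapshot which is tampered with afterwards fails verification."""
    with tempfile.TemporaryDirectory() as tmp:
        live, store = Path(tmp) / "live", Path(tmp) / "backups"
        live.mkdir()
        store.mkdir()
        (live / "app.py").write_text("print('hello')\n")
        take_snapshot(live, store, date(2018, 11, 5))            # Monday: clean
        (live / "app.py").write_text("print('hello')\n# constructed malicious edit\n")
        tuesday = take_snapshot(live, store, date(2018, 11, 6))  # Tuesday: infected
        # Simulated after-the-fact alteration of a stored backup.
        (tuesday / "data" / "app.py").chmod(0o644)
        (tuesday / "data" / "app.py").write_text("# altered in the backup store\n")

        chosen = latest_clean_snapshot(store, compromised_on=date(2018, 11, 6))
        assert chosen is not None
        restore(chosen, live)
        return {
            "chosen": chosen.name,
            "restored": (live / "app.py").read_text(),
            "tuesday_verifies": verify_snapshot(tuesday),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest answers "is this backup still what I wrote on that day?"; the date you pass to `latest_clean_snapshot` answers "which day do I believe was the last clean one?". Both are needed: a backup taken after the infection will verify perfectly and still be infected, which is why the cut-off is the first suspected day, not the day of discovery.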

Nosajimiki
  • 1,799
  • 6
  • 13
  • I think the OP means that the sandbox is on the host. No network involved. – schroeder Nov 05 '18 at 22:53
  • I believe you are right. I'm not sure if this falls into the scope of off topic, but it's probably best to leave this here anyway since it answers the more important question of how to mitigate the risk that he is asking about. – Nosajimiki Nov 06 '18 at 16:49