How to deny sandboxed programs write access to hard disk sectors?

Hi!
Malware can modify the boot sector of a disk, and can even install a kernel-level rootkit...
Can anything be done? Thanks.
 
Windows 10 1903 [Version 10.0.18362.175]. Sandboxie 5.31.2
Testing program: dmde.exe (DM Disk Editor and Data Recovery Software). This software does not load a driver.
 
(Drive)     \Device\HarddiskVolume10
(Drive)     \Device\HarddiskVolume15
(Drive)     \Device\HarddiskVolume16
(Drive)     \Device\HarddiskVolume4
(Drive)     \Device\HarddiskVolume7
Clsid       -------------------------------
Clsid       {C2F03A33-21F5-47FA-B4BB-156362A2F239} Immersive Shell
File/Key    -------------------------------
Image       -------------------------------
Ipc         -------------------------------
Ipc         \BaseNamedObjects\[CoreUI]-PID(1160)-TID(12580) 68eb743c-179c-4b18-8349-d12963815c0f
Ipc         \BaseNamedObjects\__ComCatalogCache__
Ipc         \BaseNamedObjects\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5}
Ipc         \BaseNamedObjects\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9}
Ipc         \BaseNamedObjects\RotHintTable
Ipc         \BaseNamedObjects\SC_AutoStartComplete
Ipc         \BaseNamedObjects\windows_shell_global_counters
Ipc         \RPC Control\actkernel
Ipc         \RPC Control\epmapper
Ipc         \RPC Control\OLE02A7E95599E162D94337A770BA57
Ipc         \Sessions\1\BaseNamedObjects\__ComCatalogCache__
Ipc         \Sessions\1\BaseNamedObjects\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5}
Ipc         \Sessions\1\BaseNamedObjects\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9}
Ipc         \Sessions\1\BaseNamedObjects\ComPlusCOMRegTable
Ipc         \Sessions\1\BaseNamedObjects\RotHintTable
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_DummyEvent_11452
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_DummyEvent_11484
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_DummyEvent_1160
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_DummyEvent_12440
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_RPCSS_SXS_READY
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_ServiceInitComplete_DcomLaunch
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_ServiceInitComplete_Mutex1
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_ServiceInitComplete_RpcEptMapper
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_ServiceInitComplete_RpcSs
Ipc         \Sessions\1\BaseNamedObjects\SboxSession
Ipc         \Sessions\1\BaseNamedObjects\SC_AutoStartComplete
Ipc         \Sessions\1\BaseNamedObjects\ScmCreatedEvent
Ipc         \Sessions\1\BaseNamedObjects\SM0:11452:120:WilError_02
Ipc         \Sessions\1\BaseNamedObjects\SM0:11452:120:WilError_02_p0
Ipc         \Sessions\1\BaseNamedObjects\SM0:11452:120:WilError_02_p0h
Ipc         \Sessions\1\BaseNamedObjects\SM0:11484:120:WilError_02
Ipc         \Sessions\1\BaseNamedObjects\SM0:11484:120:WilError_02_p0
Ipc         \Sessions\1\BaseNamedObjects\SM0:11484:120:WilError_02_p0h
Ipc         \Sessions\1\BaseNamedObjects\SM0:11484:304:WilStaging_02
Ipc         \Sessions\1\BaseNamedObjects\SM0:11484:304:WilStaging_02_p0
Ipc         \Sessions\1\BaseNamedObjects\SM0:11484:304:WilStaging_02_p0h
Ipc         \Sessions\1\BaseNamedObjects\SM0:1160:120:WilError_02
Ipc         \Sessions\1\BaseNamedObjects\SM0:1160:120:WilError_02_p0
Ipc         \Sessions\1\BaseNamedObjects\SM0:1160:120:WilError_02_p0h
Ipc         \Sessions\1\BaseNamedObjects\SM0:1160:304:WilStaging_02
Ipc         \Sessions\1\BaseNamedObjects\SM0:1160:304:WilStaging_02_p0
Ipc         \Sessions\1\BaseNamedObjects\SM0:1160:304:WilStaging_02_p0h
Ipc         \Sessions\1\BaseNamedObjects\SM0:12440:120:WilError_02
Ipc         \Sessions\1\BaseNamedObjects\SM0:12440:120:WilError_02_p0
Ipc         \Sessions\1\BaseNamedObjects\SM0:12440:120:WilError_02_p0h
Ipc         \Sessions\1\BaseNamedObjects\SM0:12440:304:WilStaging_02
Ipc         \Sessions\1\BaseNamedObjects\SM0:12440:304:WilStaging_02_p0
Ipc         \Sessions\1\BaseNamedObjects\SM0:12440:304:WilStaging_02_p0h
Ipc         \Sessions\1\BaseNamedObjects\SyncRootManager
Ipc         \Sessions\1\BaseNamedObjects\windows_shell_global_counters
Ipc      O  \BaseNamedObjects\[CoreUI]-PID(3220)-TID(7284) 7c316af8-5f85-45f3-9f57-497c76d11449
Ipc      O  \BaseNamedObjects\CoreMessagingRegistrar
Ipc      O  \BaseNamedObjects\msctf.serverDefault1
Ipc      O  \KernelObjects\MaximumCommitCondition
Ipc      O  \KnownDlls\windows.storage.dll
Ipc      O  \KnownDlls\WS2_32.dll
Ipc      O  \RPC Control\lsapolicylookup
Ipc      O  \RPC Control\lsasspirpc
Ipc      O  \RPC Control\SbieSvcPort
Ipc      O  \Security\LSA_AUTHENTICATION_INITIALIZED
Ipc      O  \Sessions\1\BaseNamedObjects\CicLoadWinStaWinSta0
Ipc      O  \Sessions\1\BaseNamedObjects\CTF.AsmListCache.FMPDefault1
Ipc      O  \Sessions\1\BaseNamedObjects\MSCTF.Asm.MutexDefault1
Ipc      O  \Sessions\1\BaseNamedObjects\MSCTF.CtfMonitorInstMutexDefault1
Ipc      O  \Sessions\1\Windows\ApiPort
Ipc      O  \Sessions\1\Windows\SharedSection
Ipc      O  \Sessions\1\Windows\Theme1891728384
Ipc      O  \Sessions\1\Windows\ThemeSection
Ipc      O  \ThemeApiPort
Ipc      O  \Windows\Theme1913631050
Pipe        -------------------------------
Pipe        ?
Pipe        \Device\00000041
Pipe        \Device\00000044
Pipe        \Device\CNG
Pipe        \Device\HarddiskVolume1
Pipe        \Device\HarddiskVolume10
Pipe        \Device\HarddiskVolume11
Pipe        \Device\HarddiskVolume12
Pipe        \Device\HarddiskVolume13
Pipe        \Device\HarddiskVolume15
Pipe        \Device\HarddiskVolume16
Pipe        \Device\HarddiskVolume2
Pipe        \Device\HarddiskVolume4
Pipe        \Device\HarddiskVolume6
Pipe        \Device\HarddiskVolume7
Pipe        \Device\HarddiskVolume9
Pipe        \Device\KsecDD
Pipe        \Device\MountPointManager
Pipe        \Device\Ndis
Pipe        \Device\NDMP1
Pipe        \Device\NDMP10
Pipe        \Device\NDMP11
Pipe        \Device\NDMP2
Pipe        \Device\NDMP3
Pipe        \Device\NDMP4
Pipe        \Device\NDMP5
Pipe        \Device\NDMP6
Pipe        \Device\NDMP7
Pipe        \Device\NDMP8
Pipe        \Device\NDMP9
WinCls      -------------------------------
WinCls   O  Shell_TrayWnd
  • Thank you for the answer. Generally, this output doesn't really matter.
    I found that this problem affects Windows 10 Enterprise x64 1903 [build 18362.175] + Sandboxie 5.31.2.
    Sandboxie does not block direct writing to the hard disk if a sandboxed program uses sector-level access (NOT TO BE CONFUSED WITH FILE-LEVEL ACCESS!!!!!)
     
    For testing purposes, I ran a disk editing tool, DMDE x64 (downloaded from https://dmde.com), in Sandboxie with default settings. As a result, DMDE was able to freely modify the boot sector! It's sad...
    Thus, in this case, Sandboxie cannot prevent any program (not only DMDE) from modifying or erasing all data on the computer via direct access to sectors.
    This is a very serious security issue.
    In Windows 10 Pro x64 1809 + Sandboxie 5.30/5.31.2 there is no such problem (direct sector writing for sandboxed programs is not allowed). And Windows 10 Enterprise x64 1903 + Sandboxie 5.30 also does not have this problem!
    P.S. Sorry for my English.
  • Hi Alex5,

    I've passed your concerns to the dev team for clarification.

    I'll update this thread when I receive a response.

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

  • Barb@Sophos said:
    I've passed your concerns to the dev team for clarification.

    How is it possible that you haven't received a clarification from the dev team after so many days, considering the potential risk of the reported vulnerability?

  • I tested the new version of Sandboxie (5.31.4), and it seems that this issue has already been resolved. When a program in Sandboxie tries to modify sectors, it gets an "Access denied" error. As it should be!

    P.S. This applies to Windows 10 Ent 1903 [18362.175]. But I don’t know how Sandboxie (5.31.4) works with the latest build of Windows 10 :)
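
A non-destructive way to check the behaviour discussed in this thread (whether a sandboxed process can obtain a write handle to a raw disk device, which is what sector-level access requires), added here as an example and not code from the thread or from Sandboxie: it asks the kernel for a read/write handle to a device such as \\.\PhysicalDrive0, reports whether that was granted, and closes the handle without writing. The device paths and the result names are assumptions; run it elevated, once outside the sandbox and once inside it, and compare.

```powershell
# Added example (not from the thread or from Sandboxie): non-destructive probe that
# requests a read/write handle to a raw disk device and reports whether it was granted.
# Nothing is read or written; the handle is closed immediately. Run elevated, once
# outside the sandbox (expected: Allowed) and once inside it (expected: Denied).
$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@
$Kernel32 = Add-Type -MemberDefinition $sig -Name 'Native' -Namespace 'RawDiskProbe' -PassThru

function Test-RawDiskWriteHandle {
    # Device path is an assumption: \\.\PhysicalDrive0 is the first disk, \\.\C: a volume.
    param([string]$DevicePath = '\\.\PhysicalDrive0')

    $GENERIC_READ_WRITE  = [uint32]3221225472   # GENERIC_READ | GENERIC_WRITE (0xC0000000)
    $SHARE_READ_WRITE    = [uint32]3            # FILE_SHARE_READ | FILE_SHARE_WRITE
    $OPEN_EXISTING       = [uint32]3
    $ERROR_ACCESS_DENIED = 5

    $handle = $Kernel32::CreateFileW($DevicePath, $GENERIC_READ_WRITE, $SHARE_READ_WRITE,
                                     [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $lastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if (-not $handle.IsInvalid) {
        $handle.Close()   # granted: close at once, never read or write through it
        return [pscustomobject]@{ Device = $DevicePath; Result = 'Allowed'; Win32Error = 0 }
    }
    # ERROR_ACCESS_DENIED is the "Access denied" outcome the thread describes for the fixed build;
    # any other code (e.g. a missing device) is reported separately so it is not mistaken for a block.
    $result = if ($lastError -eq $ERROR_ACCESS_DENIED) { 'Denied' } else { 'Error' }
    return [pscustomobject]@{ Device = $DevicePath; Result = $result; Win32Error = $lastError }
}

# Probe the first disk and every mounted drive letter; one row per device.
$targets = @('\\.\PhysicalDrive0') +
           (Get-PSDrive -PSProvider FileSystem | ForEach-Object { "\\.\$($_.Name):" })
$targets | ForEach-Object { Test-RawDiskWriteHandle -DevicePath $_ } | Format-Table -AutoSize
```

An unelevated process gets Denied from Windows itself, so only the elevated inside-versus-outside comparison says anything about the sandbox; Allowed inside the box is the condition the thread reports for 5.31.2 on 1903.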