Topic: Safezone and Sandbox vs DllInjection

floste
Re: Safezone vs DllInjection
« Reply #15 on: July 29, 2011, 05:05:18 PM »
Quote
I believe browsers are set up to allow dll injection at some level by default (avast behaviour shield employs dll injection on browsers to monitor behaviour - and every time it does trusteer rapport blocks it on my system).

It is not a property of the browsers but the way windows works:
Any program can manipulate any other program running under the same user account at the same Integrity Level in any way it wishes.

The proper and relatively simple solution would be to run the SafeZone under a different user account.  :)

Quote
I can't see why the safezone browser should be set up this way though - it doesn't want to let anything else in.
Yes, but it is not so easy to block these functions. The best way is to make windows block it for you somehow! As I said, just running it under a different user account using a service as broker would at least increase the security.

Quote
Do any other AIS users find this thread a bit disconcerting
Well, that's most likely because you do not understand the technical details ^^

Quote
or is this in reality something that malware would struggle to replicate
DllInjection is very common and already in use for:
-Displaying framerates and other info inside games
-Cheats/mods
-Spell checking
-Bypassing firewalls
-Usermode rootkits
-Keyloggers

There are many variations of the technique:
Most common for keyloggers is SetWindowsHookEx; this does not work against SafeZone.
Most common for specific targets (e.g. cheats/mods) is CreateRemoteThread; this still works.
And some more complicated variations.

So a huge percentage of programs using such techniques will not work. But they could be modified to work again^^


I would like to hear from/chat with a developer.
« Last Edit: July 29, 2011, 05:09:14 PM by floste »

Rednose
  • Bits of Freedom : https://www.bof.nl
  • Nederlandstalig Avast! forum
Re: Safezone vs DllInjection
« Reply #16 on: July 29, 2011, 05:20:35 PM »
Read my previous post :)

Petr Kurtin is the developer of SafeZone, so also the person to discuss it with :)

Greetz, Red.
OS: Win 10 / iOS 17 / Debian 12 / Tails 5
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

MAG
Re: Safezone vs DllInjection
« Reply #17 on: July 29, 2011, 06:53:13 PM »

Quote
Do any other AIS users find this thread a bit disconcerting
Well, that's most likely because you do not understand the technical details ^^


Well, yes - but I was happier in my ignorance before you posted :(

gdiloren
Re: Safezone vs DllInjection
« Reply #18 on: July 30, 2011, 05:07:54 PM »
I did not try the DLL injection because it is too complicated for me. I expect ALWIL to test it. What I found is that I have to thoroughly clear my browsing data before exiting SafeZone. Does it solve the problem? Is there still piracy?
 :P

floste
Re: Safezone vs DllInjection
« Reply #19 on: August 01, 2011, 10:50:46 PM »
Actually I thought: This will never ever work and did not even try until today.

But it seems like the so-called sandbox is all about drawing red frames but not preventing anything.

What I did: Start Process Hacker in the sandbox and do DLL injection into random processes (TrueCrypt, Firefox etc.)
Result: First attempt worked, sandbox outbreak...

This is so hilarious!

pk (Avast team)
Re: Safezone and Sandbox vs DllInjection
« Reply #20 on: August 02, 2011, 05:41:50 PM »
(edited, do some more tests)
« Last Edit: August 02, 2011, 05:52:47 PM by pk »

MAG
Re: Safezone and Sandbox vs DllInjection
« Reply #21 on: August 05, 2011, 10:34:03 AM »
(edited, do some more tests)
Any more news?
Thanks

MAG
Re: Safezone and Sandbox vs DllInjection
« Reply #22 on: August 09, 2011, 08:55:09 PM »
(edited, do some more tests)
Any conclusions yet?

MAG
Re: Safezone and Sandbox vs DllInjection
« Reply #23 on: August 12, 2011, 07:12:57 PM »
Well, after 10 days of silence I'm guessing it has not proven easy for avast to dismiss the OPs claims.

Issues with the sandbox effectiveness wouldn't be much of a problem for me. The only thing I have set up to run in the sandbox is IE9 (which I don't use anyway).

Safezone weaknesses would be more of a concern.


floste
Re: Safezone and Sandbox vs DllInjection
« Reply #24 on: August 13, 2011, 12:05:04 PM »
Quote
Well, after 10 days of silence I'm guessing it has not proven easy for avast to dismiss the OPs claims.
::) What did you expect?

At least somebody of their staff noticed. 2 weeks for a response and several months more for a fix are nothing unusual.  ;)

Quote
The only thing I have set up to run in the sandbox is IE9 (which I don't use anyway).
IE9 already has a "sandbox" when run under Vista or above. And both sandboxes amend each other very well!

MAG
Re: Safezone and Sandbox vs DllInjection
« Reply #25 on: August 14, 2011, 12:12:38 PM »
I'm wondering if there might be a different way to get something like SafeZone.

Run a tiny linux OS (loaded from CD) entirely in memory. No persistence for changes.

It's certainly quick!


MAG
Re: Safezone and Sandbox vs DllInjection
« Reply #26 on: September 15, 2011, 07:07:49 PM »
(edited, do some more tests)
Any update on this available now that a new version of avast is out?

floste
Re: Safezone and Sandbox vs DllInjection
« Reply #27 on: September 15, 2011, 09:28:35 PM »
Obviously not...

floste
Push
« Reply #28 on: January 17, 2012, 10:01:57 PM »
Push

(Nothing happened so far)

pk (Avast team)
Re: Safezone and Sandbox vs DllInjection
« Reply #29 on: January 20, 2012, 01:26:22 AM »
This was already fixed in the avast 7 version, thanks for the report.