Open 65wat opened 8 months ago
This sounds useful for security researchers or malware analysts.
Malware that detects that it is being analyzed often changes its behavior. It's possible that something behaves differently under Sandboxie's control than without it. Bad for those who want to analyze something or those who test software before using it, but good for those who run software under Sandboxie's control just to be safe in general.
Malware will most likely still be able to write to the files it created or dropped, in which case those could be overwritten with junk to hinder the analysis.
Yeah, bastik-1001, you put it quite nicely. That’s why I’d like to see that feature. I need it for malware analysis. A file I was working on dropped files in the temp folder (a .bat file and an encrypted .7z file). The program, however, exits after that (maybe because of sandbox detection) and deletes the temp files before I can copy them. Disallowing file deletion would let me keep the dropped files and analyze them independently.
Bumping this after malware was dropped on my Discord server (a friend's account got jacked and DM'ed everyone): https://www.virustotal.com/gui/file/636c7fd02475c1c9d1957e3af96a0dceefeb134b3461f1a7392a5600dd7dcbb3/behavior
Is your feature request related to a problem or use case?
Files inside the sandbox are always deleted if a malicious program running inside the sandbox deletes them. There should be an option to leave all files that the program/malware dropped inside the sandbox, thereby disallowing deletion of potentially interesting files.
Describe the solution you'd like
Add an option in box configuration to disallow the deletion of files.
Describe alternatives you've considered
Auto / Immediate Recovery is not a useful alternative for this.
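Until such a box option exists, one workaround for the problem described in this request (dropped files deleted, or overwritten with junk, before the analyst can copy them) is to poll the sandboxed temp folder from outside and copy every new or changed file on first sight. The script below is an added example written for this thread; it is not Sandboxie code and does not use any Sandboxie configuration key. It assumes the analyst knows the host path of the sandboxed folder to watch (the `watch_dir` argument) and runs this from a separate, trusted process. Because it polls, a file that lives for less than one interval can still be missed, which is exactly why an in-sandbox deletion block would be more reliable.

```python
import shutil
import tempfile
import time
from pathlib import Path


def capture_new_files(watch_dir, archive_dir, seen):
    """One polling cycle: copy every file under watch_dir that is new, or whose
    size/mtime changed since it was last archived, into archive_dir.

    `seen` maps a relative path to the list of (size, mtime_ns) fingerprints
    already archived for it; the caller keeps it between cycles. The first copy
    keeps the file's own name, later versions get a .vN suffix, so an overwrite
    with junk never clobbers the original dropped content. Returns the list of
    relative archive paths written in this cycle.
    """
    watch_dir = Path(watch_dir)
    archive_dir = Path(archive_dir)
    archived = []
    for path in sorted(watch_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(watch_dir)
        try:
            st = path.stat()
        except FileNotFoundError:
            # Deleted between directory listing and stat; nothing to save.
            continue
        fingerprint = (st.st_size, st.st_mtime_ns)
        versions = seen.setdefault(rel, [])
        if versions and versions[-1] == fingerprint:
            continue  # unchanged since last archived
        suffix = "" if not versions else f".v{len(versions) + 1}"
        dest = archive_dir / rel.with_name(rel.name + suffix)
        dest.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.copy2(path, dest)
        except (FileNotFoundError, PermissionError):
            # Vanished or locked mid-copy; the next cycle will retry.
            continue
        versions.append(fingerprint)
        archived.append(str(dest.relative_to(archive_dir)))
    return archived


def watch(watch_dir, archive_dir, interval=0.05, duration=60.0):
    """Poll watch_dir for `duration` seconds and return everything archived."""
    seen = {}
    total = []
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        total.extend(capture_new_files(watch_dir, archive_dir, seen))
        time.sleep(interval)
    return total


def demo():
    """Constructed scenario mirroring the thread: a dropper writes a .bat and a
    .7z into a temp folder, overwrites the .bat with junk, then deletes both.
    The sandbox path and file contents here are made up for the demo."""
    with tempfile.TemporaryDirectory() as work:
        drop = Path(work) / "temp"       # stands in for the sandboxed temp folder
        archive = Path(work) / "archive"  # trusted location outside the sandbox
        drop.mkdir()
        seen = {}
        (drop / "stage.bat").write_bytes(b"@echo off\r\n")
        (drop / "payload.7z").write_bytes(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16)
        first = capture_new_files(drop, archive, seen)
        (drop / "stage.bat").write_bytes(b"\x00" * 64)  # junk overwrite
        second = capture_new_files(drop, archive, seen)
        for f in drop.iterdir():                          # dropper cleans up
            f.unlink()
        third = capture_new_files(drop, archive, seen)
        return {
            "first": first,
            "second": second,
            "third": third,
            "originals_left": any(drop.iterdir()),
            "first_bat": (archive / "stage.bat").read_bytes(),
        }


if __name__ == "__main__":
    print(demo())
```

Point `watch()` at the sandboxed folder and the archive directory before launching the sample; `demo()` shows the expected outcome offline: both dropped files are archived on the first cycle, the junk overwrite lands in `stage.bat.v2` while the original `stage.bat` copy is untouched, and the final deletion leaves nothing in the watched folder but everything in the archive.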