sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0
13.88k stars 1.54k forks

False positives i.e. "NOT A VIRUS!!!!!" #95

Closed DavidXanatos closed 3 years ago

DavidXanatos commented 4 years ago

The SbieDrv.sys driver must be signed, and since the appropriate certificates are prohibitively expensive, I had to use a leaked code signing certificate I found lying around the Internets. This means some anti malware applications wrongfully flag it as potentially dangerous or a virus.

If you want SandboxiePlus to get a proper EV Code Signing Certificate, please support the project through donations. You can donate via PayPal at https://xanasoft.com/ or Patreon https://www.patreon.com/DavidXanatos

osmirog commented 4 years ago

Can you please post this on chocolatey? The VirusTotal analysis there looks pretty scary, and I saw it after I had already installed the package, so I nearly got a heart attack.

rdar-lab commented 4 years ago

Even with the proper funds, I am not sure you will be able to get an EV certificate without a registered company behind the request. A better workaround, for now, would be to create a custom CA (you can use Microsoft CA) and to generate a code signing certificate using that CA. A user who wishes to use the installer will have to first install the CA public key in his machine's root certificate authorities before installing (or the installer can do it for you). The benefit is that the chances are the package will not be flagged as a virus. The downside is that a user installing that CA on his machine will really need to trust you not to misbehave and to keep the private key of the CA very safe and secure.

quangkieu commented 4 years ago

I think the TAP network driver bundled in OpenVPN for Windows also ships its own CA publisher and installs that before the main driver. Windows shows a dialog requesting to install the custom CA.

Valinwolf commented 4 years ago

Pardon my ignorance, but is there a reason you couldn't use an SV CS cert, like the $85 one from Comodo?

DavidXanatos commented 4 years ago

Pardon my ignorance, but is there a reason you couldn't use an SV CS cert, like the $85 one from Comodo?

Yes: Microsoft would not accept it and would not counter sign the driver, hence the Windows kernel wouldn't load the driver: https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

Valinwolf commented 4 years ago

@DavidXanatos lol so as long as you're a Chinese company you can create malicious drivers, but the perfectly valid FOSS developer gets to suffer. Microsoft 10/10. 🙄

DavidXanatos commented 4 years ago

@DavidXanatos lol so as long as you're a Chinese company you can create malicious drivers, but the perfectly valid FOSS developer gets to suffer. Microsoft 10/10. 🙄

Exactly :'(

jedimasterspaz commented 4 years ago

After I told Windows Defender to allow Sandboxie, I also got a warning about the same virus being in a temp file. Is that normal?

[Screenshot 2020-10-10 10 18 16]

DavidXanatos commented 4 years ago

No, I don't think it is; the file should be created in the program folder directly.

jedimasterspaz commented 4 years ago

I talked to my wife about the code signing; she deals with that at her work. She was curious about how you did your code signing. She recommended the Eclipse Foundation that helps open source projects with code signing. https://www.eclipse.org/org/ I'm also including the https://opensource.com/resources/organizations. Lastly, I sent a request to DigiCert about getting a reduced price or donation for a cert.

Thordin commented 4 years ago

Even with the proper founds, I am not sure you will be able to get an EV certificate without a registered company behind the request. A better workaround, for now, will be to create a custom CA (you can use Microsoft CA) and to generate a code signing certificate using that CA. A user who wishes to use the installer will have to first install the CA public key on his machine's root certificate authorities before installing (or the installer can do it for you). The benefits are that most chances are that the package will not be flagged as a virus. The downside is that a user installing that CA on his machine will really need to trust you not to misbehave and to keep the private key of the CA very safe and secure.

I think this would be a better solution. Windows Defender automatically quarantines this driver and probably turns off a lot of people from using it.

DavidXanatos commented 4 years ago

Even with the proper founds, I am not sure you will be able to get an EV certificate without a registered company behind the request. A better workaround, for now, will be to create a custom CA (you can use Microsoft CA) and to generate a code signing certificate using that CA. A user who wishes to use the installer will have to first install the CA public key on his machine's root certificate authorities before installing (or the installer can do it for you). The benefits are that most chances are that the package will not be flagged as a virus. The downside is that a user installing that CA on his machine will really need to trust you not to misbehave and to keep the private key of the CA very safe and secure.

To my knowledge this won't work: MSFT does not allow a user on a system that is not in Test Mode to load code into the kernel that is not MSFT approved.

See here: https://www.geoffchappell.com/notes/windows/license/customkernelsigners.htm?tx=9 The only Windows version on which this works is the China Governmental Edition, and it requires the use of UEFI Secure Boot to pass the key to the Windows kernel. The Windows kernel does not care about the certificate store for its root of trust as far as I know.

DavidXanatos commented 4 years ago

Someone else had the same issue. Possibly the obfuscation is not good enough, or now they trigger on the modified kmdutil.exe... Could you send me the files from your temp folder for examination?

DavidXanatos commented 4 years ago

So you have an "old school" certificate for direct driver signing? Nice. Although 1.) Win 10 running with Secure Boot (unless it was an upgrade from an old W10 version) won't, to my knowledge, accept it, and 2.) https://docs.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates#what-will-happen-to-my-existing-signed-driver-packages drivers signed with it in a few months won't be accepted by Windows 10 either. So such a cert is only a solution for the next half a year or so.

jedimasterspaz commented 4 years ago

I submitted false-positive check requests to most of the anti-virus programs that listed SbieDrv.sys as bad on virustotal.com, and to Microsoft Defender too. What site would you prefer the donation to be sent through? My wife and I appreciate your work and will send you $60. I hope you are getting plenty of donations. Lastly, did you have a chance to look at the Eclipse Foundation?

Valinwolf commented 4 years ago

@DavidXanatos Correct me if I'm misinterpreting the article, but you'll have to get an EV cert and submit the code to M$?

DavidXanatos commented 4 years ago

I submitted false-positive check requests to most of the Anti-virus programs that listed SbieDrv.sys as bad, in virustotal.com, and Microsft Defender too. What sight would you prefer the donation to be sent through? My wife and I appreciate your work and will send you $60. I hope you are getting plenty of donations. Lastly, did you have a chance to look at the Eclipse Foundation?

I did not get an answer from them yet. About the donations, there is a PayPal donate button on my very incomplete website: https://xanasoft.com

@DavidXanatos Correct me if I'm misinterpreting the article, but you'll have to get an EV cert and submit the code to M$?

Yes, that's how it works now; a lot of hassle just to take away a bit more freedom from the users, but there is no easy mass-compatible way around it.

jedimasterspaz commented 4 years ago

Yes, Microsoft.

Submission details
sbiedrv.sys
Status: Completed
Submitted: Oct 15, 2020 3:05:58 PM
User Opinion: Incorrect detection
Analyst comments:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.

Have a good night, I have to get to bed. And thank you so much for working on Sandboxie. It has saved my customers from the FBI virus and a Cryptoware virus.

jedimasterspaz commented 4 years ago

Fortinet said oops and sorry. I'll keep you updated as each one says OK.

2 software companies didn't want to change their mind, so I pushed back with the Microsoft acceptance.

jedimasterspaz commented 4 years ago

I'm playing with installing Sandboxie and telling ESET NOD32 to exclude c:\program files\sandboxie\sbiedrv.sys. I got the following hit from NOD32 on the temp file we talked about earlier.

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
10/16/2020 8:41:40 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\UDD2D16.tmp ;a variant of Win32/Agent.ABZW.gen trojan;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred on a file modified by the application: C:\Windows\System32\svchost.exe (010DB07461E45B41C886192DF6FD425BA8D42D82).;1C25F411957728524F07A81256F420DF28DD1DF6;10/16/2020 7:56:30 PM

Multiple files were created and I changed the extension from tmp to txt so it would upload.

[attachment: UDD2506.txt]
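As an added example (not code from this thread or from the Sandboxie project), the following Python triage helper parses the semicolon-separated ESET export format pasted above, pulls out the flagged path, its SHA-1 and the process that wrote the file, and answers the two questions the later replies settle by hand: is the object outside the directory the product installs into, and does its hash match a file you actually shipped? The install directory is taken from the post; the "known release" hash set is a constructed placeholder that you would fill from your own release artifact.

```python
from __future__ import annotations

import csv
import io
import re
from pathlib import PureWindowsPath

# Constructed sample input: the header row ESET exports plus the single event
# row pasted in the thread (path, detection name and hashes copied from it).
ESET_LOG = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
10/16/2020 8:41:40 PM;Real-time file system protection;file;C:\WINDOWS\TEMP\UDD2D16.tmp ;a variant of Win32/Agent.ABZW.gen trojan;cleaned by deleting;NT AUTHORITY\SYSTEM;Event occurred on a file modified by the application: C:\Windows\System32\svchost.exe (010DB07461E45B41C886192DF6FD425BA8D42D82).;1C25F411957728524F07A81256F420DF28DD1DF6;10/16/2020 7:56:30 PM
"""

# Where the post says the driver is supposed to live (assumption taken from the thread).
INSTALL_DIR = r"C:\Program Files\Sandboxie"

# SHA-1 hashes of the files you shipped in the installed release. The value below
# is a constructed placeholder, NOT a real Sandboxie hash; compute it from the
# release artifact (e.g. `certutil -hashfile SbieDrv.sys SHA1`).
KNOWN_RELEASE_SHA1 = {"0000000000000000000000000000000000000000"}

# ESET's Information column names the writing process and its SHA-1 in parentheses.
_PROC_RE = re.compile(r"application:\s*(?P<proc>.+?)\s*\((?P<sha1>[0-9A-Fa-f]{40})\)")


def parse_eset_log(text: str) -> list[dict[str, str]]:
    """Parse the semicolon-separated ESET export into one dict per event.

    Values are stripped because ESET leaves a trailing space in the Object
    column (visible in the pasted line)."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def modifying_process(event: dict[str, str]) -> tuple[str, str] | None:
    """Return (process path, SHA-1) of the process that wrote the file, if logged."""
    m = _PROC_RE.search(event.get("Information", ""))
    return (m.group("proc"), m.group("sha1").upper()) if m else None


def triage(event: dict[str, str], install_dir: str, known_sha1: set[str]) -> dict:
    """Classify one real-time detection.

    A hash that matches a shipped file is our own binary, wherever it turned up
    (a copy outside the install directory is still worth reporting together with
    the process that wrote it). An unknown hash stays suspicious until someone
    compares the file with the release artifact."""
    obj = PureWindowsPath(event["Object"])
    outside = str(obj.parent).lower() != str(PureWindowsPath(install_dir)).lower()
    known = event["Hash"].upper() in {h.upper() for h in known_sha1}
    if known:
        verdict = "known release file; false positive"
        if outside:
            verdict += " (copied outside install dir)"
    else:
        verdict = "hash not in release set; treat as suspicious until compared with the release artifact"
    return {
        "object": str(obj),
        "sha1": event["Hash"].upper(),
        "detection": event["Detection"],
        "outside_install_dir": outside,
        "hash_matches_release": known,
        "written_by": modifying_process(event),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for ev in parse_eset_log(ESET_LOG):
        for key, value in triage(ev, INSTALL_DIR, KNOWN_RELEASE_SHA1).items():
            print(f"{key:>22}: {value}")
```

With the placeholder hash set the sample event comes out as "hash not in release set"; once the real SHA-1 of the shipped SbieDrv.sys is in the set, the same line is classified as a relocated copy of the driver, which is the conclusion the thread reaches a few replies later.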

DavidXanatos commented 4 years ago

As it looks, it's just the SbieDrv.sys file; not sure why it ends up in that temp location though.

quangkieu commented 4 years ago

I got the same hit in the temp folder, which is NOT where Sandboxie is stored, from Windows Defender last month or so. I could not reproduce it though.

DavidXanatos commented 4 years ago

The file posted above is just the driver; however it ended up there, it's not a reason to worry, as it's harmless.

jedimasterspaz commented 4 years ago

Eset replied with basically no cert, no pass.

jedimasterspaz commented 4 years ago

Avast said that it will continue to mark it bad because the digital signature was revoked.

ghost commented 4 years ago

I'm having issues with it working, even when allowed in Windows Defender. For a while it used to work no problem, but now all that happens is the Sandboxie icon gives me the ! and when I try to open it, it says "something something SbieDrv", basically that Windows Defender still blocks it even though it worked before, had an exception set for it and so on.

I know this post isn't at all helpful with this whole issue, but I really hope you can get that certification thingy done sometime soon. I just love Sandboxie, I've been using it for years to keep my PC safe from anything that might seem dodgy when requiring an install. Just wanting to let you know that I really appreciate you keeping the project alive!

tasty0tomato commented 4 years ago

Again, the new release is marked as a trojan in Windows Defender

nyomen commented 4 years ago

Solve this and sell that stuff for money - problem solved. I would easily pay 30-50 $ per year for this software. There are thousands of ppl out there. Get that company, solve the issue and buy what you need.... It's not that hard if you think about it.

tasty0tomato commented 4 years ago

Again, the new release is marked as a trojan in Windows Defender

I tried WD and Avira, and they didn't pass, but Kaspersky passed.

hoffor commented 4 years ago

What's the status on the EV? Not to be nosey of course, but it would be nice if there were a more transparently laid out milestone progress indicator somewhere on the funds needed for an annual EV. I would like to donate, but I do want to be sure I'm donating explicitly to the sole purpose of purchasing an EV cert for Sandboxie Plus. Maybe a GoFundMe would be more appropriate?

Tridens92 commented 4 years ago

I agree with @hoffersrc , and think it would be great if there was some sort of way to track towards a goal of an EV. I would also donate to this.

Alceatraz commented 3 years ago

Even with the proper founds, I am not sure you will be able to get an EV certificate without a registered company behind the request. A better workaround, for now, will be to create a custom CA (you can use Microsoft CA) and to generate a code signing certificate using that CA. A user who wishes to use the installer will have to first install the CA public key on his machine's root certificate authorities before installing (or the installer can do it for you). The benefits are that most chances are that the package will not be flagged as a virus. The downside is that a user installing that CA on his machine will really need to trust you not to misbehave and to keep the private key of the CA very safe and secure.

The EV cert request is very sick, I mean strict (lol). So after the cert expires, things will get really screwed.

DavidXanatos commented 3 years ago

So since we have an EV now, I can close this issue.

kristofmulier commented 3 years ago

Hi @DavidXanatos , We at Embeetle (https://embeetle.com) had the exact same problem. We're acquiring an EV-certificate from Sectigo, which should indeed solve the problem to some extent - at least the false positive flags from Windows.

However, I'm also concerned about false positives from Antivirus software (Norton/Symantec, McAfee, ...). The VT Monitor service from VirusTotal looks like a great solution (see https://www.virustotal.com/gui/monitor-overview), but it might be prohibitively expensive for commercial use.

How did you solve this (antivirus false positives) for Sandboxie?

Kind regards, Kristof Mulier

DavidXanatos commented 3 years ago

How did you solve this (antivirus false positives) for Sandboxie?

Aside from properly signing the driver and using a generic installer, I did not do anything.

IMHO: this whole anti-malware fool industry is one huge scam, and apparently with VT Monitor they advanced from selling snake oil to outright extortion.

The EU or US should make them liable for false positives.

DavidXanatos commented 3 years ago

PS: please don't expect too much from the EV cert. We have one from GlobalSign for the driver, and I tried what VT says when I sign the Sandboxie installers. The false positives went from 16 to 12 on the 32-bit installer and IIRC were unchanged on the 64-bit one, although the latter were only 1 or 2.

kristofmulier commented 3 years ago

Thank you @DavidXanatos for your quick reply 👍

We don't have installers. Our software is zipped in a .zip and a .7z file - the user can choose which one to download. I've experienced that Norton Antivirus doesn't mind the download itself, but it automatically starts to delete .exe and .pyd files (compiled Python files) as soon as you unpack the zip file.

Aside of properly signing the driver and using a generic installer, I did not do anything.

Should we use a generic installer too? Would that help our case (avoiding trigger-happy Antivirus software) - or would it make no difference?

I tried what VT says when I sign the sandboxie installers.

What did VT say? I suppose VT == VirusTotal?

Thanks a lot for your help.

DavidXanatos commented 3 years ago

@kristofmulier In my case the problem was VT == VirusTotal reporting substantially more false positives for the installer than for the files contained within it. And strangely only for the 32-bit one.

If you have problems with the files themselves, changing the installer will presumably not help. Also I don't know if you can even sign a *.pyd file.

What did VT say?

The false positives went from 16 to 12 on the 32 bit installer and iirc were unchanged on the 64 bit one, although the later were only 1 or 2

So short of complaining to the companies behind those fools that produced false positives, I don't think there is a real remedy. The certificate clearly did not impress most of them.

Presumably if you sign your files and complain to the companies, you may not need to complain each time you make a new release, as they may possibly white-list your certificate.

kristofmulier commented 3 years ago

Hi @DavidXanatos , Thanks for your reply.

If you have problems with the files themselves changing the installer will presumably not help.

That's what I actually thought - but I'm glad to have your confirmation.

I don't know if you can even sign a *.pyd file.

Ugh, that would be terrible! Norton Antivirus flags and auto-deletes all our *.pyd files. We've got hundreds of them. I've posted a StackOverflow question regarding this issue here: https://stackoverflow.com/questions/65541913/is-it-possible-to-code-sign-a-pyd-file-for-windows

Short of complaining with the companies behind those fools that produced false positives I don't think there is a real remedy.

Seems like you're right - unfortunately. I still hope there is some deliverance from the VirusTotal VT Monitor service. I'll let you know if I can figure something out.

Presumably if you sign your files and complain with the companies you may not need to complain each time you make a new release as they may possibly white-list your certificate.

That would be awesome - at least if we could sign our *.pyd files. Otherwise we're still in trouble.

Thanks for your help :-)

cuonguet commented 3 years ago

I got an EV code signing certificate and signed all my Partner Center for Windows Hardware submissions with it. I got the signed package, built and installed Sandboxie, but SbieDrv.sys does not end up as a trusted signed file and Windows refuses to load it. How do I get SbieDrv.sys trusted on Windows so that Sandboxie works? Note: I built and ran Sandboxie version 5.53.0.