Re: [Full-disclosure] Avast Antivirus

Here is your post taken from the forum, it was not really taken to
well....but, nomatter, im just stating the facts as i see them, and
hope you understand this, but, i also giving you the chance to please
try a real sandboxie, then load some bot.exe into it, and watch what
it does... would maybe explain abit better what a sandbox is about.

Then I just wondered: What is that SafeZone and how does it work?
I opened Process Explorer and noticed, that the processes run under
the same user account o.O
I tried some simple dll-injection into the browser and the first
attempt worked. This really made me laugh. <--- this is standard for
a sandbox, try SandBoxie,it is abit neater for a sandbox, and maybe
what your after
When I tried to save some screenshots I noticed that the file is
created but empty afterwards, when I place it on the system drive. But
saving to another drive was no problem at all.
Could you please tell me what this feature is supposed to prevent?

Re: Safezone vs DllInjection
From what I read and already used, SAFEZONE BROWSER is a Google
browser without toolbars that can access your info. Nothing else.
Nothing goes from out into but you can go from in to out,so that's why
they call it safezone. What's a dll injection and how do you do it?

Yes, dude they wont bother todo anything because thats actually what
you 'can' do in the safezone, is inject a dll, and then yes, it should
showup virtually tho, not actually running on your main box right...
coz, it is injection INTO the sandbox....when you use say, SandBoxie
for example, you would load the app up and, simply right-click on any
file and open within sandboxie, then, you can watch it drop and dump a
million exes, thats exactly what it is supposed to be doing, is not
letting this oout.
now, if your saying you injected, into the AV dll itself, wich, i see
nothing here of, then there would be a vuln, wich would eed attending,
but, your injecting into this safezone, wich is, what nearly every AV
nowdays comes with,simply a processkiller/sandbox, so in some cases,
it can be of use to you in making sure your safe,...
anyhow, seems like, normal functioning sandbox to me, you should have
this powers to inject anything into it, and, then trace that ll you
Cheers dude..hope you have a good time playing with sandbox, dirtying
them is definately fun :)

On 19 January 2012 22:04, Juergen Schmidt <ju@xxxxx> wrote:
On Tue, 17 Jan 2012, Floste wrote:


Avast Antivirus also comes with sandbox and a "SafeZone". But both can
be circumvented using simple dll-injection and they seem to do nothing
about it:

Maybe this post here will encourage them to fix it.

In my understanding a sandbox is not supposed to prevent you from getting
in from the outside but from escaping from the inside. So if a sandboxed
process injects a DLL in say a running IE process outside -- then we are
talking about vulns

bye, ju

Juergen Schmidt       Chefredakteur  heise Security
Heise Zeitschriften Verlag, Karl-Wiechert-Allee 10 ,   D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju@xxxxxxxxx
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Relevant Pages

  • [Full-disclosure] Avast Antivirus
    ... Avast Antivirus also comes with sandbox and a "SafeZone". ... be circumvented using simple dll-injection and they seem to do nothing ...
  • Re: dll question
    ... Is it possible to prevent loading libraries or making library calls in a process? ... I have an application and I expect a dll from a third party but I don't want the third party dll load another dll or call functions from it. ... You could run inside a sandbox (VM or a separate process as a separate user) which hasn't enough privileges to do real damage even if unauthorized code is run. ...
  • Re: Fehler einer eingebundenen DLL abfangen, als Sandbox handeln
    ... Da ich jedoch keinen Einfluss auf diese DLL habe, möchte ich zumindest die Auswirkungen auf meine Applikation begrenzen. ... die dll als ganzes wirst du nicht in einer "SandBox" laufen lassen können. ...