Cybersecurity Project: Sandboxing with Sandboxie-Plus

Last time, in my continuing saga of trying to analyze the Epic Games Store's network traffic without potentially compromising my PC, I discovered that VirtualBox wasn't a workable way to progress.
Instead, I would have to use a sandbox to isolate the program on my own PC, in order to have proper access to the necessary hardware and software resources.
After some fairly quick research, I discovered Sandboxie-Plus, a free, open-source sandbox program, and installed it on my PC. But before progressing on the topic, I decided to do a little extra research.
Trying to be Secure
One major downside of Sandboxie-Plus is that many of the privacy- and security-related features are contingent on having a supporter certificate, which requires a donation of some kind. (The website and GitHub are both vague on this, and not even the FAQ explains whether a one-time PayPal donation is enough.)
This led me to use Microsoft Copilot to gather information on how to configure Sandboxie-Plus to be as secure as it could be without the certificate, as well as how to configure logging:
Sure, here are some best practices for configuring Sandboxie-Plus considering your factors:
1. Configuring without Supporter Certificate for Privacy Mode:
While the Privacy Mode feature in Sandboxie-Plus requires a supporter certificate⁴, you can still configure Sandboxie-Plus to limit access to your data. Here's how you can do it⁴⁵:
- Go to Sandbox Options > Resource Access > Resource Access Policies.
- Enable the "Privacy Mode, block file and registry access to all locations except the generic system ones" checkbox under Access Mode.
- Dismiss the pop-up that says you just activated a supporter-only feature⁶.
2. Logging Behavior by the Sandboxed Software:
To log as much behavior by the sandboxed software as possible, you can use the Trace Log feature¹²:
- Enable Trace Log tab by opening Options menu -> Trace Logging.
- When the Trace Log tab is activated, it immediately starts to collect and display resource access information from all sandboxed programs that are running.
- At this point, perform any specific tasks that fail when done under the supervision of Sandboxie Plus.
- Finally, right-click on the collected data and select the entry named Copy Panel. This copies the collected data into the clipboard.
- You can now paste (Ctrl+V) the collected data somewhere and make it available for analysis¹².
3. Denying Sandboxed Software Unnecessary Permissions and File Access:
You can restrict the sandboxed software's unnecessary permissions and file access⁸⁹¹⁰¹¹:
- Right-click on the sandbox > Sandbox Options > Resource Access > Files > Add File/Folder.
- By default, Sandboxie doesn't allow writing to the Host system. Select Open if the program is installed outside the sandbox. Select Open for All if the program is installed inside the sandbox⁸.
- If you want to restrict network access for the apps within your sandbox, visit Access Restrictions in the General Options group. Ensure both options under Network Restrictions are enabled to prevent apps from tinkering with your network and firewall settings, or accessing network files and folders¹⁰.
Remember, these are general guidelines and the exact configuration may vary based on your specific needs and the software you are sandboxing. Always ensure to test your configuration thoroughly to ensure it works as expected and provides the necessary security. Also, keep your Sandboxie-Plus software up-to-date to benefit from the latest features and security updates.
Source: Conversation with Bing, 4/19/2024
(1) Privacy Mode | Sandboxie Documentation. https://sandboxie-plus.github.io/sandboxie-docs/PlusContent/privacy-mode.html.
(2) Privacy Mode - GitHub. https://github.com/sandboxie-plus/sandboxie-docs/blob/main/PlusContent/privacy-mode.md.
(3) Sandboxie requires a supporter certificate for boxes where supporter .... https://github.com/sandboxie-plus/Sandboxie/issues/1718.
(4) Trace logging (for Sandboxie Plus) - Sandboxie documentation. https://okrc.github.io/sandboxie-docs/PlusContent/TraceLog.html.
(5) Trace Log | Sandboxie-Plus. https://sandboxie-plus.com/tracelog/.
(6) How to restrict a program of filesystem access? #2573 - GitHub. https://github.com/sandboxie-plus/Sandboxie/discussions/2573.
(7) Resource Access Settings | Sandboxie-Plus. https://sandboxie-plus.com/sandboxie/resourceaccesssettings/.
(8) How to Run Anything You Download Securely With Sandboxie Plus for ... - MUO. https://www.makeuseof.com/windows-sandboxie-plus-guide/.
(9) Restrictions Settings | Sandboxie Documentation. https://sandboxie-plus.github.io/sandboxie-docs/Content/RestrictionsSettings.html.
(10) Trace logging (for Sandboxie Plus) - Sandboxie Documentation. https://qzlin.github.io/sandboxie-docs-site/PlusContent/TraceLog/.
(11) Privacy Mode | Sandboxie-Plus. https://sandboxie-plus.com/privacy-mode/.
Unexpected Interaction
Given my limited ability to secure the sandbox directly, I decided to use Windows Security's Controlled Folder Access setting to restrict access to the folder most likely to be altered: the hidden AppData folder.
This turned out to be a massive mistake, as it interfered with all sorts of operations inside and outside of the sandbox, including software installations.
Additionally, following Copilot's advice on the Sandboxie-Plus privacy settings revealed a new problem: the settings work, but only for five minutes.
Eventually, this led me to scrap the original sandbox and reconfigure Windows Security to be less restrictive.
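For comparison, here is the scoped way to use Controlled Folder Access (CFA) that avoids the AppData problem described above. This is an added example, not code from the original post or from Sandboxie-Plus: it starts CFA in audit mode, protects only the folders you name, allow-lists the specific executables that legitimately write there, and reads back what CFA blocked or would have blocked. It assumes Microsoft Defender is the active antivirus and the shell is elevated; the folder and executable paths in the usage lines are placeholders to replace with your own.

```powershell
# Added example (not from the original post or Sandboxie-Plus): scope Controlled Folder Access
# instead of protecting all of AppData, and find out what it actually blocked.
# Assumptions: Microsoft Defender is the active AV and this runs in an elevated PowerShell.

function Get-CfaState {
    # Current CFA mode and the protected-folder / allowed-app lists Defender holds.
    $p = Get-MpPreference
    [pscustomobject]@{
        # 0 Disabled, 1 Enabled, 2 AuditMode, 3 BlockDiskModificationOnly, 4 AuditDiskModificationOnly
        Mode    = $p.EnableControlledFolderAccess
        Folders = @($p.ControlledFolderAccessProtectedFolders)
        Apps    = @($p.ControlledFolderAccessAllowedApplications)
    }
}

function Set-CfaScoped {
    param(
        [string[]] $Folders,       # folders to add to the protected list; leave AppData out of it
        [string[]] $AllowedApps,   # full paths of executables allowed to write into protected folders
        [switch]   $AuditOnly      # AuditMode logs instead of blocking; use it for the first run
    )
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Set-MpPreference -EnableControlledFolderAccess $mode
    if ($Folders)     { Add-MpPreference -ControlledFolderAccessProtectedFolders   $Folders }
    if ($AllowedApps) { Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps }
    Get-CfaState
}

function Get-CfaEvents {
    # Event 1123 = CFA blocked a write; 1124 = audit-mode hit (would have been blocked).
    # The message names the process and the folder, which is what you need to decide between
    # allow-listing that process and dropping the folder from the protected list.
    param([int] $Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $action = if ($_.Id -eq 1123) { 'blocked' } else { 'audited' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Action  = $action
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

# Usage (placeholder paths; adjust to your machine):
# Set-CfaScoped -AuditOnly -Folders "$env:USERPROFILE\Documents\UnrealProjects" `
#               -AllowedApps "$env:USERPROFILE\Downloads\installer.exe"
# ... run the sandboxed installer, then see what would have been blocked:
# Get-CfaEvents -Hours 2 | Format-Table -AutoSize
# Only switch from audit to blocking once the audit shows nothing you rely on:
# Set-CfaScoped -Folders "$env:USERPROFILE\Documents\UnrealProjects"
```

The audit pass is the important step: CFA blocks every executable not on its allowed list, including installers, updaters and Sandboxie's own components, so enabling it blind on a folder that every program writes to produces exactly the breakage seen here. Audit first, read the 1124 events, then allow-list or narrow the folder list before turning on blocking.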
The Second Attempt
After reconfiguring Windows Security and deleting the original sandbox, I created a fresh sandbox and attempted to install the Epic Games Store (EGS) in it.
This worked, and I collected a great deal of network traffic with Wireshark in the process, which I'll analyze in the next post.
However, there was plenty of odd behavior to diagnose:
- I could access the Unreal Engine page, download UE 4.27.2, go to the plugin marketplace, and add plugins to the cart.
- I could not complete the transaction and add the plugins to my account.
- I could not load a preexisting UE 4.27 project into my instance of UE 4.27.2.
- After suspending and resuming the EGS process, I could not get EGS to properly load up the usual user interface. I could load directly to the UE page and launch it from there, but not the regular page.
Examining my Pi-hole records from that time shows that DNS queries for three Epic Games subdomains were being blocked:
- tracking.epicgames.com
- datarouter.ol.epicgames.com
- graphql.epicgames.com
Tracking seems like an obvious thing to block, but the two other subdomains were rather puzzling.
After looking through a number of forum posts (Unreal Engine dev forum, Steam forums for Fishing: Barents Sea), I discovered that datarouter.ol.epicgames.com is a general usage-data reporting endpoint. Further examination via AlienVault OTX revealed that the subdomain is associated with four malware samples:
- Win32:DropperX-gen [Drp] / ALF:SpikeAexR.MSILMVID
- Win32:Evo-gen [Susp]
- Win32:Malware-gen
- MSIL:Agent-DRD [Trj] / Backdoor:MSIL/Bladabindi.AJ
To be fair to Epic Games, I don't think they are putting malware and backdoors into their games. An OTX association of this kind records that submitted samples were observed contacting the domain; for a telemetry endpoint that is consistent with trojanized or bundled clients phoning home and does not by itself mean the domain serves malware. The Unreal Engine plugin marketplace is full of plenty of dubious material, including multiple blockchain and data-access plugins, which provides plenty of opportunities for third parties to sneak malicious code into the platform.
The other subdomain, graphql.epicgames.com, is much less obvious in its purpose. Google results point to this subdomain being related to some type of AWS integration, and possibly more data collection. Regardless, it shouldn't have anything to do with actual functionality.
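The blocked-domain list above can be reproduced from Pi-hole's own query log rather than read off the web UI. The following is an added example, not code from the original post or from Pi-hole: on a Pi-hole v5 host, /var/log/pihole.log is dnsmasq's log, where each "query[TYPE] <domain> from <client>" line is followed by an outcome line, and blocklist hits are logged as "gravity blocked <domain> is 0.0.0.0" (or "is ::" / "is NXDOMAIN"). The $SampleLog below is constructed to that format; its timestamps, clients and addresses are made up, and the parser only uses the two line shapes just described.

```powershell
# Added example (not from the original post or Pi-hole): summarise gravity-blocked domains
# from a dnsmasq-format pihole.log, attributing each to the client that asked for it.
# $SampleLog is constructed test input, not a real capture.

$SampleLog = @'
Apr 19 20:11:02 dnsmasq[851]: query[A] www.epicgames.com from 192.168.1.20
Apr 19 20:11:02 dnsmasq[851]: forwarded www.epicgames.com to 1.1.1.1
Apr 19 20:11:02 dnsmasq[851]: reply www.epicgames.com is 203.0.113.10
Apr 19 20:11:03 dnsmasq[851]: query[A] tracking.epicgames.com from 192.168.1.20
Apr 19 20:11:03 dnsmasq[851]: gravity blocked tracking.epicgames.com is 0.0.0.0
Apr 19 20:11:05 dnsmasq[851]: query[A] datarouter.ol.epicgames.com from 192.168.1.20
Apr 19 20:11:05 dnsmasq[851]: gravity blocked datarouter.ol.epicgames.com is 0.0.0.0
Apr 19 20:11:09 dnsmasq[851]: query[AAAA] graphql.epicgames.com from 192.168.1.20
Apr 19 20:11:09 dnsmasq[851]: gravity blocked graphql.epicgames.com is ::
Apr 19 20:11:40 dnsmasq[851]: query[A] datarouter.ol.epicgames.com from 192.168.1.20
Apr 19 20:11:40 dnsmasq[851]: gravity blocked datarouter.ol.epicgames.com is 0.0.0.0
Apr 19 20:12:01 dnsmasq[851]: query[A] telemetry.notepicgames.com from 192.168.1.21
Apr 19 20:12:01 dnsmasq[851]: gravity blocked telemetry.notepicgames.com is 0.0.0.0
'@

function Get-PiholeBlocked {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $Domain = ''    # e.g. 'epicgames.com': keep only that domain and its subdomains
    )
    $lastClient = @{}   # domain -> client that most recently queried it
    $blocked    = @{}   # domain -> summary row
    foreach ($line in $Lines) {
        if ($line -match 'query\[\w+\] (?<domain>\S+) from (?<client>\S+)\s*$') {
            $lastClient[$Matches.domain] = $Matches.client
        }
        elseif ($line -match 'gravity blocked (?<domain>\S+) is ') {
            $d = $Matches.domain
            # Suffix match on a label boundary, so 'epicgames.com' does not match 'notepicgames.com'.
            if ($Domain -and -not ($d -eq $Domain -or $d.EndsWith('.' + $Domain))) { continue }
            if (-not $blocked.ContainsKey($d)) {
                $blocked[$d] = [pscustomobject]@{
                    Domain    = $d
                    Count     = 0
                    Client    = $lastClient[$d]
                    FirstSeen = $line.Substring(0, 15)   # the "Mon DD HH:MM:SS" syslog-style prefix
                }
            }
            $blocked[$d].Count++
        }
    }
    $blocked.Values | Sort-Object -Property Count -Descending
}

# Usage: first on the constructed log, then on a real one copied off the Pi-hole host.
Get-PiholeBlocked -Lines ($SampleLog -split "`r?`n") -Domain 'epicgames.com' |
    Format-Table Domain, Count, Client, FirstSeen -AutoSize
# Get-PiholeBlocked -Lines (Get-Content '.\pihole.log') -Domain 'epicgames.com'
```

On the constructed log this reports datarouter.ol.epicgames.com twice and tracking.epicgames.com and graphql.epicgames.com once each, all from 192.168.1.20, and drops the notepicgames.com line. To test whether a blocked domain is load-bearing for one of the failing steps, whitelist it on the Pi-hole host (`pihole -w <domain>` on v5), retry that step in the sandbox, and remove the whitelist entry afterwards; correlating the retry with the Wireshark capture then shows what the client does once the name resolves.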
Next Steps
Now that the sandbox has been set up, there are a few things to do:
- Analyze the Wireshark data for actionable insights.
- Troubleshoot the various EGS issues and hopefully solve them.
- Actually do the intended UE 4.27 development work.
Next time, we'll dig into the PCAP file from this session.