Forum Thread: Sandboxes: Real or Imaginary?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Microsoft
And, this specific program:
Microsoft Outlook 2007

This thread has been marked as resolved.
smallbiz Sandboxes: Real or Imaginary?
Member 21st Nov, 2011 21:08
Ranking: 16
Posts: 19
User Since: 26th Sep, 2009
System Score: N/A
Location: N/A
I think of a sandbox as a sand-filled box into which an explosive may be put, and there be remotely triggered to explode harmlessly.

My MS Outlook has a folder named "infected Items." An incoming email occasionally gets dumped there. I examine its properties and see the many servers and services through which the email passed on its route from the sender to my mailbox. But I don't get to see the actual content of the message.

Instruction 1.01, please!
Is the Outlook infected items folder a true sandbox, in the sense that it completely removes & destroys an email's dangerous payload?

If I see an email in my Inbox that looks suspicious to me, and I drag it unopened into the Infected Items folder, is the message content there and then stripped off and dumped by the Outlook Good Fairy?

Bewildered Smallbiz

Post "RE: Sandboxes: Real or Imaginary?" has been selected as an answer.
Maurice Joyce RE: Sandboxes: Real or Imaginary?
Handling Contributor 21st Nov, 2011 22:06
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Which version of MS Outlook are U using?

I have used Outlook 2003/2007 & now 2010. There is no default folder called Infected Items.

Who created that folder? A third party anti virus suite?

I assume your ISP is the facilitator for your mail?

Once I know a bit more I can try and help.

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
Was this reply relevant?
+0
-0
smallbiz RE: Sandboxes: Real or Imaginary?
Member 22nd Nov, 2011 02:22
Score: 16
Posts: 19
User Since: 26th Sep 2009
System Score: N/A
Location: N/A
My OS is Vista Home Premium, scrupulously updated. All MS programs & tools are likewise auto updated. Security oversight and updating is automatically done by MS Security Essentials.

No other security program is loaded: I don't like having programs that can conflict with or try to outsmart others that do the same job.
I don't go to honeypot or "odd" sites. I don't do games. I don't do RSS. I click on news video clips only on the sites of major news providers and aggregators. No social media / friending-type sites - not even G+.

I noticed the Infected Items folder for the first time about 3 weeks ago. It contained just 1 email. I read its properties, didn't know the sender, noted that no message content was being displayed, and immediately deleted the msg.

A second such msg went into my Infected Items folder over the w/end. I did not open it, I just examined its properties. My guess is that I would see content if I actually open the msg.

So the question remains: is the second msg languishing in the Infected Items folder inside a true sandbox, and unable to do any harm if I click to open it?

Thanks, Maurice!
Was this reply relevant?
+0
-0
Maurice Joyce RE: Sandboxes: Real or Imaginary?
Handling Contributor 22nd Nov, 2011 02:46
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
The answer to the question "has MS Outlook got a sandbox" is no. It is safe in there awaiting investigation - I assume the emails have attachments that have been removed? Is that what U are being told from reading the properties?


Thanks for the other detail but I cannot really explain further about opening the mail until U have answered my first questions & a few more mainly:

1. Which version of Microsoft Outlook are U using?

2. Who or what programme created the Infected Items folder 3 weeks ago? Have U for example installed a new security programme, because a folder with that name is not native to Outlook?
3. Are U able to publish details of what the properties of the latest email are?

Late here in UK so off to bed. The mail is safe unopened where it is. Once U give me a bit more detail I should be able to answer the rest of your query.



--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
Was this reply relevant?
+2
-0
smallbiz RE: Sandboxes: Real or Imaginary?
Member 22nd Nov, 2011 03:28
Score: 16
Posts: 19
User Since: 26th Sep 2009
System Score: N/A
Location: N/A
Outlook is 2007 (12.0.6607.1000) SP3 MSO (12.0.6607.1000).
There is an attachment, which I have not opened.

This is the header that is displayed in the Properties window -- edited here with xxxx to conceal my name & email address:
X-Apparently-To: xxxx@verizon.net via 98.138.199.42; Mon, 21 Nov 2011 10:54:14 -0800
Received-SPF: pass (domain of gmail.com designates 209.85.210.173 as permitted sender)
X-YMailISG: VH7pHjIWLDu0qlh5VnBpBpIpeN9z458QbqE2VZcQTm.m1ANz
TfhPZinPybpfa8KbL.5.IPWLVYPCPvDpCIQwOwE8rIgJz9QAeo plUE2Twucx
9Ouh3fnohI3AHWtEhwJQpK4_eDAxS8zfookcda_Iu7lgnPJoxL FR6NqJZSuz
6nH1JXz4.NZ7Y6ko73n35zVMDAJO5eMLmsU2GyotncWwIpjVJy 4HXQvyQp3e
lieZdz6NZ0xufB2xXh9OCOvhQrAqhudP3IG0Zw--
X-Originating-IP: [209.85.210.173]
Authentication-Results: mta1003.vzn.mail.mud.yahoo.com from=us.shuttle.com; domainkeys=neutral (no sig); from=us.shuttle.com; dkim=neutral (no sig)
Received: from 206.132.3.123 (EHLO vms172053pub.verizon.net) (206.46.172.53)
by mta1003.vzn.mail.mud.yahoo.com with SMTP; Mon, 21 Nov 2011 10:54:14 -0800
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_rO0tpaoAX8IeGHdDeqFZ+A)"
Received: from mail-iy0-f173.google.com ([unknown] [209.85.210.173])
by vms172053.mailsrvcs.net
(Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))
with ESMTP id <0LV000ECNXTV9E80@vms172053.mailsrvcs.net> for
xxxx@verizon.net (ORCPT xxxx@verizon.net); Mon,
21 Nov 2011 12:54:12 -0600 (CST)
X-Originating-IP: [209.85.210.173]
Received: by iakk32 with SMTP id k32so9627425iak.32 for
<xxxx@verizon.net>; Mon, 21 Nov 2011 10:53:55 -0800 (PST)
Received: by 10.42.177.129 with SMTP id bi1mr14350369icb.12.1321901634500; Mon,
21 Nov 2011 10:53:54 -0800 (PST)
X-Forwarded-To: xxxx@verizon.net
X-Forwarded-for: xxxx@gmail.com xxxx@verizon.net
Delivered-to: xxxx@gmail.com
Received: by 10.50.135.7 with SMTP id po7cs171825igb; Mon,
21 Nov 2011 10:53:52 -0800 (PST)
Received: by 10.43.52.136 with SMTP id vm8mr14119809icb.26.1321901629957; Mon,
21 Nov 2011 10:53:49 -0800 (PST)
Received: from smtp165.dfw.emailsrvr.com
(smtp165.dfw.emailsrvr.com. [67.192.241.165]) by mx.google.com with ESMTPS id
g10si5580986icw.25.2011.11.21.10.53.47 (version=TLSv1/SSLv3 cipher=OTHER)
; Mon, 21 Nov 2011 10:53:49 -0800 (PST)
Received-SPF: neutral (google.com: 67.192.241.165 is neither permitted nor
denied by best guess record for domain of hectorg@us.shuttle.com)
client-ip=67.192.241.165;
Authentication-Results: mx.google.com; spf=neutral (google.com: 67.192.241.165
is neither permitted nor denied by best guess record for domain of
hectorg@us.shuttle.com) smtp.mail=hectorg@us.shuttle.com
Received: from localhost (localhost.localdomain [127.0.0.1])
by smtp26.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id AC847801D6 for
<xxxx@gmail.com>; Mon, 21 Nov 2011 13:53:47 -0500 (EST)
X-Virus-Scanned: OK
Received: by smtp26.relay.dfw1a.emailsrvr.com
(Authenticated sender: hectorg-AT-us.shuttle.com) with ESMTPA id 843D4800C0
for <xxxx@gmail.com>; Mon, 21 Nov 2011 13:50:33 -0500 (EST)
From: "Hector Garcia" <hectorg@us.shuttle.com>
To: <xxxx@gmail.com>
Subject: Shuttle Computer Group
Date: Mon, 21 Nov 2011 10:50:32 -0800
Message-id: <2F35AB3F24EC4E3F922B3B7BA6F998AE@us.shuttle.local >
X-Mailer: Microsoft Office Outlook 11
Thread-index: AcyofnI8lWcmopP/R6+DxDSvwydvyw==
X-MIMEOLE: Produced By Microsoft MimeOLE V6.0.6002.18463

Thanks again for your help. I hope that Horlicks (still being made?) ushered you into dreamland!
smallbiz

Was this reply relevant?
+0
-0
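The header quoted above is read from the bottom up: each mail server prepends its own Received line, so the lowest hop is the first one and the topmost is the final delivery into the recipient's mailbox. As an added example (not from this thread, Secunia or Microsoft), the following Python script parses a constructed header of the same shape, lists the hops oldest-first, checks that the hop timestamps run forwards, and pulls the SPF/DKIM verdicts out of the Authentication-Results lines. The sample header, its hostnames, addresses (RFC 5737 documentation ranges) and message ids are all made up for the example; only the header names and layout mirror the real one.

```python
"""Trace the relay chain recorded in an email's Received headers.

Added example for the forum thread (not from the forum or from Microsoft);
standard library only. SAMPLE_HEADER is a constructed header that mirrors
the shape of the one quoted in the thread, using RFC 5737 documentation
addresses and example.* domain names in place of the real ones.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample. Hops are listed newest-first because every server
# prepends its own Received line on the way through.
SAMPLE_HEADER = """\
X-Apparently-To: victim@example.net via 192.0.2.10; Mon, 21 Nov 2011 10:54:14 -0800
Received-SPF: pass (domain of example.com designates 198.51.100.7 as permitted sender)
Authentication-Results: mta.example.net from=example.org; domainkeys=neutral (no sig); from=example.org; dkim=neutral (no sig)
Received: from 203.0.113.5 (EHLO relay.example.net) (203.0.113.5)
 by mta.example.net with SMTP; Mon, 21 Nov 2011 10:54:14 -0800
Received: from mail.example.com ([unknown] [198.51.100.7])
 by relay.example.net
 (Messaging Server 7u2)
 with ESMTP id <0CONSTRUCTED01@relay.example.net> for
 victim@example.net; Mon,
 21 Nov 2011 12:54:12 -0600 (CST)
Received: from smtp165.mailhost.example
 (smtp165.mailhost.example. [192.0.2.165]) by mx.example.com with ESMTPS id
 g10constructed.25 (version=TLSv1/SSLv3 cipher=OTHER)
 ; Mon, 21 Nov 2011 10:53:49 -0800 (PST)
Authentication-Results: mx.example.com; spf=neutral (example.com: 192.0.2.165
 is neither permitted nor denied by best guess record for domain of
 sender@example.org) smtp.mail=sender@example.org
X-Virus-Scanned: OK
Received: by smtp165.mailhost.example
 (Authenticated sender: sender-AT-example.org) with ESMTPA id 0AB1CD2E3F
 for <victim@example.com>; Mon, 21 Nov 2011 13:50:33 -0500 (EST)
From: "Sender Name" <sender@example.org>
To: <victim@example.com>
Subject: Constructed sample
Date: Mon, 21 Nov 2011 10:50:32 -0800
"""


@dataclass
class Hop:
    src: Optional[str]  # what the receiving server recorded as the sending host
    dst: str            # the server that added this Received line
    when: datetime      # timestamp stamped by the receiving server (tz-aware)


AUTH_RE = re.compile(r"\b(spf|dkim|domainkeys|dmarc)=(\w+)")


def _flatten(value):
    """Collapse folded continuation lines into one single-spaced string."""
    return " ".join(str(value).split())


def parse_received(value):
    """Turn one Received header value into a Hop."""
    flat = _flatten(value)
    clauses, _, date_str = flat.rpartition(";")  # the date follows the last ';'
    m_from = re.search(r"\bfrom\s+(.+?)\s+by\s+", clauses)
    m_by = re.search(r"\bby\s+(\S+)", clauses)
    return Hop(
        src=m_from.group(1) if m_from else None,
        dst=m_by.group(1) if m_by else "?",
        when=parsedate_to_datetime(date_str.strip()),
    )


def trace(raw_header):
    """Return the hops oldest-first (header order is newest-first)."""
    msg = message_from_string(raw_header)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def timestamps_monotonic(hops):
    """True when no hop is stamped earlier than the hop before it.
    Time running backwards is usually clock skew, but it is also what a
    forged lower part of the chain tends to look like, so it deserves a look."""
    return all(a.when <= b.when for a, b in zip(hops, hops[1:]))


def auth_results(raw_header):
    """Map each authserv-id to the SPF/DKIM/DMARC verdicts it recorded."""
    msg = message_from_string(raw_header)
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        flat = _flatten(value)
        authserv = flat.split(";", 1)[0].split()[0]  # first token names the checker
        out[authserv] = dict(AUTH_RE.findall(flat))
    return out


if __name__ == "__main__":
    hops = trace(SAMPLE_HEADER)
    for i, h in enumerate(hops, 1):
        print(f"{i}. {h.when.isoformat()}  {h.src or '(local submission)'} -> {h.dst}")
    print("timestamps monotonic:", timestamps_monotonic(hops))
    print("authentication results:", auth_results(SAMPLE_HEADER))
```

Only the Received lines added by your own provider (the topmost ones) are trustworthy; everything below them arrived as part of the message and could have been written by the sender, which is why the script reports the chain rather than treating any single hop as proof of origin.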
Maurice Joyce RE: Sandboxes: Real or Imaginary?
Handling Contributor 22nd Nov, 2011 17:15
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Looks like one of your protection systems has zapped the attachment which appears to have come from
"Hector Garcia" <hectorg@us.shuttle.com>

Do U know this person/organisation? If not then just clear the Infected Items folder at some stage. If U do know the sender U should contact him & ask for exact details of this mail.

Who/what could have zapped it?

1. It looks like U use Verizon Web Mail. Their Corporate anti viral protection may well have removed the data before it was called forward by Microsoft Outlook for U to read.

2. Your own protection (MSE) system could/would inspect it & reduce it to rubble.

3. The programme U have installed that created the folder Infected Items (could be MSE) may have neutralized it.

In a nutshell, it was one of those that shredded the mail, not Outlook, which proves your systems are working well.

In the true sense of the word Outlook does not have a sandbox. It does however have extra tools that fully protect U and it is HIGHLY UNLIKELY U will ever be tempted to open something viral.

1. As U know Microsoft frequently issue MS Office Definitions via Windows Update. This updates your Junk & malicious link filters within Outlook.

2. Outlook also has safety devices built in - details are here if U have not seen them before (it does say it applies to Outlook 2010 but 2007 is the same)

http://office.microsoft.com/en-us/outlook-help/how...

Click all the hyperlinks in the document for a full description of all the devices.

3. If U are asking if the dormant mail in the Infected Items folder is a threat the answer is no. Set up a rule to empty the folder on Outlook exit.

Hope I have not confused the issue - explaining all the features of Outlook is almost impossible but this hopefully has answered your questions.

From what U describe, the methods used to maintain your PC look watertight. U are bound to get the odd piece of "oddball" mail. If U do not recognise the sender or the details are not in your address book just block future transmissions from the individual or organisation.

As a throwaway point RSS feeds via Outlook are safe to use provided U approve the sites. Microsoft have many feeds with very helpful information. This is a good starter to trial if U want to have a go:
http://www.microsoft.com/athome/community/rss.xml

I know U like Cyberclip - this RSS feed will keep U fully up to date with security issues:
http://krebsonsecurity.com/

Hope this helps.





--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
Was this reply relevant?
+3
-0
smallbiz RE: Sandboxes: Real or Imaginary?
Member 22nd Nov, 2011 17:38
Score: 16
Posts: 19
User Since: 26th Sep 2009
System Score: N/A
Location: N/A
Maurice: this is a gracious and totally complete overview and response.
I'll follow your advice, and later today I'll visit the links you have provided.

Is there a link by which I can tell Secunia that you're doing a great job and should be recognized for your speed and diplomacy when counseling idiots like me?

Thanks from smallbiz (USA)
Was this reply relevant?
+0
-0
Maurice Joyce RE: Sandboxes: Real or Imaginary?
Handling Contributor 22nd Nov, 2011 18:22
Score: 12325
Posts: 9,575
User Since: 4th Jan 2009
System Score: N/A
Location: UK
How kind - nice to hear U are happy. That alone is reward enough.

Secunia Officials do read Forum posts & I am sure will pick up your kind comment.

I will lock this thread for U in a few hours' time unless U post back asking for it to be left open.

This will protect your mail box from update emails from Forum "tag on" posts & spammers.

You can of course lock your own threads yourself. Just click the ACCEPT button in the post of the helper who offered U the best solution/advice to solve your problem.

Secunia Support can always reopen threads by applying by email to: support@secunia.com





--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1809 Build 17763.404
16 GB RAM
IE & Edge Only
Was this reply relevant?
+2
-0

This thread has been marked as locked.