Paranoid Fish Tests Sandbox Protection Programs

Whenever I have to download new programs from no-so-trustworthy sources, I first test them with VirusTotal which performs a virus scan using more than 50 different antivirus scanners, then I try to run them inside Sandboxie which runs them inside a protected sandbox so that they cannot make changes to the Windows’ Registry or other files, and if these programs fail to run inside Sandboxie then the last resort is to run them inside the VirtualBox. But some malicious programs can detect if you are running them inside a sandbox protection program or inside VirtualBox (or some other similar virtualization software like Virtual PC or VMWare) and show their good behavior in these conditions. But as soon as you run them in normal environment, they act differently and load the malicious code.

How can you know if your sandbox protection is not revealing information about its existence to the malicious programs? Well, someone has created an open-source cross-platform for that called Paranoid Fish. This command line program tests the security provided by the sandbox protection programs (and also that of the virtualization software like VirtualBox).

Paranoid Fish

You can download a pre-compiled EXE file for the Paranoid Fish from their GitHub webpage. Or you can compile your own EXE using the source code provided by the developer. In any case, you have to launch the program inside sandbox protection. It will show the types of detection that worked in red color. Running in the latest version of Sandboxie produced the following results:

Paranoid Fish

But some methods used by Paranoid Fish are very confusing and can produce incorrect results. For example, the mouse activity method relies on the user not using their mouse – if the mouse pointer is moved within a 1.5 seconds time duration then it will think the program is running inside a sandbox. Similarly, if it finds number of CPU cores to be less than one then it assumes that it is running inside a sandbox – this method will fail on computers with single-core processors.

While the methods used by Paranoid Fish could be confusing and misleading, it can give you an idea that your sandbox protection program could also be detected by a smart malicious program. However, it is designed for program developers or malware researchers only who may want to test their malware testing environments using this program.

You can download Paranoid Fish from https://github.com/a0rtega/pafish/.