Ask HN: How can I security-sandbox email attachment opening?
What I want is to have a service open all of my email attachments before I do. If it's a RAR, ZIP, PDF, DOCX etc. then it gets opened in the normal applications, as do the archive contents. And this takes place in a similar environment to our desktop environment which is undetectable as a sandbox.
Then I get a report of any unusual disk or network activity that occurred. For example, I don't expect opening a RAR file to cause network activity [1].
We're happy to pay what it takes for this kind of thing, and I suspect a lot of people are. Is there such a service out there?
[1] https://digital.nhs.uk/cyber-alerts/2023/cc-4370
Comments
I'd love something that would do this locally in browser using WASM. Like an OSX build with Little Snitch pre-installed.
Theoretically you could spin up your own program that sends all attachments to VirusTotal? I think they have a premium API, and they open/run files in a sandbox (or multiple) on top of just virus scanning (see the "Behavior" tab).
I also have this question, on Linux.
You can use a VM, but that’s a pain.
I know of a few companies that front-end their email with Proofpoint [1], but I have no idea how much it costs, probably a lot. It can quarantine anything suspicious. It also lets the admin know who clicked on what links in emails; it rewrites links to its own tracking endpoint. It also doubles as DLP (Data Loss Prevention), meaning it can be taught to look for organization-specific data that should not be in email. It can also give you reports on who is receiving the most abusive emails, meaning they may be targeted by attackers.
start here: https://github.com/freedomofpress/dangerzone
I've never used it, but I've been meaning to check it out. At least it should give you a jumping-off point for further investigation.
if that is insufficient, use proofpoint.
for archives that are tickling bugs, you have to use a similar technique. it's not enough to analyze them and send them on as-is. you have to unpack in a sandbox (which will be detectable, no 2 ways about it, but the question is will anyone expend enough effort to detect -- no, not for your use case, seeing as how you're asking the question at all), process with dangerzone or dangerzone-like tool, then re-archive it and let the user see only that new archive.
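The "unpack in a sandbox, process each member, re-archive" pipeline described in the comment above, written out as an added example (this is not code from the thread or from the Dangerzone project). It uses only Python's standard library and handles ZIP archives; the `neutralise` function is a hypothetical stand-in for whatever sandboxed converter you would actually hand each member to. Before any member is unpacked it is checked for the usual archive hazards: zip-slip names that escape the extraction directory, encrypted members the converter could not inspect, and size or compression ratios that look like a decompression bomb. Rejected members are dropped from the rebuilt archive and reported, which is the "only let the user see the new archive" part of the comment.

```python
"""Added example: sanitise a ZIP attachment by unpacking, processing and
re-archiving each member. Not from the thread; Dangerzone is the model for
the per-member converter, which is stubbed out here as `neutralise`."""
import io
import posixpath
import zipfile

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse any single member larger than 50 MiB
MAX_RATIO = 100                      # refuse members with a suspiciously high compression ratio


def member_is_safe(info: zipfile.ZipInfo) -> bool:
    """Decide whether an archive member may be unpacked at all.

    Rejects directory entries, names that could escape the extraction
    directory (zip-slip: absolute paths, '..' components, drive letters),
    encrypted members (a converter could not inspect them anyway), and
    members whose declared sizes look like a decompression bomb.
    """
    if info.is_dir():
        return False
    name = info.filename.replace("\\", "/")
    if posixpath.isabs(name) or ":" in name:
        return False
    if any(part in ("", ".", "..") for part in name.split("/")):
        return False
    if info.flag_bits & 0x1:  # general-purpose bit 0 set: member is encrypted
        return False
    if info.file_size > MAX_MEMBER_BYTES:
        return False
    if info.compress_size == 0:
        return info.file_size == 0  # only an empty member may have no compressed bytes
    return info.file_size / info.compress_size <= MAX_RATIO


def neutralise(name: str, data: bytes) -> tuple[str, bytes]:
    """Hypothetical stand-in for a Dangerzone-style converter.

    A real deployment would pass `data` to a sandboxed converter and get back
    a flattened, re-rendered document; here we only rename and tag the copy so
    the pipeline is runnable offline.
    """
    return name + ".safe.txt", f"[processed copy of {name}, {len(data)} bytes]".encode()


def sanitise_archive(zip_bytes: bytes, processor=neutralise) -> tuple[bytes, list[str]]:
    """Return (rebuilt archive bytes, names of members that were rejected)."""
    rejected: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if not member_is_safe(info):
                rejected.append(info.filename)
                continue
            # zipfile stops reading at the declared size, so a lying header
            # cannot yield more than file_size bytes; re-check the real length anyway.
            data = src.read(info)
            if len(data) > MAX_MEMBER_BYTES:
                rejected.append(info.filename)
                continue
            new_name, new_data = processor(info.filename, data)
            dst.writestr(new_name, new_data)
    return out.getvalue(), rejected


def list_members(zip_bytes: bytes) -> list[str]:
    """Member names of an archive, in stored order (used to inspect the result)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.namelist()


def build_sample() -> bytes:
    """Constructed test archive: one ordinary document and one zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.docx", b"PK..constructed fake docx content")
        z.writestr("../../.bashrc", b"echo this would land outside the extraction dir")
    return buf.getvalue()


if __name__ == "__main__":
    rebuilt, dropped = sanitise_archive(build_sample())
    print("rejected members:", dropped)
    print("members in rebuilt archive:", list_members(rebuilt))
```

Swap `neutralise` for a call into your real converter and the rest of the pipeline stays the same; the checks in `member_is_safe` run on the central-directory metadata, so nothing is decompressed until a member has passed them.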
I use VirusTotal’s sandboxing tools/reports and graphs for this kind of thing, and their free API limits are suitable for many needs, although there are limits to individual upload size in the tens of MB on the web, which are somewhat higher if using CLI iirc, but not by much. I think their paid offerings may raise these upload size limits.
Are we talking a Windows environment? I'm sure there are commercial solutions, but I think Sandboxie could achieve something similar (I don't know how secure it is considered).
If you can choose your system, QubesOS may be interesting. It would be interesting if Qubes developed the capability to have non-local VMs transparently (they wouldn't necessarily need to be virtualized).