View Full Version : Sandboxie and keyloggers
trjam
January 7th, 2008, 09:44 PM
I saw here once where Sandboxie could be configured to stop keyloggers. How? I use IE7.
Drew99GT
February 4th, 2008, 11:59 AM
Bump. Bump.
mick92z
February 4th, 2008, 12:41 PM
There is an article about keyloggers. I don't think Sandboxie can stop all keyloggers installing, but it will delete them on emptying the box.
http://www.sandboxie.com/index.php?DetectingKeyLoggers
Hermescomputers
February 4th, 2008, 01:52 PM
Even if it did intercept keyloggers, you would be vulnerable during the "infected" session if you logged in to secured sites... It would perhaps remove the keylogger from the system afterwards, but it would do nothing as such to prevent it...
I would combine Sandboxie with a HIPS or perhaps KeyScrambler (I use both + Roboform...)
Peter2150
February 4th, 2008, 03:36 PM
The solution is fairly simple assuming you picked up the keylogger from a source that was sandboxed. Before going to a critical site, log off, and delete the sandbox. Then go do your banking. Keylogger should be gone.
Hermescomputers
February 4th, 2008, 03:43 PM
-{ Quote: "The solution is fairly simple assuming you picked up the keylogger from a source that was sandboxed. Before going to a critical site, log off, and delete the sandbox. Then go do your banking. Keylogger should be gone." }-
This, while effective, assumes most users know they have an infection they need to defend against and that they will remember to "Empty" the sandbox before doing their banking... It would be wise to prevent an infection by using an anti-keylogger together with your sandbox.
Personally I often login to secured sites during sand boxed sessions.
Peter2150
February 4th, 2008, 04:32 PM
-{ Quote: "This while being effective, assumes most users know they have an infection they need to defend against and that they will remember to "Empty" the sandbox before doing their banking... " }-
Not really, I've just gotten into the habit, before banking, of closing the browser, emptying the sandbox, and then going to the bank site. Not a big deal.
mick92z
February 4th, 2008, 04:53 PM
I think it's common sense, if you are entering sensitive info, e.g. banking, to empty your sandbox prior. I have my sandbox set to delete automatically upon termination of all sandbox activity, with a warning first if there are recoverable files, so I don't have to remember to empty it. Also I surf sandboxed with DropMyRights; hopefully a keylogger couldn't run, even sandboxed. Although I'm no expert.
Hermescomputers
February 4th, 2008, 05:02 PM
Again, here comes grandma "fully protected" in her brand new sandbox... logging into everything after browsing the web all day... That's what scares me about it. Many users wouldn't think twice about logging in, because of impatience or simply because they got into the habit of browsing the web in a sandbox and forget they are doing it... That is why in my recommendation Secured Web browsing (http://www.hermes-computers.ca/index.php?pid=46) I recommend having one enabled...
Terror_Eyez
February 5th, 2008, 01:37 AM
Hermescomputers, do you actually USE Sandboxie?
It seems like you just have it there as a backup or something.
The reason I ask, is because you don't seem to realize how effective Sandboxie could actually be against keyloggers, without any other kind of protection needed.
I mean for one, you could do the simple method that Peter mentions, which is to just delete the sandbox, and you're done.
Second, you could just set your browser to access the internet, and nothing else. That way, regardless of whether a keylogger is running or not in the sandbox, it won't be able to send any of its captured data out to anyone, so you are perfectly safe. I have personally tried this with many keyloggers, ones I've made and ones I've downloaded, and every single time, regardless of whether it caught any information or not, it could never actually send the captured data anywhere. So when you delete the sandbox (whenever that may be) the keylogger and its captured data will be gone, before the data was even able to be sent out to anyone.
Or third, in one of your sandboxes, you could just try setting only one file to run (such as your browser), and then any other files in the sandbox (for example, a keylogger) won't even be able to run in the first place!!
If any of that is too hard for you to do, then maybe you are the grandma here!;)
innerpeace
February 5th, 2008, 02:00 AM
-{ Quote: "Hermescomputers, do you actually USE Sandboxie?
It seems like you just have it there as a backup or something.
The reason I ask, is because you don't seem to realize how effective Sandboxie could actually be against keyloggers, without any other kind of protection needed.
I mean for one, you could do the simple method that Peter mentions, which is to just delete the sandbox, and you're done.
Second, you could just set your browser to access the internet, and nothing else, that way, regardless whether a keylogger is running or not in the sandbox, it wont be able to send any of its captured data out to anyone, so you are perfectly safe. I have personally tried this with many keyloggers, ones I've made, and ones i've downloaded, and every single time, regardless if it caught any information or not, it could never actually send the captured data anywhere. So when you delete the sandbox (whenever that may be) the keylogger and its captured data, will be gone, before the data was even able to be sent out to anyone.
Or third, in one of your sandboxes, you could just try setting only one file to run (such as your browser) and then any other files in the sandbox (example, keylogger) won't even be able to run in the first place!!
If any of that is too hard for you to do, then maybe you are the grandma here!;)" }-
Hi Terror_Eyez,
I was waiting for someone to post about only allowing the browser internet access through Sandboxie. It's good to hear that it thwarts keyloggers too. However, what would happen if the keylogger was named firefox.exe or iexplore.exe?
innerpeace
Empath
February 5th, 2008, 02:24 AM
I haven't checked how it appears in the configuration file, but in setting up the single program that can access the internet, you're given the choice of doing it by 'application name' or file name. With the file name you show the path. Provided it's entered as a path and app in the configuration file (which I assume, but haven't checked), then you could have all kinds of keyloggers named firefox.exe or iexplore.exe. It wouldn't matter then.
innerpeace
February 5th, 2008, 02:55 AM
-{ Quote: "I haven't checked how it appears in the configuration file, but in setting up the single program that can access the internet, you're given the choice of doing it by 'application name' or file name. With the file name you show path. Provided it's entered as a path and app in the configuration file (which I assume, but haven't checked) then you could have all kinds of keyloggers named firefox.exe or iexplore.exe. I wouldn't matter then." }-
Thanks Empath, I see the setting now. It's in the Sandboxie Control, click Sandbox, expand DefaultBox, click Sandbox Settings, expand Resource Access and then click Internet Access. If you read the two lines below the four buttons, it seems as if it will block the fake files regardless. Maybe Sbie uses a hash check of some kind. This is very interesting.
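The configuration Terror_Eyez, Empath and innerpeace describe above (one program allowed to reach the Internet, only that program allowed to start in the box, and the box emptied automatically when it closes), written out as the Sandboxie.ini fragment those Sandbox Settings pages produce. This is an added example, not text from the thread or from the Sandboxie documentation. The keywords are the ones I remember Sandboxie 3.x writing for the Internet Access, Start/Run Access and Delete settings at the time, and the box name "Banking" is my own; treat the exact syntax as an assumption, let Sandboxie Control write the lines for you, and compare.

```ini
; Sandboxie.ini fragment (3.x-era keywords, assumed; the GUI normally writes these)

[Banking]
; Assumed box name for illustration: a separate box used only for the browser.
Enabled=y

; Internet Access (Sandbox Settings > Resource Access > Internet Access):
; close the AFD network device to every program in the box except iexplore.exe.
; A keylogger that does run in the box can still capture keystrokes, but it
; cannot open a socket to send them out.
ClosedFilePath=!iexplore.exe,\Device\Afd*

; Start/Run Access (Sandbox Settings > Restrictions > Start/Run Access):
; only iexplore.exe may start in the box, so a dropped keylogger.exe is
; refused before it runs at all.
ClosedIpcPath=!iexplore.exe,*

; Delete (Sandbox Settings > Delete > Invocation): empty the box when the
; last sandboxed program exits, so whatever was captured is discarded.
AutoDelete=y
```

One caveat on innerpeace's renamed-keylogger question: to my knowledge the program names in these lines were matched by the executable's file name, not by its path or a hash, so in the versions of that period a keylogger saved as iexplore.exe would satisfy both the Start/Run rule and the Internet rule. The name-based rules raise the bar for a dropped file with an arbitrary name; emptying the box before banking, as Peter2150 describes, is what closes the remaining window.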
chris2busy
February 5th, 2008, 03:49 AM
Or if you are the only person using the computer you can just save the u/n and PIN in a txt file with a not so obvious name concerning its content and copy-paste with the mouse.
Hermescomputers
February 5th, 2008, 07:45 AM
As a few of you have stated, there is a way within Sandboxie to "configure" a single application's Internet access within the config of the sandbox, and it appears to work well.
Unfortunately this setting is not active by default, effectively rendering the sandbox a high risk with keyloggers (only during the infected session, as I have stated above).
In my experience anything not "default" is useless with grandma! ;)
Peter2150
February 5th, 2008, 08:26 AM
-{ Quote: "As a few of you have stated there is a way within sandboxie to "configure" a single applications Internet access within the config of the sandbox and it appears to work well.
Unfortunately this setting is not active by default effectively rendering the sandbox a high risk with keylogers (only during the infected session as I have stated above).
In my experience anything not "default" is useless with granma! ;)" }-
First, I know a member of the forum, who would take exception to that last statement.;D
Second, correct me if I am wrong, but wouldn't a keylogger, to be effective, really have to either install a driver or start a service of some kind? Because if so, case closed.
Pete
Hermescomputers
February 5th, 2008, 08:51 AM
-{ Quote: "First, I know a member of the forum, who would take exception to that last statement.;D
Second, correct me if I am wrong, but wouldn't a keylogger, to be effective, really have to either install a driver, or start a service, of some kind. Because if so, case closed.
Pete" }-
Some types of keyloggers, yes... however many trojans also include keylogging functionality as well as remote viewing or even remote control... All contained within an executable smaller than 400k... Seen some even smaller.
Franklin
February 5th, 2008, 09:53 AM
The Anti Keylogger Test below shows that keystrokes can be captured when run sandboxed.
Is it a worthy test for Sandboxie if, set for only the browser to connect, this info can't be sent out even though keystrokes are captured?
-{ Quote: "Some trojans include keylogging functionalities that can steal confidential information you are typing. To fight this threat, many HIPS software, and also dedicated anti-keylogger software, now provide anti-keylogger features. However, there are many ways to monitor the keyboard, and few HIPS cover them all.
AKLT is a tool using 7 different methods to monitor your keyboard, and enables you to check your defences. AKLT provides hook based, and hookless/cyclical" }-
AKLT test (http://www.firewallleaktester.com/aklt.htm)
Peter2150
February 5th, 2008, 10:11 AM
-{ Quote: "Some types of keylogers yes... however many trojans also include keylogging functionality as well as remote viewing or even remote control... All contained within an executable smaller than 400k... Seen some even smaller." }-
Absolutely, but if they come in through the browser, they are sandboxed and can't hurt the system. Tested this with some live malware. Sandboxie protected the system.
@Franklin. To answer your question strictly from my point of view. I don't care, if something were to come in thru the browser, and install some keylogger. Before I do anything of significance, I close the browser and empty sandbox. Takes seconds, easy habit to form, and keylogger gone.
Note. I can't help feeling that if this is too difficult for someone to learn, they may well be, unfortunately, doomed to getting themselves in trouble. It's kind of like "Don't open attachments". So simple, but....
Pete
Hermescomputers
February 5th, 2008, 10:18 AM
-{ Quote: "
Note. I can't help feeling, if this is too difficult for someone to learn, the may well be, unfortunately, doomed to getting themselves in trouble. It's kind of like "Don't open attachments" So simple, but....
Pete" }-
Peter, I think it's probably because the only people that call me actually willing to pay for my services are usually the desperate ones... I get to see a lot of bad stuff :D
So I may be more "paranoid" than would be required under the circumstances... However my faith in Joe Average has waned considerably over the years as I have seen them do the obviously dangerous and actually think it was the appropriate secure measure to take... Still baffles me to this day how the human brain, being so powerful, can really do such stupid things as some users actually do...
Peter2150
February 5th, 2008, 12:00 PM
-{ Quote: " Still baffles me to this day how the human brain being so powerful can do really such stupid things as some users actually do..." }-
Nothing new really. Just the computer gives them the power to do it quicker. The one I loved was the British technology weekly stopping folks at the tube entrances and offering them some quality chocolate if they'd take a survey. Some high percentage were willing to give up their work computer passwords. Duh.
MitchE323
February 5th, 2008, 02:55 PM
To say that a program is useless on the single basis of 'default settings' is beyond the most ridiculous thing I have ever read. TerrorEyes has it right-on as do most of the users here. I have always said that those in the computer-fixit-industry would be the slowest to give SandboxIE credit and the comments here prove that out. Fear mongering that uses 'GrandMas' surfing habits as a basis is becoming more and more prevalent now that a number of new products are supplanting the tired old failed products of the past.
HermisComputers states that because he is worried that Grand Ma is totally inept, he recommends that she visit his site for guidance. Well I went on that site and no one (not just Grand Ma) would be expected to do all that is recommended there.
Fear mongering that leads folks to needless worry creates situations like this; http://forums.wincustomize.com/?aid=175059
And is causing people to 'break' their computers.
Probably followed by a phone call to a computer fix-it guy for help. haha
muf
February 5th, 2008, 02:58 PM
And another thing you could do is install KeyScrambler. It works on both Firefox and IE and is free. Even if a keylogger could log your keystrokes, all it will receive is a load of gobbledygook.
muf
MitchE323
February 5th, 2008, 03:22 PM
Well if I am ever targeted by a keylogger, I am going to treat that threat very seriously. I am going to assume that a Commercial Keylogger is after my information. (note the word Commercial) Can anyone guide me to a freeware anti-keylogger that would be of any help? I've never heard of one.
It's time to cut through the nonsense and provide some qualified answers for people. Otherwise why even have Computer Security as a job or as a hobby? As far as I know SandboxIE is the only product that provides even hope against a commercial keylogger.
SirMalware
February 5th, 2008, 03:31 PM
Has anyone actually tested KeyScrambler to see how effective it really is?
muf
February 5th, 2008, 04:00 PM
Well, do take into consideration that there are three versions of KeyScrambler.
1. Personal = Only protects your logons at websites
2. Professional = Encrypts everything you type into a web page (this would be the one for protecting your credit card details).
3. Premium = Does everything the Professional version does but includes encrypting your e-mail and Microsoft Office apps.
Read more. (http://www.qfxsoftware.com/Download.htm)
muf
MitchE323
February 5th, 2008, 04:05 PM
It doesn't matter how well it works; first you have to determine what it is going to do. Let's say 'Personal' works 100%. Big deal, log-on info only. That is not how most folks describe the personal version. Most people feel, or they imply, that the protection that is offered is on a par with what is offered in 'Professional'.
That is because the Firefox description of the plug-in is in my opinion - deceptive.
https://addons.mozilla.org/en-US/firefox/addon/3383
You have to scroll down under the Developers comments and read item two. Laughable.
muf
February 5th, 2008, 04:16 PM
-{ Quote: "It doesn't matter how well it works, first you have to determine what it is going to do. Lets say 'Personal' works 100%. Big deal, log-on info only. That is not how most folks descibe the personal version. Most people feel or they imply that the protection that is offered is on a par with what is offered in 'Professional'." }-
I totally agree. But if you have already set up your credit cards at the various shopping sites (eBay, Amazon etc.) then all you are going to do is log in at those sites, so the Personal edition would be fine. If you are intending to create accounts and store your credit card details then the Professional version is the way to go. But if I was going to purchase something from a website I'm not registered with, then I would clear the sandbox and then submit my details.
muf
MitchE323
February 5th, 2008, 04:22 PM
All true, but another thing to remember is that with commercial keyloggers, most of them are a package deal - capturing screen shots and all. Logging Instant Messages - logging notepad and Word, the whole bit. An anti-keylogger even if 100% successful against all of that would still leave you very open.
Now the SandboxIE approach is better. Let them do whatever they want to do, but lock 'em down so they can't send it. Anyone that touts this or that 'fav anti-keylogger of the day' needs to address screenshots as well.
MitchE323
February 5th, 2008, 04:36 PM
-{ Quote: "But if you have already setup your credit cards at the various shopping sites ebay, amazon etc then all you are going to do is log in at those sites so the Personal edition would be fine." }-
But if you look at the situation from the standpoint of 'Pure Odds' - that information would have to be stored somewhere. Either on your comp or at the site. And it would be there 24/7/365 and would be at least 'available' to a nastie at all times. AND TO ALL NASTIES (not just keyloggers).
Versus, what the heck are the odds that I pick up a keylogger during that exact very session that I need to type something?
trjam
February 5th, 2008, 05:58 PM
-{ Quote: "All true, but another thing to remember is that with commercial keyloggers, most of them are a package deal - capturing screen shots and all. Logging Instant Messages - logging notepad and Word, the whole bit. An anti-keylogger even if 100% successful against all of that would still leave you very open.
Now the SandboxIE approach is better. Let them do whatever they want to do - but lock'em down so they cant send it. Anyone that touts this or that 'fav anti-keylogger of the day' needs to address screenshots as well." }-
Good post. Sandboxie, and quit worrying about those pesky keyloggers. Sandboxie is the only app of this type that works as intended. The others are all playing catch-up.
Hermescomputers
February 5th, 2008, 06:52 PM
-{ Quote: "To say that a program is useless on the single basis of 'default settings' is beyond the most ridiculous thing I have ever read. TerrorEyes has it right-on as do most of the users here. I have always said that those in the computer-fixit-industry would be the slowest to give SandboxIE credit and the comments here prove that out. Fear mongering that uses 'GrandMas' surfing habits as a basis is becoming more and more prevalent now that a number of new products are supplanting the tired old failed products of the past.
" }-
Hello MitchE323,
Well, programs are not useless on the basis of "the" defaults, and I am a great supporter of SandboxIE... I recommend it warmly on my web site. Not too many others out there actually do. The issue with default configuration is real though, as most products often cater to the most basic protection using defaults...
-{ Quote: "
HermisComputers states that because he is worried that Grand Ma is totally inept, he recommends that she visit his site for guidance. Well I went on that site and no one (not just Grand Ma) would be expected to do all that is recommended there.
" }-
As for grandma... well I deal with users from late teens to late 60s and many can't even use their own keyboards, never mind reprogramming an application's settings... usually that is what they pay me for... mostly so they don't have to do it themselves, as they more often than not screw things up... (Their own words usually).
As for my recommendations, they are meant to educate about the risks as we know them to be... I also recommend a "possible" solution to the problem (usually with more than one example), as in HIPS like ThreatFire or Prevx, with a small explanation why... Besides, if you were to follow those recommendations your risk of infection or of a breach of system security is probably close to zero... in so doing I'm doing my job as a consultant. Please, if you disagree with the risks as I have stated them, do so clearly and explain to me where I am wrong...
-{ Quote: "
Fear mongering that leads folks to needless worry creates situations like this; http://forums.wincustomize.com/?aid=175059
And is causing people to 'break' their computers.
" }-
Fear mongering has nothing to do with my site... I offer the means to "prevent" having to retain my services to clean up infections that were preventable. I see nasty infections that anti-virus and antispyware software pass right over. I see systems so badly infected the Trojans number in the dozens...
Don't believe me? Here is one I posted just a few days ago: http://www.wilderssecurity.com/showpost.php?p=1172045&postcount=240
Keep reading on that thread as I have posted many times before and will continue to do so to wake up users like you to the risks involved.
Probably because too many think like you, and have the invincibility concept firmly burnt into their minds until they come crying to people like me to help them save their precious data... :blink:
Also identity theft and the cracking of banking accounts is real... I don't wish it on you, but laugh all you want, the risk is real, otherwise sites like this one wouldn't actually exist and I would be nothing but a figment of your limited imagination! ;)
-{ Quote: "
Probably followed by a phone call to a computer fix-it guy for help. haha" }-
I will be waiting ;)
MitchE323
February 5th, 2008, 07:13 PM
-{ Quote: "Also identity theft and the cracking of banking account is real" }-
That sir is exactly my point. It is real. Now guide me to where exactly is the procedure within anything on your website, or even within a single solitary sentence that you have ever posted on any thread in any forum that would prevent that.
Hermescomputers
February 5th, 2008, 07:18 PM
-{ Quote: "That sir is exactly my point. It is real. Now guide me to where exactly is the procedure within anything on your website, or even within a single solitary sentence that you have ever posted on any thread in any forum that would prevent that." }-
It is obvious by your statement that you did not take the time to actually read those articles on my web site... Anyways here goes:
I recommend using an anti-keylogger in combination with a HIPS and using Roboform to input the passwords (I also recommend using strong passwords in Roboform), a different one for every web site, and keeping whatever passwords inside encrypted documents if they for some reason refuse to use password managers....
Not inputting the password manually can effectively "help" thwart a keylogger's interception of keystrokes, as there are no keystrokes to be intercepted. Products like Roboform use a master password and keep all others within encrypted containers on the system. This, when combined together, provides far more security than any other method I know of... Sandboxie included... However if you combine this technique with using Sandboxie, you are far and above the risks encountered by most users online.
I have written a shortened version focused on Secured Web Browsing (http://www.hermes-computers.ca/index.php?pid=46) alone to address the "overload" affecting some users when confronted with the large number of actual attack vectors facing them... It covers all the bases from user interaction to the sites they visit, as well as filtering the sites themselves for possible hostile exposure.
MitchE323
February 5th, 2008, 07:45 PM
-{ Quote: "I recommend using an anti keylogger in combination with a hips" }-
Sorry, I only got that far. Do you actively alert people that the KeyScrambler product you had previously recco'd (in your earlier post) had an extreme level of ineffectiveness? Which in turn creates a false sense of security and actually leads to many instances of identity theft? Can GrandMa suddenly handle a HIPS? It's just so on and so on.....
Hermescomputers
February 5th, 2008, 07:59 PM
-{ Quote: "Sorry I only got that far. Do you actively alert people that the keyscrambler product you had previously recco'd (in your earlier post) had an extreme level of ineffectiveness? Which in turn creates a false sense of security and actually leads to many instances of identity theft? Can GrandMa suddenly handle a HIPS? It's just so on and so on....." }-
In the case of KeyScrambler, it is of course due to the fact that not too many tools are on the market catering directly to web browser password protection. I advise users to use Roboform for added protection, as the only password KeyScrambler protects in this case is the master password...
Besides, I also say in my article that "trusting" any single application or vendor is not recommended. I recommend using a battery of tools as layers against most attack vectors; read my article (in its entirety, if you wish for me to continue explaining myself).... See Cyber Self Defense (http://www.hermes-computers.ca/index.php?pid=35) for a more thorough explanation.
For your benefit, here is a cut and paste of the paragraph in question:
I believe that brand loyalty in this case can often prove counterproductive, as developers tend to downplay vital weaknesses in their product and much too often choose to overhype useless features that actually provide little real security benefit to end users while using far too many system resources and slowing everything down.
Currently the best approach is to use multiple layers in our approach to securing the computer, each layer covering a specific or small group of attack vectors. Also, using the right specialized tool or utility covering a specific known threat vector is far superior in my opinion to a huge software suite trying to do it all, as large suites have a tendency to cause problems and usually fail in the end as criminal types eventually figure out their weaknesses and successfully bypass their defenses...
Instead I would strongly recommend users take full control of their security, educate themselves, and consider a multi-layered approach such as we describe here, and not only once, but at regular intervals research, reassess, and overhaul their existing setup for optimal benefit.
MitchE323
February 5th, 2008, 08:17 PM
-{ Quote: "In the case of Keyscrambler, it is of course due to the fact that not too many tools are on the market catering directly to web browser password protection." }-
OK thank you. A bit of honesty goes a long way with me. I am good to end it here with no hard feelings. That sentence right there is what has created the need that SandboxIe now fills.
Hermescomputers
February 5th, 2008, 08:21 PM
-{ Quote: "OK thank you. A bit of honesty goes a long way with me. I am good to end it here with no hard feelings. That sentence right there is what has created the need that SandboxIe now fills." }-
Keep in mind, the purpose of this article is to educate my customer base about the risks and the tools available to mitigate those risks... Sandboxie is a great tool and I am the first to acknowledge this. However no tool is perfect and provides 100% protection, as all of them have vulnerabilities...
MitchE323
February 5th, 2008, 09:19 PM
You are still downplaying it. Let's get our hands dirty. What would you do with these two? Each of these payloads can be delivered via disk (a family member), or email (with no visible attachment), or through web browsing (not Spectorsoft, but the bad guys have the same capability). One is a mere $99 and the other $69. I can handle them just fine with SandboxIE.
http://www.spectorsoft.com/products/Spector_Windows/index.html
http://www.eblaster.com/
Hermescomputers
February 5th, 2008, 09:47 PM
-{ Quote: "You are still downplaying it. Let's get our hands dirty. What would you do with these two? Each of these payloads can be delivered via disk (a family member) or email (with no visable attachment) or through web browsing (not Spectorsoft, but the bad guys have the same capability) One is a mere $99 and the other $69. I can handle them just fine with SandboxIE.
http://www.spectorsoft.com/products/Spector_Windows/index.html
http://www.eblaster.com/" }-
Hey, I'm not downplaying anything... I'm simply saying that eventually someone will find a way around any security technology... It has never failed.
Besides as I have said, I have a lot of "Faith" in sandboxie... great tool. :)
MitchE323
February 5th, 2008, 10:13 PM
Alright, that's cool. Hey, with your computer know-how and my blind persistence, let's be constructive. lol As I understand it, each of these products, and others like them, are freely sold on the open market. They have an insane ability to capture literally everything you do and email it out. They do keystrokes, screenshots etc.
What's more, traditional A/V and A/S products (esp. freeware) do not even scan for them, as it is considered 'A Parent's Right To Know' and 'An Employer's Right As He Owns The Computer'. But they freely sell them to anybody! What is the privacy-minded world going to do?
In my mind, if the current policy among A/V and A/S ware is not to even scan for them, I figure, well, what is the use of even using those products at all. I am not blinded by what is out there, nor do I have some illusion of invincibility. It's the opposite: I want something that works, period.
My simple opinion is for computer-security-minded folks to stop all of the useless 'Firefox with NoScript and KeyScrambler with or without Roboform' BS and let's start paying attention to what is real, and these products are the type that are real and are behind the increasing levels of identity theft.
wat0114
February 5th, 2008, 10:21 PM
Without downplaying the importance or effectiveness of sandboxes or other means to prevent the unsolicited transmission of keylogged data, why has no one in this thread mentioned the use of a properly configured two-way firewall? Does it not work? If not, please explain.
Hermescomputers
February 5th, 2008, 10:37 PM
-{ Quote: "
My simple opinion is for computer security minded folks to stop all of the useless 'Firefox with No-Script and Key-Scrambler with or without Roboform' BS and lets start paying attention to what is real - and these products are the type that are real and are behind the increasing levels of identity theft." }-
I guess I can't please everyone no matter what I do to help...
Fact is the internet is a cesspool of individuals who would like nothing better than to screw you in any which way they can get away with, and for the sheer pleasure of it...
I visit websites daily that try to install things in the background... so NoScript is a must and perhaps the only effective method to "prevent" those scripts from installing... I will certainly never vouch for a single application that works as an easy button/magic bullet, as there simply are none...
As for using a firewall, any darn idiot on this side of the galaxy should already know that, shouldn't they? ...Well actually, no matter what some of you may think, I meet the ones who think they are even unnecessary...
So in the interest of all those that actually need to know, I wrote those articles... Be damned if some don't like it because they think their products are the second thing next to sliced bread, or if they are pissed because I'm putting a monkey wrench in their pet botnet!
MitchE323
February 5th, 2008, 10:43 PM
-{ Quote: "Without downplaying the importance or effectiveness of sandboxes or other means to prevent the unsolicited transmission of keylogged data, why has no one in this thread mentioned the use of a properly configured two-way firewall? Does it not work? If not, please explain." }-
There is some explanation provided here.
http://www.spectorsoft.com/products/eblaster_windows/help/v50/webhelp/Firewalls.htm
MitchE323
February 5th, 2008, 10:50 PM
Hermes, I never said not to use a firewall. And everything in your last post is a walk in the park for SandboxIE, without giving up 20% of the web.
Hermescomputers
February 5th, 2008, 10:54 PM
-{ Quote: "Without downplaying the importance or effectiveness of sandboxes or other means to prevent the unsolicited transmission of keylogged data, why has no one in this thread mentioned the use of a properly configured two-way firewall? Does it not work? If not, please explain." }-
Firewalls alone are currently inadequate as some new MBR rootkits are apparently transmitting through undetected.
Here is a working example described: http://www2.gmer.net/mbr/
Pedro
February 5th, 2008, 11:26 PM
-{ Quote: "
My simple opinion is for computer security minded folks to stop all of the useless 'Firefox with No-Script and Key-Scrambler with or without Roboform' BS and lets start paying attention to what is real - and these products are the type that are real and are behind the increasing levels of identity theft." }-
I just wanted to say that execution control blocks all those keyloggers probably.
And NoScript is far from useless, but in the end you can think whatever you want.
SandboxIE, incredibly simple and powerful, one of my favorites of all times, is not the only solution, and it doesn't have the answer for all the problems.
wat0114
February 5th, 2008, 11:34 PM
-{ Quote: "There is some explanation provided here.
http://www.spectorsoft.com/products/eblaster_windows/help/v50/webhelp/Firewalls.htm" }-
Thanks, though I already know the basics of software firewalls and how they can be configured to restrict network access to trusted programs. I just wanted to know if some of these keyloggers can somehow bypass them.
-{ Quote: "Firewalls alone are currently inadequate as some new MBR rootkits are apparently transmitting through undetected.
Here is a working example described: http://www2.gmer.net/mbr/" }-
Thanks Hermes. In an effort to sift through all the techno mumbo jumbo of the page, I did a search for the words "firewall", "undetected", "detected" and "bypass" with no success. Is there some evidence that the rootkit can bypass a properly configured firewall?
Pedro
February 5th, 2008, 11:36 PM
-{ Quote: "
Thanks Hermes. In an effort to sift through all the techno mumbo jumbo of the page, I did a search for the words "firewall", "undetected", "detected" and "bypass" with no success. Is there some evidence that the rootkit can bypass a properly configured firewall?" }-
The problem isn't in the configuration, the firewall is completely bypassed, it doesn't process the packets.
wat0114
February 5th, 2008, 11:39 PM
-{ Quote: "The problem isn't in the configuration, the firewall is completely bypassed, it doesn't process the packets." }-
Okay, thank you. I will attempt to find info on how this happens, only because I'm curious and feel the need to know :)
Pedro
February 5th, 2008, 11:46 PM
Googled "rootkit firewall bypass driver", got this (www.blackhat.com/presentations/bh-usa-06/BH-US-06-Tereshkin.pdf). I'm going to read it myself.
An obvious note: this doesn't happen if SandboxIE is in the picture, since no rootkit should install. Perhaps that's what you were really thinking of above?
wat0114
February 5th, 2008, 11:53 PM
-{ Quote: "An obvious note: this doesn't happen if SandboxIE is in the picture, since no rootkit should install. Perhaps that's what you were really thinking of above?" }-
No, I was/am just curious if a rootkit once installed (assuming a non-sandboxed system) could transmit user data past a properly configured two-way firewall. Thanks for the link. I will take a look.
MitchE323
February 6th, 2008, 12:09 AM
SpectorSoft is the largest monitoring company worldwide. Some malware may destroy your machine, but other items can destroy you. That is the danger with key loggers. Everyone has a right to privacy. It is not just banking information. Letters to your girlfriend that end up with your wife, 'dark' sites that you visit, and yes banking information also. And a thousand other things that rightly or wrongly, we are all guilty of.
If you handle your computer security from the bottom towards the top, then yes no-script is great. But if you handled it from the top towards the bottom and if SandboxIE was the very first security product installed why would I be concerned with scripts?
What’s more, the premise of the discussion is that it needs to work with GrandMa, and with 'default settings'. Well, SandboxIE right out of the box handles 100% of all scripts just dandy. No-script requires user interaction. You can't have this thing both ways.
If the recommendations were stated as "Use keyscrambler but be aware of what it does not do in relation to what is really out there" or "Use no-script but be aware that there are more good scripts than bad ones" then that would be fine. But read the earlier posts in this thread. That is not what was presented.
SandboxIE handles the SpectorSoft products just fine and it also handles scripts just fine. Also active-x is no problem at all. But oh yeah that's right, no product does it all.
Pedro
February 6th, 2008, 12:22 AM
I don't use keyscrambler. Yes, I start from the obvious, the firewall, then downwards. All keyloggers are blocked from execution on my computer. No matter who uses it.
Regarding NoScript, read about XSS (http://www.wilderssecurity.com/showthread.php?t=174195&highlight=elio). User interaction with NS? With me, rare.
glentrino2duo
February 6th, 2008, 12:24 AM
If there's a keylogger running in the sandbox, is it not supposed to appear in the Sandboxie Control? Just curious...
Hermescomputers
February 6th, 2008, 06:20 AM
-{ Quote: "Okay, thank you. I will attempt to find info on how this happens, only because I'm curious and feel the need to know :)" }-
Simply put it loads before the operating system actually does.
This allows it to operate without requiring a process running, it doesn't need a registry entry either. These simple elements invalidate 100 % of current known PC based defenses.
The only method one could intercept it is from an external network traffic/protocol analyzer listening to the infected node to identify its packets during transmit & receive. This actually does require one to already know what he or she is looking for, otherwise it simply gets lost in the noise...
I can't explain it better than this.
Hermescomputers
February 6th, 2008, 10:15 AM
-{ Quote: "If the recommendations were stated as "Use keyscrambler but be aware of what it does not do in relation to what is really out there" or "Use no-script but be aware that there are more good scripts than bad ones" then that would be fine. But read the earlier posts in this thread. That is not what was presented.
" }-
Oh... please, like in every product recommendation we have to describe every single function and its idiosyncrasies... Get a grip! :)
Users also have a responsibility to research the products they use to know why and how to use them... We are simply providing them with appropriate tools to help them. Even if it displeases some...
Besides in my world there are no "Certainties" and Products are not infallible... thus the multiple layer recommendation.
I think your argument is not much more than an attempt at strife or a simple act of despair... either way the only valid guidance is still to use layers... it's safe, time and experience proven and it works...
MitchE323
February 6th, 2008, 10:26 AM
Man, I purposely 'exaggerated' it to make the point. It was rhetorical. haha
Hermescomputers
February 6th, 2008, 10:29 AM
-{ Quote: "Man, I purposely 'exaggerated' it to make the point. It was rhetorical. haha" }-
I figured you were just having fun pulling my chain... ;)
MitchE323
February 6th, 2008, 10:40 AM
It's all good but here is the thing - the OP states a concern on keyloggers and wonders about SandboxIE. What I am trying to say is "Hey man, look at this SpectorSoft stuff - what anti-keylogger out there can protect you from this?" The answer is that none of them can - except sandboxie.
To then hear that KeyScrambler Personal would be somehow a better choice because of some sleight of hand with RoboForm.......well, it's all here for the reading.
Hermescomputers
February 6th, 2008, 10:47 AM
-{ Quote: "It's all good but here is the thing - the OP states a concern on keyloggers and wonders about SandboxIE. What I am trying to say is "Hey man, look at this SpectorSoft stuff - what anti-keylogger out there can protect you from this?" The answer is that none of them can - except sandboxie.
To then hear that KeyScrambler Personal would be somehow a better choice because of some sleight of hand with RoboForm.......well, it's all here for the reading." }-
It is not what I said at all... I said that layers, of HIPS (which will intercept any executable loading) in combination with a Browser dedicated anti keylogger and Roboform all running inside sandboxie will prove effective to near 100 %. What you are trying to say is that sandboxie is all that is needed... Big difference.
Nowhere in any of my recommendations do I advise reliance on any one product... In fact as I hope you have read in my articles: I advise users to "Educate themselves" and "To do their own research" and "To go over all their security setups at regular intervals"...
Anyone reading this will be upset if they are looking for an easy button that you can click to get all for no efforts... It simply doesn't work that way... You are taking everything I wrote out of context just to argue... You must be a retiree or something? :D
I think the only hope most users may have against those spectorsoft type utilities is to use a HIPS... as a preemptive protection otherwise you need to scan and hunt...
Terror_Eyez
February 6th, 2008, 02:57 PM
-{ Quote: "Unfortunately this setting is not active by default effectively rendering the sandbox a high risk with keylogers (only during the infected session as I have stated above).
In my experience anything not "default" is useless" }-
Wow, well with that logic, security products are useless then since they aren't default on Windows!
-{ Quote: "Some types of keylogers yes... however many trojans also include keylogging functionality as well as remote viewing or even remote control... All contained within an executable smaller than 400k... Seen some even smaller." }-
But all that you mentioned, does require a driver to function...
-{ Quote: "And another thing you could do is install Keyscrambler. Works on both Firefox and IE and is free. Even if a keylogger could log your keystrokes. All it will receive is a load of gobbledygook." }-
KeyScrambler is useless, you can use this one file to just descramble the scrambled keystrokes, and you've got the untouched, unscrambled keystrokes.
Whats so safe about that?
-{ Quote: "As far as I know SandboxIE is the only product that provides even hope against a commercial keylogger." }-
Yep thats true, cause not just can Sandboxie block and remove keyloggers, but A/Vs, although can sometimes successfully detect keyloggers, will never detect commercial keyloggers though cause they are added to the "whitelist" in the A/V. Who knows what else those A/Vs aren't detecting (due to either not be added to the signatures, or being whitelisted...)
-{ Quote: "Has anyone actually tested KeyScrambler to see how effective it really is?" }-
Again, easily descrambled, so it's not effective...
-{ Quote: "But if I was going to purchase something from a website i'm not registered to then I would clear the sandbox then submit my details." }-
I would always do that, even if I was or wasn't registered...
-{ Quote: "All true, but another thing to remember is that with commercial keyloggers, most of them are a package deal - capturing screen shots and all. Logging Instant Messages - logging notepad and Word, the whole bit. An anti-keylogger even if 100% successful against all of that would still leave you very open." }-
Exactly!!
Most other programs that "block" keyloggers, can only block the keylogging part of the keylogger (even then, it doesn't always work...) but in Sandboxie, go ahead, run the keylogger all you want, and go ahead and even let it take screenshots, hell go ahead and decorate your desktop just so it will look good in the screenshots.
Doesn't matter though, cause in the end, when I am done with my session, I am deleting the sandbox, and all those screenshots, keystrokes, etc are gone, before anyone was able to get their hands on them...
It's like a security camera, sure, it can record all the data it wants, but if you commit a crime, the camera records you, and then you take the tape before anyone can get their hands on it, well then, nobody is going to see anything...
-{ Quote: "what the heck are the odds that I pick up a keylogger during that exact very session that I need to type something?" }-
Exactly, keyloggers are pretty damn rare to come across anyways, especially on the net.
Most times, if a keylogger is installed onto your pc, it is because it was bundled inside of some program/setup file that you ran, but the keyloggers can't just auto install themselves when you visit a webpage (except maybe in FF)...
-{ Quote: "good post, Sandboxie and quit worrying about those pesky keyloggers. Sandboxie is the only app of this type that works as intended. The others are all playing catch up." }-
Thats right, and it's funny, cause you are the OP of this thread and even you realize that!
-{ Quote: "I recommend it warmly on my web site. Not too many others out there actually do." }-
Really? I see it recco'd all over the place! You should try broadening your horizons and look elsewhere other than just at Wilders.
-{ Quote: "Besides If you where to follow those recommendations your risks of infection or of a breach of system security is probably close to zero... so doing I'm doing my Job as a consultant." }-
What makes your recommendations so great? What makes you think that if someone sets their pc up based on your recommendations, then their PC will be perfect?
I wouldn't trust someone else's setup (I am not talking about you, I mean everyone), I have my PC set up based on my own personal experience, from over 12 years of PC usage, and it has worked out just fine for me.
-{ Quote: "Probably because too many think like you, and have the invincibility concept firmly burnt into their minds until they come crying to people like me to help them save their precious data... " }-
Man you should let down on your ego, it's getting a little big. This has nothing to do with invincibility, it has to do with finding what works just fine for you, nothing more!
-{ Quote: "I recommend using an anti keylogger in combination with a HIPS and using Roboform to input the passwords (I also recommend using strong passwords in Roboform). A different one for every web site, and to keep whatever passwords inside encrypted documents if they for some reason refuse to use password managers....
Not inputting the password manually effectively can "help" thwart a keylogger interception of keystrokes.. as there are no keystrokes to be intercepted... Products like Roboform use a master password and keep all others within encrypted containers within the system. This when combined together provides far more security than any other method I know of... Sandboxie included... However if you combine this technique with using Sandboxie.. you are far and above the risks encountered by most users online." }-
Ha, you could just use Opera in conjunction with Sandboxie, and it's even more secure than that setup!
-{ Quote: "I have written a shortened version focused on Secured Web Browsing alone to address the "Overload" affecting some users when confronted with the large numbers of actual attack vectors facing them... It covers all the basis from user interaction to the sites they visit as well as filtering the sites themselves for possible hostile exposure." }-
Or just run the browser sandboxed, then if/when you do encounter a large number of actual attacks, just terminate the box, and delete the data, done...
-{ Quote: "In the case of Keyscrambler, it is of course due to the fact that not too many tools are on the market catering directly to web browser password protection. I advise users to use Roboform for added protection, as the only password in this case (keyscrambler) protects is the master password...
" }-
You don't need KeyScrambler for that, most modern day browsers (except FF, it hasn't caught up yet) can do that for you...
-{ Quote: "Besides, I also tell in my article that "trusting" any single applications or vendor is not recommended. I recommend using a battery of tools as layers against most attack vectors read my article (in its entirety if you wish for me to continue explaining myself).... See Cyber Self Defense for a more thorough explanation." }-
Oh god, the layer approach again, it doesn't work. Layering started out in the late 90s when people got scared that current security products would become ineffective against the onslaught of viruses that started out, so instead of waiting for 1 good program, they decided to install another bad program, and another one, and another one. So now we are at the point today where people just say "Oh just install 20 things and call it layering"!
It doesn't really work, it is just a psychological thing, that's all.
I mean, if you were to put a guard in front of the White House, then decide that isn't enough, and so you put another guard there, and another one till you've got 250 guards around the White House, it still won't matter if all 250 of them are drunk and passed out, then you're going to sneak past them real easily.
Same with multiple security programs, it doesn't matter how many you put on, if they can't detect the viruses, you're screwed...
-{ Quote: "Hey, I'm not downplaying anything... I'm simply saying that eventually someone will find a way around any security technology... It has never failed." }-
Yeah, but there is no need to put 7 other things on though. Use that one program, and if/when it is bypassed, then continue using it until you find a new program. No need to put 7 other things on as "layers" though...
-{ Quote: "My simple opinion is for computer security minded folks to stop all of the useless 'Firefox with No-Script and Key-Scrambler with or without Roboform' BS" }-
TY!
-{ Quote: "Without downplaying the importance or effectiveness of sandboxes or other means to prevent the unsolicited transmission of keylogged data, why has no one in this thread mentioned the use of a properly configured two-way firewall? Does it not work? If not, please explain." }-
No, none of the F/Ws work for crap, they haven't since about 2002...
-{ Quote: "I visit websites daily that try to install things in the background... so no script is a must and perhaps the only effective method to "prevent" those scripts from installing... I will certainly never vouch for a single application that work as an easy button/magic bullet as there simply are none..." }-
Actually there is no need for NoScript. Most browsers today (maybe even the new FF?) can easily block scripts, content, plugins, etc.. Much more than NS can..
-{ Quote: "As for using a firewall, any darn idiot on this side of the galaxy should already know that shouldn't they? ...Well actually no matter what some of you may think, I meet the ones who think they are even unnecessary..." }-
Yep, they are unnecessary, just like UAC in Vista, does nothing and is just an annoyance. "IE is trying to access the internet, oh whatever should I do??"
...Please, if I opened IE, obviously it should be connecting to the net, and I don't need a program to tell me that...
-{ Quote: "Hermis, I never said not to use a firewall. And everything in your last post is a walk in the park for SandboxIE - without giving up 20% of the web." }-
Exactly, use Sandboxie, it only takes up a mb of HD space, 7 mb of ram, and only 3 CPU, and sucks up none of your bandwidth, plus no conflicts to hell!
-{ Quote: "Thanks, though I already know the basics of software firewalls and how they can be configured to restrict network access to trusted programs. I just wanted to know if some of these keyloggers can somehow bypass them." }-
Yeah they can, easily, which is why most people don't want to use them anymore, or even worse, I know people who are running multiple F/Ws, then they wonder why their network frequently stops working, and they get all kinds of BSODs??
-{ Quote: "Is there some evidence that the rootkit can bypass a properly configured firewall?" }-
There is no properly configured F/W, all F/Ws fail at the hands of a virus, trojan, rootkit, etc..
-{ Quote: "No, I was/am just curious if a rootkit once installed (assuming a non-sandboxed system) could transmit user data past a properly configured two-way firewall. Thanks for the link. I will take a look." }-
Yes it can, hell, even ad-ware can transmit through a "properly configured" fw... or 2, or 3...
-{ Quote: "Regarding NoScript, read about XSS. User interaction with NS? With me, rare." }-
No-Script can't block most XSS, the only ones it can are the "known" ones, most cross-scripts out there though will slip right through NS without you realizing it..
-{ Quote: "If there's a keylogger running in the sandbox, is it not supposed to appear in the Sandboxie Control? Just curious..." }-
Yes it will...
-{ Quote: "Simply put it loads before the operating system actually does.
This allows it to operate without requiring a process running, it doesn't need a registry entry either. These simple elements invalidate 100 % of current known PC based defenses.
The only method one could intercept it is from an external network traffic/protocol analyzer listening to the infected node to identify its packets during transmit & receive. This actually does require one to already know what he or she is looking for, otherwise it simply gets lost in the noise...
I can't explain it better than this." }-
I know what you mean, but if you had it sandboxed, then it wouldn't be able to load before the OS, no matter what it installs, cause it is constrained to the sandbox, where it can't auto-load, before or after the OS... All you have to do is just delete the box, simple as that.
-{ Quote: "Users also have a responsibility to research the products they use to know why and how to use them... We are simply providing them with appropriate tools to help them. Even if it displeases some..." }-
Contradiction? You want people to research their own products, and find their own program(s) to use (like I did), but then you say that you are offering them the "appropriate tools"? What makes those the appropriate tools out of everything out there?
Reminds me of that old Ford saying; "You can have it any color you like, as long as it's black"!
-{ Quote: "I think your argument is not much more than an attempt at strife or a simple act of despair... either way the only valid guidance is still to use layers... it's safe, time and experience proven and it works..." }-
It is not safe, it only makes you think so. It is not experience proven, since people constantly point out "Omg, I am running this, this, that, this, this and that with this turned on, and a rootkit and 3 trojans made it through, what happened?" I mean hell, you even said yourself, you get people all the time riddled with viruses. If the layer approach worked, you'd have no customers..
Oh and last, no it does not work, as stated.
-{ Quote: "It is not what I said at all... I said that layers, of HIPS (which will intercept any executable loading) in combination with a Browser dedicated anti keylogger and Roboform all running inside sandboxie will prove effective to near 100 %. What you are trying to say is that sandboxie is all that is needed... Big difference." }-
And what makes what you say 100% perfect, compared to what someone else says??
3 years, just Sandboxie (except for the first 4 months when I had 3 other things installed), and I have had no problems.
'nuff said!
-{ Quote: "Nowhere in any of my recommendations do I advise reliance on any one product... In fact as I hope you have read in my articles: I advise users to "Educate themselves" and "To do their own research" and "To go over all their security setups at regular intervals"..." }-
Why do you keep referring to your articles or site?
So because your article says not to use one program, then your recommendations must be followed? Big ego man...
-{ Quote: "I think the only hope most users may have against those spectorsoft type utilities is to use a HIPS... as a preemptive protection otherwise you need to scan and hunt..." }-
Or run it in a sandbox?
You keep missing the concept. There is no need to scan and hunt (which is what renders an A/V useless) and there is no need to detect a keylogger, cause it can't do anything in the first place (in a sandbox) cause in the end, it is gone, plus so is everything it did, without anyone seeing what the keylogger did, and without any permanent damage, etc...
So sorry for the long post guys, I had no idea it would be this long, I just had to go through 2 pages of quotes cause I like to get it all done at once (like Sandboxie, ha)! ;)
WilliamP
February 6th, 2008, 03:14 PM
Terror_Eyez, have you ever tried DefenseWall? Compare it to Sandboxie.
Pedro
February 6th, 2008, 04:44 PM
I can't believe I actually read up to this part. What a long post! :P
-{ Quote: "
No-Script can't block most XSS, the only ones it can are the "known" ones, most cross-scripts out there though will slip right through NS without you realizing it..
" }-
So what you're saying is, besides that NS is no good for XSS (do you actually have something to show me, or just empty words?), that one should throw in the towel, or better, believe that SandboxIE or Opera fixes the problem. It could, with a rigid discipline (flushing the sandbox over and over to originate new sessions when needed), concerning many things one does online..
I just ask a bit more thought into this...
MikeNAS
February 6th, 2008, 05:02 PM
-{ Quote: "Or third, in one of your sandboxes, you could just try setting only one file to run (such as your browser) and then any other files in the sandbox (example, keylogger) won't even be able to run in the first place!!" }-
How can I do that with Sandboxie?
muf
February 6th, 2008, 07:21 PM
-{ Quote: "How can I do that with Sandboxie?" }-
Easy, just run your browser sandboxed. Open up the Sandboxie Control. Right mouse click your browser file and select program settings. it's the fourth one down you choose.
muf
EASTER
February 6th, 2008, 11:51 PM
Whew! Quite a read indeed!
All I might add has already been spoken on infinite times before and is still repeating. SandboxIE is one really tough bird and it's almost funny how users continue to jockey with apps from one to another to pile on the beef, and some with total blind trust in AVs/ASs only completely miss the mark entirely of the rock hard benefits of virtualization. Some still do.
An artificial environment is the best place to sit while the activity takes place in front of your view while reveling in confidence of the security that in but a press of the button, P00F!
Back to Zero! again, ya just gotta luv SandboxIE and other virtuals for some. LoL
Chuck57
February 7th, 2008, 12:37 AM
Thank you, muf. I didn't know about that option in Sandboxie. There's a lot I don't know about it yet. It seems as if the more I learn, the more I find out new things Sandboxie can do.
I do admit to a sort of layered approach....kind of.....maybe. I also run Returnil 2008 Premium and I have DeepFreeze. Between them, I think I'm fairly good to go just about anywhere I want safely.
MikeNAS
February 7th, 2008, 01:31 AM
-{ Quote: "Easy, just run your browser sandboxed. Open up the Sandboxie Control. Right mouse click your browser file and select program settings. it's the fourth one down you choose.
muf" }-
Do you mean this?
This program is the only program in this sandbox that can access the Internet.
That's not what I asked. I mean the only program which can run in that sandbox.
glentrino2duo
February 7th, 2008, 01:56 AM
I don't think this is possible in the current feature set. Besides, Sandboxie always runs its start.exe, SandboxieRpcSs.exe and SandboxieDcomLaunch.exe.
EASTER
February 7th, 2008, 02:25 AM
Not to veer very far OT, let's hypothetically assume that a file infector virus lands in the sandbox and goes straightway to ALL exe's (inside containment) to modify/corrupt common compilation files.
I want to assume SandboxIE would exhibit immunity from such an attack on its executables, but which is it? I employ a HIPS in the sandbox to intercept such an attempt. Does SandboxIE support itself under such a challenge?
I sandboxed IE and proceeded to one of the known aggressive drive-by sites that throw some pretty mean darts at IE to bypass it on to its pre-programmed course of disruptions.
Any thoughts, real results?
Thanks
MikeNAS
February 7th, 2008, 02:38 AM
If that virus can bypass Sandboxie then it can do some nasty things. Otherwise:
It can't access my hard drive -> blocked
It can't access my registry -> blocked
It can't connect to the internet -> blocked
It can just wait until I close my sandbox and Eraser cleans it totally.
EASTER
February 7th, 2008, 02:52 AM
-{ Quote: "If that virus can bypass Sandboxie then it can do some nasty things. Otherwise:
It can't access my hard drive -> blocked
It can't access my registry -> blocked
It can't connect to the internet -> blocked
It can just wait until I close my sandbox and Eraser cleans it totally." }-
As evident with my question, I too am fairly new to this superb program so I'm cautiously overviewing any potential break-out possibilities, but if I read it all right, no matter what, just like a VMware, any/all file activity is limited to applying approaches to ONLY a duplicate/artificial containment environment and is for all practical purposes TRAPPED within the borders of the Sandbox PERIOD!
Is this an accurate assumption? Because if so the percentages are incredibly favorable that any and all sandboxed activity is helplessly LOCKED in this parallel environment/field with no alternative to exercise any genuine control to the rest of the unsandboxed state of the genuine system.
Huupi
February 7th, 2008, 03:25 AM
As Tzuk evidently said somewhere, you are not protected from a keylogger that is already on your system. I still don't get how this keylogger can bypass my sandboxed browser !?!?!
Guess it's my misconception about the true intent of Sandboxie cause I am pretty new to all this.
Huub.
EASTER
February 7th, 2008, 03:40 AM
Hi Huppi
I think the KEY factor in any of this hinges on getting ahead of that possibility beforehand. After that the Sandbox is a parallel/duplicate copied mirror image and ANY files and/or activity are kept within these borders. I think the mere mention of any expectation that a security app can deal with malware AFTER it's already landed in the field of your REAL system is not at issue here, because programs like SandboxIE or any good security program needs be positioned and active FIRST. Otherwise it's a matter of dealing with an AFTER-THE-FACT intrusion which of course contradicts the very purpose of any security app or in this case virtualization/sandboxing.
Huupi
February 7th, 2008, 04:22 AM
-{ Quote: "Hi Huppi
I think the KEY factor in any of this hinges on getting ahead of that possibility beforehand. After that the Sandbox is a parallel/duplicate copied mirror image and ANY files and/or activity are kept within these borders. I think the mere mention of any expectation that a security app can deal with malware AFTER it's already landed in the field of your REAL system is not at issue here, because programs like SandboxIE or any good security program needs be positioned and active FIRST. Otherwise it's a matter of dealing with an AFTER-THE-FACT intrusion which of course contradicts the very purpose of any security app or in this case virtualization/sandboxing." }-
Sure, checking/scanning for these nasties beforehand is the obvious thing to do, if you at least want Sandboxie to protect a pristine system; otherwise it's useless to rely on Sandboxie cause as Tsuk said............an installed keylogger has unrestricted access to the Web.
But it still puzzles me how an installed keylogger can reach out to bypass Sandboxie ??
muf
February 7th, 2008, 08:00 AM
I think you may misunderstand Sandboxie and how it works. When you run your browser sandboxed then anything that comes through the sandboxed browser will remain in the sandbox. It can't get to your 'real' system. If you were already infected with a keylogger before installing Sandboxie then that would be active in your 'real' system and will be functioning outside of Sandboxie. It is not able to circumvent Sandboxie as it was never run through it in the first place. You must understand that Sandboxie does not sandbox your system; it sandboxes applications that you choose to run sandboxed.
Hope this helps.
muf
wat0114
February 7th, 2008, 08:10 AM
Interesting thread. I'll have to revisit sandboxes. For some reason I could not get sold on them in my previous, albeit brief, trialing of them, Sandboxie being one of them and I forget the other. Seems to me there was some instability issue I had with Sandboxie at the time. However, it is clear from this thread they are an excellent browsing companion :)
Peter2150
February 7th, 2008, 08:25 AM
-{ Quote: "As evident with my question, i too am fairly new to this superb program so i'm cautiously overviewing any potential break-out possibilities, but if i read it all right, no matter what, just like a Vmware, any/all file activity is limited to applying approaches to ONLY duplicate/artificial containment environment and is for all practical purposes TRAPPED within the borders of the Sandbox PERIOD!
Is this an accurate assumption? " }-
Yes. I've tested it against all the crud I have, and it's protected the computer. I've even tested Outlook in the sandbox, and that solves the email problem.
Hermescomputers
February 7th, 2008, 08:39 AM
First let me state this: I am a great supporter of sandboxie. It is probably my favorite security tool.
This being said: One of the problems I have with selective virtual environments is that because of their dynamic nature they tend to be bypassed by the users themselves... The problem is, if they manage to get infected while outside the sandbox they will have no other means of recovery and no warning that they are even infected. Not to mention that due to ignorance they may actually release an infection from the sandbox thinking it's a legitimate and clean program, thus infecting the system.
(If, as some advise here, Sandboxie is used as the only security tool, then this user is in serious trouble indeed.)
CASE IN POINT: I worked on two systems yesterday, both infected with a rootkit. Both systems had Sandboxie, one even had Returnil + several other security tools... including the latest NOD32 v.3; the other infected PC had AVG AV Free, and both had Prevx 2.0...
See this post: http://www.wilderssecurity.com/showpost.php?p=1177759&postcount=243
Claims that Sandboxie or any other system is the "perfect" tool are ludicrous... as one must take into consideration the users and their idiosyncrasies. I think it is unfair and a great disservice to anyone to make the outrageous claims some make in this thread...
Terror_Eyez
February 7th, 2008, 10:41 AM
-{ Quote: "Terror_Eyez, have you ever tried DefenseWall? Compare it to Sandboxie." }-
Yes I have, why do you ask?
-{ Quote: "So what your saying is, besides that NS is no good for XSS (do you actually have something to show me, or just empty words?)" }-
I'm not saying it is NO good for XSS, I am just saying that all XSS is based off of one of 3 attacks. And NS has a problem with the most frequently used attacks (and the more advanced XSS), that's all...
-{ Quote: "that one should throw the towel, or better, believe that SandboxIE or Opera fixes the problem." }-
I'm not saying to get rid of FF and/or its NS extension, I am just saying that, for example, Opera can block all this stuff that NS can block, plus more, without needing 3rd party tools which could easily be disabled through an attack...
-{ Quote: "It could, with a rigid discipline (flushing the sandbox over and over to originate new sessions when needed), concerning many things one does online.." }-
Well, there is no need to overdo it, just use the sandbox over and over as much as you want, until you feel that it should be cleaned, then just dump it. No need to dump it after every XSS you come across (although you could if you want to).
-{ Quote: "
Not to veer very far OT, let's hypothetically assume that a file infector virus lands in the sandbox and goes straightway to ALL exe's (inside containment)to modify/corrupt common compilation files.
I want to assume SandboxIE would exhibit immunity from such an attack on its executables, but which is it? I employ a HIPS in the sandbox to intercept such an attempt. Does SandboxIE support itself under such a challenge?
I sandboxed IE and proceeded to one of the known aggressive drive-by sites that throw some pretty mean darts at IE to bypass on to its pre-programmed course of disruptions.
Any thoughts, real results?
Thanks" }-
You are correct, Sandboxie's files are immune, 'cause you have to remember, although Start.exe, SandboxieRpcSs.exe and SandboxieDcomLaunch.exe might be running, they are running sandboxed! ;)
-{ Quote: "If that virus can bypass Sandboxie then it can do some nasty things. Otherwise:
It can't access to my hard drive -> blocked
It can't access to my registry -> blocked
It can't connect to internet -> blocked
It can just wait that I close my sandbox and Eraser cleans it totally." }-
Exactly, with all 3 things blocked off to keyloggers (or other nasties) what could they do?
-{ Quote: "
As evident with my question, i too am fairly new to this superb program so i'm cautiously overviewing any potential break-out possibilities, but if i read it all right, no matter what, just like a Vmware, any/all file activity is limited to applying approaches to ONLY duplicate/artificial containment environment and is for all practical purposes TRAPPED within the borders of the Sandbox PERIOD!
Is this an accurate assumption? Because if so the percentages are incredibly favorable that any and all sandboxed activity is helplessly LOCKED in this parallel environment/field with no alternative to exercise any genuine control to the rest of the unsandboxed state of the genuine system." }-
That is 100% correct, it is like a VM, everything is just locked inside the sandbox, anything and everything it does is stuck inside the sandbox, no matter what!
-{ Quote: "Sure, checking/scanning for these nasties beforehand is the obvious thing to do, if you at least want Sandboxie to protect a pristine system; otherwise it's useless to rely on Sandboxie, 'cause as Tzuk said............ an installed keylogger has unrestricted access to the Web.
But it still puzzles me how an installed keylogger can reach out to bypass Sandboxie??" }-
It can't...
Just refer to muf's post...
-{ Quote: "Yes. I've tested it against all the crud I have, and it's protected the computer. I've even tested Outlook in the sandbox, and that solves the email problem" }-
Same here, I have tested it against some of the worst viruses out there: keyloggers, trojans, spyware, adware, rootkits, etc.
Nothing can get through! I have tried my hardest, 'cause I actually want to see it get bypassed once, just so I can say "finally", but it never happens. Sandboxie is as hard as a rock!
Stijnson
February 7th, 2008, 10:46 AM
I'm really interested in trying out Sandboxie.
I don't surf a lot, but I guess browsing in a Sandbox will probably be the best way to start, right?
If I download movies with Newsleecher (DVD5, so most of the time 90x50MB rar files), can I do that in Sandboxie as well? Where does it leave all the files and how can I ultimately get them on my HD?
Cerxes
February 7th, 2008, 11:02 AM
-{ Quote: "...If I download movies with Newsleecher (DVD5, so most of the time 90x50MB rar files), can I do that in Sandboxie as well? Where does it leave all the files and how can I ultimately get them on my HD?" }-
You have to recover/write the files to your drive but you could sandbox your mediaplayer.
/C.
Stijnson
February 7th, 2008, 11:07 AM
-{ Quote: "You have to recover/write the files to your drive but you could sandbox your mediaplayer.
/C." }-
So downloading the files doesn't necessarily have to go through Sandboxie? I burn them to DVD (after compiling them with WinRar). Which of these actions should go through Sandboxie?
Peter2150
February 7th, 2008, 11:09 AM
-{ Quote: "
CASE IN POINT: I have worked on two systems yesterday, both infected with a rootkit. Both system had Sandboxie, one even had returnil + several other security tools... Including the latest NOD 32 v.3 the other had AVG AV Free, and both had Prevx 2.0...
" }-
Okay, so there are not very clever people. What on earth did they do.
Hermescomputers
February 7th, 2008, 11:20 AM
-{ Quote: "Okay, so there are not very clever people. What on earth did they do." }-
I have no idea... only that they did have a load of crap for me to mop... :dry:
More than likely they allowed the infection to escape the sandbox... thinking it was something good as usual.
What kills me is that all these "Other" layers still missed the infection in the first place... that is really bothering me actually.
Considering these are the best tools we currently have available to secure these environments...
Huupi
February 7th, 2008, 11:26 AM
-{ Quote: "I think you may misunderstand Sandboxie and how it works. When you run your browser sandboxed then anything that comes through the sandboxed browser will remain in the sandbox. It can't get to your 'real' system. If you were already infected with a keylogger before installing sandboxie then that would be active in your 'real' system and will be functioning outside of sandboxie. It is not able to circumvent sandboxie as it was never run through it in the first place. You must understand that Sandboxie does not sandbox your system it sandboxes application's that you choose to run sandboxed.
Hope this helps.
muf" }-
Yes, but how does the installed keylogger get to the web if the only gateway is the sandboxed browser? Are there more ways out for stuff like that?
I can give my browser, as the only app in a particular sandbox, the right to connect, all others not, so it's my understanding that anything other than my browser is denied a connection too, even the most remotely bad code aka keylogger. For me it isn't obvious; I have a hard time getting the idea.
Peter2150
February 7th, 2008, 12:46 PM
-{ Quote: "I
More than likely they allowed the infection to escape the sandbox... thinking it was something good as usual.
What kills me is that all these "Other" layers still missed the infection in the first place... that is really bothering me actually.
Considering these are the best tools we currently have available to secure these environments..." }-
I think it just goes to prove my feeling: The worst tools in good hands will protect you, and the best tools, in inept hands can't protect you.
I fear my friend you won't see a slack in business.
Pedro
February 7th, 2008, 12:52 PM
Huupi: let's assume Sandboxie is perfect, no flaws.
The user himself can still go ahead and recover the keylogger from the sandbox and execute it outside Sandboxie's scope.
If the user already had a keylogger before installing Sandboxie to begin with, it will work without interception. Sandboxie protects what is outside the sandbox from the inside, but not the other way.
-{ Quote: "
I'm not saying it is NO good for XSS, I am just saying that all XSS is based off of one of 3 attacks. And NS has a problem with the most frequently used attacks (and the more advanced XSS), that's all...
I'm not saying to get rid of FF and/or its NS extension, I am just saying that, for example, Opera can block all this stuff that NS can block, plus more, without needing 3rd party tools which could easily be disabled through an attack...
Well there is no need to overdo it, just use the sandbox over and over as much as you want, until you feel that it should be cleaned, then just dump it. No need to dump it after every XSS you come across (although you could if you want to)
" }-
Not every XSS (how could I detect it anyway?). I mean every time I wanted to log in.
Can you give me a link or two demonstrating/discussing Opera's effectiveness against XSS? I would be delighted to read that.
I have asked for that info a few times before, and searched, with no luck; in fact I've read the contrary, that Opera did nothing to prevent it.
I would be more than happy to find out that Opera is secure concerning XSS.
lucas1985
February 7th, 2008, 12:56 PM
There are some keylogging techniques which work fine inside Sandboxie.
Huupi
February 7th, 2008, 01:33 PM
-{ Quote: "There are some keylogging techniques which work fine inside Sandboxie." }-
If I have to believe the working of SB then it's not a problem.
MitchE323
February 7th, 2008, 01:56 PM
Wow, Terror_Eyez, that was ... complete. Just one thing: the setting you mention here I do not believe can be set through the GUI.
-{ Quote: "Or third, in one of your sandboxes, you could just try setting only one file to run (such as your browser) and then any other files in the sandbox (example, keylogger) won't even be able to run in the first place!!" }-
That is what I call the 'Extra Secure' setting and it really needs a user to understand and plan his system correctly. Tzuk has discussed it here:
http://sandboxie.com/phpbb/viewtopic.php?p=10424#10424
Caution: you will find that some things that you might require for normal surfing cannot work with this setting. It is restrictive.
-{ Quote: "You keep missing the concept." }-
That is it in a nutshell: it is strategically planning the security of your computer. True, it is not for Grandma, but the OP is trjam and he is no Grandma, and all of us are the ones discussing this; we are not Grandmas. That is a distraction that leads to never being able to make any kind of decision of any kind. Too many bases need to be covered. We are discussing our computers; others are discussing 'their customers' computers'. It's a different burden.
mitche323
lucas1985
February 7th, 2008, 02:06 PM
-{ Quote: "If I have to believe the working of SB then it's not a problem." }-
Yup, purge the sandbox and start a new fresh session before doing anything sensitive.
MikeNAS
February 7th, 2008, 02:24 PM
-{ Quote: "That is what I call the 'Extra Secure' setting and it really needs a user to understand and plan his system correctly. Tzuk has discussed it here:
http://sandboxie.com/phpbb/viewtopic.php?p=10424#10424
Caution: you will find that some things that you might require for normal surfing cannot work with this setting. It is restrictive." }-
Thanks a lot! I tried to find that all day :D
Terror_Eyez
February 7th, 2008, 02:30 PM
-{ Quote: "Wow, Terror_Eyez, that was ... complete. Just one thing: the setting you mention here I do not believe can be set through the GUI.
That is what I call the 'Extra Secure' setting and it really needs a user to understand and plan his system correctly. Tzuk has discussed it here:
http://sandboxie.com/phpbb/viewtopic.php?p=10424#10424
Caution: you will find that some things that you might require for normal surfing cannot work with this setting. It is restrictive.
" }-
Aha, that's what it was!
Thanks for posting that. I thought it could be done from the GUI since I already had it set, but I must've done it from the ini myself... ::)
MikeNAS
February 7th, 2008, 02:33 PM
You can do that with GUI.
-IPC Access:
-Blocked Access:
*
The list above applies to !opera
EDIT: Now I only have to figure out how to block all file accesses. Even portable Opera needs the Documents and Settings folder, so there isn't any easy block command. Also have to remember that Start.exe needs rights too.
MitchE323
February 7th, 2008, 02:40 PM
Yes Mike you are correct!:D I just learned how to do that. ;)
Peter2150
February 7th, 2008, 02:45 PM
Another way from the GUI. Say you fire up IE. Then open the Sandboxie window. You will see IE right there. Just right-click it, and you can set it so it's the only one accessing the internet. Used carefully it is powerful protection.
MikeNAS
February 7th, 2008, 02:55 PM
-{ Quote: "Another way from the GUI. Say you fire up IE. Then open the Sandboxie window. You will see IE right there. Just right-click it, and you can set it so it's the only one accessing the internet. Used carefully it is powerful protection." }-
Peter2150, I know that and am using that too. BUT BUT... I still want it so that not a single program except opera.exe can run, so I use that IPC Blocked Access too.
MitchE323
February 7th, 2008, 03:04 PM
It is so restrictive that you might consider using it for only one or two sites. For instance: create a sandbox with that extra secure setting. Name the sandbox OnlyOpera (for instance; you can name it what you want).
Now make a shortcut to
"C:\Program Files\Sandboxie\Start.exe" /box:OnlyOpera "url for your bank"
(of course put the correct file location in there)
Name it First National Bank and give it an Opera icon and you are looking good.
MikeNAS
February 7th, 2008, 03:11 PM
-{ Quote: "It is so restrictive that you might consider using it for only one or two sites. For instance; Create a sandbox with that extra secure setting. Name the sandbox OnlyOpera (for instance - you can name it what you want.)
Now make a shortcut to
"C:\Program Files\Sandboxie\Start.exe" /box:OnlyOpera "url for your bank"
(of course put the correct file location in there)
Name it First National Bank and give it an Opera icon and you are looking good." }-
Actually I'm using that setup all the time :D
MitchE323
February 7th, 2008, 03:13 PM
I think it is working out great for you as you are on Opera. With IE it is just too much, I had to abandon it. But I am happy for you though. :D
MitchE323
February 7th, 2008, 03:29 PM
-{ Quote: "Also have to remember that Start.exe needs rights too." }-
This may or may not apply for what you are trying to accomplish - but what about a 'dummy' sandbox that nothing is Forced into. Maybe then that dummy sandbox can give the rights to start.exe, and keep your sandbox still tight.
MikeNAS
February 7th, 2008, 04:15 PM
-{ Quote: "This may or may not apply for what you are trying to accomplish - but what about a 'dummy' sandbox that nothing is Forced into. Maybe then that dummy sandbox can give the rights to start.exe, and keep your sandbox still tight." }-
I have tested that. It doesn't work. In my investigations I have to set some file access for opera.exe and start.exe.
MitchE323
February 7th, 2008, 04:27 PM
You might be going too tight; maybe a matter for Tzuk? Hey, I just remembered what it was about the GUI that confused me before, and you demonstrated it in your previous post. You have to already 'know' to add that ! before the opera.exe and set it in the box just as MikeNAS described. That's what it was about the GUI that I had forgotten. But all is well.....
wat0114
February 11th, 2008, 11:12 PM
2008-02-11 20:48:57
ask
Network Activity
TCP/IP
send datagram
C:\WINDOWS\system32\rundll32.exe - attempting dns connection
0.0.0.0 - local ip
192.168.0.1 - remote ip (my router uses DNS relay)
1593 - local port
53 - remote port
While playing around with Sandboxie on a dodgy site, installing a cursor program, this alert from the Jetico firewall occurred while attempting an ActiveX download. I blocked the attempt, then it gave me the option to download the file to a selected directory instead. This just reaffirms my belief in the importance of using a firewall, even while containing browsing material in a sandboxed environment. Nowhere do I have a rule that allows rundll32.exe network access.
Using Sandboxie with SSM and a firewall, there is lots of information in the combined alerts to make an informed decision on a file download/install.
As expected, all activity was flushed clean from the sandbox when I chose to do so.
MikeNAS
February 11th, 2008, 11:19 PM
Actually you don't need a firewall with Sandboxie if there is only one program which can connect to the internet.
wat0114
February 11th, 2008, 11:56 PM
-{ Quote: "Actually you don't need a firewall with Sandboxie if there is only one program which can connect to the internet." }-
The alert from Jetico indicates to me that rundll32.exe would have connected to the internet if I had allowed it, and especially if I had nothing to monitor outbound connection attempts.
MikeNAS
February 12th, 2008, 12:13 AM
Just set it so that your browser (or anything) is the only program which can connect to the internet.
wat0114
February 12th, 2008, 12:42 AM
-{ Quote: "Just set it so that your browser (or anything) is the only program which can connect to the internet." }-
MikeNAS,
thank you for that tip :thumb: I found it under Sandbox settings, set only IE7 as allowed, and no alerts about rundll32.exe trying to connect, as I was taken straight to the option to only download the file (no alerts from Jetico because Sandboxie blocked it). That's a nice feature :)
Stijnson
February 12th, 2008, 03:38 AM
I'm becoming more and more enthusiastic about Sandboxie. :)
One question though:
If I set my browser to be the only program that can connect to the internet in Sandboxie, will this automatically deny all internet access to programs outside the sandbox (AV that auto-updates etc)?
MikeNAS
February 12th, 2008, 03:45 AM
-{ Quote: "I'm becoming more and more enthusiastic about Sandboxie. :)
One question though:
If I set my browser to be the only program that can connect to the internet in Sandboxie, will this automatically deny all internet access to programs outside the sandbox (AV that auto-updates etc)?" }-
Of course not. It only affects the inside of Sandboxie. Remember that you can set up more sandboxes than one and use different settings.
I have 3 sandboxes and here are quick settings:
1. Firefox is the only program which can run and connect to internet. Secure erasing with Eraser (DoD). Blocked file and registry access.
2. POP Peeper is the only program which can run and connect to internet. Secure erasing with Eraser (DoD). Blocked file and registry access.
3. Not a single program can connect to internet. Secure erasing with Eraser (DoD). Blocked file and registry access.
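As an added example (not code from this thread or from Sandboxie itself), here is a small Python model of the "only one program may connect" policy discussed above, applied to firewall alerts in the layout wat0114 quoted: it parses constructed Jetico-style alert records and decides, per sandbox, whether the connecting program is on that box's allowlist, and leaves unsandboxed programs alone, as MikeNAS's answer describes. The sandbox names, the second alert record and the executable names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed alert records in the layout of the Jetico alert quoted in the
# thread. The rundll32.exe record mirrors that alert; the iexplore.exe record
# is made up for contrast.
SAMPLE_ALERTS = """\
2008-02-11 20:48:57
ask
Network Activity
TCP/IP
send datagram
C:\\WINDOWS\\system32\\rundll32.exe - attempting dns connection
0.0.0.0 - local ip
192.168.0.1 - remote ip (my router uses DNS relay)
1593 - local port
53 - remote port

2008-02-11 20:49:10
ask
Network Activity
TCP/IP
connect
C:\\Program Files\\Internet Explorer\\iexplore.exe - attempting outbound connection
192.168.0.5 - local ip
203.0.113.10 - remote ip
1601 - local port
80 - remote port
"""


@dataclass
class Alert:
    timestamp: str
    action: str        # "send datagram", "connect", ...
    program: str       # full image path as the firewall reports it
    remote_ip: str
    remote_port: int

    @property
    def image(self) -> str:
        """Bare executable name, lower-cased, the way a per-program rule names it."""
        return self.program.rsplit("\\", 1)[-1].lower()


def parse_alerts(text: str) -> List[Alert]:
    """Split blank-line separated alert blocks into Alert records."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 6:
            continue                      # not a complete alert record
        program = lines[5].split(" - ", 1)[0]
        fields = {}
        for ln in lines[6:]:              # "value - label" lines
            value, _, label = ln.partition(" - ")
            # drop a trailing parenthetical such as "(my router uses DNS relay)"
            fields[label.split("(")[0].strip()] = value.strip()
        alerts.append(Alert(lines[0], lines[4], program,
                            fields.get("remote ip", ""),
                            int(fields.get("remote port", "0"))))
    return alerts


@dataclass
class SandboxPolicy:
    """Per-sandbox restriction: only the listed programs may connect out.
    An empty list means nothing in the box may connect."""
    name: str
    internet_programs: List[str]

    def decide(self, alert: Alert, sandboxed: bool = True) -> str:
        # Sandbox settings bind only processes running inside the box; a host
        # program (e.g. an auto-updating AV) is not affected by them at all.
        if not sandboxed:
            return "NOT_SANDBOXED"
        allowed = {p.lower() for p in self.internet_programs}
        return "ALLOW" if alert.image in allowed else "BLOCK"


# Three boxes in the spirit of MikeNAS's setup (names and executables assumed).
BOXES: Dict[str, SandboxPolicy] = {
    "browser": SandboxPolicy("browser", ["iexplore.exe"]),
    "mail":    SandboxPolicy("mail", ["poppeeper.exe"]),
    "offline": SandboxPolicy("offline", []),
}


def triage(text: str, policy: SandboxPolicy, sandboxed: bool = True) -> List[Tuple[str, str, str]]:
    """Return (image, remote endpoint, decision) for every alert in the dump."""
    return [(a.image, f"{a.remote_ip}:{a.remote_port}", policy.decide(a, sandboxed))
            for a in parse_alerts(text)]


if __name__ == "__main__":
    for box in BOXES.values():
        for image, endpoint, decision in triage(SAMPLE_ALERTS, box):
            print(f"[{box.name}] {image:14} -> {endpoint:18} {decision}")
```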
Stijnson
February 12th, 2008, 03:57 AM
-{ Quote: "Blocked file and registry access" }-
Hi MikeNAS, thanks for your reply. What does the above mean exactly? Do I have to add firefox.exe to these lists in Sandboxie in order to obtain this? I don't know Eraser (DoD), so I'm guessing that this is another application you use?
innerpeace
February 12th, 2008, 04:29 AM
Hi Stijnson, I wouldn't worry too much about tweaking Sandboxie. Its default settings are strong and if you add the setting to only permit internet access to one program, then you should be safe. Theoretically anything that finds its way into the sandbox may be able to look at your registry or in some files, but if for example Firefox.exe or Iexplore.exe is the only program permitted to call out, then your info is safe from being sent home to the mothership.
I do recommend blocking access to your important personal files. Mine happen to be on other partitions so I just block file access to the partitions. Just remember that if you do this, you can't download or upload from that file or partition with the sandboxed application (while it's sandboxed, of course). What I do is move the file to the desktop, then to wherever it needs to go. Of course if it's a download I will scan it.
You can block access to your important folders or partitions in Sandbox Settings - Resource Access - File Access then Blocked Access.
I hope this helps,
innerpeace
MikeNAS
February 12th, 2008, 04:31 AM
Yeah, Eraser is another application for erasing Sandboxie contents. Not needed...
Here is a quick blocked file and registry access guide:
1. Sandboxie Settings.
2. Resource Access - File Access - Blocked Access: Add what you like.
3. Resource Access - Registry Access - Blocked Access: Add HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG.
Huupi
February 12th, 2008, 04:41 AM
-{ Quote: "Hi MikeNAS, thanks for your reply. What does the above mean exactly? Do I have to add firefox.exe to these lists in Sandboxie in order to obtain this. I don't know Eraser (DoD) so I'm guessing that this is an other application you use?" }-
I think the blocking of file and registry is not needed; after all, the hives needed for a sandboxed app to function are placed in the registry as kind of a layer, and if you log off the session then the layer disappears also. So if firefox.exe is the only app that can connect, then any changes are made in the sandbox, which includes the registry [layer]. Insofar that's my grasp of Tzuk's explanation, but maybe I am wrong, so more experienced users can correct me! ;)
Stijnson
February 12th, 2008, 04:54 AM
@Innerpeace, MikeNAS and Huupi: thanks for all your help
@Innerpeace:
-{ Quote: "I do recommend blocking access to your important personal files" }-
This would be Documents etc.? Or other things?
innerpeace
February 12th, 2008, 05:05 AM
-{ Quote: "I think the blocking of file and registry is not needed; after all, the hives needed for a sandboxed app to function are placed in the registry as kind of a layer, and if you log off the session then the layer disappears also. So if firefox.exe is the only app that can connect, then any changes are made in the sandbox, which includes the registry [layer]. Insofar that's my grasp of Tzuk's explanation, but maybe I am wrong, so more experienced users can correct me! ;)" }-
Although I'm not an experienced user, I use the file blocking because I don't use the only allow one program internet function yet. There are many others who use it too. I especially like to use it when doing unsafe surfing when my C: partition is virtualized with Returnil. I like my layers, what can I say LOL.
I do understand what you're trying to say, though, about allowing internet access to only one program and that theoretically nothing else can call out, but adding the extra safeguard by blocking access to important files seems like a good idea to me.
@ Stijnson, yes, before I had 3 partitions, I added My Documents as a file to be blocked. Of course only add it if that is where your important personal files are located. As to how necessary it is when you only allow one application internet access within Sandboxie is going to be debatable. IMO, it wouldn't hurt to block access to them.
innerpeace
Huupi
February 12th, 2008, 06:58 AM
BTW, there's a new rewritten tutorial from Tzuk on his site!
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums