Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    I'm not sure if SSM or Malware Defender would have issues with Sandboxie. OA HIPS, if not set up correctly, would
    at least for me sometimes have issues with Sandboxie, although OA has an exclude list option and Sandboxie has a
    template for Online Armor. Could have been my setup of security apps. Running one HIPS and no other security app
    that has a HIPS component I agree should be avoided.
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I haven't worked with the 4.X versions of SandBoxie but I don't think it would be that much different. The SandBoxie processes and service will need to be permitted as will its ability to launch and terminate child processes. As far as what it needs to function is concerned, SandBoxie wouldn't need to be treated any differently than anything else. The prompts will tell you what it needs. Beyond that, the additional protection options that SSM or MD can apply can add quite a bit of protection to SandBoxie's components. That's one of the biggest advantages of layering separate, freestanding applications as opposed to security suites. Being separate, they don't share components, processes, etc that allow an attacker to target the entire package. They can be configured to defend and reinforce each other. Example, SSM can protect Kerio from being terminated, suspended, or altered via instructions sent from another application. SSM can even restart it if it crashes. At the same time, Kerio can protect SSM from any attacks from the internet by making it unreachable, effectively removing it from the attack surface. With some work and study, a good HIPS could protect SandBoxie in much the same fashion. When approached in this manner, the protection provided by the total package is far more than would be expected from the sum of its parts. It takes time, effort, and a lot of learning but it's well worth the effort, especially if you like the older operating systems that aren't spyware in disguise.
     
  3. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks act for the files. I just had a very quick glance at the notepad file. I'm going to be taking this VERY VERY slow and I'm going to be asking some questions. The Windows Help File opened no trouble. Looks like lots of reading there.

    So...last night I did a (Wilders) search on SSM = 20pages of threads. I started at page 20 and those were 2011. Finished the relevant threads just in time as serious brain fade set in o_O.

    OK guys. First question: What are hooks?

    Edited to add: What exactly is meant by child/parent.
     
  4. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    I'll set up a test to see if SSM will be similar in child processes when using Sandboxie. I am currently using version
    4 of Sandboxie. I should get alerted to see what processes are needed. I'll post when done with the test.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The simplest way to explain them won't be technically accurate by any means but will give you a general idea. An API can be regarded as part of an instruction set that enables communications and instructions between one component or executable and another. They can have sources and destinations. The hooks set by an application like SSM on an API can be viewed as a point where the instruction to or from a specified application is intercepted and diverted to the HIPS. There it is checked against the ruleset to determine if it's an allowed activity. If it is allowed, the instruction is sent to its original destination. If it's not a permitted activity, the command either stops at the HIPS or triggers another function as defined by the HIPS. The actual process is much more complex than this and will vary a lot depending on the function of the particular API that's hooked. This was just the simplest way that I could think of to explain them.
    This is part of the relationship between different processes on a PC, specifically one process starting or being started by another. Your desktop for example is run by Windows Explorer (explorer.exe). When you click on the browser icon on your desktop (let's say PaleMoon for this example), palemoon.exe starts. In this example, palemoon.exe is a child process of explorer.exe. Explorer.exe is its parent process. On XP, the Kerio firewall engine (PERSFW.EXE) runs as a service. Its parent process is services.exe. When you click on Kerio's tray icon, PERSFW.EXE launches PFWADMIN.EXE, the administration interface for the firewall. Here the firewall engine is the parent process for the administration interface. PFWADMIN.EXE is its child process. If you have Process Explorer handy, open it and set it to the tree view as shown below.
    [Image: Process Explorer tree.png]
    In this image, services.exe is a child process of winlogon.exe and the parent process for the SandBoxie service (SbieSvc.exe), Kerio (persfw.exe), and 3 instances of svchost.exe. In the above image, explorer.exe does not appear to have a parent process. This is because its parent process, userinit.exe, a child process of winlogon.exe, has already terminated. On a PC that's just idling, there are several chains of processes.

    The default-permit design of Windows allows most any process to launch most any other process. The newer versions restrict this with permissions, different types of accounts, security levels etc. For the most part, it's still a default-permit based operating system. The parent-child settings allow you to specify which other executables each application or executable is allowed to start. You don't want your browser to be able to launch the registry editor or a command prompt, just as you wouldn't want a guest user to be able to install a keylogger or a remote access trojan. At some point, most every type of malware will require a process to function or to install it. That process can be unique to the malware or it can be the malicious use of a system process. By restricting what can run and how (and by whom) system executables can be used, the ability of an attacker to infect that machine is severely limited. IMO, once the initial learning curve is managed, it is much simpler to keep track of 50 or 100 known good processes or executables than it is to keep up with possibly millions of malware variants.
     
    Last edited: Apr 16, 2015
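To make the parent/child relationships and the parent-child rules concrete, here is an added example that is not part of the thread and not code from SSM or Process Explorer. It builds a Process Explorer style tree from a constructed snapshot (made-up PIDs, modelled on the XP chain described above, with userinit.exe already gone so that explorer.exe shows up at the top level), and applies a small hypothetical launch allow-list of the kind a HIPS parent-child rule set expresses: any parent/child pair not listed would be a prompt rather than a silent allow.

```python
from collections import defaultdict

# Constructed snapshot: (pid, ppid, name). PIDs are invented for the example.
# userinit.exe (ppid 1100 of explorer.exe) is absent because it has exited,
# exactly the case described in the post.
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (500, 4, "smss.exe"),
    (600, 500, "winlogon.exe"),
    (700, 600, "services.exe"),
    (800, 700, "SbieSvc.exe"),
    (820, 700, "persfw.exe"),
    (840, 820, "PFWADMIN.EXE"),
    (900, 700, "svchost.exe"),
    (910, 700, "svchost.exe"),
    (920, 700, "svchost.exe"),
    (1200, 1100, "explorer.exe"),   # parent 1100 (userinit.exe) already terminated
    (1300, 1200, "palemoon.exe"),
]


def index_processes(processes):
    """Return (by_pid, children): by_pid maps pid -> (ppid, name),
    children maps ppid -> [child pids]."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in processes}
    children = defaultdict(list)
    for pid, ppid, _name in processes:
        children[ppid].append(pid)
    return by_pid, children


def parent_name(processes, pid):
    """Name of the parent, or None when the parent is no longer running."""
    by_pid, _ = index_processes(processes)
    ppid = by_pid[pid][0]
    return by_pid[ppid][1] if ppid in by_pid else None


def child_names(processes, pid):
    """Sorted names of the direct children of pid."""
    by_pid, children = index_processes(processes)
    return sorted(by_pid[c][1] for c in children.get(pid, []))


def roots(processes):
    """PIDs whose parent is not in the snapshot; Process Explorer shows these
    at the top level of the tree (System, and orphans like explorer.exe)."""
    by_pid, _ = index_processes(processes)
    return [pid for pid, (ppid, _) in by_pid.items() if ppid not in by_pid]


def render_tree(processes):
    """Indented text tree, one process per line, like the tree view."""
    by_pid, children = index_processes(processes)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{by_pid[pid][1]} ({pid})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(roots(processes)):
        walk(root, 0)
    return "\n".join(lines)


# Hypothetical parent -> permitted children allow-list, in the spirit of the
# parent-child settings described in the post. Deliberately small: the point
# is that anything not listed (browser -> cmd.exe, browser -> regedit.exe)
# is not silently allowed.
LAUNCH_RULES = {
    "explorer.exe": {"palemoon.exe", "Start.exe"},
    "Start.exe": {"palemoon.exe"},
    "services.exe": {"SbieSvc.exe", "persfw.exe", "svchost.exe"},
    "persfw.exe": {"PFWADMIN.EXE"},
}


def check_launch(parent, child):
    """'allow' if the pair is on the allow-list, otherwise 'prompt'."""
    return "allow" if child in LAUNCH_RULES.get(parent, set()) else "prompt"


if __name__ == "__main__":
    print(render_tree(SAMPLE_PROCESSES))
    for pair in [("explorer.exe", "palemoon.exe"), ("palemoon.exe", "cmd.exe")]:
        print(pair, "->", check_launch(*pair))
```

Running it prints the tree with System and explorer.exe as the two top-level entries and shows the browser-launches-cmd.exe case coming back as a prompt.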
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Using Palemoon and Sandboxie.
    Note: Set Enhanced Security Permission to high (ESP) in PC Tools. Set to prompt for permission.
    Note: SSM will probably give you more prompts and more detailed info than listed here.
    Note: SSM would need to be used to compare info.

    Windows Explorer wants to start another app with parameters: C:\Program Files\Sandboxie\Start.exe
    Action: Allow

    Write to virtual memory: C:\Program Files\Sandboxie\Start.exe
    Application Path: C:\Program Files\Sandboxie\sbiesvc.exe
    Action: Allow

    Child application path: C:\Program Files\Pale Moon\Palemoon.exe
    Child accessing the network
    Application Path: C:\Program Files\Sandboxie\Start.exe
    Action: Allow

    Child application path: C:\Program Files\Pale Moon\Palemoon.exe
    Child accessing the network
    Application Path: C:\Program Files\Sandboxie\sbiesvc.exe
    Action: Allow

    Child application path: C:\Program Files\Pale Moon\Palemoon.exe
    Child accessing the network
    Application Path: C:\WINDOWS\system32\services.exe
    Action: Allow

    Child application path: C:\Program Files\Pale Moon\Palemoon.exe
    Child accessing the network
    Application Path: C:\WINDOWS\system32\winlogon.exe
    Action: Allow

    Child application path: C:\Program Files\Pale Moon\Palemoon.exe
    Child accessing the network
    Application Path: C:\WINDOWS\system32\smss.exe
    Action: Allow

    Pale Moon is trying to modify or control the system
    Extended Event hooking
    Target Application Path: System Idle Process
    Application Path: C:\Program Files\Pale Moon\Palemoon.exe
    Action: Block?
    Note: Action is set to allow when using apps that may require this. (e.g. HitmanPro.Alert)

    Sandboxie Control trying to modify or control another app
    Event Type: Start another app with parameters
    Command Line: /box: DefaultBox delete_sandbox_silent
    Target application path: C:\Program Files\Sandboxie\Start.exe
    Application Path: C:\Program Files\Sandboxie\sbiectrl.exe
    Action: Allow
    Note: Sandboxie is set to delete sandbox automatically on browser session end. (Sandboxie setting)

    Sandboxie Start trying to modify or control another app
    Event Type: Start another application with parameters
    Command Line: /delete <path of DefaultBox>
    Target Application Path: <path of CCleaner>
    Application Path: C:\Program Files\Sandboxie\Start.exe
    Action: Allow
    Note: CCleaner is set to delete contents of sandbox. (Sandboxie setting)
    Note: CCleaner is optional app.
     
    Last edited: Apr 17, 2015
  7. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Just wondering on Malware Defender. Do you remember what version you installed and did it BSOD on reboot?
    I tested MD version 2.8.0.0001 and it installed without any issue.

    Also looked at Kerio again and found 12 kernel mode code hooks.
    EAT Hook (4)
    IAT Hook (7)
    Inline Hook (1)
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's been quite a while since I tried MD. I don't remember which version it was and doubt that I still have it. I think it was on reboot that it would BSOD.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regarding DHCP rules for Kerio 2.1.5.
    On the virtual XP, only 2 rules are necessary.
    The first is for outbound UDP, local port 68. The remote IP is 255.255.255.255 (broadcast IP) remote port 67. Windows uses the broadcast IP when it doesn't know the gateway IP of the device it's connecting to. The device responds with its gateway IP, which is used in the 2nd rule described below.

    The 2nd rule is UDP, for both directions, local port 68. The remote address is the gateway IP of the device the PC is connected to. This uses remote port 67.
    Load these 2 rules, restart Windows. Restart the device you're connected to. Release and renew the connection. If you've configured the DNS servers to also be assigned by DHCP, you may see prompts for those. If there are no other prompts for ports 67 and 68, you've allowed all that's needed for those devices. If desired, you can follow the 2 DHCP rules with a 3rd that blocks all other UDP traffic to and from those ports and set it to alert. This rule will alert to several types of MITM attacks that involve other hardware.
     
  10. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Do have an image backup in case I get a BSOD. I don't know between SSM and MD which program would be easier
    to work with. I set MD in "normal mode" just to get an idea of the prompts and setting up rules. There is a ton of
    settings to work with, but it can be overwhelming with all the popups. Learning mode is available.
     
  11. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    IP address, subnet mask and the default gateway in Windows network connections are set manually.
    DNS servers are static too.
    Rule shown here is below other DHCP rules. [Image: untitled.JPG]
     
    Last edited: Apr 19, 2015
  12. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Retested Malware Defender and was able to reboot (learning mode). Switched to normal mode and some prompts here.
    [Image: untitled.JPG] [Image: untitled 1.JPG]
     
    Last edited: Apr 20, 2015
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If you've manually configured the PC's IP address and DNS servers, there should be no need for DHCP traffic at all or for rules to allow it. If you plan to continue using manually set IP addresses, the DHCP service serves no purpose and can be disabled.

    Regarding that last rule, I'd rename it "Other DHCP Block" instead of UDP block. I'd expand the rule to include both TCP and UDP and set both the local and remote ports to include 67 and 68. If you're staying with manually configured IPs, I'd disable the DHCP permit rules. I'd suggest keeping those DHCP permit rules in case you ever switch back or hook to another network. I'd leave the blocking rule enabled. If something manages to turn the service back on or tries to use those ports for another purpose, you'll be alerted.

    Although I haven't seen it for the DHCP ports, I have seen malware that uses the DNS ports for its traffic. On most systems, that traffic would be allowed. The same could easily apply to the DHCP ports.
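The two DHCP permit rules from the earlier post and the broadened "Other DHCP Block" rule from this one can be checked against sample traffic before they go into a live rule set. The following is an added example, not part of the thread and not Kerio's own rule format: a small first-match rule evaluator in the style of an ordered filter list. The gateway address 192.168.1.1 and all of the traffic samples are constructed for the example. With the permit rules enabled, only the broadcast discover and the exchange with the known gateway pass; a DHCP reply from any other address, or TCP on the DHCP ports, hits the block rule and raises an alert, which is the unexpected-server situation the earlier post describes. Disabling the permit rules (the static-IP configuration discussed here) leaves only the alerting block rule in effect.

```python
from dataclasses import dataclass

GATEWAY_IP = "192.168.1.1"        # assumption: the router's LAN address
BROADCAST = "255.255.255.255"     # what Windows uses before it knows the gateway
ANY = "any"


@dataclass
class Rule:
    name: str
    protocols: frozenset     # e.g. {"UDP"} or {"TCP", "UDP"}
    direction: str           # "out", "in" or "both"
    local_ports: frozenset
    remote_ip: str           # exact address, or ANY
    remote_ports: frozenset
    action: str              # "permit" or "deny"
    alert: bool = False
    enabled: bool = True


@dataclass
class Packet:
    protocol: str
    direction: str           # "out" or "in", from the PC's point of view
    local_port: int
    remote_ip: str
    remote_port: int


def matches(rule, pkt):
    """True when every field of the rule covers the packet."""
    if not rule.enabled or pkt.protocol not in rule.protocols:
        return False
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    if pkt.local_port not in rule.local_ports:
        return False
    if rule.remote_ip != ANY and rule.remote_ip != pkt.remote_ip:
        return False
    return pkt.remote_port in rule.remote_ports


def evaluate(rules, pkt):
    """First matching rule wins. Returns (action, rule_name, alert)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name, rule.alert
    return "no match", None, False


def dhcp_rules(static_ip=False):
    """The two permit rules from the earlier post, followed by the block rule
    as refined in this post. With a manually configured IP the permit rules
    are kept but disabled; the alerting block rule stays on."""
    udp = frozenset({"UDP"})
    both = frozenset({"TCP", "UDP"})
    return [
        Rule("DHCP Discover (broadcast)", udp, "out", frozenset({68}),
             BROADCAST, frozenset({67}), "permit", enabled=not static_ip),
        Rule("DHCP gateway", udp, "both", frozenset({68}),
             GATEWAY_IP, frozenset({67}), "permit", enabled=not static_ip),
        Rule("Other DHCP Block", both, "both", frozenset({67, 68}),
             ANY, frozenset({67, 68}), "deny", alert=True),
    ]


# Constructed sample traffic.
SAMPLE_TRAFFIC = {
    "discover": Packet("UDP", "out", 68, BROADCAST, 67),
    "offer_from_gateway": Packet("UDP", "in", 68, GATEWAY_IP, 67),
    "offer_from_unknown": Packet("UDP", "in", 68, "192.168.1.250", 67),
    "tcp_probe_67": Packet("TCP", "in", 67, "192.168.1.250", 68),
    "dns": Packet("UDP", "out", 53124, GATEWAY_IP, 53),
}


def audit(rules, traffic):
    """Evaluate every sample packet; returns name -> (action, rule, alert)."""
    return {name: evaluate(rules, pkt) for name, pkt in traffic.items()}


if __name__ == "__main__":
    for label, rules in (("dynamic IP", dhcp_rules()), ("static IP", dhcp_rules(static_ip=True))):
        print(label)
        for name, verdict in audit(rules, SAMPLE_TRAFFIC).items():
            print(f"  {name:20s} -> {verdict}")
```

The DNS sample falls through every rule, which is the intended behaviour: it is outside the scope of the DHCP rules and would be handled by the DNS rules further down the list.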
     
  14. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Made changes and kept DHCP rules, but back again to disabled. DHCP Client Service is disabled.
    DNS block rule in place.
    Here is DHCP rule as suggested.
    [Image: untitled.JPG]
     
  15. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Pale Moon is still bombarding me with Kerio alerts. These IP addresses I think are servers for Pale Moon.
    (blocklist, addons etc.) [Image: untitled.JPG]

    IP address range: 162.159.252.211-162.159.255.211
    Single IP Address: 198.41.247.211
     
    Last edited: Apr 20, 2015
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Unless you're specifically blocking those IPs, those look like normal outbound browser traffic. That IP resolves to Cloudflarenet.
     
  17. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Which IP numbers does palemoon.org use? Should I not block these?
    https://www.robtex.net/en/advisory/dns/org/palemoon/
     
  18. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    You might consider reviewing about:config for hostnames and URLs, in an attempt to identify what hosts Palemoon contacts. The related preferences will shed light on what feature/purpose is involved. Be sure to look into crash reports and the URL used for that. In some Mozilla related apps that has been specified separately.

    You could address phone home behavior by changing those preference values/URLs. Are you sure you want to nuke the blocklist? Are you sure you want to nuke program and/or addon update checks/installs? You can be selective, if you want to.

    Even if you don't go that way, the above information will show you which hosts will be contacted and you can investigate to see which CDNs, netblks, etc are involved. If you block IP Address ranges for one purpose (Palemoon phone home you don't want), you could end up blocking other purposes which you do want. Do you want to visit the main website? Does that website and/or a Palemoon feature use a CDN that is used by some other sites you don't want to break? You probably want to research this stuff rather than guess.
     
  19. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    @TheWindBringeth
    Already have changed some of the about:config settings for hostnames and URL's. I'm trying to stop any
    "phoning home".
    I update browser and any addons manually and when I feel that is needed. If I'm not doing any of those things
    then I want the browser only connecting to sites I specifically am interested in going to.
     
  20. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Seems you might have left a pref untouched or something is built in. If the latter, I'd like to know what you find. This was hastily prepared, but might help:
    Code:
    // Palemoon-Portable-25.3.1.win32.exe
    
    // Mozilla
    marketplace.firefox.com      // dom.mozApps.signed_apps_installable_from
    addons.mozilla.org           // multiple prefs
    aus3.mozilla.org             // app.update.certs
    data.mozilla.com             // toolkit.telemetry.server
    pfs.mozilla.org              // pfs.datasource.url
    setup.services.mozilla.com   // services.sync.jpake.serverURL
    snippets.mozilla.com         // browser.aboutHomeSnippets.updateUrl
    support.mozilla.org          // browser.mixedcontent.warning.infoURL
    www.mozilla.com              // browser.geolocation.warning.infoURL
    www.mozilla.org              // multiple prefs
    
    // Palemoon
    addons.palemoon.org          // multiple prefs
    blocklist.palemoon.org       // extensions.blocklist.url
    pmsync.palemoon.net          // services.sync.serverURL
    start.palemoon.org           // browser.startup.homepage
    www.palemoon.org             // multiple prefs
    
    // Other
    30boxes.com                  // gecko.handlerService.schemes.webcal
    add.my.yahoo.com             // browser.contentHandlers.types.0.uri (rss)
    compose.mail.yahoo.com       // gecko.handlerService.schemes.mailto
    ip-api.com                   // geo.wifi.uri
    mail.google.com              // gecko.handlerService.schemes.mailto
    mozsocial.cliqz.com          // social.whitelist
    now.msn.com                  // social.whitelist
    mixi.jp                      // social.whitelist
    www.facebook.com             // social.manifest.facebook
    www.mibbit.com               // gecko.handlerService.schemes (irc & ircs)
    
    The DNS lookup would reveal the hostname, which could also be spotted if logging is enabled. I have a "block and lock URL" type function in my autoconfig file that sets values to something like http://127.0.0.1:7777/Firefox/blocked?pref={preference name}. So if my local webserver is awake, its logs will reveal which specific preferences were used. Not difficult to set up. Good luck!
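The local-sink trick above turns every blocked preference into a line in a web server log, so the question "which pref fired?" becomes a log-parsing job. The following added example is not from the thread and not TheWindBringeth's autoconfig code; it shows the two pieces around that trick: building the sink URL for a preference name (the http://127.0.0.1:7777/Firefox/blocked?pref=... shape from the post) and reading the sink's access log back to count which preferences the browser tried to use. It also compares a constructed list of hostnames seen in DNS against a subset of the hosts listed in the post, so that any name not explained by a known preference stands out as a candidate for the "something is built in" case. The log lines, the DNS names and the unknown host updates.example.invalid are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

# Sink URL shape described in the post (local web server on 127.0.0.1:7777).
LOCAL_SINK = "http://127.0.0.1:7777/Firefox/blocked"


def blocked_url(pref):
    """URL to lock a preference to, so that any use of it hits the local sink
    and records the preference name in the server log."""
    return f"{LOCAL_SINK}?pref={quote(pref, safe='')}"


# Constructed access-log lines (Common Log Format) from the sink server.
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [20/Apr/2015:10:01:02 +0000] "GET /Firefox/blocked?pref=extensions.blocklist.url HTTP/1.1" 404 0
127.0.0.1 - - [20/Apr/2015:10:01:05 +0000] "GET /Firefox/blocked?pref=app.update.url HTTP/1.1" 404 0
127.0.0.1 - - [20/Apr/2015:10:02:11 +0000] "GET /Firefox/blocked?pref=extensions.blocklist.url HTTP/1.1" 404 0
127.0.0.1 - - [20/Apr/2015:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def prefs_from_access_log(text):
    """Count, per preference name, how often the browser hit the sink."""
    hits = Counter()
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != "/Firefox/blocked":
            continue  # unrelated request to the same server
        for pref in parse_qs(parts.query).get("pref", []):
            hits[pref] += 1
    return hits


# Subset of the hosts the post attributes to specific preferences.
KNOWN_PREF_HOSTS = {
    "addons.mozilla.org",
    "aus3.mozilla.org",
    "addons.palemoon.org",
    "blocklist.palemoon.org",
    "start.palemoon.org",
    "www.palemoon.org",
}

# Constructed list of names seen in a DNS log while the browser was idle.
SAMPLE_DNS_LOG = [
    "blocklist.palemoon.org",
    "addons.palemoon.org",
    "updates.example.invalid",   # constructed: not explained by any listed pref
    "blocklist.palemoon.org",
]


def unexplained_hosts(dns_names, known_hosts):
    """Names looked up that no listed preference accounts for: candidates
    for a pref that was missed, or for a hard-coded destination."""
    return sorted(set(dns_names) - set(known_hosts))


if __name__ == "__main__":
    print(blocked_url("extensions.blocklist.url"))
    print(dict(prefs_from_access_log(SAMPLE_ACCESS_LOG)))
    print(unexplained_hosts(SAMPLE_DNS_LOG, KNOWN_PREF_HOSTS))
```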
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    For "calling home" by internet applications like browsers, a firewall is the wrong tool. This needs to be fixed at the browser. The settings for my copy of PaleMoon won't help you much. I'm running the last version that will work on my modified 98 system. Haven't installed it on XP. It will be easier to separate the "call home" connections from those initiated by a website if you set the browser to open a blank page or a local page of links. Back in the dialup days, I started using a page of links as my homepage. This way I could launch the browser without initiating an internet connection. If the dialup started, either an infection or a "call home" feature was responsible.

    Except for applications where the call home IP is hard coded, blocking it by IP will probably not be effective for any length of time. IPs change, including those used for calling home and are usually obtained via DNS. A lot of the features that call home are pure garbage. Some of them are useful. Disabling them is a bit of a tradeoff. You have to decide which ones are important to you. Even on virtual systems, I got tired of hunting down all of the reasons and ways a browser could call home and having to repeat the process every time it was updated. I stay with versions I know.
     
  22. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    The settings probably needed fixing in the browser AFAIK. The IP's can change as noone mentioned.
    Pale Moon IP's
    162.159.252.211-162.159.255.211
    198.41.247.211 // 198.41.128.0-198.41.255.255 (Cloudflarenet mentioned post# 416)
    31.7.184.106
    Subdomains: forum.palemoon.org, addons.palemoon.org, relmirror.palemoon.org

    Mozilla IP
    63.245.216.132 addons.mozilla.org

    extensions.blocklist.enabled (default is true) could be setting off Kerio alerts.
    Used to when running IE browser set it to blank page IIRC. Haven't done that with Pale Moon.

    UPDATE: Set Pale Moon on startup to show blank page. // internal file (about:logopage)

    Some of TheWindBringeth list is already blocked with proxy filter. Will do further investigating.
     
    Last edited: Apr 20, 2015
  23. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Thanks for the list.

    IP address for addons.mozilla.org shows up in firewall log along with addons.palemoon.org,
    blocklist.palemoon.org and palemoon.org.

    Other IP addresses 93.184.215.191 and 198.41.247.211 in log also.
     
  24. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Kerio alerts have settled down so it seems. Refining the rules and noticed when selecting browse button
    under application in Kerio filter rule iexplore.exe is nowhere to be found. (copy & paste)
     
    Last edited: Apr 21, 2015
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The thread New SMB flaw affects all versions of Windows is the incentive for this post, since MS won't be fixing this on XP. Part of this attack involves exploiting Windows services that are not needed by most users but are running by default. In this instance, it's port 445 which is also open by default, listening for incoming connections.

    This post is a quick how-to guide for closing all of the default listening ports on XP-SP3. The test platform is a virtual XP-Pro, SP3. This how-to does not require disabling DHCP. It does not address all of the unnecessary or undesired services (like remote registry), only those that open ports.

    This task is made simpler by using 3 freeware utilities. These are:
    WWDC.exe aka Windows Worms Doors Cleaner. Originally from firewallleaktester(dot)com by gkweb, it's available here.
    The file hashes are
    MD5 999f6e5c8d5c81f48afbdab7f8777323
    SHA-256 df40f41072aeb634e639b7666104e424fc2a7a6ed758f43e239cf0a06aa3b2d0
    These match the hashes of my original copy.

    From GRC, pick up a copy of the DCOMbobulator and the UnPlug n' Pray utilities. While WWDC includes the functions of these GRC utilities, they are more thorough in their protection.

    On the test platform, the following ports were open by default:
    123 UDP
    135 TCP
    137 UDP
    138 UDP
    139 TCP
    445 UDP
    445 TCP
    500 UDP
    1026 UDP
    1027 UDP
    1031 TCP
    1900 UDP
    4500 UDP
    On some systems, port 5000 may also be open. It takes about 7 separate steps to close all of the open ports. Please make a system backup before proceeding. At the very least, make a registry backup using ERUNT. If you have Kerio or another firewall installed, allow all of the connections initiated during the use of the utilities mentioned.

    First item, NetBIOS ports. Go to the control panel, network connections. Highlight the local connection icon and right click properties. On the connection properties interface, select Internet Protocol (TCP/IP) then click properties. Click on the "Advanced" button. On Advanced TCP/IP Settings, click on the WINS tab. Select Disable NetBIOS over TCP/IP, then click OK, OK, Close. Reboot. After rebooting, ports 137, 138, and 139 will be closed.

    Next item, UPnP aka Universal Plug and Play. GRC's UNPNP.EXE utility is more effective than the UPnP component of WWDC. If you're using Kerio while running this utility, you'll see a couple of unusual prompts. They'll be to 224.0.0.22 protocol 2, unknown event. Allow them. This utility disables the SSDP discovery service and closes ports 1900 and 5000. Reboot.

    Next item, DCOM RPC, port 135, also used by Windows Messenger, not to be confused with MSN messenger. GRC's DCOMbobulator will close this port. Move to the DCOMbobulate Me tab and select Disable DCOM. The information on the "am I vulnerable" tab applies only to the exploits and threats that were known at the time. Like the current SMB exploit, that can change at any time. Why leave an open hole in your attack surface? If this port remains open after rebooting, use the messenger component of WWDC to finish the task.

    Next item, port 445, RPC Locator. When combined with the NetBIOS changes, the RPC Locator component of WWDC will close port 445, the last of the ports used for sharing files. When running WWDC, you may see a notice on the NetBIOS component. After running the RPC Locator component, run the NetBIOS component and select the default option. The more severe option of completely disabling the service will also disable many 3rd party firewalls, including Kerio. The default option is sufficient for the NetBIOS ports. Reboot.

    Next item, port 123, Windows time service. Unless you absolutely need to have your PCs time synced, this service is unnecessary. Disabling internet time from the control panel applet does not disable this service or close port 123. Only by disabling the Windows Time service itself can this port be closed. IMO, the obtaining of internet time does not require a listening port. The time requests are initiated by your PC. 3rd party utilities like AnalogX Atomic Time Sync accomplish this function without leaving a port open. I question why the system clock would need to receive unsolicited connections from the web.

    The last few ports are closed by disabling services manually. Go to the control panel, administrative tools, Computer Management. Expand Services and Applications, then select services. Find the IPSEC Services. Stop the service, then disable it. This will close ports 500 and 4500.

    Find the Application Layer Gateway service. Stop the service, then disable it. This will close the last default ports.
    Reboot. After rebooting, there should be no ports open. If there are, another application or service that isn't part of the default configuration is responsible and will need to be tracked separately. Test your system to make certain that everything works. The physical and virtual XP units available to me all work properly with these changes. I have no laptops or units that depend on wireless connections to test. These may require changes.
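The final check in the how-to ("there should be no ports open") is easiest to do against the output of netstat -an, run before and after the steps. The following is an added example, not part of the post and not one of the utilities it names: a parser for XP-style netstat -an output that lists bound ports (TCP only when LISTENING; every bound UDP socket), compares them with the default-open list given above (with 5000/UDP treated as optional), and maps any default port still open back to the step of the how-to that closes it. Ports that are open but not on the default list are reported separately, since, as the post says, those belong to something outside the default configuration. The two netstat captures, the 192.168.1.x addresses and the 1028/UDP listener are constructed for the example; the step attribution follows the order of the post, with 1026, 1027 and 1031 assigned to the Application Layer Gateway step because the post lists that as the step closing the last default ports.

```python
import re

# (port, protocol) pairs the post reports open by default on XP-SP3.
DEFAULT_OPEN_PORTS = {
    (123, "UDP"), (135, "TCP"), (137, "UDP"), (138, "UDP"), (139, "TCP"),
    (445, "UDP"), (445, "TCP"), (500, "UDP"), (1026, "UDP"), (1027, "UDP"),
    (1031, "TCP"), (1900, "UDP"), (4500, "UDP"),
}
OPTIONAL_DEFAULT = {(5000, "UDP")}   # "on some systems, port 5000 may also be open"

# Which step of the how-to closes each default port (attribution follows the post).
CLOSING_STEP = {
    137: "Disable NetBIOS over TCP/IP (WINS tab)",
    138: "Disable NetBIOS over TCP/IP (WINS tab)",
    139: "Disable NetBIOS over TCP/IP (WINS tab)",
    1900: "UPnP (GRC UNPNP.EXE)",
    5000: "UPnP (GRC UNPNP.EXE)",
    135: "DCOM (GRC DCOMbobulator, then WWDC messenger component if needed)",
    445: "RPC Locator component of WWDC",
    123: "Disable the Windows Time service",
    500: "Disable IPSEC Services",
    4500: "Disable IPSEC Services",
    1026: "Disable Application Layer Gateway service",
    1027: "Disable Application Layer Gateway service",
    1031: "Disable Application Layer Gateway service",
}

# netstat -an line: proto, local addr:port, foreign addr, optional TCP state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed capture of a default XP-SP3 box, before any of the steps.
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1031           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:1027           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.1.20:123       *:*
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
  UDP    192.168.1.20:1900      *:*
"""

# Constructed capture after the steps, with the time service still running
# and one non-default UDP socket left by some other (hypothetical) program.
NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:1045      192.168.1.1:80         ESTABLISHED
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1028         *:*
"""


def listening_ports(netstat_text):
    """Set of (port, proto) that accept unsolicited traffic: TCP sockets in
    LISTENING state and every bound UDP socket. Connected TCP sockets and
    header lines are ignored."""
    open_ports = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local_addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        open_ports.add((int(port), proto))
    return open_ports


def audit(netstat_text):
    """Compare a capture with the default-open list and say what is left to do."""
    open_ports = listening_ports(netstat_text)
    defaults = DEFAULT_OPEN_PORTS | OPTIONAL_DEFAULT
    still_default = sorted(open_ports & defaults)
    unexpected = sorted(open_ports - defaults)
    next_steps = {f"{port}/{proto}": CLOSING_STEP[port] for port, proto in still_default}
    return {"still_open_defaults": still_default,
            "unexpected": unexpected,
            "next_steps": next_steps}


if __name__ == "__main__":
    for label, capture in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        print(label, audit(capture))
```

On the "after" capture the audit points 123/UDP back at the Windows Time service step (matching the post's note that the control panel applet alone does not close it) and lists 1028/UDP as something outside the default configuration to chase down on its own.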
     