Wilders Security Forums  

  #1  
trjam, January 7th, 2008, 09:44 PM
Sandboxie and keyloggers

I saw here once where Sandboxie could be configured to stop keyloggers. How? I use IE7.
__________________
Webroot SecureAnywhere
  #2  
Drew99GT, February 4th, 2008, 11:59 AM

Bump. Bump.
  #3  
mick92z, February 4th, 2008, 12:41 PM

There is an article about keyloggers. I don't think Sandboxie can stop all keyloggers installing, but will delete them on emptying the box.
http://www.sandboxie.com/index.php?DetectingKeyLoggers
  #4  
Hermescomputers, February 4th, 2008, 01:52 PM

Even if it did intercept keyloggers you would be vulnerable during the "infected" session if you did log in to secured sites... It would perhaps remove the keylogger from the system after but it would do nothing as such to prevent it...

I would combine Sandboxie with a HIPS or perhaps KeyScrambler (I use both + Roboform...)
__________________
--
Live Technical Support Help Desk
We Provides Online Computer Help. Our technical Support Staff Can Fix Computer Problems, Clean Viruses, Speed up your Computer, Remove Spyware, and Eliminate Computer Crashes.
www.hermes-computers.ca

  #5  
Peter2150, February 4th, 2008, 03:36 PM

The solution is fairly simple assuming you picked up the keylogger from a source that was sandboxed. Before going to a critical site, log off, and delete the sandbox. Then go do your banking. Keylogger should be gone.
  #6  
Hermescomputers, February 4th, 2008, 03:43 PM

Quote:
Originally Posted by Peter2150
The solution is fairly simple assuming you picked up the keylogger from a source that was sandboxed. Before going to a critical site, log off, and delete the sandbox. Then go do your banking. Keylogger should be gone.

This while being effective, assumes most users know they have an infection they need to defend against and that they will remember to "Empty" the sandbox before doing their banking... It would be wise to prevent an infection by using an anti key logger together with your sandbox..

Personally I often log in to secured sites during sandboxed sessions.
Last edited by Hermescomputers : February 4th, 2008 at 03:59 PM.
  #7  
Peter2150, February 4th, 2008, 04:32 PM

Quote:
Originally Posted by Hermescomputers
This while being effective, assumes most users know they have an infection they need to defend against and that they will remember to "Empty" the sandbox before doing their banking...

Not really, I've just gotten in the habit of before banking, closing browser, empty sandbox, and then go to bank site. Not a big deal.
  #8  
mick92z, February 4th, 2008, 04:53 PM

I think it's common sense, if you are entering sensitive info, e.g. banking, to empty your sandbox prior. I have my sandbox set to delete automatically, upon termination of all sandbox activity, with a warning first, if there are recoverable files. So I don't have to remember to empty it. Also I surf sandboxed with DropMyRights, hopefully a keylogger couldn't run, even sandboxed. Although I'm no expert.
  #9  
Hermescomputers, February 4th, 2008, 05:02 PM

Again, here comes grandma "fully protected" in her brand new sandbox... logging into everything after browsing the web all day... That's what scares me about it. Many users wouldn't think twice about logging in, because of impatience or simply because they got into the habit of browsing the web in a sandbox and forget they are doing it... That is why in my recommendation Secured Web browsing I recommend to have one enabled...
  #10  
Terror_Eyez, February 5th, 2008, 01:37 AM

Hermescomputers, do you actually USE Sandboxie?
It seems like you just have it there as a backup or something.

The reason I ask, is because you don't seem to realize how effective Sandboxie could actually be against keyloggers, without any other kind of protection needed.

I mean for one, you could do the simple method that Peter mentions, which is to just delete the sandbox, and you're done.

Second, you could just set your browser to access the internet, and nothing else, that way, regardless whether a keylogger is running or not in the sandbox, it won't be able to send any of its captured data out to anyone, so you are perfectly safe. I have personally tried this with many keyloggers, ones I've made, and ones I've downloaded, and every single time, regardless if it caught any information or not, it could never actually send the captured data anywhere. So when you delete the sandbox (whenever that may be) the keylogger and its captured data, will be gone, before the data was even able to be sent out to anyone.

Or third, in one of your sandboxes, you could just try setting only one file to run (such as your browser) and then any other files in the sandbox (example, keylogger) won't even be able to run in the first place!!

If any of that is too hard for you to do, then maybe you are the grandma here!
  #11  
innerpeace, February 5th, 2008, 02:00 AM

Quote:
Originally Posted by Terror_Eyez
Hermescomputers, do you actually USE Sandboxie?
It seems like you just have it there as a backup or something.

The reason I ask, is because you don't seem to realize how effective Sandboxie could actually be against keyloggers, without any other kind of protection needed.

I mean for one, you could do the simple method that Peter mentions, which is to just delete the sandbox, and you're done.

Second, you could just set your browser to access the internet, and nothing else, that way, regardless whether a keylogger is running or not in the sandbox, it won't be able to send any of its captured data out to anyone, so you are perfectly safe. I have personally tried this with many keyloggers, ones I've made, and ones I've downloaded, and every single time, regardless if it caught any information or not, it could never actually send the captured data anywhere. So when you delete the sandbox (whenever that may be) the keylogger and its captured data, will be gone, before the data was even able to be sent out to anyone.

Or third, in one of your sandboxes, you could just try setting only one file to run (such as your browser) and then any other files in the sandbox (example, keylogger) won't even be able to run in the first place!!


If any of that is too hard for you to do, then maybe you are the grandma here!

Hi Terror_Eyez,

I was waiting for someone to post about only allowing the browser internet access through Sandboxie. It's good to hear that it thwarts keyloggers too. However, what would happen if the keylogger was named firefox.exe or iexplore.exe?

innerpeace
__________________
XP Home SP3, Nat router, Firefox3.5, Online Armor Premium 4.5, AntiVir 9 free, Sandboxie, and Returnil RVS
Are you running vulnerable programs? Check online now with the Secunia Online Software Inspector.
  #12  
Empath, February 5th, 2008, 02:24 AM

I haven't checked how it appears in the configuration file, but in setting up the single program that can access the internet, you're given the choice of doing it by 'application name' or file name. With the file name you show path. Provided it's entered as a path and app in the configuration file (which I assume, but haven't checked) then you could have all kinds of keyloggers named firefox.exe or iexplore.exe. It wouldn't matter then.
  #13  
innerpeace, February 5th, 2008, 02:55 AM

Quote:
Originally Posted by Empath
I haven't checked how it appears in the configuration file, but in setting up the single program that can access the internet, you're given the choice of doing it by 'application name' or file name. With the file name you show path. Provided it's entered as a path and app in the configuration file (which I assume, but haven't checked) then you could have all kinds of keyloggers named firefox.exe or iexplore.exe. It wouldn't matter then.

Thanks Empath, I see the setting now. It's in the Sandboxie Control, click Sandbox, expand DefaultBox, click Sandbox Settings, expand Resource Access and then click Internet Access. If you read the two lines below the four buttons, it seems as if it will block the fake files regardless. Maybe Sbie uses a hash check of some kind. This is very interesting.
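The three settings suggested in posts #8 and #10 (delete the sandbox automatically, let only the browser reach the internet, let only the browser start) can be checked from the configuration file that post #12 mentions. This is an added example, not part of any post and not Sandboxie's own code; it assumes the `AutoDelete`, `ProcessGroup`, `ClosedFilePath` with `InternetAccessDevices`, and `ClosedIpcPath` settings of the Sandboxie.ini format, which the 2008 build discussed here may write differently, and the sample file and its box names are constructed.

```python
# Constructed sample in the Sandboxie.ini layout; box names and values are not from the thread.
SAMPLE_INI = """\
[GlobalSettings]
[DefaultBox]
Enabled=y
[HardenedBox]
Enabled=y
AutoDelete=y
ProcessGroup=<InternetAccess_HardenedBox>,iexplore.exe
ClosedFilePath=!<InternetAccess_HardenedBox>,InternetAccessDevices
ProcessGroup=<StartRunAccess_HardenedBox>,iexplore.exe
ClosedIpcPath=!<StartRunAccess_HardenedBox>,*
"""

def parse_ini(text):
    """Return {section: [(key, value), ...]}; a list because keys repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def exempt_programs(settings, key, target):
    """Programs named by 'key=!<who>,<target>' rules, or None if no rule exists."""
    groups = {}
    for k, v in settings:
        if k == "processgroup":
            name, *members = [p.strip().lower() for p in v.split(",")]
            groups.setdefault(name, set()).update(m for m in members if m)
    found = None
    for k, v in settings:
        who, _, what = v[1:].partition(",")
        if k != key or not v.startswith("!") or what.strip().lower() != target:
            continue
        who = who.strip().lower()
        # '!<Group>' resolves through ProcessGroup; '!name.exe' names one program.
        found = (found or set()) | groups.get(who, set() if who.startswith("<") else {who})
    return None if found is None else sorted(found)

def audit(text):
    """Per sandbox: auto-delete state and which programs may go online or start."""
    report = {}
    for name, settings in parse_ini(text).items():
        if name == "GlobalSettings" or name.startswith("UserSettings_"):
            continue  # not sandbox sections
        report[name] = {
            "auto_delete": dict(settings).get("autodelete", "n").lower() == "y",
            "internet_allowed": exempt_programs(settings, "closedfilepath", "internetaccessdevices"),
            "start_run_allowed": exempt_programs(settings, "closedipcpath", "*"),
        }
    return report

def findings(text):
    """Readable list of the gaps discussed in the thread, one line per gap."""
    labels = {"auto_delete": "sandbox is not deleted automatically",
              "internet_allowed": "any sandboxed program may reach the internet",
              "start_run_allowed": "any program may start in the sandbox"}
    return [f"{box}: {labels[k]}" for box, r in audit(text).items()
            for k in labels if r[k] in (False, None)]

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_INI)) or "no gaps found")
```
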
  #14  
chris2busy, February 5th, 2008, 03:49 AM

Or if you are the only person using the computer you can just save the u/n and PIN in a txt file with a not so obvious name concerning its content and copy-paste with mouse.
__________________
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe"
  #15  
Hermescomputers, February 5th, 2008, 07:45 AM

As a few of you have stated there is a way within Sandboxie to "configure" a single application's Internet access within the config of the sandbox and it appears to work well.

Unfortunately this setting is not active by default effectively rendering the sandbox a high risk with keyloggers (only during the infected session as I have stated above).

In my experience anything not "default" is useless with grandma!
  #16  
Peter2150, February 5th, 2008, 08:26 AM

Quote:
Originally Posted by Hermescomputers
As a few of you have stated there is a way within Sandboxie to "configure" a single application's Internet access within the config of the sandbox and it appears to work well.

Unfortunately this setting is not active by default effectively rendering the sandbox a high risk with keyloggers (only during the infected session as I have stated above).

In my experience anything not "default" is useless with grandma!

First, I know a member of the forum, who would take exception to that last statement.

Second, correct me if I am wrong, but wouldn't a keylogger, to be effective, really have to either install a driver, or start a service, of some kind. Because if so, case closed.

Pete
  #17  
Hermescomputers, February 5th, 2008, 08:51 AM

Quote:
Originally Posted by Peter2150
First, I know a member of the forum, who would take exception to that last statement.

Second, correct me if I am wrong, but wouldn't a keylogger, to be effective, really have to either install a driver, or start a service, of some kind. Because if so, case closed.

Pete

Some types of keyloggers yes... however many trojans also include keylogging functionality as well as remote viewing or even remote control... All contained within an executable smaller than 400k... Seen some even smaller.
  #18  
Franklin, February 5th, 2008, 09:53 AM

The Anti Keylogger Test below shows that keystrokes can be captured when run sandboxed.

Is it a worthy test for Sandboxie if set for only the browser to connect even though keystrokes are captured this info can't be sent out?
Quote:
Some trojans includes keylogging functionalities, that can steal confidential information you are typing. To fight this threat, many HIPS software, and also dedicated anti-keyloggers software, now provide anti-keylogger features. However, there is many ways to monitor the keyboard, and few HIPS cover them all.

AKLT is a tool using 7 different methods to monitor your keyboard, and enables you to check your defences. AKLT provides hook based, and hookless/cyclical
AKLT test
  #19  
Peter2150, February 5th, 2008, 10:11 AM

Quote:
Originally Posted by Hermescomputers
Some types of keyloggers yes... however many trojans also include keylogging functionality as well as remote viewing or even remote control... All contained within an executable smaller than 400k... Seen some even smaller.

Absolutely, but if they come in thru the browser, they are sandboxed, and can't hurt the system. Tested this with some live malware. Sandboxie protected the system.


@Franklin. To answer your question strictly from my point of view. I don't care, if something were to come in thru the browser, and install some keylogger. Before I do anything of significance, I close the browser and empty sandbox. Takes seconds, easy habit to form, and keylogger gone.


Note. I can't help feeling, if this is too difficult for someone to learn, they may well be, unfortunately, doomed to getting themselves in trouble. It's kind of like "Don't open attachments" So simple, but....


Pete
  #20  
Hermescomputers, February 5th, 2008, 10:18 AM

Quote:
Originally Posted by Peter2150
Note. I can't help feeling, if this is too difficult for someone to learn, they may well be, unfortunately, doomed to getting themselves in trouble. It's kind of like "Don't open attachments" So simple, but....
Pete

Peter I think it's probably because the only people that call me actually willing to pay for my services are usually the desperate ones... I get to see a lot of bad stuff.

So I may be more "paranoid" than would be required under the circumstances... However my faith in Joe Average has waned considerably over the years as I have seen them do the obviously dangerous and actually think it was the appropriate secured measure to do... Still baffles me to this day how the human brain being so powerful can do really such stupid things as some users actually do...
  #21  
Peter2150, February 5th, 2008, 12:00 PM

Quote:
Originally Posted by Hermescomputers
Still baffles me to this day how the human brain being so powerful can do really such stupid things as some users actually do...

Nothing new really. Just the computer gives them the power to do it quicker. The one I loved was the British technology weekly, stopping folks at the tube entrances and offering them some quality chocolate if they'd take a survey. Some high percentage were willing to give up their work computer passwords. Duh.
  #22  
MitchE323, February 5th, 2008, 02:55 PM

To say that a program is useless on the single basis of 'default settings' is beyond the most ridiculous thing I have ever read. TerrorEyes has it right-on as do most of the users here. I have always said that those in the computer-fixit-industry would be the slowest to give SandboxIE credit and the comments here prove that out. Fear mongering that uses 'GrandMas' surfing habits as a basis is becoming more and more prevalent now that a number of new products are supplanting the tired old failed products of the past.

HermisComputers states that because he is worried that Grand Ma is totally inept, he recommends that she visit his site for guidance. Well I went on that site and no one (not just Grand Ma) would be expected to do all that is recommended there.

Fear mongering that leads folks to needless worry creates situations like this; http://forums.wincustomize.com/?aid=175059
And is causing people to 'break' their computers.

Probably followed by a phone call to a computer fix-it guy for help. haha
  #23  
muf, February 5th, 2008, 02:58 PM

And another thing you could do is install Keyscrambler. Works on both Firefox and IE and is free. Even if a keylogger could log your keystrokes. All it will receive is a load of gobbledygook.

muf
__________________
There is always a way past!
  #24  
MitchE323, February 5th, 2008, 03:22 PM

Well if I am ever targeted by a keylogger, I am going to treat that threat very seriously. I am going to assume that a Commercial Keylogger is after my information. (note the word Commercial) Can anyone guide me to a freeware anti-keylogger that would be of any help? I've never heard of one.

It's time to cut through the nonsense and provide some qualified answers for people. Otherwise why even have Computer Security as a job or as a hobby? As far as I know SandboxIE is the only product that provides even hope against a commercial keylogger.
  #25  
SirMalware, February 5th, 2008, 03:31 PM

Has anyone actually tested KeyScrambler to see how effective it really is?
 
