Please allow me just one Sandboxie question...

Discussion in 'sandboxing & virtualization' started by CoolWebSearch, Dec 21, 2012.

Thread Status:
Not open for further replies.
  1. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    204
    Sandboxie only helps to contain malware downloaded by your browser. If you visit a compromised site, acquire some malware, and then go banking, your data is potentially vulnerable. However, if you acquire the malware, shut down the browser, clear the sandbox, and start the browser again, you'll be fine.

    Sandboxie is more about protecting the system from browser-based malware than protecting the data within your browser.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    Some Sandboxie settings worth considering for optimal security if, for example, Chrome browser is used:

    Code:
    Program start >> Forced Programs: [chrome.exe]
    
    Restrictions >> internet Access: Chrome.exe
    
    Restrictions >> Start/Run Access: Chrome.exe
    
    Applications >> Web Browser >> Google Chrome: [+] Force Google Chrome to run... 
    
    Delete >> Delete Invocation: Automatically delete contents of sandbox
    This is if you insist on using Sandboxie for Internet banking.
     
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    This is only partially true; from my colleagues' experiences I can safely say that a properly configured Sandboxie will easily handle all kinds of attacks, but it depends on how tight and properly configured Sandboxie really is.
    Any more experienced Sandboxie user will tell you that.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    I was curious about a keylogger already installed and running in the real system, so I installed and started Zemana's test keylogger found here: -http://www.zemana.com/LeakTest/keylogger-test.aspx under my appdata directory, ran it as administrator, then opened Chrome sandboxed, then started typing random characters on my bank's login page, and the keylogger recorded the keystrokes flawlessly. In conclusion, and I'm sure it is what most people suspected, Sandboxie can't protect in this case when malware is already installed in the real, non-sandboxed environment. Jetico firewall did, however, alert me to its connection attempts (indirect relativeness).

    Trying this or a similar experiment in a vm, and the keylogger installed and running on the real system did not record the keystrokes from the browser running in the vm.
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Sandboxie creates a virtual environment in which most anything can run, but nothing (relatively) can escape to the host system.

    If your host system has a virus/etc, then your sandbox does also. That is not a 100% true statement, as there are ways to configure SBIE more radically, but for most it will be true.

    The benefit of using Sandboxie is that what happens in the browser or other internet facing app stays there. It isn't a security program, but it brings security by not allowing the system to be compromised by applications that might normally do so.

    There are some settings in Sandboxie that can be used that will bring a little security to the sandboxed environment, such as DropRights and restricting processes that run or have network communications. However, this doesn't change what Sandboxie is doing, which is maintaining a virtual environment that is always segregated from the host environment.

    If you start out with a clean system, and always do certain activities in a sandbox, then your system will remain clean. If you delete the sandbox environment prior to visiting a bank website, then your sandbox environment is also clean. At this point, if you go nowhere but your bank website, how safe do you think you are?

    Users who browse in the same sandbox they bank with, and don't know for sure the host OS is clean prior to using a sandbox don't really know what the score is. How safe is that?

    Sandboxie has quite the reputation here.. and rightfully so. It is a stellar application which has yet to be seriously compromised. The developer is very active and usually very fast at fixing any issues. It has the proverbial 1000 and 1 uses it seems. But, it is not a security program. It will not keep you safe simply because you use it. You have to understand what it does, and does not do. When you do understand how to use it, it can radically change how and what you do because it is an enhancement like no other.

    IMO anyway.

    Sul.
     
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I don't know what the big deal is here; you have to open this keylogger test sandboxed to not get your security compromised.
    Open it on a real, non-sandboxed system, and then you're infected, the party is over.
    The best option to me is when sandboxed malware (including keyloggers) couldn't do anything inside Sandboxie and couldn't even start/run to do any damage, because I restricted start/run of any application except only a few.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    Absolutely and agreed :)

    My test was just to illustrate the fact that keystrokes are still present on the real system when browsing and typing in the sandboxed environment, and therefore a keylogger installed and running in the real system captures them. However, in the VM guest environment, the keystrokes are present only in the virtual guest environment, so the same keylogger on the real host machine does not capture them.

    These are simply facts. They are not meant to diminish the merits of Sandboxie (I use it with confidence to sandbox Chrome on two different pc's), but rather just food for thought.

    Obviously if the host machine is discovered infected, there's no point anyway going any further with any approach until the infection is removed.
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    First of all, I'm not saying SBIE is all powerful, I'm just trying to establish its weakness here. Are you sure it's true that a sandboxed keylogger downloaded inside the sandbox with restrictions will still send keystrokes on the net?

    So, Sandboxie is still vulnerable to keyloggers even though they are sandboxed and with all the restrictions?
    I didn't know that, until now.
    What about downloading keyloggers instantly inside the sandbox first and not on the real system, would that change everything, would the keylogger still be able to send information on the net?

    When you configure Sandboxie for any malware to block the internet access and to block its start/run, plus when you block the very download to your sensitive files like shared documents, my documents and the D: partition, do you still say keyloggers would leave traces on the real system even though they are downloaded inside the sandbox and restricted from gaining any access, and still send information on the net?

    It seems to me that you have to first download keyloggers to your real system first, then run them sandboxed (but again, how can you run them sandboxed when they are, and not first download them while they are always inside the sandbox?)
    But then that's the problem with the user I guess, if he/she opens a file outside the sandbox that is malicious...
    So it appears that keyloggers are truly Sandboxie's weakness?

    I wonder how DefenseWall deals with keyloggers, do keyloggers still send their keystrokes on the net even though they are untrusted, and/or when they are on the real system and then they are started to run in the untrusted zone?
     
    Last edited: Dec 24, 2012
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    If Sandboxie is configured with restrictions to allow nothing but the browser, for example, to run and access Internet, then no, keyloggers within the sandboxed environment should not be a threat, because they won't be allowed to run in the first place.

    As per my comment above :)

    I'm only talking about a keylogger downloaded, installed and running on the real system as being an issue, because keystrokes made when browsing in the sandboxed environment are being captured by the keylogger. This is not the case when browsing within a vm guest machine. Keystrokes made within the vm stay in the vm and are not present on the Host machine, therefore a keylogger on the host (real) machine can not capture them.

    Basically this means:

    Don't allow the real system to become infected with malware.

    Would Sandboxie not even be more awesome if it could contain keystrokes within its sandboxed environment?
     
  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I thought Sandboxie's restrictions solve this problem of Sandboxie's awesomeness in containing keystrokes (of course if they are inside the sandbox). My question is, who in the world would want to start and run keyloggers on the real system in the first place? I don't know anybody, so I really don't know why it is such a big deal.
    I also remember when I killed an installed keylogger by deleting its code (but that was when I didn't have much protection and also I didn't have Sandboxie for protection either).
    My computer is 100% clean and I'm absolutely sure, because I reinstall it from scratch every 3 months.
    Unless there is some bug inside Sandboxie, a properly configured Sandboxie will defeat any malware, including keyloggers, as tested by others with 1000s of different malware samples.
     
    Last edited: Dec 24, 2012
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    I don't perceive keystrokes being contained within Sandboxie's environment. I can start the keylogger in the real system before the sandboxed browser or after it, and the keystrokes I type in the fields of the sandboxed browser are always recorded by the keylogger.

    Umm, people with malicious intent looking to steal a user's personal and sensitive info o_O
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I was asking about the downloaded sandboxed keylogger with all the restrictions.
    And second, I was talking about average users who download files from the net; who would want to start an unknown file from risky websites (so why not download them inside the sandbox with restrictions)? No one is that stupid...
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    Understood. As I mentioned earlier, if the enhanced restrictions are in place for the sandbox, the keylogger in the sandboxed environment should be a non-issue.

    Probably you are right that the average person using Sandboxie isn't going to do this. I'm only talking theoretically about a keylogger or similar malicious program that somehow, maybe via driveby download, infiltrates the real system if Sandboxie isn't used at the time. I'm not suggesting it's likely going to happen, only that under the right circumstances where the user is, for whatever reason, being careless and does not have other security provisions in place, it could happen.

    There are supposedly, and even likely, keyloggers that can install with a user's limited rights, so one might want to consider other security provisions such as anti-executables, application firewalls, EMET, a combination of the above or something else altogether, unless the user can be sure that Sandboxie with additional restrictions will always be used when browsing online; and even then, there is the opportunity to recover downloaded sandboxed content - malicious or not - so one needs to exercise caution here.

    In the end, I think it has to come down to only the user's decision: "do I install this or not?" There should be no surprises or unexpected scenarios leading to a compromise. With my keylogger experiment, I believe it simply means: how to prevent this scenario from happening?
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I think that is SBIE101.

    In my opinion, knowing and understanding what SBIE doesn't do is more important than knowing what it does.

    Bo
     
  15. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    Perhaps you could expand on that for me please Sul, I am not being rude, you are too clever for that :)
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Installing Sandboxie does nothing to the users or groups on your machine. It adds no security enhancements. It creates no boundaries nor uses white or black lists of what processes are safe or not.

    What it does do is keep whatever you run within it from changing the real system. If you download a virus or trojan into the sandbox, it stays there. Usually that virus or trojan is as effective within the sandbox as the real system. If you get a keylogger in the sandbox, it can do as much damage as one in the real system. There are some settings you can use to mitigate this of course. But in a general view, Sandboxie is only virtualizing what you do from the host.

    If you download a file and execute it in the sandbox, it is contained, but not controlled. If it is a virus/trojan/keylogger, it runs without question, more or less. A security app would traditionally stop this by indicating the file is tainted (AV) or that it wants to do something nefarious like install a hook (HIPS) or maybe that it wants to phone home to some bot net site (firewall). Sandboxie doesn't care.

    If you execute a downloaded file that you recovered from a sandbox to the real system, Sandboxie does nothing to prohibit this. The file could be the worst sort of danger, and Sandboxie cares not, because it is made for virtualization, not security.

    Now, none of this is to say you cannot use Sandboxie as part or nearly all of your security scheme. You can, and I have. It can be very effective. But you have to understand that the only security Sandboxie brings you is keeping your system clean if you use it all the time, and the ability to delete the sandbox environment. So, your system stays clean and your virtual environment stays clean, so all you need to worry about is what you do in between that keeps things clean.

    Sul.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Agreed, as users who are more professional about Sandboxie's restrictions are satisfied, as Sandboxie with restrictions has never let anyone down. I can speak from my experience and for other more experienced users, those who have 100% clean systems (Franklin and Buster tested thousands of all forms of malware samples against Sandboxie and its restrictions).

    I was saying all this because I consider myself an average user. The problem with many average users of Sandboxie is that they don't know its real power in all the restrictions you set for the virtual environment.
    My main problem with my own character is that I always like to dig deeper and deeper and explore fully any application I use; this is why I frequently visit these kinds of forums, or I simply google it to find it.

    Yes, I used to be a very dumb and completely careless kid 10 years ago when it comes to computers. I didn't know what a firewall or an antivirus was, but I learned only after my entire system was infected with tons of all forms of malware. However, this was the perfect opportunity to learn more about computers themselves and computer security.
    I used to let malware install on my real system (no virtual box) just for the purpose of testing. I can 100% guarantee you that the best antimalware/antivirus/antispyware products could not get rid of all of the specimens.
    I needed to install at least 6 or 7 different top antimalware/antivirus etc. products to completely eliminate all of the malware samples running and doing havoc on my computer.
    Yes, this was extremely risky.
    Then I found out about Sandboxie eventually, and I said ah, this is just another virtualization software, avast has it too as well as many other products.
    But what I did find out is that none of these virtualization softwares can match Sandboxie's true power with all the restrictions and configurations, plus Tzuk is instantly responsive and you wait for the fix only several days.
    This is why I'm angry when no one is testing Sandboxie to its fullest (of course users test it thoroughly), but none of these claimed security experts want to test Sandboxie's maximum power.

    Cheers.
     
    Last edited: Dec 25, 2012
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Don't forget about restrictions and configuration in general, which are the key to Sandboxie's hidden true power.
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It is true that the different ways to configure Sandboxie can make it very powerful. This can provide a measure of restrictions for the sandbox environment. And some, like forcing an application to open in a sandbox, can help keep the system clean because if it starts in a sandbox it stays there.

    But in the end, Sandboxie won't protect you from yourself. If you don't start an app in a sandbox and get a nasty, too bad. If you download a file into the sandbox, then recover to real system and execute it, you are on your own. If you start app in a sandbox, and get a nasty in that sandbox, without certain settings in place for the sandbox, things happen as they please.

    The extra settings you can use for Sandboxie, when used creatively, really can lead to better security, but it isn't Sandboxie itself that creates the security, but rather how you do things differently in order to play on what Sandboxie can do.

    I am a fanboy of Sandboxie, without a doubt. It's kinda strange to be stating the opposite in a way lol.

    Sul.
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    That was the thing I was talking about. A file or a process inside Sandboxie that is restricted from doing anything will fully protect you against even keyloggers, since you can block your sensitive data from being spread across the internet, but outside the sandbox the story is over, although people are not that stupid to open the file just like that.
    I only have router firewall, windows xp firewall and configured Sandboxie for protection, I always browse sandboxed firefox, internet explorer and everything else.
    I never download any kind of file at all.
    Prevention is the key here not detection, and that is the area where Sandboxie does best, better than any other product.
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I told you before, I'll tell you again, protecting sensitive data is not under Sandboxie's scope. Please read Tzuk's post in this recent thread. It can't be any clearer than that.

    http://www.sandboxie.com/phpbb/viewtopic.php?t=14026&highlight=keylogger

    Blocking personal files and folders using the restrictions: for me, it is more than enough, as I am not worried about anything in my computers being stolen, but if one day something gets out, I am not going to blame SBIE. Why? Because Sandboxie is not an anti-keylogger and I am aware of that.

    Bo
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    To support what bo has already pointed out, a good read here:

    http://www.sandboxie.com/index.php?DetectingKeyLoggers

    It seems pretty clear one might want to incorporate some form of AE and/or firewall protection as well. Thanks for pointing this out, bo :) I had thought that the additional restrictions enabled in Sandboxie would virtually eliminate the threat that key loggers pose, and in their FAQ section:

    makes it clear that it is not absolute protection at all, and not to rely solely on SB to protect against these.
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So you're saying that blocking the D: partition and all of my personal documents, my shared documents, from getting touched by sandboxed keyloggers (all forms of keyloggers) will not help at all...
    It also means that if a sandboxed keylogger (I'm talking about all forms of keyloggers) cannot start/run in the first place, it will still steal information, although it was downloaded inside the sandbox in the first place...
    And yes, my computer system is 100% clean, so why be worried about something that can send sensitive data on the net?
    I have always wondered if DefenseWall protects against sending sensitive data across the net and against all forms of keyloggers that are downloaded to your computer and are either trusted or untrusted.
    I guess it can because of its HIPS and both inbound and outbound firewall...
     
    Last edited: Dec 26, 2012
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I guess I am having a hard time understanding where this thread is going.

    Sandboxie does not make your system safe. It helps to keep it safe if you use it.

    In the end, IMO it isn't about sandboxie or any settings for sandboxie, but about your ENVIRONMENT. So as to the original question - if your environment is clean, then yes, Sandboxie can be used. You don't even need any special settings. Just delete the sandbox, go to the bank website and do your stuff, then delete the sandbox when you are done.

    Sul.
     
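The "empty the sandbox, bank, empty it again" routine Sul describes can be scripted with Sandboxie's own Start.exe command line. The batch file below is an added example written for this thread, not something posted by Sul or shipped with Sandboxie; the sandbox name "BankBox", the Sandboxie and Chrome install paths, and the bank URL are all assumptions (the box must already exist in Sandboxie Control). It only enacts the procedure from the post: it does nothing about a keylogger already running on the real system, which is exactly the case wat0114's test shows Sandboxie cannot cover.

```batch
@echo off
rem Added example (not from the thread). All paths and the box name are assumptions.
set "SBIE=C:\Program Files\Sandboxie\Start.exe"
set "BOX=BankBox"
set "BROWSER=C:\Program Files\Google\Chrome\Application\chrome.exe"
set "BANK_URL=https://bank.example/"

rem 1. Stop anything still running in the box, then empty it, so the banking
rem    session starts from a sandbox with no leftovers from earlier browsing.
"%SBIE%" /box:%BOX% /terminate
"%SBIE%" /box:%BOX% delete_sandbox_silent

rem 2. Launch the browser inside the box and block until it exits.
rem    /wait makes Start.exe return only after the sandboxed program closes.
"%SBIE%" /box:%BOX% /wait "%BROWSER%" %BANK_URL%

rem 3. Empty the box again so nothing picked up during the session survives
rem    for the next run (same effect as "Delete Invocation: Automatically delete").
"%SBIE%" /box:%BOX% /terminate
"%SBIE%" /box:%BOX% delete_sandbox_silent
```

`delete_sandbox_silent` skips the confirmation prompt that `delete_sandbox` shows; if you prefer the prompt, swap the two. Because step 1 runs before the browser starts, the session is clean even if the previous browsing session was left behind in the same box, which is the point Sul makes about deleting before visiting the bank rather than only after.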
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, I'm 100% sure that my computer is 100% clean, after all I do reinstall from scratch every 3 months.
    And yes I was talking about when your computer system is 100% clean.
     