Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not sure if that will help, but that also isn't the point. The point is that SBIE does not protect against "low level" keyboard hooks. This was a design choice of Tzuk and Invincea, and not a bug, as I initially thought. But of course a firewall and HIPS would stop key-loggers no matter if they run inside or outside the sandbox, so no big deal.
     
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    As you can see on the SBIE website, the only form of malware that is not on the list is simply keyloggers, so basically, SBIE cannot protect against keyloggers. However, in those tests from Zemana and Spyshelter, keyloggers will bypass SBIE4's protection, but only if you enable them to start/run, and these tests are equivalent to real keyloggers that are allowed to start/run; if you restrict them from starting/running/executing, no damage can ever be done in the first place, since all the keyloggers cannot start/run/execute in the first place.
    But the question remains: which forms of keyloggers can bypass SBIE4, even when you disable them from starting/running/executing in the first place?
    Can SBIE4 protect against all forms of keyloggers?
    And can HIPS and firewalls help against all forms of keyloggers?
    Or is it a waste of time and money?

    Also, the good thing about SBIE4 is the fact that it can block all the applications so that malware, including keyloggers, cannot communicate with/compromise the security of applications on all drives/drivers on the computer, and therefore this is one of the ways SBIE4 can protect against all forms of malware.
     
    Last edited: Oct 13, 2014
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In general, I believe that there are two cases in which unwanted code can run inside of a sandbox:
    1. You decided to run something that you thought was goodware, but it wasn't goodware.
    2. A vulnerability in a sandboxed program is exploited. In those cases where the payload is a separate .exe, start/run restrictions could stop the payload. In those cases where the payload runs inside of the sandboxed goodware .exe that got exploited, start/run restrictions won't stop the payload from running.
     
    Last edited: Oct 13, 2014
  4. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    True, very true; however, the latest statement from Curt from Invincea indicates that they have had SBIE4 itself tested by someone else, some independent security company, regarding exploiting SBIE4 and its code, and the short answer from Curt was: nothing has been exploited (Bo Elam can help you with more information on this).
    Of course they cannot talk about the details.
    However, the first scenario is the only true danger: you think something good runs inside the sandbox, but guess what, it isn't; this is where SBIE4 will definitely get bypassed by keyloggers, only keyloggers (because, so far, I have seen on Sandboxie's website that you can start/run/execute/DLL-inject every other form of malware inside SBIE4 without worrying about being infected).
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ CoolWebSearch

    Don't take this the wrong way, but you keep asking the same questions, which have already been answered; I don't get it. We already came to the conclusion that SBIE does not protect against certain types of keyloggers, especially when they are running outside the sandbox. Inside the sandbox you can stop them with start/run restrictions. Also, a specialized anti-logger/HIPS like Zemana and SpyShelter should stop these kinda attacks. :)
     
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, thank you for the confirmation. I'd like to use an anti-keylogger but I don't know which one; didn't you say that both Zemana and Spyshelter are like dinosaurs (meaning they will not be upgraded anymore, or very soon)?
    So, which anti-keylogger should I use? Any recommendations?
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ CoolWebSearch

    No, that was some other person, but it's up to you; just take them for a test-drive, is my advice.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    How do start/run restrictions stop the techniques from post #881 if they happen within a sandboxed process?
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Buffer Overflow Protection?
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Experiment: I installed Winamp 5.12 in a Windows XP x86 SP3 virtual machine. (I initially tried using a Windows 7 x64 virtual machine, but Winamp apparently doesn't work correctly in Win 7 x64.) I installed Sandboxie 4.12. I started Winamp sandboxed. Then I used sandboxed Winamp to open a booby-trapped file that exploits Winamp. The exploit (a publicly available proof-of-concept) opens Calculator as a demonstration. Calculator is run sandboxed (i.e. there are two "[#]" in the Calculator window title). This demonstrates that bad code can be run by an exploited sandboxed goodware program in the latest version of Sandboxie on Windows XP.
     
    Last edited: Oct 13, 2014
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Version 4.13.7 is going to be out soon. Hopefully it takes care of issues that some people are having running Firefox under Sandboxie's latest betas. These issues are related to Flash. Apparently one of Chrome's recent fixes had the side-effect of causing problems using Flash in Firefox under SBIE. :)
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=48&t=19151&start=180

    Bo
     
    Last edited: Oct 13, 2014
  12. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    There seems to be some confusion here. Hopefully this will clear things up once & for all.
    Tests I conducted involve installing the keylogger testing apps on OS.
    Using Sandboxie 4 and Pale Moon (Firefox fork) to test.

    Browser is the only app that is allowed "INTERNET ACCESS" in Sandboxie restrictions.
    No "START/RUN " access is allowed, except for the browser in Sandboxie restrictions.
    "ClosedFilePath" is used in Sandboxie for the Keylogger testers. (.exe files)

    Browser is sandboxed and connected to Internet.
    Keylogger testers are running in background.
    Keylogger apps are able to capture keystrokes when I type into the browser. (launched outside of Sandboxie)
    Keylogger tester is not able to function when KL file is placed in Sandboxie "Forced Programs". (process cancels out)
    Keylogger tester is not able to function when I choose KL file to "RUN SANDBOXED". (access is denied)

    Firewall is set to monitor inbound/outbound connections. Nothing to report regarding KL connections.

    Conclusion: IMO Sandboxie performed what it's designed to do. If you want "TOTAL KEYLOGGER PROTECTION"
    then there are several apps available as mentioned in thread.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I tested Anti-Keylogger Tester 3.0 vs. typing into Notepad. Sandboxie 4.12 (free version) was installed; all settings used for Sandboxie were the default settings.

    Results:

    A) Win 7 x64 with SP1 virtual machine:
    A.1)
    Notepad - not sandboxed
    Anti-Keylogger Tester - not sandboxed
    Keys were logged on 6 of 7 test methods. Will use those 6 successful test methods for the rest of Win 7 x64 tests.

    A.2)
    Notepad - sandboxed
    Anti-Keylogger Tester - not sandboxed
    Keys were logged on 6 of 6 tests.

    A.3)
    Notepad - not sandboxed
    Anti-Keylogger Tester - sandboxed
    Keys were logged on 0 of 6 tests.

    A.4)
    Notepad - sandboxed
    Anti-Keylogger Tester - sandboxed (in same sandbox as Notepad)
    Keys were logged on 6 of 6 tests.

    B) Win XP x86 with SP3 virtual machine:
    B.1)
    Notepad - not sandboxed
    Anti-Keylogger Tester - not sandboxed
    Keys were logged on 7 of 7 test methods.

    B.2)
    Notepad - sandboxed
    Anti-Keylogger Tester - not sandboxed
    Keys were logged on 7 of 7 tests.

    B.3)
    Notepad - not sandboxed
    Anti-Keylogger Tester - sandboxed
    Keys were logged on 7 of 7 tests.

    B.4)
    Notepad - sandboxed
    Anti-Keylogger Tester - sandboxed (in same sandbox as Notepad)
    Keys were logged on 6 of 7 tests.

    Note that A.3 had very different results than B.3.

    I couldn't test a keylogger in one sandbox vs. Notepad in a different sandbox because the free version of Sandboxie doesn't allow more than one sandbox to have programs running at a given time.
     
  14. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    XP OS AFAIK doesn't support integrity levels. Vista and above OS do.

    If you allow the Keylogger tester file Start/Run Access in Sandboxie, force it to run sandboxed (Forced Programs)
    & you have set Block File Access (ClosedFilePath) of the Keylogger <name>.exe file Sandboxie will
    cancel process.

    If you allow only Notepad Start/Run Access in Sandboxie and apply "Forced Programs" to KL tester
    file Sandboxie will cancel process. (ClosedFilePath setting has been removed)

    If you run notepad in one sandbox and KL tester in different sandbox (both sandboxes have Start/Run Access applied)
    then KL tester will capture keystrokes in notepad because it's allowed Start/Run Access.
    In this case all you would have to do is apply Start/Run Access to another program other than the KL
    tester, apply Forced Programs and Sandboxie will again cancel process.
    Also you could remove Forced Folders setting, add ClosedFilePath to KL tester file, right-click on
    KL tester file, (exe) choose 'Run Sandboxed' from list, select the sandbox and again Sandboxie will
    cancel process or deny access depending on if you created several sandboxes and which one you clicked on.
     
    Last edited: Oct 14, 2014
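    As an added illustration (not from any poster, and not a Sandboxie project file), here is how the restrictions Compu KTed describes in posts #12 and #14 look in Sandboxie.ini, with an unrestricted box beside the restricted one for comparison. The sandbox name, program name and paths are constructed; the mapping of the Restrictions pages to the ClosedFilePath / ClosedIpcPath keys with the "!program" prefix is as I understand it from the Sandboxie help and should be checked against the help file of the version you run.

    ```ini
    ; Added example, not from the thread. Sandbox name, program names and
    ; paths are constructed; verify key names against your Sandboxie help.

    ; Sandbox A: no Start/Run or file restrictions. A keylogger tester that
    ; is started inside this box simply runs, and (as MrBrian's A.4 / B.4
    ; results show) can log keystrokes typed into another program in the
    ; same box.
    [OpenBox]
    Enabled=y

    ; Sandbox B: the setup Compu KTed describes.
    [KLTestBox]
    Enabled=y
    ; Restrictions > Drop Rights: sandboxed programs run without admin rights.
    DropAdminRights=y
    ; Restrictions > Internet Access: only the browser may reach the network.
    ClosedFilePath=!palemoon.exe,InternetAccessDevices
    ; Restrictions > Start/Run Access: only the browser may start or run in
    ; this box; any other program (the keylogger tester included) is denied.
    ClosedIpcPath=!palemoon.exe,*
    ; Resource Access > File Access > Blocked Access (ClosedFilePath): the
    ; tester binaries are unreadable from inside the box, so even a forced
    ; tester cannot load ("process cancels out" / "access is denied").
    ClosedFilePath=C:\Tools\KLTesters\*.exe
    ; Program Settings > Forced Folders: anything launched from this folder
    ; is pulled into the box, where the two rules above stop it.
    ForceFolder=C:\Tools\KLTesters
    ```

    None of this reaches a logger that was started outside the box: results A.2 and B.2 above show an unsandboxed tester still capturing keystrokes typed into sandboxed Notepad, which is the case the anti-keylogger tools mentioned in the thread are meant for.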
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    But SBIE4 does actually provide total keylogger protection, since a sandboxed keylogger cannot start/run to bypass/infect anything at all.

    The only applications that I know of and that are frequently updated/upgraded are Zemana and Spyshelter, and that's it.
    Sure, I can use DefenseWall personal firewall, but only on 32-bit systems; it protects against everything that is mentioned inside this entire thread, but I'm curious what other solutions I have regarding keylogger protection.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Several that I use.

    One is NVT ERP. Won't allow execution unless you allow it.

    AppGuard will also block installation.

    HitmanPro Alert will encrypt keystrokes of protected applications.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    If a keylogger got installed outside SBIE (the system got infected by an unsandboxed app), then SBIE can't protect sandboxed apps from key logging. Anti-keyloggers, OTOH, could protect protected apps from those keyloggers.
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Exactly, this is all true, but thank goodness, right now I'm experienced enough to know which applications are safe and which are not; however, I do use Malwarebytes Anti-Malware and Hitman Pro on demand, just in case.
     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I thought HitmanPro.Alert does not protect at all against anything, it just gives you warnings o_O
    And then, after HitmanPro.Alert detected and alerted you about exploits/malware, you have to detect them and delete them with Hitman Pro?

    Well, SBIE4 will also block installation if you know how to do it, unless you start/run/execute them outside SBIE4; however AppGuard, like NVT Exe Radar Pro, also will not allow any kind of execution of anything/any exploit/malware at all.

    P.S.: Why did you stop using SBIE4 and switch to Shadow Defender?
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    On HitmanPro Alert: I am using the new beta. It also has exploit mitigation like EMET, so if it detects an exploit it shuts down the offending app. It also gives you the ability to scan and remove malware using Hitman Pro from within Alert. Finally, any app protected also has automatic keystroke encryption.

    As to changing from SBIE4 to SD, I realized the primary reason I was using SBIE was to clean up after browsing. Using Firefox, the latest SBIE betas are a disaster for me. I will keep testing new betas, but browsing is so very fast now that I am running unsandboxed. SD then provides the clean-up.

    Pete
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I believe that's not correct. Posts 909, 910, and 881 (among others) address the claim that malware can't run unintentionally in a sandbox.
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi Pete, I think the slowdown that you are experiencing using Sandboxie's latest betas is probably due to a conflict with another program. This could be with another security program or Flash. Right now we know some users are having problems visiting webpages with Flash content. You could, for testing purposes, uninstall Flash to see if it makes a difference. My browsing is perfect using Firefox in XP and W7. But I don't have anything that can conflict with Sandboxie. And to make Flash work better with Firefox and Sandboxie, I have been disabling plugin container (XP) and Protected Mode (W7) ever since the earliest SBIE version 4 betas came out. For me, that makes things better.

    Bo
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Brian, Sandboxie is not an anti-keylogger. And if your computer is infected by one, you are dead. That is for sure. But in the 6 years that I have used SBIE, I have never seen anything that's not allowed to run, run in the sandbox. To me, that is worth plenty more than your assumptions that Sandboxie's restrictions are weak as cow piss. I told you before, go to MDL and see if you can find any keylogger there that bypasses that restriction. It's a boring test, but you won't find any malware there that does that. Sandboxie has many features that put together make things extremely hard for malware to escape the sandbox or do its thing within the sandbox. If you were a SBIE user, you would know that these things work.

    I know you won't stop making it sound like SBIE is weak, but your posts about SBIE in this thread bother me because when someone who is new to SBIE reads them, he might decide not to use the program and will never know what he is missing.

    Bo
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @bo elam: It may surprise you to learn that I used Sandboxie for years in the past. Anyway, it's better to attack the evidence than the messenger. Please list any technical details that I've been wrong about. There is one: Sandboxie start/run restrictions are a form of anti-executable, IMHO, if I understand it correctly.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua