Sandboxie and banking browser configuration

Discussion in 'sandboxing & virtualization' started by guest, Jun 23, 2011.

Thread Status:
Not open for further replies.
  1. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Indeed. While the concept of switching to a dedicated SUA/LUA account for banking and other secure sessions has some merit, it only really helps with user-mode infections. It's true that malware such as Spyeye and Carberp can operate in LUA only, so would be defeated by switching to a dedicated account for banking, but similar malware that has admin rights won't be.

    So for me, the only real solution is one of the dedicated anti-loggers in a clean browser run outside of Sandboxie. Approaches such as a Live CD, I'm not interested in.
     
  2. guest

    guest Guest

    About the screenshot where Trusteer Rapport appears in the Zeus interface: this never worked.

    http://www.trusteer.com/blog/alleged-newmerged-spyeye-and-rapport

    The Sandboxie documentation says that you can make it compatible with SafeOnline.


    Does anybody remember a guide for banking made by Kees"something"? I don't remember the username well.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You make very good points. Also don't forget that some of those services where people need to enter credentials may be sharing the same IP with other domains. Windows Firewall with Advanced Security only allows restriction by IP. Not really reassuring in such situations either.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, it's possible to make Sandboxie and SOL compatible, but not without diminishing Sandboxie's protection, as the author mentions. :(
     
  5. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Back when I ran SB:

    I deleted everything in Sandboxie, then I did my banking, shopping etc. When finished, I deleted everything again, never had any issues.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I feel safer using Sandboxie alone instead of using Sandboxie together with applications like Zemana, etc. Doing it this way, I know Sandboxie's protection is not being diminished as it's working at its highest level since there is no potential for known or unknown conflicts.

    Bo
     
  7. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree.

    For general web surfing of untrusted websites, I run the browser inside a tightly configured sandbox, working at its highest level, and rely on Sandboxie to isolate and protect the system from possible infection via the browser session. There's no point to weakening Sandboxie's protection by trying to make it compatible with a browser protection utility as no personal data is being entered via the browser that requires protection.

    With trusted, secure websites that involve entering sensitive personal data - online banking, shopping, etc - the situation is different. My preference is to do this outside of the sandbox and rely on a browser protection utility to protect the information captured via the browser session. My primary concerns in this case are website verification and isolation of the browser session from the rest of the system.

    I can always re-image the system in the extremely unlikely event that it gets infected while banking or shopping online, but I can't re-image my life should identity theft occur if there was an undetected infection already present on the system (unlikely but not impossible). It's all about balancing the risks and costs associated with each scenario if the worst should happen.
     
  8. guest

    guest Guest

    Yes, but maybe it is better to do it and have the best of 2 worlds.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I honestly believe that you/we can not have the "best of 2 worlds". We have to choose one or the other. Choosing/using both can be a disaster. Personally, I feel safe using Sandboxie but I fully understand the reasons why Pegr and others prefer and feel safer using something other than SBIE. I think mixing these kinds of programs should not be done.

    Bo
     
  10. wat0114

    wat0114 Guest

    Right, there's absolutely no need to supplement SB with another 3rd party app.
     
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I agree that browser protection utilities such as Trusteer Rapport and Prevx SafeOnline are fundamentally incompatible with an application sandbox program like Sandboxie, and shouldn't be mixed. Browser protection utilities and application sandboxes create different kinds of wrapper around the browser that are mutually incompatible. The trouble with workarounds designed to overcome this is that it's difficult to know if there are going to be adverse interactions or other conflicts that will prevent each program from working to maximum effectiveness.

    Both types of program can be useful providing they're not used together at the same time. That's why I split my browsing into two different scenarios: one using an unsandboxed browser protection utility to guard against the stealing of personal data; and the other using a tightly configured Sandboxie on its own to guard against infection of the system.

    What I should have added is that I keep my system partition constantly virtualised using Shadow Defender, so I do get the best of both worlds, as I can protect my personal data and the system at the same time. Partition virtualisation is compatible with both browser protection utilities and application sandboxes, because light virtualisation programs such as Shadow Defender and Returnil work at the disk level, below the level of the file system.

    In case anyone asks, there are two reasons why I also use Sandboxie for general web surfing in conjunction with partition virtualisation: 1. Sandboxie also has a comprehensive set of policy restriction features and this is what I was alluding to when I said a tightly configured sandbox; 2. Sandboxie also protects my Firefox profile, which for convenience is located on a non-virtualised data partition.
     
  12. wat0114

    wat0114 Guest

    Hi m00nbl00d,

    Sorry, but this makes no sense to me whatsoever. Please explain how a bank could be assigned the same IP addresses as someone else. Maybe I'm missing the boat here.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I never mentioned banks. I mentioned...

    Whatever services people may make use of... and whether or not they consider these credentials important to them.
     
  14. wat0114

    wat0114 Guest

    Okay, sorry for any misunderstanding. All I was referring to with IP restriction was the secure login for the particular bank a user may be using for on-line transactions. If a selected browser is restricted to those IP addresses only in the firewall, then this does indisputably add security to the on-line transactions.
    Using the built-in Vista/Win7 firewall with advanced security eliminates the need to do so with a 3rd party product.

    I'm not exactly sure how this would be done with a sandboxed browser, but I'm sure it's possible with a sandbox dedicated to the "banking-only browser".

    Maybe time to experiment in the vm again :)
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I was always wondering, when you configure settings in Sandboxie to such a level that no malware can access the Internet, and when malware can't start/run, would malware still be able to escape from Sandboxie?
    Hmmm...
    I do not know if Sandboxie, all by itself, can really protect against banker malware at all (even if you configure it so that malware can't start/run or block its access to the Internet). I somehow don't think that, since these are banker malwares, Sandboxie is for home users. But for internet banking and shopping, anyone should get another security layer combined with Sandboxie.
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    It seems unlikely that with a tightly configured sandbox malware would even get a chance to run or access the Internet from inside the sandbox, let alone escape from it. If there were live malware out there that could do this, I'm sure we would have heard about it at Wilders by now. Also, if this were to happen, I'm equally sure that the Sandboxie developer would move very quickly to close any gap in Sandboxie protection, as he is very proactive.

    The issue isn't so much whether Sandboxie can protect a clean system but rather what happens if the system has already become infected by some other means. Sandboxie has no control over what is already running on the system, outside of the sandboxed environment. This is the gap in protection that browser protection utilities like Trusteer Rapport and the Identity Protection component of Webroot SecureAnywhere aim to close when banking and shopping online.
     
  17. progress

    progress Guest

    Sandboxie can keep your computer clean but it's no banking security tool :doubt:
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Ok, if what you said about Sandboxie is true (about SBIE's ability to block start/run of any malware as well as block access to the Internet for every malware), then why can't Sandboxie be considered one of the banking security tools? All you have to do is configure Sandboxie tightly, and no malware can access programs outside SBIE, access the Internet, or even start/run.
    I'm a layman when it comes to banking security, but shouldn't SBIE with a tight configuration protect against all downloads of all malware?
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    SBIE can not be considered a banking security tool, because it won't do anything if the keylogger is already in your machine. SBIE is not a detection tool, I think that's why.

    A clean, restricted sandbox will help you against new threats.

    In a few days, it's going to be a year since I dropped using anything else alongside a restricted sandbox. To this day, I have not experienced anything that makes me doubt that SBIE is doing what it is supposed to be doing. Restricting the sandbox and using multiple sandboxes to separate programs works very well.

    Bo
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247

    But the tests I was talking about were of the installation of internet infections. If you didn't know, MRG has tested this as well. In SBIE you can remove selected files/folders in Quick Recovery, so the installation of any malware is prevented!
    What do you think?
    Have you ever tried to test SBIE against installation of internet infections on websites such as Malware Domain List and similar?
    I was also talking about these kinds of tests.
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    In SBIE you can also apply Drop rights to prevent programs from installing in the sandbox. I run as an administrator so that restriction helps me.

    In almost 3 years of using a restricted sandbox, I have never seen anything malicious run or install in my system. To me, a regular, amateur user, that proves that the restrictions work.

    When I have gone to MDL, it was to try something else, not SBIE.

    Bo
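
The restrictions discussed in this thread (Drop Rights, Start/Run and Internet access limits, deleting the sandbox contents), written as a Sandboxie.ini fragment next to an unrestricted box. This is an added example, not part of any post; the box names and the Firefox executable names are assumptions.

```ini
# Added example; box names and browser executables are assumptions.

# Unrestricted box: file and registry writes are contained, but any
# program that lands in the box can start, keep administrator rights
# and reach the network.
[DefaultBox]
Enabled=y

# Restricted box for general browsing.
[BrowsingBox]
Enabled=y

# Drop Rights: sandboxed processes lose administrator privileges,
# so installers and driver loads fail even under an admin account.
DropAdminRights=y

# Start/Run restriction: only programs in this group may run in the
# box. A dropped executable is refused at launch.
ProcessGroup=<StartRunAccess>,firefox.exe,plugin-container.exe
ClosedIpcPath=!<StartRunAccess>,*

# Internet access restriction: only programs in this group may open
# network devices. Anything else in the box has no connectivity.
ProcessGroup=<InternetAccess>,firefox.exe,plugin-container.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices

# Delete the sandbox contents when the last sandboxed program exits,
# so nothing downloaded in one session persists into the next.
AutoDelete=y
```

As pegr and bo elam point out in their posts, these settings only constrain what runs inside the box; they do nothing about a keylogger already running outside it.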
     
  22. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Has anyone used both Trusteer and PrevxSOL at the same time? Any issues or observations? Can it be possible for them to co-exist?
     
  23. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Has anyone used both Trusteer and PrevxSOL at the same time? Any issues or observations? Can it be possible for them to co-exist?

    Is Trusteer just 226kb or is there an offline installer that I can download...?
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    AFAIK they are incompatible - you can use one or the other, but not both.
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Exactly.
     