Sandboxie and keyloggers

Discussion in 'sandboxing & virtualization' started by trjam, Jan 7, 2008.

Thread Status:
Not open for further replies.
  1. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    It is so restrictive that you might consider using it for only one or two sites. For instance: create a sandbox with that extra secure setting. Name the sandbox OnlyOpera (for instance - you can name it what you want.)
    Now make a shortcut to
    "C:\Program Files\Sandboxie\Start.exe" /box:OnlyOpera "url for your bank"
    (of course put the correct file location in there)
    Name it First National Bank and give it an Opera icon and you are looking good.
     
  2. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Actually I'm using that setup all the time :D
     
  3. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    I think it is working out great for you as you are on Opera. With IE it is just too much, I had to abandon it. But I am happy for you though. :D
     
  4. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    This may or may not apply for what you are trying to accomplish - but what about a 'dummy' sandbox that nothing is Forced into. Maybe then that dummy sandbox can give the rights to start.exe, and keep your sandbox still tight.
     
  5. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    I have tested that. It doesn't work. In my investigations I have to set some file access to opera.exe and start.exe.
     
  6. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    You might be going too tight - maybe a matter for Tzuk? Hey I just remembered what it was about the GUI that confused me b4 - and you demonstrated it in your previous post. You have to already 'know' to add that ! before the opera.exe and set it in the box just as MikeNas described. That's what it was about the GUI that I had forgotten. But all is well.....
     
  7. wat0114

    wat0114 Guest

    2008-02-11 20:48:57
    ask
    Network Activity
    TCP/IP
    send datagram
    C:\WINDOWS\system32\rundll32.exe - attempting dns connection
    0.0.0.0 - local ip
    192.168.0.1 - remote ip (my router uses DNS relay)
    1593 - local port
    53 - remote port

    While playing around with Sandboxie on a dodgy site, installing a Cursor program, this alert from Jetico fw occurred while attempting an activeX download. I blocked the attempt, then it gave me the option to download the file to a selected directory, instead. This just reaffirms my belief in the importance of using a firewall, even while containing browsing material in a sandboxed environment. Nowhere do I have a rule that allows rundll32.exe network access.

    Using Sandboxie with SSM and firewall, there is lots of information in the combined alerts to make an informed decision on a file download/install.

    As expected, all activity was flushed clean from the sandbox when I chose to do so.
     
  8. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Actually you don't need a firewall with Sandboxie if there is only one program which can connect to internet.
     
  9. wat0114

    wat0114 Guest

    The alert from Jetico indicates to me that rundll32.exe would have connected to the internet if I had allowed it, and especially if I had nothing to monitor outbound connection attempts.
     
  10. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Just set that your browser (or anything) is the only program which can connect to internet.
     
  11. wat0114

    wat0114 Guest

    MikeNAS,

    thank you for that tip :thumb: I found it under Sandbox settings, set only IE7 as allowed, and no alerts about rundll32.exe trying to connect, as I was taken straight to the option to only download the file (no alerts from Jetico because Sandboxie blocked it). That's a nice feature :)
     
  12. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I'm becoming more and more enthusiastic about Sandboxie. :)

    One question though:

    If I set my browser to be the only program that can connect to the internet in Sandboxie, will this automatically deny all internet access to programs outside the sandbox (AV that auto-updates etc)?
     
  13. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Of course not. It only affects the inside of Sandboxie. Remember that you can set up more sandboxes than one and use different settings.

    I have 3 sandboxes and here are quick settings:

    1. Firefox is the only program which can run and connect to internet. Secure erasing with Eraser (DoD). Blocked file and registry access.
    2. POP Peeper is the only program which can run and connect to internet. Secure erasing with Eraser (DoD). Blocked file and registry access.
    3. Not a single program can connect to internet. Secure erasing with Eraser (DoD). Blocked file and registry access.
     
  14. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Hi MikeNAS, thanks for your reply. What does the above mean exactly? Do I have to add firefox.exe to these lists in Sandboxie in order to obtain this? I don't know Eraser (DoD) so I'm guessing that this is another application you use?
     
  15. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Hi Stijnson, I wouldn't worry too much about tweaking Sandboxie. Its default settings are strong and if you add the setting to only permit internet access to one program, then you should be safe. Theoretically anything that finds its way into the sandbox may be able to look at your registry or in some files, but if for example Firefox.exe or Iexplore.exe is the only program permitted to call out, then your info is safe from being sent home to the mothership.

    I do recommend blocking access to your important personal files. Mine happen to be on other partitions so I just block file access to the partitions. Just remember that if you do this, you can't download or upload from that file or partition with the sandboxed application (while it's sandboxed of course). What I do is move the file to the desktop then to wherever it needs to go. Of course if it's a download I will scan it.

    You can block access to your important folders or partitions in Sandbox Settings - Resource Access - File Access then Blocked Access.

    I hope this helps,
    innerpeace
     
  16. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Yeah, Eraser is another application for erasing Sandboxie contents. Not needed...

    Here is quick blocked file and registry access guide:

    1. Sandboxie Settings.

    2. Resource Access - File Access - Blocked Access: Add what you like.

    3. Resource Access - Registry Access - Blocked Access: Add HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG.
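
    As an added example (not posted by anyone in this thread), here is what the settings described in posts 13 and 16 look like when written directly into Sandboxie.ini rather than through the GUI: one section per sandbox, ClosedFilePath for "File Access - Blocked Access", ClosedKeyPath for "Registry Access - Blocked Access", and the leading "!" that post 6 mentions, which exempts a single program from a block and so gives the "only this program can connect" behaviour. The box names, the `\Device\Afd*` network-device path, the `%Personal%` variable for My Documents, the D: data partition and the `#` comment lines are assumptions for the example; check them against the Sandboxie help for the installed version before relying on them.

```ini
# Added example of two Sandboxie.ini box sections; not from the thread.
# Everything marked "assumed" should be verified against the Sandboxie help.

[WebBox]
Enabled=y
# Internet access restricted to one program: the "!" exempts firefox.exe from
# the block on the network device, so Firefox is the only sandboxed program
# that can connect. Anything else dropped into the box (e.g. a rundll32.exe
# spawned by an ActiveX installer, as in post 7) gets no network at all.
# "\Device\Afd*" is the assumed device path for the network stack.
ClosedFilePath=!firefox.exe,\Device\Afd*
# Blocked file access: personal documents and a data partition are invisible
# to the box, so a sandboxed program can neither read nor upload them.
# Downloads into these locations from inside the box will fail too; save to
# the desktop and move the file afterwards, as post 15 describes.
ClosedFilePath=%Personal%
ClosedFilePath=D:\
# Blocked registry access exactly as listed in post 16. Blocking whole hives
# can break some programs, so test the box after adding each line.
ClosedKeyPath=HKEY_CLASSES_ROOT
ClosedKeyPath=HKEY_CURRENT_USER
ClosedKeyPath=HKEY_LOCAL_MACHINE
ClosedKeyPath=HKEY_USERS
ClosedKeyPath=HKEY_CURRENT_CONFIG

[OfflineBox]
Enabled=y
# No "!" exemption here: nothing running in this box can open the network
# device, which is post 13's third sandbox ("not a single program can connect").
ClosedFilePath=\Device\Afd*
ClosedFilePath=%Personal%
ClosedFilePath=D:\
ClosedKeyPath=HKEY_CLASSES_ROOT
ClosedKeyPath=HKEY_CURRENT_USER
ClosedKeyPath=HKEY_LOCAL_MACHINE
ClosedKeyPath=HKEY_USERS
ClosedKeyPath=HKEY_CURRENT_CONFIG
```

    These lines only affect programs running inside the named box, which is MikeNAS's answer to Stijnson's question in post 12: an antivirus updater running outside Sandboxie is not touched. A program is launched into a given box with the same Start.exe syntax as post 1, i.e. `Start.exe /box:WebBox firefox.exe`. After editing the file, the Sandboxie Control window needs to reload the configuration before the new sections take effect.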
     
  17. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I think the blocking of file and registry is not needed, after all the hives needed for sandboxed app. to function are also placed in the registry as a kind of layer; if you log off the session then the layer disappears also. So if firefox.exe is the only app. that can connect then any changes are made in the sandbox, which includes the registry [layer]. Insofar it's my grasp of Tzuk's explanation but maybe I am wrong so more experienced users can correct me! ;)
     
  18. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    @Innerpeace, MikeNAS and Huupi: thanks for all your help

    @Innerpeace:
    This would be Documents etc.? Or other things?
     
  19. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Although I'm not an experienced user, I use the file blocking because I don't use the only allow one program internet function yet. There are many others who use it too. I especially like to use it when doing unsafe surfing when my C: partition is virtualized with Returnil. I like my layers, what can I say LOL.

    I do understand what you're trying to say though about allowing internet access to only one program and that theoretically nothing else can call out, but adding the extra safeguard by blocking access to important files seems like a good idea to me.

    @ Stijnson, Yes, before I had 3 partitions, I added My Documents as a file to be blocked. Of course only add it if that is where your important personal files are located. As to how necessary it is when you only allow one application internet access within Sandboxie is going to be debatable. IMO, it wouldn't hurt to block access to them.

    innerpeace
     
  20. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    BTW there's a new rewritten tutorial from Tzuk on his site!
     