Try your anti-keylogger protection

Discussion in 'other anti-malware software' started by aigle, Apr 1, 2008.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    ErikAlbert

    You use First Defense? The first sectors of the disk are still unprotected, even in Vista. Does First Defense on reboot cover those first sectors too, or is the only way for your setup to stop the MBR rootkit with Anti-Executable?

    Thanks
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    According to my readings at Wilders, FDISR dies when KillDisk attacks. So I really need Anti-Executable to prevent this. Some ISR softwares are able to survive KillDisk.
    Is that for me an excuse to ditch FDISR? No, because all ISR softwares are much less than FDISR in possibilities, which I need daily.

    How many days have I been infected with KillDisk: 0 days.
    Even when Killdisk strikes, I only have to execute plan C+ or plan D+ and I'm back in business. So Killdisk is not a problem anymore.
    I consider Killdisk as a very stupid malware, never kill the goose with the golden eggs.
     
    Last edited: Apr 4, 2008
  3. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    Yes, those 4 settings are redundant (just a subset of *). Use the GlobalSettings process group and the

    ClosedFilePath/ClosedIpcPath=!<restricted>,*

    in their place. This will prevent any execution at all of apps outside your process group.
     
  4. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi wraithdu

    You are a star. I just wish the Sandboxie forums were as responsive as this.

    Thank you

    Terry
     
  5. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    I just got an interesting piece of information from tzuk, the Sandboxie developer.
    This means that if you've got the previously mentioned ClosedIpc/FilePath=!<restricted>,* setting then nothing downloaded via your browser into the sandbox will be allowed to run, not even if it names itself to one of your allowed programs. Pretty slick. Same goes for the =! internet access settings, nothing residing inside the sandbox is allowed to connect, regardless of name.

    So to accurately test Sandboxie against keyloggers that would have been downloaded during a sandboxed browsing session, it is necessary to place them inside a sandbox before executing them.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Great Thread.

    Would the below work for registry containment, though, or is it missing something, or is it not needed at all?

    In all honesty, the new syntax has me learning this all over again.

    Please comment and correct where needed. Thanks



     
  7. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    Seems as though that's the same as just
    No?
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    You're right.

    Thanks wraithdu

    This new syntax is my stumbler; I'll keep a closer eye on further uses of it.

    EASTER
     
  9. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    wraithdu,

    Just to clarify, are you saying that nothing downloaded via your browser into the sandbox can manipulate the very same browser to connect out?

    If so, with a properly configured sandboxie, we can kiss software keyloggers (downloaded during a sandboxed session) goodbye for ever!

    soccerfan
    Edit: Edited last line.
     
    Last edited: Apr 5, 2008
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    For the benefit of avid SandboxIE users/customers, it would be nice if someone could put all these syntaxed items of coverage together in one place, since I doubt they can ever be implemented into SandboxIE proper because of the many different configurations users depend on as their choice.
     
  11. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    This is the case only if you have the appropriate line(s), ie

    ClosedIpc/FilePath=!<restricted>,*

    If you don't use that, then downloaded programs can still run in the sandbox and perhaps inject code into your already running browser.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    This is probably a complete mess, but can you recommend which lines need to be omitted from those that should be set correctly?

    The new syntax is completely foreign to me at this point, and I know this is not an accurate configuration by any stretch.

    Thanks



     
  13. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    This should work:

    1. Closed/Open*Path settings don't go under global, only sandboxes.
    2. I removed the redundant and unreferenced Closed*Path settings. You had a <restricted> group in there as well, which was not defined in your global settings.
    3. Removed SbieCtrl from the process group (it never runs sandboxed) and added SandboxieCrypto.exe for IE.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks again wraithdu for your oversight into these SB configurations for the newest version.

    Some like yourself are really more in tune to accurate placements per importance of coverages in SB.

    Really glad to have your generous guidance in these, that's for sure.
     
  15. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    If there is

    ProcessGroup=<restricted1>,iexplore.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,SandboxieCrypto.exe

    And

    ClosedFilePath=!<restricted1>,*
    ClosedIpcPath=!<restricted1>,*
    ClosedKeyPath=!<restricted1>,*

    These rules are useless because msimn.exe and outlook.exe can't run at all.

    OpenFilePath=msimn.exe,%AppData%\Identities
    OpenFilePath=msimn.exe,%Local AppData%\Identities
    OpenFilePath=msimn.exe,%AppData%\Microsoft\Address Book
    OpenFilePath=msimn.exe,*.eml
    OpenFilePath=outlook.exe,%AppData%\Microsoft\Outlook
    OpenFilePath=outlook.exe,%Local AppData%\Microsoft\Outlook
    OpenFilePath=outlook.exe,*.eml
    OpenKeyPath=msimn.exe,HKEY_CURRENT_USER\Identities
    OpenKeyPath=msimn.exe,HKEY_CURRENT_USER\Software\Microsoft\Outlook Express
    OpenKeyPath=msimn.exe,HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
    OpenKeyPath=msimn.exe,HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express
    OpenKeyPath=msimn.exe,HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Outlook Express
    OpenKeyPath=outlook.exe,HKEY_CURRENT_USER\Software\Microsoft\Office
    OpenKeyPath=outlook.exe,HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
     
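A static check for the configuration mistakes described in the two posts above: wraithdu's points that Closed/Open*Path lines belong in a sandbox section rather than GlobalSettings, that a referenced <restricted> group must be defined under GlobalSettings, and that SbieCtrl never runs sandboxed; and MikeNAS's point that per-program OpenFilePath/OpenKeyPath lines for a program which the `!<group>,*` lock-down prevents from running are dead rules. This is an added example written for this page, not Sandboxie's code or anything posted in the thread. It models the rule semantics only as the thread describes them (a Closed*Path=!<group>,* line in a sandbox means only members of that ProcessGroup can run there), assumes program-name matching is case-insensitive, uses a Sandboxie.ini text constructed for the demonstration, and the finding codes are names chosen here.

```python
"""Lint a Sandboxie.ini for the '!<group>,*' lock-down mistakes discussed in this thread.

Added example, not Sandboxie's code. Rule semantics are modelled only as the
thread describes them; the finding codes are names chosen here.
"""
import re
from collections import defaultdict

# Constructed sample (not from the page): one deliberate mistake per point
# raised in the thread, plus one correct per-program OpenFilePath line.
SAMPLE_INI = r"""
[GlobalSettings]
ProcessGroup=<restricted1>,iexplore.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,SandboxieCrypto.exe
ProcessGroup=<restricted2>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,SbieCtrl.exe
ClosedFilePath=!<restricted1>,*

[DefaultBox]
ClosedFilePath=!<restricted1>,*
ClosedIpcPath=!<restricted1>,*
ClosedKeyPath=!<restricted1>,*
OpenFilePath=msimn.exe,%AppData%\Identities
OpenFilePath=iexplore.exe,%AppData%\Microsoft\Internet Explorer

[Firefox]
ClosedFilePath=!<restricted9>,*
"""

PATH_KEYS = {"ClosedFilePath", "ClosedIpcPath", "ClosedKeyPath",
             "OpenFilePath", "OpenIpcPath", "OpenKeyPath"}
NEG_GROUP_ALL = re.compile(r"^!<([^>]+)>,\*$")              # !<group>,*
PER_PROGRAM = re.compile(r"^([^,\\/]+\.exe),(.+)$", re.I)    # prog.exe,path


def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping order and repeated keys."""
    cfg, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            cfg[section].append((key.strip(), value.strip()))
    return cfg


def process_groups(cfg):
    """ProcessGroup=<name>,a.exe,b.exe under [GlobalSettings] -> {name: {exes}}.
    Member names are lower-cased: case-insensitive matching is an assumption here."""
    groups = {}
    for key, value in cfg.get("GlobalSettings", []):
        if key == "ProcessGroup":
            name, _, members = value.partition(",")
            groups[name.strip("<>")] = {m.strip().lower() for m in members.split(",") if m.strip()}
    return groups


def lockdown_groups(cfg, sandbox):
    """Groups g for which this sandbox carries a Closed*Path=!<g>,* line."""
    names = set()
    for key, value in cfg.get(sandbox, []):
        m = NEG_GROUP_ALL.match(value)
        if key in PATH_KEYS and key.startswith("Closed") and m:
            names.add(m.group(1))
    return names


def can_run(cfg, sandbox, exe):
    """As the thread describes it: with Closed*Path=!<g>,* present, only members of g run.
    A reference to an undefined group therefore locks everything out."""
    groups = process_groups(cfg)
    return all(exe.lower() in groups.get(g, set()) for g in lockdown_groups(cfg, sandbox))


def lint(cfg):
    """Return [(code, section, line)] for the mistakes called out in the thread."""
    findings = []
    groups = process_groups(cfg)
    for section, entries in cfg.items():
        for key, value in entries:
            if key == "ProcessGroup" and section == "GlobalSettings":
                members = {v.strip().lower() for v in value.split(",")[1:]}
                if "sbiectrl.exe" in members:       # the control program never runs sandboxed
                    findings.append(("CONTROL_IN_GROUP", section, f"{key}={value}"))
            if key not in PATH_KEYS:
                continue
            if section == "GlobalSettings":        # path rules belong in a sandbox section
                findings.append(("PATH_RULE_IN_GLOBAL", section, f"{key}={value}"))
                continue
            m = NEG_GROUP_ALL.match(value)
            if m and m.group(1) not in groups:     # <restricted> never defined globally
                findings.append(("UNDEFINED_GROUP", section, f"{key}={value}"))
            pm = PER_PROGRAM.match(value)
            if pm and key.startswith("Open") and not can_run(cfg, section, pm.group(1)):
                findings.append(("DEAD_OPEN_RULE", section, f"{key}={value}"))  # program can't run here
    return findings


if __name__ == "__main__":
    for code, section, line in lint(parse_ini(SAMPLE_INI)):
        print(f"{code:20} [{section}] {line}")
```

Run it against your own Sandboxie.ini by replacing SAMPLE_INI with the file's contents. A DEAD_OPEN_RULE finding is the situation MikeNAS describes: the OpenFilePath line is harmless but does nothing, because the program it names is locked out of that box; either add the program to the group or drop the line.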
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Interesting. Keep this alive.

    FYI, my interest is NOT to leave the <restricted>* in place permanently, because obviously it will hinder opening most anything in the sandbox at all, as I just discovered.

    It's a matter of reaching a balance between which syntax is available for maximum blocking where and when needed, and relaxing that restriction where not necessary.

    So then with that in mind, when is it useful to apply
    ClosedFilePath=!<restricted1>,*
    ClosedIpcPath=!<restricted1>,*
    ClosedKeyPath=!<restricted1>,*

    And what can we put where <restricted1> has been in order for the sandbox to allow executables to run in SB's artificial environment?
     
  17. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi Wraithdu

    Need a bit of help.

    I have modified my Sandboxie config to suit your suggestions and the fact that I use several Sandboxes as below:

    Global

    ProcessGroup=<restricted1>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
    ProcessGroup=<restricted2>,wmp.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
    ProcessGroup=<restricted3>,thunderbird.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
    ProcessGroup=<restricted4>,opera.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
    ProcessGroup=<restricted5>,iexplore.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,SandboxieCrypto.exe
    ProcessGroup=<restricted6>,msimn.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
    ProcessGroup=<restricted7>,popman.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe

    Sandbox Opera

    ClosedFilePath=!<restricted4>,*


    Sandbox Firefox

    ClosedFilePath=!<restricted1>,*


    Everything works fine as you said it would, EXCEPT that when I try to print in Opera I get an exception fault:

    "rundll32.exe application error. The application failed to initialise properly 0xc0000022"

    The message appears twice and then it continues to print.

    The first error message occurs when I highlight text for printing, the second occurs when I press print.

    This does not occur in Firefox.

    Any ideas please?

    Thanks

    Terry
     
  18. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Thanks for the clarification.

    It would appear that this is the ideal setup for something like a 'banking session' when one feels most vulnerable. IMO, normal browsing need not have to be so restrictive.

    soccerfan
     
  19. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Honestly, I don't get why all this fuss will pay off in real-world situations. Is it so difficult to start with a clean, fresh sandbox, go straight to your banking, do your thing and log off?

    Sure, this config [wraithdu] will kill any server-side nasties also, but is it a real danger these days?

    IMO Most keyloggers reside between the ears. :D
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    To answer that question, most people have no understanding of the threat, no understanding of how or why the posed solution protects against the threat, or both. That's why all the fuss.
     
  21. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Very nice bit of work by wraithdu and good input from mitch and MikeNas.

    But, um err, how the hell am I gonna be able to test any malware samples with those settings o_O :'(

    Just kidding. :D
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Exactly Franklin!

    And this is why it's very needed for someone who is well versed in SandboxIE's new syntax to create a write up for everyone to go on.

    Tzuk maybe? Wraithdu? MikeNAS?

    This is just too important to scatter a coverage here and then several pages over add a coverage there then post a link to the coverage shown to work 2 weeks ago that a new member didn't even know exists!

    Tzuk should really create a total HELP file with this app, IMHO, with detailed explanations of these .ini configs, so users don't get hammered when they could have easily added a few lines of the developer's code to prevent it.

    This is like running to the grocery every day to see if the latest fresh bread shipment had arrived yet or not.

    Wraithdu & MikeNAS have really stepped up front in this, and for that it's greatly appreciated.
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    It will probably happen Easter but these things take time.

    Maybe a whitelist through Sandboxie's gui :

    "Only these Apps can run in the sandbox"

    "Only these Apps can use internet resources"

    Without a need to edit the .ini maybe?
     
  24. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    examples please !!
     
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    That would then probably count as personal attacks, so I'll refrain.
     