Critique my Security Setup

Discussion in 'other anti-malware software' started by whitedragon551, Apr 30, 2010.

Thread Status:
Not open for further replies.
  1. whitedragon551

    whitedragon551 Registered Member

    I know for a fact that Sandboxie strips admin rights. If you install ChromePlus to someplace other than the default %appdata% folder it will require admin rights to run. If you force it to run in Sandboxie with Drop Admin Rights enabled it will throw up a Path Access Error. As soon as you disable forced programs the error is gone.
     
  2. Sully

    Sully Registered Member

    Perhaps the stripping of the security token in SBIE is different from the standard method. It could be that Tzuk found that not stripping rights from certain areas of the sandbox environment was helpful or just needed to work.

    I have never seen any documentation that stated that you could proactively strip a token only for specific objects/containers, nor the reverse, all but specific objects/containers. AFAIK the method employed just strips the token outright by group.

    Man I love SBIE.

    Sul.
     
  3. pajenn

    pajenn Registered Member

    First, your setup looks solid, and I don't think you need to add anything, but if you want to do so anyway then read on.

    Second, I personally prefer lighter active defenses (scanners, etc.), but heavier passive defenses (backups, rollbacks, virtualizers, etc.), so that's one way to go if you want to try something different.

    I use KeyScrambler with FF to protect against keyloggers - not sure how real a threat they are, but KS is free and has a good reputation. It's worth considering if you are concerned about keyloggers.

    I used to use Emsisoft's A-Squared on demand but switched to their Commandline Scanner (and HiJackFree on rare occasions). I prefer to run quick, smart and deep scans from the cmd prompt that log detected malware, but do not quarantine. Then I can double-check the results online with Jotti or VirusTotal. ~80% of the results are false positives in my experience, so that's why I log only at first.

    Do you have Paragon Backup installed or just on cd/usb? To keep my system lighter, I prefer to run imaging software from boot media only and cold-image my system partition. That said, I do have Drive Snapshot installed since it's tiny and fast, and can create differential backups from smallish hash files, which is convenient when traveling. I think IFW doesn't add any active processes or services to the system either. Also, if speed of backups is an issue, you might want to test Paragon against a few other imaging programs (if you haven't already) - for me Paragon was slow, but YMMV.

    Almost last, I recommend Rising PC Doctor for on-demand checks simply because it's different from other anti-malware programs and performs certain functions that they do not and which you may or may not like. For example, it checks for "missing" (non-standard) KB updates that address various security issues. The link is to the majorgeeks.com website so that you can see its less-than-stellar user rating, i.e. PC Doc is not for everyone.

    And last, a light virtualizer (ShadowDefender, DeepFreeze, Returnil, ...) for on-demand use, or a rollback program (Rollback Rx, Comodo Time Machine, ...) would improve your security even further, but you've probably already considered, tried and rejected them.
     
    Last edited: May 1, 2010
  4. whitedragon551

    whitedragon551 Registered Member

    My main focus with the current setup was light yet secure. I'm contemplating switching to ChromePlus rather than FF simply because it's a faster browser, and with Sandboxie browser choice is a moot point.

    I have Paragon installed. I won it here with the software give away and usually do a backup or 2 a week to a Seagate Barracuda 1.5TB HD.

    I've tried Shadow Defender and Returnil, but didn't like the whole reboot process. It would be nice if you could switch between virtualization and real-time OS features. It seems as if it would be a waste of time to virtualize the OS just to download some obscure program, test it out for an hour or two, and then reboot to have it all wiped away.

    I could give Rising PC Doctor a whirl. I used to use the Rising FW because it was very light, but I encountered random internet lags and drop-outs, and with the switch to Comodo and then LnS it has disappeared.
     
  5. Gizzy

    Gizzy Registered Member

    I was able to access/modify boot.ini doing all of the above.

    Though using my LUA without the involvement of Sandboxie I could access boot.ini but could not modify it; access was denied.

    I believe my permissions are correct; I'm not able to modify any files I shouldn't be able to.
    I'm testing all this with a default sandbox, only the DMR being changed on/off.

    But on the forum, those links I posted had users asking why they could still modify files and had write access to system folders like what I'm experiencing, and Tzuk explained to them it was because the files were actually in c:\sandbox.

    I don't see anywhere where it says DMR in Sandboxie shouldn't be like that.

    This is interesting, :)

    It seems to work for me like in those links I posted, if I understand them correctly.
    I'm able to modify things in Sandboxie because they're not the restricted directories/files.

    But then I don't understand why we're not experiencing the same things.



    @whitedragon551 - Sorry for being a bit off topic with these posts.


    Let me make sure I have the right one http://www.chromeplus.org/
    If that's it, I'm not getting any errors with DMR in Sandboxie on or off.

    I did get an error in the past for an Opera install with Sandboxie DMR, but I figured it checked if it had an admin token, which it didn't, so it told me to install from an admin account.

    According to the Sandboxie forums it does strip admin rights, but you should still be able to modify system files/folders because in Sandboxie they're actually located in c:\sandbox\etc...\

    As long as you don't have any direct/full access settings.


    So do I. :thumb:
     
  6. whitedragon551

    whitedragon551 Registered Member

    Gizzy that is the correct browser, but where did you install it? I changed installation paths from the %appdata% folder to the Program Files(x86) folder in Win 7 x64 Pro.
     
  7. Gizzy

    Gizzy Registered Member

    I'm not sure if it's changed since you installed it, or maybe it's because I'm using Win XP 32-bit... But for me the default install path was C:\Program Files\ChromePlus

    Since writing to Program Files should be restricted in a non-admin account, I left it as that.
     
    Last edited: May 3, 2010
  8. whitedragon551

    whitedragon551 Registered Member

    When I tried to install it the default location was the %appdata% folder somewhere. I changed it to C:\Program Files (x86)\ChromePlus and I get the error. Perhaps I had a messed-up installer and I should try again.
     
  9. ratwing

    ratwing Guest

    Now this is a knowledge-intensive, technical thread!!

    I don't understand half of it, but it is nice.

    Is this "The Old Wilders" some of the old guys miss?


    respect
    rat
     
  10. Sully

    Sully Registered Member

    Hmm. I think I will have to do a more in-depth test. Earlier today I tried to access c:\boot.ini in SBIE with the drop rights option enabled, from an admin account, and it was denied. Simply changing the drop rights feature to disabled then allowed it. There is certainly a simple answer.

    I performed the tests on xp pro, and what OS were you using?

    I have a few hare-brained ideas cooking now that I had not thought of before, so the fun shall begin lol.

    Sul.
     
  11. pajenn

    pajenn Registered Member

    You know you can 'commit changes', i.e. not wipe the program away if you like it, right? Besides, a lot of programs are such that you may only want the outcome they produce (e.g. the scan result of a new antivirus) without the leftovers that a regular install & uninstall would cause.

    In my case I have an older desktop that I usually keep on when at home to run various functions (skype phone, downloads, secondary monitor, printing, etc ...) - I used to keep its system partition virtualized by default, but then again, since I didn't use it actively it probably didn't need the protection. (I later stopped virtualizing it to use it for software testing).
     
  12. Gizzy

    Gizzy Registered Member

    I'm using XP Home 32-bit.
    I tested in a LUA and an admin account.

    I'm interested to hear your results. I'll see if I can figure anything out on my end as well; if there are any tests you want me to try, I will. :thumb:
     
    Last edited: May 3, 2010
  13. Sully

    Sully Registered Member

    Tonight I plan to restore my win7 back on my machine as a default install. Then I will do some testing with fresh accounts and the default box. Maybe some more light will be shed.

    Sul.
     
  14. Sully

    Sully Registered Member

  15. whitedragon551

    whitedragon551 Registered Member

  16. Sully

    Sully Registered Member

    I don't know. When I tested this initially, I was concerned about a simple test to see if the DR feature was doing WITHIN the sandbox what DMR did outside it. I just tested objects in c:\ such as boot.ini. I did not explicitly test to see if all areas that are supposed to be off limits to a user were upheld or not.

    Wait a day or two and see, as I am very curious now as to just what is going on with the DR feature. It may not be what I was expecting, in which case as you say one might do some more configuring based on this knowledge.

    Sul.
     
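The posts above disagree about what Drop Admin Rights actually does to a process: Sully sees boot.ini denied with the option on, Gizzy can write to system locations because the write lands in c:\sandbox. The two effects are separable, and the script below is an added example (editor's code, not from the thread or from Sandboxie) that makes both visible. It reports what the process token looks like (is BUILTIN\Administrators enabled, present "for deny only" as in a restricted or UAC-filtered token, or absent) and then attempts a write to a handful of probe paths. The probe paths and file names are assumptions; the token report relies on the `whoami /groups /fo csv` output format shipped with Vista and later, so on XP that part needs the Support Tools whoami or can simply be skipped.

```powershell
# Added example, not code from the thread. Run it three ways from the same account:
# unsandboxed, in a Sandboxie box with Drop Admin Rights off, and with it on.
# The probe paths are assumptions; use "Program Files (x86)" on x64 to match the
# ChromePlus case in the thread.

$targets = @(
    'C:\boot.ini',                               # XP boot file the thread used as a probe
    'C:\Windows\System32\drivers\etc\hosts',     # admin-only on every Windows version
    'C:\Program Files\sbie-probe.txt',           # per-machine install location
    (Join-Path $env:APPDATA 'sbie-probe.txt')    # per-user location, writable by any user
)

# Describe the token of the current process: is the Administrators group
# present and enabled, present only for deny (a filtered/restricted token),
# or absent altogether?  whoami /groups exposes the attribute column.
function Get-TokenSummary {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $groups    = whoami /groups /fo csv | ConvertFrom-Csv
    $admins    = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $state     = if (-not $admins)                              { 'absent' }
                 elseif ($admins.Attributes -match 'deny only') { 'deny-only' }
                 else                                           { 'enabled' }
    [pscustomobject]@{
        User            = $id.Name
        IsAdminRole     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        AdminGroupState = $state
        IntegrityLevel  = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'
    }
}

# Try to open a path for writing.  Append mode creates a missing file but never
# truncates an existing one, so the hosts file and boot.ini are left untouched.
# A probe file this function created is removed again afterwards.
function Test-WriteAccess {
    param([string]$Path)
    $existed = Test-Path -LiteralPath $Path
    try {
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Append, [IO.FileAccess]::Write)
        $fs.Close()
        if (-not $existed) { Remove-Item -LiteralPath $Path -ErrorAction SilentlyContinue }
        return 'WRITABLE'
    } catch {
        # .NET exceptions surface wrapped in MethodInvocationException; unwrap them
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        switch ($ex.GetType().Name) {
            'UnauthorizedAccessException' { return 'DENIED' }
            'DirectoryNotFoundException'  { return 'NO-SUCH-DIR' }
            'FileNotFoundException'       { return 'NO-SUCH-FILE' }
            default                       { return "ERROR: $($ex.GetType().Name)" }
        }
    }
}

Get-TokenSummary | Format-List
foreach ($t in $targets) {
    '{0,-45} {1}' -f $t, (Test-WriteAccess $t)
}
```

How to read the output: from an admin account with Drop Admin Rights on, IsAdminRole should come back False and AdminGroupState should no longer be "enabled"; that is the token stripping the thread is discussing, and it is what makes an installer or a program that checks for admin membership refuse to run (the ChromePlus and Opera errors). A "WRITABLE" result inside a box proves nothing about the real file, because Sandboxie redirects the create into the box's folder under C:\Sandbox; after a sandboxed run, check from an unsandboxed prompt whether sbie-probe.txt appeared at the real path or only under the box. "DENIED" inside the box, on the other hand, means the access check failed before any redirection happened, which is the result Sully reports for boot.ini.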
  17. whitedragon551

    whitedragon551 Registered Member

    Until the SBIE testing is done any other ideas or comments?
     
  18. doktornotor

    doktornotor Registered Member

    You mean add the real %WINDIR% to ReadFilePath? No, you shouldn't, since that will "unsandbox" it...

    Folks, I really don't get what you are testing here on the other thread, but seriously this is going completely the wrong way.
     
  19. whitedragon551

    whitedragon551 Registered Member

    No I mean to the Resource Access > File Access > Read only access.
     
  20. doktornotor

    doktornotor Registered Member

    That translates to ReadFilePath in sandboxie.ini
     
  21. whitedragon551

    whitedragon551 Registered Member

    Ah ok.
     
    Last edited: May 5, 2010
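For anyone mapping the GUI labels in the exchange above to the file, here is an added example of a minimal box definition in Sandboxie.ini (editor's illustration, not a fragment posted in the thread or shipped by Sandboxie). The box name and the paths are assumptions chosen to illustrate each key; the key names are the ones the Sandbox Settings dialog writes.

```ini
[DefaultBox]
Enabled=y

; Sandbox Settings > Restrictions > Drop Rights: run every program in the box
; with a token that no longer carries Administrators/Power Users rights.
DropAdminRights=y

; Resource Access > File Access > Read-only Access (ReadFilePath): the real
; file stays readable from inside the box, but a sandboxed write is refused
; rather than redirected into the box folder. Path is an illustrative assumption.
ReadFilePath=C:\Windows\System32\drivers\etc\hosts

; Resource Access > File Access > Direct Access (OpenFilePath): writes go
; straight to the real file system, i.e. that location is no longer sandboxed.
; Keep this to a dedicated drop folder, never to system paths.
OpenFilePath=C:\SandboxExchange\

; Resource Access > File Access > Blocked Access (ClosedFilePath): not even
; readable from inside the box.
ClosedFilePath=C:\Users\%USER%\Documents\Private\
```

Changes made in the Sandbox Settings dialog land in the same file, so after editing by hand the box needs to be reloaded for the new keys to take effect.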
  22. whitedragon551

    whitedragon551 Registered Member

    Ok so a few changes are being considered.

    I'm considering dropping Avira for on-demand use and running A-Squared in real time. Anyone have any input on that? I'm also considering Rising PC Doctor.
     
  23. Sully

    Sully Registered Member

    @whitedragon

    It would seem that when Sandboxie strips the token, the real system uses it. So in the case of a setup.exe which requires admin to run, it sees the lack of admin credentials and disallows installation. I will imagine also that when starting Chrome or whatever you were referring to, it needs admin rights and checks before allowing something.

    If the starting object does not care if admin credentials are present or not for it to execute or be read, then the stripped tokens have no bearing really.

    I don't see a need to modify anything unless you want specific effects with sandboxie.

    Sul.
     
  24. whitedragon551

    whitedragon551 Registered Member

    ChromePlus required admin rights to run if it wasn't installed to the default folder. I have Sandboxie set to drop admin rights, and that was what was causing the Path Access Error. I've since uninstalled ChromePlus and gone in search of another Chrome-based browser without the issues.

    I'm also using eM Client. I visit a site that doesn't store cookies to go to the last post of a topic you're watching, so it requires you to visit the site and then visit again to see the last post. Without eM Client being configured properly in Sandboxie I have to view subscribed posts and then find the topic. Any ideas for this issue?
     
  25. Sully

    Sully Registered Member

    No, not really. If the app were storing something and you did not delete the contents of the box, it should operate normally. It sounds like it is supposed to save something somewhere, else functionality starts fresh every time, but then I don't use it, so I don't know exactly what it is supposed to do.

    Sul.
     