Sandboxie and keyloggers

Discussion in 'sandboxing & virtualization' started by trjam, Jan 7, 2008.

Thread Status:
Not open for further replies.
  1. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Sure, checking/scanning for these nasties beforehand is the obvious thing to do, at least if you want Sandboxie to protect a pristine system; otherwise it's useless to rely on Sandboxie because, as Tsuk said... an installed keylogger has unrestricted access to the Web.

    But it still puzzles me how an installed keylogger can reach out to bypass Sandboxie??
     
  3. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I think you may misunderstand Sandboxie and how it works. When you run your browser sandboxed, anything that comes through the sandboxed browser will remain in the sandbox. It can't get to your 'real' system. If you were already infected with a keylogger before installing Sandboxie, then that would be active in your 'real' system and would be functioning outside of Sandboxie. It is not able to circumvent Sandboxie, as it was never run through it in the first place. You must understand that Sandboxie does not sandbox your system; it sandboxes applications that you choose to run sandboxed.

    Hope this helps.

    muf
     
  4. wat0114

    wat0114 Guest

    Interesting thread. I'll have to revisit sandboxes. For some reason I could not get sold on them in my previous, albeit brief, trialing of them, Sandboxie being one of them and I forget the other. Seems to me there was some instability issue I had with Sandboxie at the time. However, it is clear from this thread they are an excellent browsing companion :)
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes. I've tested it against all the crud I have, and it's protected the computer. I've even tested Outlook in the sandbox, and that solves the email problem.
     
  6. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    First let me state this: I am a great supporter of sandboxie. It is probably my favorite security tool.

    This being said: one of the problems I have with selective virtual environments is that, because of their dynamic nature, they tend to be bypassed by the users themselves... The problem is, if they manage to get infected while outside the sandbox, they will have no other means of recovery and no warning that they are even infected. Not to mention that, due to ignorance, they may actually release an infection from the sandbox thinking it's a legitimate and clean program, thus infecting the system
    (if, as some advise here, Sandboxie is used as the only security tool, then this user is in serious trouble indeed).

    CASE IN POINT: I worked on two systems yesterday, both infected with a rootkit. Both systems had Sandboxie; one even had Returnil + several other security tools, including the latest NOD32 v.3. The other infected PC had AVG AV Free, and both had Prevx 2.0...

    See this post: https://www.wilderssecurity.com/showpost.php?p=1177759&postcount=243

    Claims that Sandboxie or any other system is the "Perfect" tool are ludicrous... as one must take into consideration the users and their idiosyncrasies. I think it is unfair and a great disservice to anyone to make the outrageous claims some make in this thread...
     
    Last edited: Feb 7, 2008
  7. Terror_Eyez

    Terror_Eyez Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    23
    Location:
    Your moms bed...
    Yes I have, why do you ask?

    I'm not saying it is NO good for XSS, I am just saying that all XSS is based off of one of 3 attacks. And NS has a problem with the most frequently used attacks (and the more advanced XSS), that's all...

    I'm not saying to get rid of FF and/or its NS extension, I am just saying that, for example, Opera can block all this stuff that NS can block, plus more, without needing 3rd party tools which could easily be disabled through an attack...

    Well, there is no need to overdo it; just use the sandbox over and over as much as you want, until you feel that it should be cleaned, then just dump it. No need to dump it after every XSS you come across (although you could if you want to).

    You are correct, Sandboxie's files are immune, cause you have to remember, although start.exe, SandboxieRpcSs.exe and SandboxieDcomLaunch.exe might be running, they are running sandboxed! ;)

    Exactly, with all 3 things blocked off to keyloggers (or other nasties) what could they do?

    That is 100% correct, it is like a VM, everything is just locked inside the sandbox, anything and everything it does is stuck inside the sandbox, no matter what!

    It can't...
    just refer to muf's post...

    Same here, I have tested it against some of the worst viruses out there: keyloggers, trojans, spyware, adware, rootkits, etc.
    Nothing can get through! I have tried my hardest, cause I actually want to see it get bypassed once, just so I can say "finally", but it never happens. Sandboxie is as hard as a rock!
     
  8. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I'm really interested in trying out Sandboxie.
    I don't surf a lot, but I guess browsing in a Sandbox will probably be the best way to start, right?

    If I download movies with Newsleecher (DVD5, so most of the time 90x50MB rar files), can I do that in Sandboxie as well? Where does it leave all the files and how can I ultimately get them on my HD?
     
  9. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    You have to recover/write the files to your drive but you could sandbox your mediaplayer.

    /C.
     
  10. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    So downloading the files doesn't necessarily have to go through Sandboxie? I burn them to DVD (after compiling them with WinRar). Which of these actions should go through Sandboxie?
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, so these are not very clever people. What on earth did they do?
     
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I have no idea... only that they did have a load of crap for me to mop... :cautious:
    More than likely they allowed the infection to escape the sandbox... thinking it was something good as usual.
    What kills me is that all these "Other" layers still missed the infection in the first place... that is really bothering me actually.
    Considering these are the best tools we currently have available to secure these environments...
     
  13. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Yes, but how does the installed keylogger get to the web if the only gateway is the sandboxed browser? Are there more ways out for stuff like that?
    I can give my browser, as the only app in a particular sandbox, the right to connect, and all others not, so it's my understanding that anything other than my browser is denied a connection, even the most remotely bad code, aka a keylogger. For me it isn't obvious; I have a hard time getting the idea.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think it just goes to prove my feeling: The worst tools in good hands will protect you, and the best tools, in inept hands can't protect you.

    I fear my friend you won't see a slack in business.
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Huupi: let's assume Sandboxie is perfect, no flaws.
    The user himself can still go ahead and recover the keylogger from the sandbox and execute it outside Sandboxie's scope.
    If the user already had a keylogger before installing Sandboxie to begin with, it will work without interception. Sandboxie protects what is outside the sandbox from the inside, but not the other way.
    Not every XSS (how could I detect it anyway?). I mean every time I wanted to log in.

    Can you give me a link or two demonstrating/discussing Opera's effectiveness against XSS? I would be delighted to read that.
    I have asked for that info a few times before, and searched, with no luck; in fact I've read the contrary, that Opera did nothing to prevent it.
    I would be more than happy to find out that Opera is secure concerning XSS.
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    There are some keylogging techniques which work fine inside Sandboxie.
     
  17. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    If I have to believe the working of SB, then it's not a problem.
     
  18. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Wow, Terror_Eyez, that was ... complete. Just one thing: the setting you mention here I do not believe can be set through the GUI.

    That is what I call the 'Extra Secure' setting, and it really needs a user to understand and plan his system correctly. Tzuk has discussed it here:
    http://sandboxie.com/phpbb/viewtopic.php?p=10424#10424
    Caution: you will find that some things that you might require for normal surfing cannot work with this setting. It is restrictive.

    That is it in a nutshell: it is strategically planning the security of your computer. True, it is not for Grandma, but the OP is trjam and he is no Grandma, and all of us who are discussing this are not Grandmas. That is a distraction that leads to never being able to make any kind of decision of any kind. Too many bases need to be covered. We are discussing our computers; others are discussing 'their customers' computers'. It's a different burden.
    mitche323
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yup, purge the sandbox and start a new fresh session before doing anything sensitive.
     
  20. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Thanks a lot! I tried to find that all day :D
     
  21. Terror_Eyez

    Terror_Eyez Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    23
    Location:
    Your moms bed...
    Aha, that's what it was!
    Thanks for posting that. I thought it could be done from the GUI since I already had it set, but I must've done it from the ini myself... :rolleyes:
     
  22. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    You can do that with the GUI.

    -IPC Access:
    -Blocked Access:
    *
    The list above applies to !opera

    EDIT: Now I only have to figure out how to block all file accesses. Even portable Opera needs the Documents and Settings folder, so there isn't any easy block command. Also have to remember that Start.exe needs rights too.
     
  23. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Yes Mike you are correct!:D I just learned how to do that. ;)
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Another way from the GUI. Say you fire up IE. Then open the Sandboxie window. You will see IE right there; just right-click it, and you can set it so it's the only one accessing the internet. Used carefully, it is powerful protection.
     
  25. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Peter2150, I know that and am using that too. BUT BUT... I still want it so that not a single program except opera.exe can run, so I use that IPC Blocked Access too.
     
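The IPC restriction MikeNAS describes in posts 22 and 25 (GUI: "IPC Access -> Blocked Access: *", applying to "!opera"), written out as the Sandboxie.ini fragment the GUI produces. This is an added example, not from the thread; the sandbox name DefaultBox and the browser executable opera.exe are assumptions.

```ini
#
# Added example (not from the thread): Sandboxie.ini fragment for a sandbox in
# which only the browser may use IPC. Assumptions: the sandbox is named
# DefaultBox and the browser is opera.exe.
#

[DefaultBox]

# Default (weaker) state: no ClosedIpcPath line, so every program that ends up
# running inside this sandbox, including anything dropped by a malicious page,
# can use IPC like the browser does.

# Restricted state: the "!opera.exe," prefix means "every program EXCEPT
# opera.exe", and "*" closes all IPC paths for those programs. This is what the
# GUI displays as "Blocked Access: *  /  The list above applies to !opera".
ClosedIpcPath=!opera.exe,*
```

As MitchE323 cautions above, this setting is restrictive and some things needed for normal surfing may stop working; the thread also notes that Start.exe and any helper the browser launches need their own access rights.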