Safe Admin & Chrome

Discussion in 'other anti-malware software' started by Kees1958, Apr 3, 2011.

Thread Status:
Not open for further replies.
  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I thank you for your answer, Kees! As I know your knowledge is very good among these policy-oriented applications, I regard your input as extremely valuable! Once again, thanks.
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I would be, if I knew more about it :D ;) To end my hair pulling, however, I've gone back to FF4 with ABP, NoScript, and BetterPrivacy. I have firefox forced to run in Sandboxie, direct access to its entire profile (I am not enabling scripts over and over again for the same sites), with the new experimental x64 protection enabled. I'm also running Avast 6 with all shields, and Malwarebytes real-time protection. I believe this setup provides good enough protection, I can press the other members of family to learn to get along with NoScript, and, more importantly, I can end this debacle and get on with business :thumb:

    I'm not going to argue with anyone over any chinks in my armor, lol. You, Kees and a few others here know a heck of a lot more than me about this stuff. But, it boils down to having Ft. Knox-like protection and causing me headaches, or state-police building-like protection and being able to surf in peace with minimal testing and tweaking. I'm just, at the end of the day, a state police-protection kind of guy :D
     
  3. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    I like the first tutorial but it seems that I'm tired of logging in every time. Everything just resets.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Are you talking about blocking third-party cookies? To be honest, I don't access that many websites requiring a login, but for those few that do, blocking third-party cookies has no effect on having to constantly log in.

    In fact, I have all cookies blocked. I never had problems with this approach.

    But, if for some reason you're having such problems with third-party cookies, then you can create a white-list, and they will never be blocked again. All others remain blocked.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    You must have blocked all cookies then. Setting a block on 3rd party cookies won't make you do that, it just blocks all those ad and tracker cookies.
     
  6. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    What should be the "proper" settings for me then?
     
  7. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Make sure Chrome isn't clearing all cookies on exit. Leave the following box unticked:

    [attached image: Untitled.png]
     
    Last edited: Apr 4, 2011
  8. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    Alright and thank you! ;)
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Damn... --safe-plugins makes Microsoft Silverlight* not work. Not that many web sites may be using Silverlight-based videos, still... Microsoft's websites do... :shifty:

    Java makes Chrome/Chromium crash... :eek: Something already mentioned by user dw426

    I guess we should use a different profile just for Silverlight videos and Java. :ouch: Google could allow setting exclusions to the --safe-plugins command switch... o_O

    -edit-

    * I noticed this behavior in Chromium... using different builds. I don't have Chrome to test, right now.
     
    Last edited: Apr 10, 2011
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    With the greatest amount of respect due to Kees and other incredibly smart, helpful people here, these "tweaks" to the registry, the turning off and on of special protections like EMET, and so on, just aren't worth the headaches like this. For people with the true desire to play with things, and those with far greater experience, it's good to have these options. For the remainder of us, honestly, lol, just toss your browser of choice into Sandboxie and be done with it.

    Getting on the internet and using a computer (outside of obvious work-related issues), shouldn't be a chore nor a tiresome tweak-fest, all the while wondering "Am I safe enough?" We all have a responsibility to keep malware off our systems and to keep computing safe for us and our families. But, we shouldn't have to be so worried that we put ourselves through hell whitelisting this, restricting that, having two linkscanners checking every single place we go, having WOT plaster our screens with icons that may or may not be accurate, and I could go on.

    Sorry if I took your post off topic Moon :D It's just that I see posts like this every day here, where that extra step towards 100% ends up biting the user. I feel confident in saying that all a user needs to stay safe, and, most important, happy on the internet, is the following:

    1. A brain. This doesn't mean knowing every last process running on your system, how to tell malware from legitimate files. It means, and I don't understand why this is made so hard, look at the URL you are typing out. It means understanding that those flashing ads on the web are commercials, just like on TV. And, just like on TV, if what it says doesn't make sense, it's a scam (Do you really think you'll win an expensive gadget by clicking on an ad?). It means not responding to an email you didn't ask for from somewhere or someone you've never heard of. Do you ever write back to the junk mailers in your home mailbox? Why would you do it with your email?

    2. A good, well known anti-virus/anti-spyware. No, it won't detect everything without fail, but neither will anything else.

    3. A way to keep your system "static", yet still be able to download things, bookmark those really cool websites out there that are supposed to be taking your time instead of security setups taking it, and just enjoy what the internet has to offer. This is where Sandboxie comes in. When you step into the world of Sandboxie, you take back control...safely, and without issues like Moon here is experiencing.

    You allow things to run or not run, no program is going to tell you what you can and can't do, and you're not going to be switching profiles to do one thing, and switching back to another profile to do something else. You're not going to turn this on and that off, only to have to turn this off and that on again. Sandboxie is simple to deal with and simple to understand. Is there some set-up involved? Yep! But, here's a secret: If you go through your every day routine of using your computer, like downloading a file, printing, using your plugins like Java and Flash just once, Sandboxie will tell you exactly what needs to run (and in some cases needs internet access). All you have to do is allow just the processes that are needed for your every day activities, and Sandboxie is done and ready to protect you.

    Did you download something malicious as you surfed around? Ooh, that sucks...wait, no it doesn't. Why? Well, thanks to you running through your normal routine while setting Sandboxie up, that little bugger will just have to sit there and twiddle its thumbs...because it can't run or execute. Cool, right? And you didn't even have to answer a pop-up about .dll injections or anything. Hot dog!

    Alright, let's get this back on track. Moon, I don't know what to tell you really. As you told me, with Flash and the PDF reader already sandboxed, safer plugins isn't needed. With Java and Silverlight, well, you're inside Chrome's/Chromium's sandbox, and so far it's pretty tight, so I wouldn't worry too much over it. If you feel two profiles are necessary, go for it.
     
  11. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294

    This right here ^^


    Keep it simple people!!
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Keep it simple, just don't use the --safe-plugins tweak of Chrome. Disabling the external plug-ins should be enough (internal Flash and PDF are sandboxed by default).


    Let's be realistic and keep it simple, just four reg-files and a one time Chrome optimisation.
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    While these things are not really the easiest way to do for $average_user, the howtos by Kees1958 have been extremely useful for me; I implemented many of the ideas in an Active Directory + GPO environment. There is a big difference there: if something is restricted or not allowed, users usually need to take it as a fact of life and move on, or reasonably explain why they need this or that relaxed. Also, being able to do this via internal Windows means saves $$$$ :p
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's the thing, AFAIK it isn't sandboxed by Chrome's sandbox. Java simply will crash with an explicit low integrity level applied to chrome.exe (which will make every other object started by it inherit the low level as well), and will also crash with the --safe-plugins switch.

    With Java, we have no other solution than running it with a medium integrity level/high integrity level (whether or not we use a standard user account/administrator account w/o UAC). I'm afraid the solution is for Oracle to make Java work in a sandbox as well, just like Adobe Reader X. Until then, you can only mitigate attacks, by whatever means, like using Sandboxie.

    As for Silverlight, it will run fine with a low integrity level, so no issues here. Quite funny actually, --safe-plugins breaks Silverlight, but not the low integrity level. :argh:

    Anyway... this sort of stuff is more for people like us who like to test things. :D If they happen to work fine... maybe we'll deploy it to relatives, at least. I have!!! :shifty:

    I was actually testing all this Java thing due to a relative. The IRS web site uses Java, so I need to make a profile just to access this web site... It will be placed in a secondary standard user account, dedicated to sensitive tasks, so no problem. lol
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I shouldn't have said Java and Silverlight are protected by Chrome's sandbox, obviously that isn't technically correct. Though doesn't Chrome mitigate the danger because the exploit would still have to deal with Chrome's security? Maybe I've misunderstood Chrome's sandbox all this time, but it always seemed to me that an exploit had to break through that sandbox, whether the exploit was targeting an un-sandboxed application or not.

    @ Kees/others: I wanted to take a moment to make it clear my previous post wasn't about "pooh-pooh'ing" the various tweaks and extra protection you and others have graciously shared. My long-winded point was that these extra steps can introduce other issues, as experienced by Moon. And, if it isn't understood what is going on and why, a user can run into more trouble.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. Chrome's sandbox is enforced by the following:

    * Obviously, it also applies to Windows 7.

    Regarding Silverlight, the low integrity level is not an issue... So, one of the three parts of the sandbox chain is what breaks Silverlight. I can load Silverlight videos running Chromium with an explicit low integrity level (which is even more restricted than its "default" sandbox).

    Applying --safe-plugins will make the plugin work within what's called the target (you may also call it the child process). This target process is what runs at the low integrity level (part of the sandbox's chain). But, I have my doubts that this part of the chain is the one breaking the Silverlight plugin, because as I mentioned, I can run it just fine with a low integrity level.
    But, as you can see, Chrome's sandbox isn't restrained to the low integrity level thing. There are 3 more parts in this chain. One or all of them are what breaks Silverlight.

    The same could be said for Java, I guess. But, in Java's case all 4 parts of Chrome's sandbox chain seem to break Java.

    So, if we can't force Java to run within Chrome's sandbox (which is not just the low integrity level), then it runs outside the sandbox - it will run within the broker, which is what we can call the parent process, and it's the process that allows the target/child process to interact with parts of the O.S. running with a higher integrity level, which otherwise it couldn't do, and it would break functionality.

    Now, this broker process runs with a medium integrity level/high integrity level (the latter if the user runs an administrator account w/o UAC). This means that anything started by the parent process will inherit its permissions. Now, you can see that Java will be running with such permissions as well.

    Maybe I'm forgetting something, and it's been a long time since I first read much info regarding Chrome's sandbox :argh:, but I think all this makes Java run outside Chrome's sandbox? (I'm basing this on the fact that --safe-plugins forces plugins to run inside the sandbox (which consists of 4 parts), and it obviously breaks Java, which we are forced to run outside the sandbox... so... is it totally naked (regarding Chrome's sandbox protection)?)

    I hope I'm not bringing more confusion. :oops: But, by making these sort of questions it also helps me to understand, and if I'm wrong others can correct me, and that way I learn something new and won't be misleading others. :ouch:

    P.S: I guess these situations are one of the reasons that made Google work together with Adobe on a specific sandboxed Flash plugin, so that it runs protected by Chrome's sandbox, without issues. The same for the built-in PDF plugin.

    -edit-

    Here's some reading about Chromium/Chrome's sandbox. -http://dev.chromium.org/developers/design-documents/sandbox -http://dev.chromium.org/developers/design-documents/sandbox/Sandbox-FAQ
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It's not too confusing (though my lack of knowledge regarding all these techie terms works against me). What seems to be the case is that plugins like Java and Silverlight are not made safer with Chrome, simply because they run out of the control of Chrome's sandbox and security measures. It's like Sandboxie: if you run something outside of Sandboxie, what can it possibly do to protect you? Chrome's security evidently then shines when something attacks the browser itself, or plugins that are contained within the sandbox.

    Otherwise, all bets may be off, which, really, would make perfect sense. It can't protect what it can't control.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, confusing or not, just to show how strong safe-admin is: the SBIE and Comodo PoCs do not come through.
     

    Attached Files:

  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Do you know if that bug with Chrome integrity levels (being both medium sometimes) has been fixed?

    It seems you're running Chrome with its "standard value", and not an explicit low IL?
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    It seems NOT!!

    I had to test something with Chromium latest build, and I ran it normally (that is, no explicit low integrity level applied), and it ran with MEDIUM integrity level!

    How come Google developers cannot reproduce this security bug?! Kees, do you still remember the issue report link Sully and you started over Chromium issue reports page? They HAVE to fix it! It's insane...
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I've seen it again the other day too, on Chrome and the latest Chromium build.

    Sul.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    How many months have passed since you discovered this issue and reported it? :rolleyes:

    I'm starting to believe that the only way for Google to solve this security bug, for once and for all, is if we bring it to the attention of the media. They will be forced to make a move.

    I believe they simply don't want to be seen as developers who weren't capable of properly implementing the sandbox. This would be bad PR, if you ask me. I wouldn't want it to come out and would deny that I could reproduce it. :blink:
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Chrome developers say it is an error in Process Explorer. The sandboxes are started from the medium integrity level first instance; somehow Process Explorer captures the start too late and assigns the level of the first (instance) of Chrome as being the integrity level.

    On my request whether I could get the tool they were testing with, I have never received an answer :oops:

    The reason I am using it again is just to download stuff while 1806 is on and I know it is a PoC or malware. IE9 is my main browser now, I like the anti-tracking capabilities and the new download reputation cloud service. Although it has False Positives. FP's are dramatic when the program runs on your PC and the AV deletes it; when you are downloading it can't cause any harm (it is not installed yet, so can't mess up the integrity of your installed programs).

    I do agree they (the devs from Chrome/Chromium) have an awkward way of handling these issues (they think for you, so you are not supposed to ask questions).
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Process Explorer... they say... Yet, it properly shows IE8/IE9 integrity levels... same for Adobe Reader X. But, not with Chromium/Chrome o_O What is so special about the way Chromium/Chrome handles the integrity levels o_O :blink:

    Maybe we should bring this supposed bug to the attention of the Process Explorer (Sysinternals) developer(s), and see what they come up with. :rolleyes:

    ...

    I'll also start a new issue report regarding this integrity level situation, and will ask if they can assist me with a tool capable of properly showing the integrity levels. I'll also mention that Process Explorer is more than capable to properly reveal IE and Adobe Reader X integrity levels.

    If they refuse to share whatever tool they use to show integrity levels, then they are hiding what we know to be true, IMHO. :blink: Why wouldn't they share a tool capable of properly revealing integrity levels, if Process Explorer can't? :rolleyes:

    I must say I'm looking at IE9 as a serious browser now. But, I want this integrity levels thing clarified once and for all. Because, if there's a bug in Chromium/Chrome's way of handling the integrity levels, then Google is acting shamefully, and I can assure you I won't be supporting the Chromium project anymore, and already regret the fact I sent them a proper translation to my language... It was buggy. Even Google Chrome has an awful translation! :-*
    Are they using Google Translator? :argh:

    Tell me about it. They killed a command line flag from Chromium/Chrome dev channel, which is an important one, IMHO. While others that users can handle from within the UI just damn fine, remain. :thumbd:

    They said they understand my views, but won't promise to bring it back. There goes nearly a month, so... :(
     
  25. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    keep us posted, will ya?

    here, with UAC on and a Standard User account, all the tabs for IE8 and Chrome show a Low Integrity level.

    the top process for both Chrome and IE8 is Medium.

    only difference I see between IE8 and Chrome is that Chrome sometimes runs rundll32 at Medium.
    IE8 does not seem to need it.
     
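The posts above describe Chrome's broker (first instance, medium integrity) and its target/child processes (low integrity), and then disagree over whether Process Explorer reports those levels correctly. The script below is an added example, not something any poster provided: it lists every chrome.exe process with its parent PID, the `--type=` role from its command line (the one process without a `--type=` is the broker), and the integrity level read straight from the process token with the Win32 `GetTokenInformation(TokenIntegrityLevel)` call, so the result does not depend on Process Explorer's timing. It assumes Windows PowerShell 5.1 or later on Windows, run by the same user that launched Chrome; `TokenIL` and `$levelNames` are names chosen for this example. A process the caller cannot open is reported as "n/a".

```powershell
# Added example, not from the thread: list chrome.exe processes with parent PID, role and
# the integrity level read from each process's own token (independent of Process Explorer).
# Assumes Windows PowerShell 5.1+ on Windows, run as the same user that runs Chrome.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);

    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS::TokenIntegrityLevel

    // Returns the integrity RID (0x1000 low, 0x2000 medium, 0x3000 high, ...) or -1 on failure.
    public static int GetByPid(int pid) {
        IntPtr process = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (process == IntPtr.Zero) return -1;
        IntPtr token = IntPtr.Zero;
        IntPtr buffer = IntPtr.Zero;
        try {
            if (!OpenProcessToken(process, TOKEN_QUERY, out token)) return -1;
            int needed;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            if (needed == 0) return -1;
            buffer = Marshal.AllocHGlobal(needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buffer, needed, out needed)) return -1;
            // TOKEN_MANDATORY_LABEL begins with a SID_AND_ATTRIBUTES whose first field is the PSID.
            IntPtr sid = Marshal.ReadIntPtr(buffer);
            int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            // The last sub-authority of the mandatory label SID (S-1-16-x) is the integrity RID.
            return Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
        } finally {
            if (buffer != IntPtr.Zero) { Marshal.FreeHGlobal(buffer); }
            if (token != IntPtr.Zero) { CloseHandle(token); }
            CloseHandle(process);
        }
    }
}
"@

# Mandatory label RIDs documented by Microsoft (any other value is printed in hex).
$levelNames = @{ 0x0000 = 'Untrusted'; 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

# Win32_Process supplies the parent PID and full command line. Chrome tags every child
# process with --type=<role>; the single process without it is the browser/broker.
Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" | ForEach-Object {
    $rid  = [TokenIL]::GetByPid([int]$_.ProcessId)
    $role = if ($_.CommandLine -match '--type=([^\s]+)') { $Matches[1] } else { 'browser (broker)' }
    $il   = if ($rid -lt 0) { 'n/a (cannot open)' } elseif ($levelNames.ContainsKey($rid)) { $levelNames[$rid] } else { '0x{0:X}' -f $rid }
    [pscustomobject]@{ PID = $_.ProcessId; ParentPID = $_.ParentProcessId; Role = $role; IntegrityLevel = $il }
} | Sort-Object ParentPID, PID | Format-Table -AutoSize
```

Sorting by ParentPID groups the target processes under the broker that spawned them, so on a default install you should see one `browser (broker)` row at Medium (High if run as an administrator without UAC, as noted in the thread) with the renderer and plugin rows at Low; a target that shows Medium here, rather than only in Process Explorer, would be the real thing. Because the level is read from the live token rather than captured at process start, the script is a straightforward way to settle the Process Explorer question for your own machine, and it works the same way for iexplore.exe or AcroRd32.exe if you change the `-Filter` name.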