Question regarding BD SafePay or Sandboxie and infection

Discussion in 'other anti-malware software' started by GrammatonCleric, Aug 3, 2012.

Thread Status:
Not open for further replies.
  1. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    So assume I have been infected with a keylogger or an info stealing trojan. The infection is already on the system and it's resident.
Now I open my browser via BitDefender SafePay or via Sandboxie. So will whatever info I type into those browsers be protected? o_O
    I don't see how. I mean those browsers are virtualized processes by either BitDefender or Sandboxie, but they do not virtualize my keyboard inputs, so whatever I type goes through raw Windows and then into the virtualized browsers, so the resident malware will still see the infection.
    It's only if my system is clean and I visit a malware site with the virtualized browsers that the malware will be isolated from seeing what I type in the real environment.

So unless I got the idea wrong, I don't see how BitDefender SafePay or the Comodo Virtual App thingy (in CIS 6) or Sandboxie can protect your information from being stolen on an already infected machine. I see that technology as a method to prevent being infected via a drive-by download, but only if the machine is clean. Even if one gets a drive-by infection while browsing in a virtualized browser and then goes to the bank site in the same browser, they still get compromised.

    Please help me understand if I am wrong about this.
     
  2. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
1. Sandboxie cannot block "keylog and screenlog" done by sandboxed processes.

    2. Avast SafeZone is another good choice.
     
  3. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
I can only speak for Sandboxie: if you are infected prior to installation, then yes, it's useless. Even if you are infected after installation, apparently it's possible for malware to transmit personal data while browsing with an infected sandbox. To avoid this, it would be necessary to apply restrictions to the sandbox, e.g. what can run, what can access the internet, etc.
    When I do online banking, I do it unsandboxed and use Trusteer Rapport. This is because T.R. is incompatible with Sandboxie. If my system was already compromised, Sandboxie would be of no use anyway.
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    GrammatonCleric, when using SBIE, in addition to what mick said, apply File Access > Blocked Access restrictions to block personal files from being stolen by programs running in the sandbox.
    http://www.sandboxie.com/index.php?ResourceAccessSettings#file

It's also wise to do banking in a fresh browser; when you finish banking, close the browser. None of this will help if your system or one of your browser addons has already been infected by a keylogger. You should know, Sandboxie is not an anti-keylogger; the best way that SBIE helps against keyloggers is when you delete the sandbox, but SBIE will not warn you about a KL doing what it does. If you got infected by one while browsing, it will be gone when you delete the sandbox. That's Sandboxie's role.

    Bo
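The restrictions mick and Bo describe above (blocking personal folders from sandboxed programs, limiting which sandboxed program may reach the internet, and discarding the sandbox when you are done) are all Sandboxie.ini settings. The fragment below is an added example, not something either poster wrote or the Sandboxie documentation's own text; the box name, user folder paths and the browser executable name are placeholders to replace with your own, and the exact path-matching rules should be checked against the ResourceAccessSettings page Bo linked.

```ini
; Added example Sandboxie.ini fragment (not from the thread). Names and paths are placeholders.
[BankingBox]
Enabled=y

; File Access > Blocked Access: a program running inside this box cannot
; open these folders at all (not even read), so a drive-by info stealer that
; lands in the box cannot upload your documents.
ClosedFilePath=C:\Users\Alice\Documents
ClosedFilePath=C:\Users\Alice\Desktop

; Restrictions > Internet Access: everything in the box EXCEPT firefox.exe
; is cut off from the network. The leading "!" means "all programs except".
; A dropped downloader or stealer that runs in the box cannot phone home.
ClosedFilePath=!firefox.exe,InternetAccessDevices

; Delete > Invocation: wipe the box when the last program in it closes,
; which is the "delete the sandbox" step Bo mentions; anything that got in
; during the banking session is gone afterwards.
AutoDelete=y
```

Two caveats the posts already make, restated so the fragment is not oversold: none of these lines protect against a keylogger that is already resident outside the box, and the internet restriction only prevents other sandboxed programs from talking to the network; a malicious browser addon running inside firefox.exe itself still has that program's network access.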
     
  5. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    Oh I know that.
That's why I am amazed about how many security companies are coming out with a sandboxing method and calling it the holy grail against infections, and how you can be safe by doing banking in a sandbox.
    i.e.
    BitDefender SafePay
Comodo 6 beta Sandbox Environment
    Kaspersky Sandbox

    etc.

    Just wanted to make sure that I am not missing something.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
Yep, there are a few "active" sandbox technologies combining isolation and keylogger protection. One is the virtualization option in ZA Extreme (for IE and FF).
     
    Last edited: Aug 8, 2012
  7. camarie

    camarie Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    12
    Location:
    RO
That's what the virtual keyboard (VK) is for. When you type a password, PIN etc. (and not only) you can click on the VK button - this will open the VK widget and you click on some images representing keys. These pseudo keys do *not* send synthesized keyboard messages that can be intercepted by a keylogger, but rather send the keycodes directly to the browser editable field (INPUT TYPE=PASSWORD HTML elements, usually). You are not restricted to those; you can also use the VK manually for any kind of keyboard input element. One can verify with Spy++, for example (and tests were done here at Bitdefender, obviously :) ) whether character/keydown messages are generated and a keylogger can intercept them - and they are not generated, of course.

    There is also an extra layer of protection. Assume your system is infected and there is a keyboard hook installed by some malware (BTW, this is what AV/disinfection is for :)). Safepay runs in a separate desktop, which does *not* allow hooks from other desktops, so even if your explorer in the Default desktop is infected, it won't be able to hook a process in the Safepay desktop. Also, Safepay (as any other BD process) is protected by the SelfProtect mechanism as well, as are the files and registry settings.

    Safepay has also its own location for its cookies and local storage, which is protected in the same way as well.

However, if you're talking about a kernel mode infection, then the system is completely compromised and the attacker can do anything; nobody will say otherwise. This is why the BD installer scans the system when installing, so what you describe here is that the initial install scan does not find the malware. Which, I admit, can be possible, nobody's perfect, but at least it should raise a warning flag and a future update will bring the removal signature.

    You're not wrong - although, I repeat, regular scanning for malware such as infected/malware browser extensions or plugins, especially if you suspect an infection, is recommended.
    But Safepay also handled this by adding some more protection layers:
- Safepay uses WebKit and Chromium. Extension mechanisms are far more restrictive than, for example, those on IE or Firefox, where, once an extension is installed, it has access to everything
    - browser (Chrome) extensions: are not loaded. So even if Chrome has a compromised extension, Safepay does not load *any* extension. That means you can't play Angry Birds in Safepay, which is obvious since it is meant to be a more secure browser, not *the* primary browser for day to day use
    - plugins (NPAPI plugins): initially Safepay denied all. Later, Flash was allowed because of the overwhelming amount of Flash present on banking pages (and sadly, preventing pages from working normally...) but no other plugin is allowed (media, Office, Skype, Java etc.). This greatly minimizes the possibility of a rogue dll plugin which could make Win32 calls in the same context as the current user
    - downloads: are not allowed (and users complain about this...). A future version will control the downloaded files by having a safe file zone, scan them, and then move them to the existing secure location (perhaps mounting a file vault and saving them there - we don't have the full implementation details yet).
    - Traffic Light scans HTTP and HTTPS traffic for incoming malware (virus, phishing, spam etc.) and blocks the page if the URL is compromised

Hope this clarifies your concerns a little, and, without trying to sell you a false sense of security, describes the main defense layers existing in Safepay and other components. I realize what I wrote (except the VK feature and disabling keyboard hooks in the separate desktop) is not addressing keyboard logging, which seems to be your main concern, but maybe you now have a better image of how this works.

    Regards,
    Cristian
     