Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From the Bromium report:
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    So. Sandboxie is not an antikeylogger. Expecting Sandboxie to detect keylogging activity is like expecting a car to fly. Does your car fly, Mr Brian?

    Anyway, the DefaultBox is designed so anyone can use Sandboxie from day one. That's the purpose of the DefaultBox. Many of the things that you can do with Sandboxie are not set in the DefaultBox for a reason. In my opinion, making things not restricted so it's easy for first time users to use Sandboxie right away after installing it is the way it should be.

    But you, Mr Brian, IF your computer is clean to begin with, Sandboxie makes available all the tools in Sandbox Settings for you to make your sandbox as tight as you want it. You can make it so tight (and still very comfortable to use) that the only way a keylogger would have access to your personal files is if you install a malicious addon, don't block access to your personal files, or don't follow safe practices regarding your sensitive activity.

    Bo
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    Yeah, it could be the method skilled hackers are using, or they're just using the typical phishing emails and such. I have no idea.

    Certainly I was not trying to downplay Sandboxie's effectiveness, only simply stating it and the others mentioned are not "needed", as in not the only security that will work. They are, of course, highly effective and proven in their effectiveness. With your setup, if NoScript fails you've got Sandboxie ready to play mop up, rather effortlessly in the majority of cases I might add, unless you get hit by something capable of escaping the sandboxed environment. This latter type of malware seems pretty rare as far as I'm aware.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @bo elam: Keyloggers log keystrokes. Access to personal files is a separate issue.
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    If the keylogger cannot run, it can't log keystrokes.

    Bo
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If I recall correctly, Sandboxie isn't an anti-executable nor an anti-exploit.
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I honest to God believe that while surfing, to this day, since using both programs together, Sandboxie has not had to play mop up once for NoScript.

    Bo
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    That is true but you forgot something. You can restrict the sandbox so only a few programs can run. If you are not infected out of the sandbox, the only way a keylogger can run and do harm to you is if you are pretty dumb and install a malicious addon and then go do sensitive activities.

    Bo
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    It goes to show what I've believed for quite some time now, and that is how important and effective script blocking is in the browser. It took me a long time to finally include it permanently in my security arsenal, as I would before always run out of patience dealing with the management it requires, especially in the early going. It sure is worth it, imho.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    http://www.sandboxie.com/index.php?DetectingKeyLoggers lists various ways a keylogger could become operative in a sandbox.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here's the last sentence:
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Did you get anything out of the last sentence? I guess not. That sentence is making us Sandboxie users aware of how the browser can be hijacked, how malware can break a restricted sandbox and use the browser to phone home. Bye.

    Bo
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Sandboxie, Keylogger & Spyware:
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I think so. In some cases, the Internet access restrictions would prevent exfiltration, and in some cases it wouldn't. Is your interpretation different than mine?
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Big deal, if there are keyloggers that don't need Internet access restrictions, they can be forbidden to start/run in the first place, even if they don't need any kind of restrictions, it really does not matter anymore. The newest Angler exploit kit is completely file-less (memory malware/corruption), and it cannot be prevented by both SBIE4's Internet access restrictions and start/run restrictions, and yet SBIE4 does fully protect against this, confirmed by Curt from Invincea.
    The same goes for these file-less keyloggers.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @CoolWebSearch: Consider this scenario. Your system is clean. You're using a sandboxed browser. You browse a website and Angler exploits a vulnerability. The malware is now running inside the sandboxed browser process itself (start/run restrictions won't stop this, right?). Let's suppose the malware is a keylogger. Now you type some stuff into a word processing document that's not sandboxed. The keylogger running in the browser process could potentially log the keystrokes you typed into the word processing document and exfiltrate that data via the browser process (internet access restrictions won't stop this, right?). Now you close the sandboxed browser and empty the sandbox. The malware is now gone, but the data exfiltration can't be undone.
     
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    Sandboxie did allow recording keystrokes on this test. Sandboxie 4 with only the browser having Internet and Start/Run Access. Files and folders restricted and LUA used. Words were typed into the web browser startup page connected to the Internet and captured.

    Sandboxie isn't designed as a detection type app like e.g., an AV or HIPS program. You have anti-keylogger programs you could use.

    key1.JPG key2.JPG
     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So, everything was blocked with Internet access restrictions and start/run restrictions except the browser itself, right?

    Thanks for this, is there anywhere where I can download this test?
    I want to check this out just for myself and with my own configuration settings!

    It must be from perhaps Zemana or Comodo Firewall leak test or something else?
    And did you use perhaps Sandboxie 4.12?
    Maybe you should post the link on the Sandboxie forum, so let's see what Curt would answer, if you have time for this.
    I wonder if DefenseWall, Malwarebytes Anti-Exploit, SpyShelter firewall and AppGuard would protect against these forms of malware and keyloggers and all other web browser hijacking attacks (including malware payloads)?

    So the question remains: against what attacks and what types of malware does a tightly configured Sandboxie 4.12/beta 4.13.5 alpha not and cannot protect?
     
    Last edited: Oct 7, 2014
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I'm not saying this would not bypass SBIE 4.12, but why don't you ask Curt from Invincea in the first 2 threads about the win32k.sys vulnerability (which is now patched) and the Angler Exploit kit? These are threads where you can post this if you want to. I'd like to still hear what Curt from Invincea has to say; most likely he'll say you're right, AT LEAST, I think that.
    I wonder if AppGuard, Malwarebytes Anti-Exploit, SpyShelter firewall and DefenseWall would protect against these forms of attacks and these forms of malware, keyloggers and all other web browser hijacking attacks (including malware payloads)?

    So the question remains: against what attacks and what types of malware does a tightly configured Sandboxie 4.12/beta 4.13.5 alpha not and cannot protect?
     
    Last edited: Oct 7, 2014
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Wrong. If you enable the Block or Write-only access settings on your sensitive files, those settings block programs running in the sandbox (your browser included) from having access to your important files. If you write something in these files, it's not logged. Mr Brian, blocking access to a file means none of the programs in the sandbox have any kind of access to the file. Programs in the sandbox cannot read what you type, the file cannot be uploaded or anything. The file cannot even be opened in the sandbox. And you might get a message like this one.

    untitled.JPG

    I have a whole bunch of important information written in that text file, but you can't see it because I tried to run it in a sandbox where that file cannot be accessed. That's just an example.

    Bo
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    WS, can you please confirm what Curt from Invincea said, I posted this here:
    Is there any way I can check and double check this:
    https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-32#post-2413646
    Big thanks in advance.
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, exactly, I also block notepad.exe and I also block cmd.exe, so let them try to bypass this configuration.
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    CWS, that actually is a notepad file that has a name, it is a very important file for me, Sandboxie also blocks the name of the file. No access means no access at all.:cool:

    Bo
     
  25. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    Sandboxie 4.12 used. The browser and aklt.exe had Start/Run Access. You can see by this screenshot the app was sandboxed. Browser sandboxed as well with Internet Access. In the other shots I didn't allow aklt.exe Start/Run Access or Internet Access.

    KL Test.JPG
     
    Last edited: Oct 7, 2014