Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Big deal, just block aklt.exe and end of story.
    But let's see if it's going to work with my own configuration settings; hopefully Bo Elam will also test this. Just give me the link to where you downloaded these anti-keylogger tests.
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    If you allow aklt.exe Start/Run Access, you are allowing the tool to read what you write. But if you block access to the same file where you wrote before and run the test again, the tool won't read what you write. :)
    Sandbox settings>Resource access>File access>Blocked access, add the file and do the test.

    Bo
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I believe that your statements are true. However, keylogging is a different issue than file access restrictions.

    I see that Curt has been asked about my scenario in thread http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=19642.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    In-memory user-mode malware is a significant worry, because many modern systems actually stay up for days/weeks without being rebooted, and with browser tabs, so do the browsers. I know mine do. The malware can be busy scanning all the files available to the user and anything on usb sticks that are inserted. As seen, for some applications, we cannot rely on internet restrictions either.

    Sandboxie's ability to partition off areas of disk so they are not accessible is absolutely what you want in this circumstance, because a browser has no business whatsoever in having disk access to your real data - that's just the trusting way the OS offers disk IO, dating back to DOS and before.

    While I'd dearly love to have an OS-based MAC which is practical to use (is this not simply a data-table?!), and which would allow a form of disk firewalling, the only practical available solution is Sandboxie (on Windows). I also use VMs extensively for this purpose.

    I'm also not clear why people are debating whether multi-level security is a good idea, if I've read the discussion right. We have to assume that any prevention/detection tools will sometimes fail (they do), in which case a sandbox or virtualisation is the next level as a damage containment/limitation process.

    Keystroke loggers (and clipboard/screenshot loggers) are indeed a distinct issue (as would be other threats like MITM, MITB), and I think - in the absence of decent control of this by the OS - there are specialist tools such as Zemana (which I use), and perhaps, more importantly, the use of decent 2FA should happen. I do not rely on Sandboxie to protect against this, although it might do sometimes.
     
  5. Okay, I thought the SBIE service enforced the sandbox, so low processes talk to the service running at system IL. I did not see SBIE Control being placed between them. When the latter is the case, then there is no theoretical disadvantage in terms of IL containment.
     
  6. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,324
    Hi Bo,
    do I find the separate version here _http://www.sandboxie.com/index.php?AllVersions ?
    But can I uninstall c++ 10.0.40219?
    Thanks
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    Hi Mantra, you can get the separate Sandboxie installer for latest stable version from that link. Or you can get it for the latest beta from here.

    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=48&t=19151

    About uninstalling c++ 10.0.40219. Probably can be done but to avoid problems, I suggest you search for the proper way to do it.

    Bo
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    I agree. Some of the settings in Sandboxie can help, but Sandboxie is not an antikeylogger and I don't expect the program to protect me against them. If I worried about keyloggers, I would use a specialized tool like you do.

    Bo
     
    Last edited: Oct 7, 2014
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    OK, thanks for testing. And I didn't mean to start a whole discussion, but I was surprised that "hook based" keyloggers could log the whole system even when sandboxed. But I came to the conclusion that apparently I didn't have enough knowledge about how these types of key-loggers work.

    As seen in the AKLT tool, you don't have to inject code into other apps (processes) to be able to log keystrokes. Sandboxie will stop code-injection if I'm correct, but it will not stop global/window and low level hooks. Like I said before it's not a big deal, because you can use your HIPS/anti-logger for that, but IMO this could also be implemented into SBIE as an extra feature. :)
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes good points. SBIE is already capable of blocking most attacks (with extra configuration) and for the ones that it does not protect against you can use HIPS to protect the "sandboxed" apps. After all these years I still think that technically and design-wise, SBIE is one of the most impressive security tools ever made.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    Rasheed, I tested both of these tools, running them in and out of a sandbox a few times each. What I found is kind of strange, because either the test results that I experienced are not reliable (perhaps the keylogging tests don't really work when running them under the circumstances that I did) or Sandboxie protects more against this kind of malware than I thought.

    This is what I experienced. If I run the tools inside a sandbox, at no time does the tool read what I write in a text file that I open unsandboxed. This was the case even when I write something in a file that I don't block access to in Sandbox settings. That shouldn't be, but that's what I saw time and time again with each tool.

    Of course, if I run the tool in a sandbox and then run a browser or a file in the same sandbox, the tool reads whatever I write in the file or the browser. I believe this is how Compu KTed got one of the tools reading what he wrote in the browser.

    Bo

     
  12. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Bo, I would not run any of the so-called test tools from Rasheed outside of Sandboxie! Just telling you 'cause I care about you, and you have been a good guy to me.
     
  13. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,448
    The first test I did was to run AKLT.exe (2 functions) outside the sandbox and start the browser sandboxed, just to simulate as if you had a keylogger installed. It recorded my keystrokes as I typed into the browser.

    The second test I did was to give AKLT.exe Start/Run Access to simulate if you had a keylogger running inside the Sandbox while typing into the sandboxed browser. Naturally, since I gave it Start/Run Access, it recorded my keystrokes using the same 2 functions.

    If you add AKLT.exe to 'Forced Programs' in Sandboxie it cancels out the process (message from Sandboxie).
    If you add AKLT.exe to 'ClosedFilePath' in Sandboxie and run the browser sandboxed, it launches out of the sandbox ready to record your keystrokes when used.
    If you add AKLT.exe to 'ClosedFilePath' in Sandboxie and then right-click on the AKLT.exe file and choose 'Run Sandboxed', then access is denied as shown by the screenshot.

    If the purpose was to deny access to the keylogger tester then an Anti-exe or HIPS/firewall type program would accomplish the same thing. Sandboxie is not designed to be a keylogger informer.

    NOTE: If my testing methods and conclusions were somehow wrong I welcome correction.

    KL Test 2.JPG
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    Sandboxie cannot help against a KL in either of those two tests. Perhaps Internet access restrictions can help on the second test. But SBIE can help if your system is not infected and you use ClosedFilePath settings to block programs running in the sandbox from having access to your personal files and folders. And that is what I tested, and indeed, Sandboxie kept the tools from reading what I wrote on files that I have set as such.

    Bo
     
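    A simplified model, added here and not Sandboxie's own code, of the two settings Compu KTed and Bo exercise in the tests above ('Forced Programs', i.e. ForceProcess, and ClosedFilePath): it parses a constructed Sandboxie.ini fragment and decides whether a given program's file read is blocked, including the program-specific "name,path" and "!name,path" rule forms. The box name, paths, program names and the first-match wildcard semantics are assumptions; keystroke hooks are not file accesses and are deliberately outside the model, which is exactly why the AKLT tests above still log.

```python
import fnmatch
import re

# Constructed Sandboxie.ini fragment; box name, paths and programs are made up.
SAMPLE_INI = r"""
[DefaultBox]
ForceProcess=firefox.exe
ClosedFilePath=C:\Users\alice\Documents\*
ClosedFilePath=aklt.exe,C:\Users\alice\Notes\*
ClosedFilePath=!firefox.exe,C:\Users\alice\Downloads\*
"""

def parse_box(ini_text, box="DefaultBox"):
    """Collect ForceProcess names and ClosedFilePath rules for one sandbox.
    A rule is (program, negated, pattern); program None means 'every program'."""
    forced, closed, section = set(), [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != box or "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        if key == "ForceProcess":
            forced.add(val.lower())
        elif key == "ClosedFilePath":
            prog, negated = None, False
            if "," in val:  # program-specific rule: "name,path" or "!name,path"
                prog, val = val.split(",", 1)
                negated = prog.startswith("!")
                prog = prog.lstrip("!").lower()
            closed.append((prog, negated, val.lower()))
    return forced, closed

def file_read(forced, closed, program, path, launched_sandboxed):
    """'allowed' or 'blocked' for one read. Outside the box Sandboxie imposes no
    restriction at all, so an already-unsandboxed keylogger is untouched. Inside, the
    first matching ClosedFilePath rule blocks (assumed simplification of Sandboxie)."""
    if not (launched_sandboxed or program.lower() in forced):  # ForceProcess pulls it in
        return "allowed"
    prog = program.lower()
    for rule_prog, negated, pattern in closed:
        applies = rule_prog is None or ((rule_prog == prog) != negated)
        if applies and fnmatch.fnmatchcase(path.lower(), pattern):
            return "blocked"
    return "allowed"
```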
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    Hi Jarmo, I tested the tools under Shadow Defender. It's OK. :)

    Bo
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Sorry for my bad English, WS, because I'm not sure what you were trying to say here.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Then what's the conclusion? Did SBIE4 block these keylogger tests and protect the computer or not?
     
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,448
    @bo elam
    Internet Access restrictions did not help. Remember, I only allowed the web browser that access. The system, as far as I know, is not infected, with the help of Sandboxie and other security measures in place.
    I already use Sandboxie blocking (ClosedFilePath) as well as other settings available.
     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Compu KTed, I just tested those 2 anti-keylogger tools; you were right, SBIE4 fails these tests even with all the restrictions, and the tests themselves say that my protection failed to protect me.
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    Key, for the second test, this is what I am thinking: if you had a real keylogger in the sandbox and it is allowed to run, the keylogger is going to log what you type. But can the KL send the information out of your computer if it's not allowed internet access? I would say probably not, unless the KL is a malicious browser addon and uses the browser to phone home.

    Bo
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    CWS, please remember, I am no expert on any of these things. With these tools, I tested how Sandboxie can help us against keyloggers regarding blocking access to files and folders. And for me, that came out perfect, too perfect maybe. Start/Run restrictions are easy to test. Programs don't run if they are not allowed to run. These are really the only things that we can check with toy tools like these. To test if a real KL can break internet restrictions, I think we need a real KL for that test. But I doubt the real one would break internet restrictions.

    Bo
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi Bo, I retested again, only with a tighter configuration. Here are my SBIE4 results:
    Against the SpyShelter keylogger tests (http://www.snapfiles.com/get/stt.html) SBIE4 fails to protect against everything; against http://www.snapfiles.com/get/antikeyloggertester.html it protects 100% in all of the tests.

    However, in all of these tests Internet access restrictions did actually work, so that keyloggers could not access the Internet.

    In order to run these tests, yes, you need to allow these tests to start/run, but if you don't enable them to start/run, nothing can be penetrated, so then SBIE4 protects 100%.

    I still fail to see how the keyloggers that Mr. Brian is talking about can be outside of the Internet access restrictions and the start/run restrictions.
     
    Last edited: Oct 7, 2014
  23. Me too, I interpreted your question wrong. What did you want to know in regard to Invincea?
     
  24. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I wanted to know if it's really true that all the applications inside Sandboxie4, including Chrome (in all Windows, including Windows XP/Vista/7/8/8.1), really run at untrusted level like Curt claims ("SbieCtrl.exe runs at medium integrity. SbieSvc.exe runs at system integrity. Everything inside the sandbox runs at untrusted integrity (which is lower than "low"). "SBIE4 itself runs in System/HIGH." doesn't make any sense. The service runs as System, but that is not Sbie "itself". What matters are sandboxed apps, and they all run at untrusted integrity under Anonymous Logon with almost zero rights in the host system. That's about as restricted as you can get and still execute.")?
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,196
    Location:
    Nicaragua
    CWS, testing screen captures or anything like that, I did not bother to test, since SBIE cannot do anything about that. If you worry about keyloggers, I think you should use an antikeylogger along with SBIE. Me, they don't worry me, so I don't use anything.

    Bo
     