Sandboxie and keyloggers

Discussion in 'sandboxing & virtualization' started by trjam, Jan 7, 2008.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Googled "rootkit firewall bypass driver", got this. I'm going to read it myself.
    An obvious note: this doesn't happen if SandboxIE is in the picture, since no rootkit should install. Perhaps that's what you were really thinking of above?
     
  2. wat0114

    wat0114 Guest

    No, I was/am just curious if a rootkit once installed (assuming a non-sandboxed system) could transmit user data past a properly configured two-way firewall. Thanks for the link. I will take a look.
     
  3. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    SpectorSoft is the largest monitoring company worldwide. Some malware may destroy your machine, but other items can destroy you. That is the danger with key loggers. Everyone has a right to privacy. It is not just banking information. Letters to your girlfriend that end up with your wife, 'dark' sites that you visit, and yes banking information also. And a thousand other things that rightly or wrongly, we are all guilty of.

    If you handle your computer security from the bottom towards the top, then yes, NoScript is great. But if you handle it from the top towards the bottom, and if SandboxIE was the very first security product installed, why would I be concerned with scripts?

    What’s more, the premise of the discussion is that it needs to work with GrandMa, and with 'default settings'. Well, SandboxIE right out of the box handles 100% of all scripts just dandy. No-script requires user interaction. You can't have this thing both ways.

    If the recommendations were stated as "Use keyscrambler but be aware of what it does not do in relation to what is really out there" or "Use no-script but be aware that there are more good scripts than bad ones" then that would be fine. But read the earlier posts in this thread. That is not what was presented.

    SandboxIE handles the SpectorSoft products just fine and it also handles scripts just fine. Also active-x is no problem at all. But oh yeah that's right, no product does it all.
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I don't use keyscrambler. Yes, I start from the obvious, the firewall, then downwards. All keyloggers are blocked from execution on my computer. No matter who uses it.
    Regarding NoScript, read about XSS. User interaction with NS? With me, rare.
     
  5. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    If there's a keylogger running in the sandbox, is it not supposed to appear in the Sandboxie Control? Just curious...
     
  6. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Simply put it loads before the operating system actually does.
    This allows it to operate without requiring a process running, it doesn't need a registry entry either. These simple elements invalidate 100 % of current known PC based defenses.

    The only method one could intercept it is from an external network traffic/protocol analyzer listening to the infected node to identify its packets during transmit & receive. This actually does require one to already know what he or she is looking for, otherwise it simply gets lost in the noise...

    I can't explain it better than this.
     
  7. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Oh... please, like in every product recommendation we have to describe every single function and its idiosyncrasies... Get a grip! :)

    Users also have a responsibility to research the products they use to know why and how to use them... We are simply providing them with appropriate tools to help them. Even if it displeases some...

    Besides in my world there are no "Certainties" and Products are not infallible... thus the multiple layer recommendation.

    I think your argument is not much more than an attempt at strife or a simple act of despair... either way the only valid guidance is still to use layers... it's safe, time and experience proven and it works...
     
    Last edited: Feb 6, 2008
  8. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Man, I purposely 'exaggerated' it to make the point. It was rhetorical. haha
     
  9. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I figured you were just having fun pulling my chain... ;)
     
  10. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    It's all good but here is the thing - the OP states a concern on keyloggers and wonders about SandboxIE. What I am trying to say is "Hey man, look at this SpectorSoft stuff - what anti-keylogger out there can protect you from this?" The answer is that none of them can - except sandboxie.

    To then hear that KeyScrambler Personal would be somehow a better choice because of some sleight of hand with RoboForm.......well, it's all here for the reading.
     
  11. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    It is not what I said at all... I said that layers, of HIPS (which will intercept any executable loading) in combination with a Browser dedicated anti keylogger and Roboform all running inside sandboxie will prove effective to near 100 %. What you are trying to say is that sandboxie is all that is needed... Big difference.

    Nowhere in any of my recommendations do I advise reliance on any one product... In fact, as I hope you have read in my articles: I advise users to "Educate themselves" and "To do their own research" and "To over All their security setups at regular intervals...

    Anyone reading this will be upset if they are looking for an easy button that you can click to get all for no effort... It simply doesn't work that way... You are taking everything I wrote out of context just to argue... You must be a retiree or something? :D

    I think the only hope most users may have against those spectorsoft type utilities is to use a HIPS... as a preemptive protection otherwise you need to scan and hunt...
     
    Last edited: Feb 6, 2008
  12. Terror_Eyez

    Terror_Eyez Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    23
    Location:
    Your moms bed...
    Wow, well with that logic, security products are useless then since they aren't default on Windows!

    But all that you mentioned, does require a driver to function...

    KeyScrambler is useless, you can use this one file to just descramble the scrambled keystrokes, and you've got the untouched, unscrambled keystrokes.
    What's so safe about that?

    Yep, that's true, cause not just can Sandboxie block and remove keyloggers, but A/Vs, although they can sometimes successfully detect keyloggers, will never detect commercial keyloggers cause they are added to the "whitelist" in the A/V. Who knows what else those A/Vs aren't detecting (due to either not being added to the signatures, or being whitelisted...)

    Again, easily descrambled, so it's not effective...

    I would always do that, even if I was or wasn't registered to...

    Exactly!!
    Most other programs that "block" keyloggers, can only block the keylogging part of the keylogger (even then, it doesn't always work...) but in Sandboxie, go ahead, run the keylogger all you want, and go ahead and even let it take screenshots, hell go ahead and decorate your desktop just so it will look good in the screenshots.
    Doesn't matter though, cause in the end, when I am done with my session, I am deleting the sandbox, and all those screenshots, keystrokes, etc are gone, before anyone was able to get their hands on them...
    It's like a security camera, sure, it can record all the data it wants, but if you commit a crime, the camera records you, and then you take the tape before anyone can get their hands on it, well then, nobody is going to see anything...

    Exactly, keyloggers are pretty damn rare to come across anyways, especially on the net.
    Most times, if a keylogger is installed onto your pc, it is because it was bundled inside of some program/setup file that you ran, but the keyloggers can't just auto install themselves when you visit a webpage (except maybe in FF)...

    That's right, and it's funny, cause you are the OP of this thread and even you realize that!

    Really? I see it recco'd all over the place! You should try broadening your horizons and look elsewhere other than just at Wilders.

    What makes your recommendations so great? What makes you think that if someone sets their pc up based on your recommendations, then their PC will be perfect?
    I wouldn't trust someone else's setup (I am not talking about you, I mean everyone), I have my PC set up based on my own personal experience, from over 12 years of PC usage, and it has worked out just fine for me.

    Man you should let down on your ego, it's getting a little big. This has nothing to do with invincibility, it has to do with finding what works just fine for you, nothing more!

    Ha, you could just use Opera in conjunction with Sandboxie, and it's even more secure than that setup!

    Or just run the browser sandboxed, then if/when you do encounter a large number of actual attacks, just terminate the box, and delete the data, done...

    You don't need keyscrambler for that, most modern day browsers (except FF, it hasn't caught up yet) can do that for you...

    Oh god, the layer approach again, it doesn't work, layering started out in the late 90s when people got scared that current security products would become ineffective against the onslaught of viruses that started out, so instead of waiting for 1 good program, they decided to install another bad program, and another one, and another one. So now we are at the point today where people just say "Oh just install 20 things and call it layering"!
    It doesn't really work, it is just a psychological thing, that's all.
    I mean, if you were to put a guard in front of the White House, then decide that isn't enough, and so you put another guard there, and another one till you've got 250 guards around the White House, it still won't matter though if all 250 of them are all drunk and passed out, then you're going to sneak past them real easily.

    Same with multiple security programs, it doesn't matter how much you put on, if they can't detect the viruses, you're screwed...

    Yeah, but there is no need to put 7 other things on though. Use that one program, and if/when it is bypassed, then continue using it until you find a new program. No need to put 7 other things on as "layers" though...

    TY!

    No, none of the F/Ws work for crap, they haven't since about 2002...

    Actually there is no need for No-script. Most browsers today (maybe even the new FF?) can easily block scripts, contents, plugins, etc.. Much more than NS can..

    Yep, they are unnecessary, just like UAC in Vista, does nothing and is just an annoyance. "IE is trying to access the internet, oh whatever should I do??"
    ...Please, if I opened IE, obviously it should be connecting to the net, and I don't need a program to tell me that...

    Exactly, use Sandboxie, it only takes up a mb of HD space, 7 mb of ram, and only 3 CPU, and sucks up none of your bandwidth, plus no conflicts to hell!

    Yeah they can, easily, which is why most people don't want to use them anymore, or even worse, I know people who are running multiple F/Ws, then they wonder why their network frequently stops working, and they get all kinds of BSODs??

    There is no properly configured F/W, all F/Ws fail at the hands of a virus, trojan, rootkit, etc..

    Yes it can, hell, even ad-ware can transmit through a "properly configured" fw... or 2, or 3...

    No-Script can't block most XSS, the only ones it can are the "known" ones, most cross-scripts out there though will slip right through NS without you realizing it..

    Yes it will...

    I know what you mean, but if you had it sandboxed, then it wouldn't be able to load before the OS, no matter what it installs, cause it is constrained to the sandbox, where it can't auto-load, before or after the OS... All you have to do is just delete the box, simple as that.

    Contradiction? You want people to research their own products, and find their own program(s) to use (like I did), but then you say that you are offering them the "appropriate tools"? What makes those the appropriate tools out of everything out there?
    Reminds me of that old Ford saying; "You can have it any color you like, as long as it's black"!

    It is not safe, it only makes you think so. It is not experience proven, since people constantly point out "Omg, I am running this, this, that, this, this and that with this turned on and a rootkit, and 3 trojans made it through, what happened?" I mean hell, you even said yourself, you get people all the time riddled with viruses. If the layer approach worked, you'd have no customers..
    Oh and last, no it does not work, as stated.

    And what makes what you say 100% perfect, compared to what someone else says??
    3 years, just Sandboxie (except for the first 4 months when I had 3 other things installed), and I have had no problems.
    'nuff said!

    Why do you keep referring to your articles or site?
    So because your article says not to use one program, then your recommendations must be followed? Big ego man...

    Or run it in a sandbox?
    You keep missing the concept. There is no need to scan and hunt (which is what renders an A/V useless) and there is no need to detect a keylogger, cause it can't do anything in the first place (in a sandbox) cause in the end, it is gone, plus so is everything it did, without anyone seeing what the keylogger did, and without any permanent damage, etc...

    So sorry for the long post guys, I had no idea it would be this long, I just had to go through 2 pages of quotes cause I like to get it all done at once (like Sandboxie, ha)! ;)
     
  13. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Terror_Eyez, have you ever tried DefenseWall? Compare it to Sandboxie.
     
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I can't believe I actually read up to this part. What a long post! :p
    So what you're saying is, besides that NS is no good for XSS (do you actually have something to show me, or just empty words?), that one should throw in the towel, or better, believe that SandboxIE or Opera fixes the problem. It could, with a rigid discipline (flushing the sandbox over and over to originate new sessions when needed), concerning many things one does online..
    I just ask for a bit more thought into this...
     
  15. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    How can I do that with Sandboxie?
     
  16. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Easy, just run your browser sandboxed. Open up the Sandboxie Control. Right mouse click your browser file and select program settings. It's the fourth one down you choose.

    muf
     
    Last edited: Feb 6, 2008
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,207
    Location:
    U.S.A. (South)
    Whew! Quite a read indeed!

    All I might add has already been spoken on infinite times before and is still repeating. SandboxIE is one really tough bird and it's almost funny how users continue to jockey with apps from one to another to pile on the beef, and some with total blind trust in AVs/ASs only, and completely miss the mark entirely of the rock hard benefits of virtualization. Some still do.

    An artificial environment is the best place to sit while the activity takes place in front of your view while reveling in confidence of the security that in but a press of the button, P00F!

    Back to Zero! again, ya just gotta luv SandboxIE and other virtuals for some. LoL
     
  18. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,771
    Location:
    New Mexico, USA
    Thank you, muf. I didn't know about that option in Sandboxie. There's a lot I don't know about it yet. It seems as if the more I learn, the more I find out new things Sandboxie can do.

    I do admit to a sort of layered approach....kind of.....maybe. I also run Returnil 2008 Premium and I have DeepFreeze. Between them, I think I'm fairly good to go just about anywhere I want safely.
     
  19. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Do you mean this?

    This program is the only program in this sandbox that can access the Internet.

    That's not what I asked. I mean the only program which can run in that sandbox.
     
  20. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    I don't think this is possible in the current feature set. Besides, Sandboxie always runs its start.exe, SandboxieRpcSs.exe and SandboxieDcomLaunch.exe.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,207
    Location:
    U.S.A. (South)
    Not to veer very far OT, let's hypothetically assume that a file infector virus lands in the sandbox and goes straightway to ALL exes (inside containment) to modify/corrupt common compilation files.

    I want to assume SandboxIE would exhibit immunity from such an attack on its executables, but which is it? I employ a HIPS in the sandbox to intercept such an attempt. Does SandboxIE support itself under such a challenge?

    I sandboxed IE and proceeded to one of the known aggressive drive-by sites that throw some pretty mean darts at IE to bypass on to its pre-programmed course of disruptions.

    Any thoughts, real results?

    Thanks
     
  22. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    If that virus can bypass Sandboxie then it can do some nasty things. Otherwise:

    It can't access my hard drive -> blocked
    It can't access my registry -> blocked
    It can't connect to the internet -> blocked

    It can just wait until I close my sandbox and Eraser cleans it totally.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,207
    Location:
    U.S.A. (South)
    As evident with my question, I too am fairly new to this superb program so I'm cautiously overviewing any potential break-out possibilities, but if I read it all right, no matter what, just like a VMware, any/all file activity is limited to applying approaches to ONLY a duplicate/artificial containment environment and is for all practical purposes TRAPPED within the borders of the Sandbox PERIOD!

    Is this an accurate assumption? Because if so the percentages are incredibly favorable that any and all sandboxed activity is helplessly LOCKED in this parallel environment/field with no alternative to exercise any genuine control to the rest of the unsandboxed state of the genuine system.
     
  24. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    As Tzuk evidently said somewhere, you are not protected from a keylogger that is already on your system. I still don't get it how this keylogger can bypass my sandboxed browser !?!?!

    Guess it's my misconception about the true intent of Sandboxie cause I am pretty new to all this.

    Huub.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,207
    Location:
    U.S.A. (South)
    Hi Huupi

    I think the KEY factor in any of this hinges on getting ahead of that possibility beforehand. After that the Sandbox is a parallel/duplicate copied mirror image and ANY files and/or activity are kept within these borders. I think the mere mention of any expectation that a security app can deal with malware AFTER it's already landed in the field of your REAL system is not at issue here, because programs like SandboxIE or any good security program need to be positioned and active FIRST. Otherwise it's a matter of dealing with an AFTER-THE-FACT intrusion which of course contradicts the very purpose of any security app or in this case virtualization/sandboxing.
     