Sandboxie question

Discussion in 'sandboxing & virtualization' started by Essentials, Jun 2, 2011.

Thread Status:
Not open for further replies.
  1. Essentials

    Essentials Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    49
    Hi,

    I always use firefox sandboxed, my question is, imagine my sandbox gets infected, I have my sandbox configured to autodelete whenever I close firefox. My system will not get infected, but what about if the malware's objective is to steal information? I have my documents blocked. What else should I block? Where is other sensitive information located (if there is)?

    Thanks
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    if you haven't already you should use restrictions for Start/Run and Internet Access for both firefox.exe and plugin-container.exe

    you might also want to include dllhost.exe and rundll32.exe
     
  3. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,124
    Location:
    Pennsylvania.
    As long as you have your browser as one of the only things having internet/running privileges then the malware would die due to having no ability to run or connect to the host to send back data.
     
  4. Essentials

    Essentials Registered Member

    Joined:
    Mar 21, 2011
    Posts:
    49
    @moontan:
    Hi, yes I have restrictions for start/run and internet access.
    start/run: firefox.exe, plugin-container.exe and acrobat.exe
    internet access:firefox.exe, plugin-container.exe

    @cheater87: I have read that malware is able to gain internet access using other programs, for example firefox. I am not sure how they do this, I am not an expert...


    So reading your posts I think I am fine with my configuration. Thanks
     
  5. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    btw, does anyone know if it's safe to allow dllhost.exe and rundll32.exe?

    i know those are needed in some cases; right click context, choosing folders and such.
     
  6. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    If it's safe I do not know, but they are essential for everyday browsing, so they can perform here in my box.

    I think it is hard to run a virus (being able to cause problems) from another application, and from what I saw you use F-Secure, so relax, it's safe!
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    On my end I only allow Firefox to have Internet access. Plugin container only has start/run. Allow as few programs as you can to have Internet access and your chances of being hurt by a keylogger will be diminished. Some users need to allow dllhost.exe and rundll32.exe, but me, NO. If you get a SBIE message telling you that it needs to be allowed, then do it, otherwise there is no need.
    You should also allow as few programs as possible to start/run and apply the drop rights settings and you'll be ready to go against keyloggers. A keylogger can hurt you through Firefox if you have installed a bad addon, an infected addon, so be careful about what addons you install. Personally, again, I install as few addons as I can and only install the ones that are well known.

    Bo
     
  8. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    question;
    how does the Droprights feature in SBie compare to Protected Mode for IE or Chrome sandbox?

    with UAC on, both Chrome and IE9 will run at Medium Integrity Level with the tabs/child at Low.

    with SBie Droprights, IE9 runs all its processes at Medium I.L. o_O

    from what i gather, Droprights might be useful only to people running as Admin without UAC.

    can anyone confirm?
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    DropRights - such an ambiguous title when it comes to Sandboxie.

    When enabled, treats the processes in the sandbox as if they were users. This means that the sandbox mimics what happens in the real OS - %windir% and %programfiles% require administrator rights to modify.

    Since c:\sandbox\..\.. is not known to the OS and the rights of users and groups, much can happen in the c:\sandbox directory that would not happen in the real world counterpart locations, such as %programfiles%.

    So then, in order that within the sandbox the environment can be kept to user level or admin level, there is the option to DropRights. Now the sandboxed environment behaves like the real environment would, and only Admins are allowed to install drivers and programs - just like a normal LUA setup would be. Keeps things from getting installed to the sandbox you don't want - and also requires admin rights within the sandbox to do what you do want.

    DropRights - I see why Tzuk displayed very little interest in talking about it - there really isn't much to say, it strips the token within the sandbox. The rest falls into place I suppose.

    Sul.
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i see...

    tnx for taking the time Sully to explain more about that Droprights feature. :)
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Every logged in user has a security token. Within this token are the details as to what the account may or may not do. Simple enough.

    When using UAC, you have 2 security tokens - one for Admin actions, the other for normal usage as a User. Simple enough.

    Every process you create (call it the parent) inherits your security token - the parent can only do what the token allows it. Every process (call it the child) created by the parent process inherits the same security token. So all processes started, no matter how many layers deep, all inherit the same security token.

    This is an easy way to show that as a User, you have certain restrictions and everything you do is bound to those restrictions. It takes the rights of an Administrator to overcome any restrictions. Normally when you want to do something AS an administrator, you do that one thing, then close and finish. This minimizes how much the more powerful Admin security token is actually used and improves the overall security. This is pretty simple too, you stay user only until you need to be Admin, and then go back to User right away.

    Now, Integrity Levels are very similar to rights. Objects and processes can be assigned one of 4 basic levels of integrity. System Integrity would be the highest, and only things used by the OS itself get these. System level items can do what they please - they are the royalty - they command others into action.

    High Integrity would be items that have the trust of Administrators. They cannot tell System items what to do, but they can tell everyone else what to do. If you login as an Admin, your whole experience -- everything you do, will run at High Integrity. Very little will be off limits to you, only System items.

    Medium Integrity would be items that don't have much trust - just like a User. Medium Integrity items cannot start High Integrity Items, can't modify High or System Integrity items. Those items, whether processes or objects, are just off limits for the lower Integrity items. When you login as a User, your whole experience is at the Medium Integrity Level. You can start many programs and do many average things that don't change the system. You can modify your own data usually. But Medium Integrity items have no right to the more protected High Integrity items - so not only would your security token prohibit you from having access to a system area, but it might be that even if you had the correct security token makeup, that the Integrity Levels might restrict you.

    Finally you have the Low Integrity. This is basically an Untrusted Level of Integrity. You cannot really go much lower than this and expect anything to work - normally. When things are run at this level, it means there are not many items/areas they are allowed. You can have the security token of an administrator - full rights - yet if the Integrity Level is at Low, you are still off limits to most of the computer.

    Integrity Levels and security tokens do not do the same thing. They are however a great combination IMHO. The more people understand them the better.

    Sul.
     
  12. chris1341

    chris1341 Guest

    Well I for one certainly understand them better now. I think I got them somewhat confused up till now. Simple, straightforward explanations are surprisingly hard to come by so many thanks for this one.
     
  13. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx Sully.

    i had to read that 2-3 times before it started to sink in. ;)

    i guess your comments reinforce the importance of running under a LUA/SUA account.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes and no. While it does showcase the distinct difference between an account with "root" and an account without "root", it really should show that there is a difference between RIGHTS and INTEGRITY.

    They are not the same thing yet both exist and each strives towards the same end - allow or restrict. To appreciate how they work together, you must understand their differences as well as how they perform in unison together. Thinking an Admin account is of the devil seems to be a growing trend in the last few years, just as thinking LUA alone brings salvation seems to be. UAC has been touted as both good and bad by anyone with an opinion - yet its creators have stated in multiple documents what its purpose is, and that is not to enhance security, but to enhance compliancy.

    The inclusion of Integrity Levels is what has made Vista/7 a more secure platform, not the fact that UAC is offering you an easy path to root. Of course it is more than just Integrity Levels, but if I had to, at this point, give a one factor answer as to what is most improved or what gives the most security, I would say it is Integrity Levels. So, understand what they are, how they work WITH rights, what they don't do, and how you might make the most of them.

    Grains of salt. Always with grains of salt ;)

    Sul.
     
  15. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Thx for the answer sul, I finally understand difference between integrity and rights.

    So my decision to use admin with uac is not that bad at all :D

    One more question: how can we force low integrity? Using icacls?
     
  16. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    IE9 under protected mode and Chrome run their tabs at Low I.L.

    Chromium, Opera and Firefox can be run at Low I.L., including the parent process.

    Sully and others helped me to set it up with Firefox in this thread:
    https://www.wilderssecurity.com/showthread.php?t=299316&highlight=icalcs

    another good thread here:
    https://www.wilderssecurity.com/showthread.php?t=283375
     
  17. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    thx moontan, I'll try those

    is it possible to set the whole drive/folder to run at low integrity?
     
  18. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    yes, like this:
    icacls.exe "c:\program files\myApp" /SetIntegrityLevel (OI)L

    i don't know how to reset the folder to default though.

    i am assuming you have to put M instead of L at the end of the line. (for Medium) :)

    here's another good post on this by Sully:
    https://www.wilderssecurity.com/showpost.php?p=1873693&postcount=72
     
    Last edited: Jun 4, 2011
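The icacls command above only sets the label; the script below is an added example (not from any poster in this thread) that labels a constructed test folder Low, reads the label back from icacls output, and relabels it Medium. It assumes Windows Vista or later and a shell that owns the folder; the folder name and helper function are made up for the demonstration.

```powershell
# Constructed test folder under %TEMP% (not a path from the thread)
$dir = Join-Path $env:TEMP 'il-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

function Get-IntegrityLabel([string]$Path) {
    # icacls prints a "Mandatory Label\<Level> Mandatory Level:(...)" line only
    # when an explicit label ACE is present; no such line means the object is
    # unlabelled, which Windows treats as Medium.
    $hit = icacls.exe $Path |
        Select-String 'Mandatory Label\\(\w+) Mandatory Level' |
        Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'Medium (no explicit label)' }
}

"Before:  $(Get-IntegrityLabel $dir)"

# (OI) applies the label to files inside, (CI) to subfolders, L = Low.
# The default policy on the label is NW (no write up): a process whose token
# carries a lower integrity level than the object cannot write to it.
icacls.exe $dir /setintegritylevel '(OI)(CI)L' | Out-Null
"After L: $(Get-IntegrityLabel $dir)"

# This (Medium) shell can still write into a Low folder; "no write up" only
# blocks writers that sit BELOW the object's level. A Low IL process, by
# contrast, can only write into Low-labelled locations like this one.
Set-Content -Path (Join-Path $dir 'note.txt') -Value 'constructed sample file'

# icacls has no switch that strips the label ACE; relabelling M restores the
# effective default because unlabelled objects are treated as Medium anyway.
icacls.exe $dir /setintegritylevel '(OI)(CI)M' | Out-Null
"After M: $(Get-IntegrityLabel $dir)"
```

Run `icacls.exe $dir` afterwards to see the full ACL next to the label line, and delete the test folder when done.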