Seeking intrepid souls to test something...

Discussion in 'other security issues & news' started by Sully, Jun 28, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have been in the mood to reconfigure Sandboxie. I have been in the mood to learn something new. A test then. Anyone care to participate?

    The test is simple. Install win7, and apply no updates, just bare bones install. Turn off the firewall. Turn off UAC. Do your normal stuff, don't change a thing except make sure you don't do any sensitive activities.

    Install Chrome or Chromium (I am using Chromium). Install Sandboxie paid. Force the c:\users\<username>\downloads directory into a sandbox that allows no outbound network access. Make sure Chrome\Chromium does not prompt you to save files, but saves everything to the downloads directory automatically.

    I have set the 1806 zones value to 1, so that all files from the internet or intranet zone are prompted before executing.

    That's it. No SRP, no applocker, no UAC, no FW, no AV, nothing but what is stated above. No deny execute, no Integrity Levels.

    I have been using this for 1 week now. You must take precautions if you are going to bank online or something, let's not be stupid ;) This is a test. You must know how to monitor what is running. You must be familiar with your processes and services, to be able to determine what is out of place. It isn't hard to do, you simply have to do it to find out.

    Will my computer become infected? Will I get the plague? Will someone steal my identity, and a new Sully starts posting on the forums. Will you regkogniz thee nuu Suwlly? Kan tha knu Sewlly cpell kerectically? Will the world blow up? Will I win the lottery?

    Anyone want to test? It is my hypothesis that I will not become compromised. The reason is simple. I believe it has more to do with what I do and where I go, than with what security "tools" I have in place. A wise man is prudent, and takes proper precautions, and I normally do. But this test is to see, what really will happen?

    Anyone? Anyone at all?

    Sul.
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    not me, because i agree 100%.

    i'm only running with UAC at max lately.
    i'm pretty sure i could run like this for months without getting infected.
    i think this security/paranoia sometimes present here at Wilders is way overblown.

    you pretty much have to install a malware yourself to get infected these days...

    the only concession to security i'm willing to make is a fully patched OS and UAC.
    and I use Rapport for online banking just to be on the safe side.
    there's Norton DNS but it hasn't detected anything in over 2 months.
     
  3. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Suppose the sandbox that opens the download directory is called Test.
    Could you please provide the relevant entries in sandboxie.ini to achieve what you suggest.

    Could you also provide a .reg file that does this. Thanks.
     
  4. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    this might help for the time being:
    https://www.wilderssecurity.com/showpost.php?p=1892121&postcount=72
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @soccerfan

    I must point out, you should have an image you can restore to, just in case your habits prove dangerous :blink:

    Here is what I am using in my sandbox. It is a default sandbox, with these exceptions:
    Code:
    ForceFolder=C:\Users\<your user name goes here>\Downloads
    NotifyInternetAccessDenied=y
    ClosedFilePath=\Device\RawIp6
    ClosedFilePath=\Device\Udp6
    ClosedFilePath=\Device\Tcp6
    ClosedFilePath=\Device\Ip6
    ClosedFilePath=\Device\RawIp
    ClosedFilePath=\Device\Udp
    ClosedFilePath=\Device\Tcp
    ClosedFilePath=\Device\Ip
    ClosedFilePath=\Device\Afd*
    Here is a .bat file you can create to turn the 1806 to 1 for prompting:
    Code:
    @echo off
    reg add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1806 /t REG_DWORD /d 1 /f
    and here is one for turning it off:
    Code:
    @echo off
    reg add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1806 /t REG_DWORD /d 0 /f
    here it is in .reg format, for enabling prompting:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1806"=dword:00000001
    and here it is to turn it off:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1806"=dword:00000000
    ** NOTE ** the default value should be 1. A 0 turns it off, and a 3 will tell you it blocked execution.

    If you modify the zones\3 to zones\1, it then applies to your intranet (lan) instead of internet.

    Sul.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Take a look here.

    Just in case... :p
     
  7. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Thanks all.

    @Sul:
    In your first post you mention:
    but in your last post above, you say:
    So, does setting the value to '1' prompt for both intranet and internet files or just intranet? Thanks again.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    They are handled separately.

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1806"=dword:00000001
    
    This will apply for the Internet zone.

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1806"=dword:00000001
    
    This one applies to the Intranet zone.

    -edit-

    That means that you'll get a different alert, depending on what value you add.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The zones registry keys have the same values within each, but each "zone" allows you to apply a setting to a zone, as follows:
    Code:
       0        My Computer
       1        Local Intranet Zone
       2        Trusted sites Zone
       3        Internet Zone
       4        Restricted Sites Zone
    The value 1806 is in each zone (or could be), and it has the following definition:
    Code:
       1806     Miscellaneous: Launching applications and unsafe files
    A dword value of 0 is do nothing, a value of 1 is to prompt before execution and a value of 3 is to deny execution but inform the user.

    When a file is downloaded, it "can" have an ADS (alternate data stream) tagged onto it. The ADS in this case simply defines what zone the item originated in. If it came from zone 1 (a server or other computer on your network) you can add that 1806=3 value into the "zone 1" registry key, and it will be treated exactly like what Kees tells about for the "internet zone". It isn't much security when set to 1, because it is easy to execute, but I use it so that IF something from internet/intranet attempts to execute without my knowledge, I get a chance to see it and decide what to do.

    HTH.

    Sul.
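One way to see the zone table, the 1806 value and the ADS together, as an added example that is not code from the thread: a Python script that reads the Zone.Identifier stream on each file in Downloads, maps its ZoneId to the zone table above, looks up that zone's 1806 value under the Policies key path used in the posts, and reports whether a launch would run silently, prompt, or be blocked. It assumes Windows with an NTFS volume for the live checks; the sample stream body is constructed, and the parsing and prediction parts run anywhere.

```python
# Added example, not from the thread. Reads the Zone.Identifier ADS that marks
# downloaded files, maps ZoneId to the zone table above, and looks up that zone's
# 1806 policy value to predict whether a launch runs, prompts, or is blocked.
import os

ZONES = {0: "My Computer", 1: "Local Intranet Zone", 2: "Trusted sites Zone",
         3: "Internet Zone", 4: "Restricted Sites Zone"}
ACTION_1806 = {0: "run silently", 1: "prompt before execution", 3: "block and inform user"}
POLICY_KEY = r"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d"
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"  # constructed mark of an Internet download

def parse_zone_identifier(stream_text):
    """Return the ZoneId from the text of a Zone.Identifier stream, or None if absent."""
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                return int(value.strip())
    return None

def read_zone_identifier(path):
    """Read the stream from an NTFS file; None when absent (FAT volume, local file)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None

def read_1806(zone_id):
    """Read the zone's 1806 policy value; None if unset or not running on Windows."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY % zone_id) as key:
            return winreg.QueryValueEx(key, "1806")[0]
    except (ImportError, OSError):
        return None

def predict(zone_id, setting_1806):
    """Describe what launching a file marked with zone_id does under a 1806 value."""
    if zone_id is None:
        return "no zone mark: launched without a zone prompt"
    zone = ZONES.get(zone_id, "unknown zone")
    action = ACTION_1806.get(setting_1806, "1806 not set in policy key: default applies")
    return "%s (ZoneId=%d): %s" % (zone, zone_id, action)

if __name__ == "__main__":
    print(predict(parse_zone_identifier(SAMPLE_STREAM), 1))
    downloads = os.path.expanduser("~/Downloads")
    for name in sorted(os.listdir(downloads)) if os.path.isdir(downloads) else []:
        zone_id = parse_zone_identifier(read_zone_identifier(os.path.join(downloads, name)) or "")
        print("%-40s %s" % (name, predict(zone_id, read_1806(zone_id) if zone_id is not None else None)))
```

It consults only the Policies key used in the thread; the same 1806 value can also live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, which this script does not read.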
     
  10. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Thanks for the explanations m00nbl00d and Sully. Much appreciated :thumb:
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, you should be warned that the ADS will only come to play if your system is formatted with NTFS.
     
  12. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Thanks. I do have it formatted with NTFS.
    But I have XP Home and, upon further reading, found that the 1806 tweak (especially with value=3)
    may not display the 'unblock button' in the properties tab (of a downloaded file). Is this really the case?
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I did something similar for a month but no sandboxie. No infection.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't doubt it. The reason I include SBIE in this is that I actually want things to execute, or at least attempt to, and further I want to allow it. However, I don't actually want it to enter the real system. Instead, let it do its thing in SBIE. I can see what it did much easier, especially if using BSA.

    If you set the 1806 value to 1, you get the option, which is what I wanted for this test. That way I know something is going on, and I can focus on what is happening.

    Like I said, this test is to see how habits affect exploitation. I don't think my habits will pose a risk. Ideally it would be nice if others would test it who might have radically different habits, and the results could be compared.

    What will the end conclusion be? Not sure really. Maybe it is only to see, in normal everyday usage, just how extreme does one really need to go? This doesn't address everything of course, like email or adobe, etc. Since one person's habits will differ from another's, and thus their threats, I can't say to everyone "use this or do things this way" because they are not me. So it is interesting to see what will happen with a bare minimum of security in place.

    Sul.
     
  15. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    interesting thread.

    i have been running without any sort of real-time protection in place (no antivirus, sandbox, rollback software etc). so how do i know if i have been infected? 9 on demand scanners :D

    best setup i have ever had, i set active@ disk image to run scheduled full image backups every night at 5am (set and forget) and then i run the on demand scanners around once every week or 2. if any scanner finds any sort of infection then i restore a clean image (although to this day i have not been infected)

    to me this is the ultimate in light security :thumb:

    edit- windows and all software is kept up to date and i also run scans from outside windows (boot disks) once every 2 months (still not detected anything to this date :thumb: )
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Interesting approach... I got nothing against it, but you could run all the existing antimalware scanners, they all would fail detecting so many infections... So, the question is: If what you use to know your system is clean are 9 scanners, how do you know your system is clean?
     
  17. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    of course 9 scanners and multiple boot disks will detect virtually any malware i have as the scanners will have many weeks or months to add signatures in the engine.

    and how do i know my system is clean? i don't, the same as you don't KNOW your system is clean ;)

    but i think i have a greater chance of finding out if i have an infection than those who run realtime scanners.

    edit- and i must say that i'm a very knowledgeable user so that helps :)
     
    Last edited: Jun 28, 2011
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is an after-the-fact way of doing things. It is but one of many ways to approach it. Nothing wrong with it if it works for you.

    I would rather not handle things after the fact. I would rather stop things before they happen.

    This test I am talking about is hopefully a way to show me what might happen by only using a browser that is utilizing sandbox technology and controlling what executes. It is going to show me whether what I do on a daily basis ever poses a threat. I must know what processes/services are normally running, so I can tell if new/unwanted ones begin.

    This is not about proving to anyone, anything. It is for others who like myself choose to have a minimalistic approach, to perhaps form some data cumulatively, that might help us to understand better how WHAT we do affects our security.

    It is my belief that the majority of my "threats" will come in via the browser, as the only thing I do on the internet without the browser is either play streaming media, play a game or specific programs that require it. Some programs might have exploits, such as Teamspeak which I use quite a lot. I would like to think that those types of programs are not much of a threat. So instead, all email and browsing and movies etc are done in the browser, so it is the #1 threat IMO and I would like to know, for myself, what will happen when I only use this configuration.

    Time will tell, but I plan on keeping this setup for quite some time to see what might happen.

    Sul.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Exactly. Solely relying on imaging and on-demand scanners doesn't suffice, IMHO. We aren't truly preventing anything. I guess this approach works if xyz user doesn't do any sensitive tasks in their systems, like accessing their bank accounts.

    They don't care whether or not they'll be infected for a short time, until they reimage.

    It's an approach... :argh:

    By the way, you said no firewall, but I believe you're behind a router? ;)
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am most certainly behind a router, if you are talking to me.

    Sul.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Only way I'll be willing to do this is within a virtual machine.
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, I understand. It is not everyone who can forsake their everyday doings to test something like this. For me, it is feasible, for many, maybe not.

    VM would work fine, the only downfall would be that time spent with it would be fractional compared to a real machine. I thought about only doing this in a VM, but I wanted to go day to day, to get the most exposure.

    This is not a ground breaking experiment, or really much of anything to be honest. It is only to see if anyone else would both like to participate to get greater information and to learn something. If a dozen others try this, what will each experience? Will 90% remain problem free indefinitely? Or will 50% find they develop an issue? What are the issues then that cause the problem? Going to a warez site? Or some drive by executable that bypassed the sandbox of the browser? Or was it only due to user error in being tricked to say "yes" to a prompt?

    That is what I want to find out. The approach is quite minimal, and flies in the face of contemporary thoughts of the day. Don't use a firewall? No AV? Don't update the OS? All of these are today a de facto standard. But, are they necessary? The only way to find that out is to try it, 24/7. It is because of the spirit of this forum, and the aptitude that users have, or try to gain. The spirit here of sharing knowledge, and the quest to be secure and stop having the same problems that most of the world has. Not everyone can do this. Not everyone should. But, we are not everyone here, are we? We are interested. We like to learn. We like to experiment. Whether "we" are only mildly interested, or seriously addicted, there is no place I know of quite like Wilders. There might be, I just haven't found it yet ;)

    I have been slimming down my security time and time again, and every time I do, I still remain problem free. But as I said, I think it is more what I do than what I use for security. Will it be that way for the majority?

    Sul.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Same here. I feel that Comodo is overkill on my system, I only use it because I already have it set up and it's light enough to not bother me.

    edit: I could never truly do this test as my router blocks ads via the MVPS hosts file for everyone on my network. If I were to take it off I'd have to go through the process of setting it up for individual computers on my network... so I can't do that.

    Let's be honest, the web isn't as scary as some might like to believe. You can go without these overkill setups that we all have, most people do.
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The web is getting scarier, with no change in sight. Always better safe than sorry.
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I think there are plenty of dangers for the novice user. I am not so sure it is the same for the informed. But, the landscape is changing too. It seems to me that there is more focus on fooling you than anything else. Sasser and the like seem to have fallen off the hackers' popularity chart or something. Now you have to be vigilant in what you say "yes" to.

    This is my focus then, for the informed user, how can I be safe and not sorry, while at the same time not being a slave to the security machine? I am tired of keeping up with the latest and greatest. I don't have problems because of what I know and what I do. Even at that, with my minimal approach, am I still over-doing it? Can many here with knowledge do without all the frills?

    Sul.
     