Try your anti-keylogger protection

Discussion in 'other anti-malware software' started by aigle, Apr 1, 2008.

Thread Status:
Not open for further replies.
  1. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
So you know yourself very well.

    It's always tricky to depend only on personal experiences; maybe I'm lucky all those years with online transactions, but I was never compromised in this way.

    It's great what Wraithdu added, to forbid any execution except for......, so injecting code into the browser is cut off; it makes SBIE all the more a diamond shining in the digital heaven.

    But for all practical purposes it's a bit redundant, it seems to me.
     
  2. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    I don't use Opera, so I'm not too familiar with how it works, but it sounds like the browser is trying to launch another process to help printing. From the error message, I'd say it's using rundll32.exe. Try adding it to your group list for that sandbox.
     
  3. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    Sandboxie is so versatile that it would be laborious and confusing for new users to try and list everything you can do with it. I don't think something like this belongs in the main SB help pages.

However, an unofficial wiki page might not be a bad idea. I have no experience creating something like that, but perhaps someone else who's interested can get one started.

    FYI, the configs I've posted here, while done by directly editing the INI file for efficiency's sake, can mostly be set up through the GUI. At the moment you cannot create process groups through the GUI, but they become selectable in the different resource sections once created.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I agree.

SandboxIE opens up useful benefits for all users/customers to organize their own best settings that suit each user's individual purposes as needed.

    EASTER
     
  5. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi All

Despite there being a comprehensive Sandboxie forum run by the developer, my impression is that the real nuggets of help come from within Wilders. I don't know whether it's the independence of Wilders or not, but Sandboxie is not the only example; there are many other forums exhibiting similar traits.

    Perhaps it's the absence of acolytes dedicated to the cause rather than pursuit of excellence that makes Wilders what it is.

    Certainly wraithdu is an example of support of the many by the few without the trappings of developer decorum.

    Terry
     
  6. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Can these settings be copied directly and set into sandboxie, or do I have to modify them to suit my setup? These settings will still allow my default browser - FF - to connect to the net?
     
  7. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
Yes, you can do that if you have a Global ProcessGroup rule.

    ProcessGroup=<restricted>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
     
  8. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    OK, thanks. Where can I enter a ProcessGroup (that can be seen under Global Settings) in SB 3.24?
     
  9. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Yeah under Global Settings
     
  10. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    OK, here are my settings for my default box (I only use this to browse). Would I be okay with this or do I need to add/remove something?

     
  11. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    You can just allow only Firefox to connect to the internet. No reason to give internet access to Sandboxie components.

    ClosedFilePath=!firefox.exe,\Device\RawIp
    ClosedFilePath=!firefox.exe,\Device\Ip*
    ClosedFilePath=!firefox.exe,\Device\Tcp*
    ClosedFilePath=!firefox.exe,\Device\Afd*

You don't need all of these:

    ClosedFilePath=!<restricted>,*
    ClosedIpcPath=!<restricted>,* <- This is enough.
    ClosedKeyPath=!<restricted>,*

Only ClosedIpcPath is enough, because other programs can't run, so there aren't any other programs which want to access the registry and so on.

    If you like, you can use that ClosedFilePath rule to block some hard drive access.

    Actually, registry blocking isn't such an easy task to complete. Even a portable browser needs some read access to the registry. I'm trying now to find/edit a portable browser which doesn't need ANY access to the registry. Suggestions are welcome...

EDIT: Actually, these are useless too, because those can't run :D

    LingerProcess=wuauclt.exe
    LingerProcess=devldr32.exe
    LingerProcess=syncor.exe
    LingerProcess=jusched.exe
    LingerProcess=acrord32.exe
     
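Added example, not code from any poster in this thread: a small Python evaluator for the Sandboxie rule syntax MikeNAS uses in posts 7 and 11 (ProcessGroup, ClosedFilePath, ClosedIpcPath). It assumes Sandboxie's documented semantics, that a bare path applies to every sandboxed program, `prog.exe,path` only to that program, `!prog.exe,path` to every program except that one, and `<name>` refers to a ProcessGroup. The rule list is constructed from the thread; box/global section merging and OpenFilePath exceptions are left out.

```python
"""
Evaluate Sandboxie-style Closed*Path rules against a program and a resource.
Added example; assumes the documented rule syntax:
  ProcessGroup=<name>,prog1.exe,prog2.exe   define a group
  ClosedXxxPath=path                        closed for every sandboxed program
  ClosedXxxPath=prog.exe,path               closed only for prog.exe
  ClosedXxxPath=!prog.exe,path              closed for everyone EXCEPT prog.exe
'<name>' in the program position refers to a group; '*' is a wildcard.
Matching is case-insensitive, as in Sandboxie.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed sample: the rules discussed in the thread, as one flat list.
SAMPLE_INI = r"""
ProcessGroup=<restricted>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
ClosedFilePath=!firefox.exe,\Device\RawIp
ClosedFilePath=!firefox.exe,\Device\Ip*
ClosedFilePath=!firefox.exe,\Device\Tcp*
ClosedFilePath=!firefox.exe,\Device\Afd*
ClosedIpcPath=!<restricted>,*
"""

Rule = Tuple[bool, str, str]  # (negated, program-or-group selector, path pattern)


def parse_ini(text: str) -> Tuple[Dict[str, List[str]], Dict[str, List[Rule]]]:
    """Return (groups, rules); rules are keyed by setting name, e.g. 'ClosedFilePath'."""
    groups: Dict[str, List[str]] = {}
    rules: Dict[str, List[Rule]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "ProcessGroup":
            name, *members = [p.strip() for p in value.split(",")]
            groups.setdefault(name.lower(), []).extend(m.lower() for m in members)
        elif key.startswith("Closed"):
            prog, sep, path = value.partition(",")
            if not sep:                 # no program part: rule applies to everyone
                prog, path = "", prog
            prog = prog.strip()
            negated = prog.startswith("!")
            rules.setdefault(key, []).append((negated, prog.lstrip("!").lower(), path.strip()))
    return groups, rules


def program_matches(selector: str, program: str, groups: Dict[str, List[str]]) -> bool:
    """Does `selector` (a program name pattern or <group>) name `program`?"""
    program = program.lower()
    if selector.startswith("<") and selector.endswith(">"):
        return program in groups.get(selector, [])
    return fnmatchcase(program, selector)


def is_closed(setting: str, program: str, resource: str,
              groups: Dict[str, List[str]], rules: Dict[str, List[Rule]]) -> bool:
    """True if `resource` is closed to `program` under `setting` (e.g. 'ClosedFilePath')."""
    for negated, selector, pattern in rules.get(setting, []):
        if not fnmatchcase(resource.lower(), pattern.lower()):
            continue
        if selector == "":
            return True
        applies = program_matches(selector, program, groups)
        # A plain selector closes the resource when it matches; a '!' selector
        # closes it for everyone the selector does NOT match.
        if negated != applies:
            return True
    return False


def network_reachable(program: str, groups, rules) -> bool:
    """Can `program` open any of the network device objects the thread blocks?"""
    devices = [r"\Device\RawIp", r"\Device\Ip", r"\Device\Tcp", r"\Device\Afd"]
    return any(not is_closed("ClosedFilePath", program, d, groups, rules) for d in devices)


if __name__ == "__main__":
    g, r = parse_ini(SAMPLE_INI)
    for prog in ["firefox.exe", "Start.exe", "SandboxieRpcSs.exe", "cmd.exe"]:
        ipc = "blocked" if is_closed("ClosedIpcPath", prog, r"\RPC Control\x", g, r) else "allowed"
        net = "allowed" if network_reachable(prog, g, r) else "blocked"
        print(f"{prog:22} network={net:8} ipc={ipc}")
```

Running it shows the effect MikeNAS describes: only firefox.exe reaches the network devices, the Sandboxie helper processes keep IPC but lose network access, and a program outside `<restricted>` (cmd.exe here) loses both.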
  12. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Thanks Mike. Settings for ClosedFilePath can also be done through: Sandbox - DefaultBox - Sandbox Settings - Resource Access - File Access, right?
     
  13. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Is that good or bad?
     
  14. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
Yeah, that's correct.

    EDIT: So I'm trying to find that portable browser because I want to build a setup where Sandboxie components can access the registry but not connect to the internet. The browser can't access the registry but can access the internet. That sounds safest to me. With a portable browser there might be a situation where I can also block whole system drive file access too (not Sandboxed components' access).
     
  15. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
Good or bad what? Your ini file is OK. There are just useless rules. Those don't tighten or weaken your setup.

    Here is your edited ini file, which does all the same:

     
  16. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Thanks Mike, I got a little confused...:rolleyes:
     
  17. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    aigle,

    Did you try the tests on SnoopFree?
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nope, SnoopFree is outdated, no longer under development.
     
  19. LeVuHoang

    LeVuHoang Registered Member

    Joined:
    Dec 21, 2007
    Posts:
    53
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
Btw, I've checked out Zemana AL and it can pass all the AKLT2.exe tests, but it won't block keyloggers automatically; you will first have to respond to alerts, and since it's impossible to know if a certain hook is malicious or not, that's a serious drawback. But it seems to be a much more stable version of FireLion's AK, plus it has got some limited HIPS capabilities. Nice, but not really worth the money IMO.
     
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
Yes, there was some issue in OA discovered that allowed the files digitally signed by trusted certificate issuers (Verisign, GlobalTrust etc.) to be autotrusted, and as a result allowed.

    This is fixed now to check not only the issuer, but the signature owner as well.

    As for the keylogger, there is no need to run it safer; it is enough to untrust it (set unknown manually), and this makes the trick. At the moment I know of no keylogger that OA was unable to stop.
     
    Last edited: Apr 12, 2008
  22. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
All these tests were run from within the Forcefield browser session.
    The download was never 'saved' to disk. Options chosen were
    'Run' and 'Runfile'.

    Key Logger Simulation Test - - - - - FAIL
    Screen-Logger Simulation Test - - - PASS
    Webcam Logger Simulation Test - - not applicable
    Clipboard Logger Simulation Test - - FAIL

Isn't it stuff like this that Forcefield is supposed to protect us from?
    In all fairness, FField gave yellow warnings for each test.

    ZA firewall didn't even give a warning o_O
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
Which version of ZAFF are you testing? IE? Firefox?
    Maybe something has changed with the latest version?
    And you can save the keylogger on your HD... no difference.

    Are you writing within the browser, right? ZAFF does not protect you if you write in, let's say, Microsoft Word...

    ZAFF does not warn you... no pop-up to answer, no decisions to make.
    Just kill the logger or the means used by the keylogger.
    I will post a grab later :D

    EDIT: Tested it again with latest ZAFF 1.0.322.0, IE7, VISTA (tested on XP same result)

    Key Logger Simulation Test - - - - - PASS

    I cannot post a screenshot... ZAFF kills it! LOL

    Cheers,
    Fax
     
    Last edited: Apr 16, 2008
  24. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    It was capturing the keystrokes when I opened a ms word document. As you mentioned, no keystrokes are captured that are entered on a webpage.

    The clipboard test failed.

    For each test ZAFF gave a yellow warning bar at the top of the screen.

    ZA Firewall didn't give any warning at all.
     
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
Yep, ZAFF is designed to protect the browser, not other applications.

    Which version of ZA firewall are you using? The free version has no HIPS.
    I had to allow the keylogger in ZASS (suite) to test it in ZAFF since ZA OS firewall blocked it. Check that ZA program control is not set to 'autolearn'. But indeed ZAFF is far more aggressive than ZA OS firewall on key-loggers and screenloggers, you can use the Anti-Keylogger Tester (AKLT) to compare.

    Cheers,
    Fax
     
    Last edited: Apr 17, 2008