for maximum protection,stop activity in all sandboxes ,Why

Postby pool » Mon Dec 05, 2011 6:00 pm

Until now I have been using SB just to do my banking, but seeing the rising threat level I am now using SB for regular browsing and email; this works perfectly!
As far as safe banking is concerned, I read:
"Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection."
Why is this?
My settings:

[bank]
Enabled=y
ConfigLevel=7
Template=IExplore_Cookies_DirectAccess
Template=IExplore_Favorites_DirectAccess
Template=IExplore_Force
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
BorderColor=#00FFFF
BoxNameTitle=y
AutoDelete=y
NeverDelete=n
NotifyInternetAccessDenied=y
ProcessGroup=<InternetAccess>,*,iexplore.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
LeaderProcess=iexplore.exe
OpenPipePath=D:\downloads\

I sometimes have other sandboxes open, like my email client (with mail I am working on) and sandboxed Firefox, so it is inconvenient to close all boxes. If necessary I will do so, but I'd like to know the reason.
I presume I use "The Terminate All Programs command"?
Thanks
pool
 
Posts: 47
Joined: Wed Oct 08, 2008 1:48 pm

Re: for maximum protection,stop activity in all sandboxes ,W

Postby Guest10 » Mon Dec 05, 2011 7:13 pm

I can't answer your main question.
pool wrote:
ProcessGroup=<InternetAccess>,*,iexplore.exe
OpenPipePath=D:\downloads\
Regarding the wild card character (*) in your Internet Access Process Group:
Having Internet Access Restrictions turned on automatically prevents programs whose .exe files are located inside of the sandbox from having Internet Access.
Is it your intention to allow any program whose .exe file is located outside of the sandbox to be able to access the Internet when using that sandbox, instead of adding a long list of .exe programs to the ProcessGroup line?
I can sympathize with that, if it is your intention, because my ProcessGroup line for programs that have Start/Run access is quite long.

OpenPipePath gives a little more direct access to the D:\Downloads folder than I would recommend, since the setting applies to all programs that use the sandbox, including programs whose .exe file is located inside of the sandbox.
An OpenFilePath setting might be more appropriate than an OpenPipePath setting, since only programs whose .exe file is outside of the sandbox would be allowed to make use of OpenFilePath.
Paul
XP Pro SP3 (Admin), Zone Alarm Pro Firewall, Malwarebytes Pro, Firefox 34, Thunderbird 31.
Sandboxie user since March 2007.
Guest10
Top Poster
 
Posts: 4867
Joined: Sun Apr 27, 2008 10:24 pm
Location: Ohio, USA

Re: for maximum protection,stop activity in all sandboxes ,W

Postby pool » Mon Dec 05, 2011 9:52 pm

Thanks for responding.
Guest10 wrote:
Regarding the wild card character (*) in your Internet Access Process Group:
Having Internet Access Restrictions turned on automatically prevents programs whose .exe files are located inside of the sandbox from having Internet Access.
Is it your intention to allow any program whose .exe file is located outside of the sandbox to be able to access the Internet when using that sandbox, instead of adding a long list of .exe programs to the ProcessGroup line?
I can sympathize with that, if it is your intention, because my ProcessGroup line for programs that have Start/Run access is quite long.

No, the (*) is a mistake; I only want iexplore.exe to be able to run.
To me, this dialog is somewhat confusing. At the top it says: "the following programs can access the internet", and at the bottom it says:
"When this feature is enabled, programs that are installed (or downloaded) into the sandbox will never be allowed to access the Internet." So if I put iexplore.exe there it can't access the internet..... Obviously this is not so. The help says:
"when any restrictions are in effect programs that are installed (or downloaded) into the sandbox will never be allowed to access the Internet." This is better to understand (to me).
Guest10 wrote:
OpenPipePath gives a little more direct access to the D:\Downloads folder than I would recommend, since the setting applies to all programs that use the sandbox, including programs whose .exe file is located inside of the sandbox.
An OpenFilePath setting might be more appropriate than an OpenPipePath setting, since only programs whose .exe file is outside of the sandbox would be allowed to make use of OpenFilePath.

I only use it to download bank statements; if it is safer I can use "Immediate Recovery" to recover the files.
pool
 
Posts: 47
Joined: Wed Oct 08, 2008 1:48 pm

Re: for maximum protection,stop activity in all sandboxes ,W

Postby Guest10 » Tue Dec 06, 2011 12:21 am

pool wrote:
i only want iexplore.exe to be able to run.
ProcessGroup=<InternetAccess>,*,iexplore.exe
Well, when you remove the wild card and comma (*,) from the line, be prepared to start adding more .exe programs to the list.
Listing programs that are allowed Internet access might not be as bad as listing all programs that can Start and Run using the sandbox. I have quite a list, for that.
I don't use Internet Access restrictions, because I use a firewall program and programs that cannot start and run are not going to be able to access the Internet, anyway.
pool wrote:To me, this dialog is somewhat confusing
Some do have a hard time understanding, but it all depends on where the .exe file that is asking for Internet access is located. When the Internet Access Restriction is turned on, only .exe files that are located outside of the sandbox can be allowed to access the Internet while using that sandbox.
The files for these .exe programs remain outside of the sandbox, even though they are running under Sandboxie's supervision.
If any .exe file finds its way into the sandbox, such as being downloaded there, it will not be allowed Internet access even if the name matches an .exe program that is located outside of the sandbox - such as iexplore.exe.
pool wrote: I only use it to download bank statements; if it is safer I can use "Immediate Recovery" to recover the files.
An OpenFilePath setting
(Sandbox Settings > Resource Access > File Access > Direct Access)
should be OK to use, instead of:
(Sandbox Settings > Resource Access > File Access > Full Access)

With any direct access setting, you should limit what programs can make use of it, though.
Sandbox Settings > Resource Access > File Access > Direct Access
"Add Program" button: iexplore.exe <-- if that's the program that saves the bank statements
"Add" button: Navigate to and select the D:\Downloads folder.
results in:
OpenFilePath=iexplore.exe,D:\Downloads\
Paul
XP Pro SP3 (Admin), Zone Alarm Pro Firewall, Malwarebytes Pro, Firefox 34, Thunderbird 31.
Sandboxie user since March 2007.
Guest10
Top Poster
 
Posts: 4867
Joined: Sun Apr 27, 2008 10:24 pm
Location: Ohio, USA

Re: for maximum protection,stop activity in all sandboxes ,W

Postby Lumberjack » Tue Dec 06, 2011 1:23 pm

pool wrote:
Until now I have been using SB just to do my banking, but seeing the rising threat level I am now using SB for regular browsing and email; this works perfectly!
As far as safe banking is concerned, I read:
"Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection."
Why is this?
My settings:

[bank]
Enabled=y
ConfigLevel=7
Template=IExplore_Cookies_DirectAccess
Template=IExplore_Favorites_DirectAccess
Template=IExplore_Force
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
BorderColor=#00FFFF
BoxNameTitle=y
AutoDelete=y
NeverDelete=n
NotifyInternetAccessDenied=y
ProcessGroup=<InternetAccess>,*,iexplore.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
LeaderProcess=iexplore.exe
OpenPipePath=D:\downloads\

I sometimes have other sandboxes open, like my email client (with mail I am working on) and sandboxed Firefox, so it is inconvenient to close all boxes. If necessary I will do so, but I'd like to know the reason.
I presume I use "The Terminate All Programs command"?
Thanks


I have only one question. Where am I supposed to write this configuration in Sandboxie, in what section?
And how?
Is this configuration enough for protection, but still will not disable my internet, opening and surfing with Mozilla Firefox and Internet Explorer? I only hope this maximum configuration will not freeze my computer, so I can't open anything at all.
Thanks.
Lumberjack
 
Posts: 88
Joined: Fri Nov 25, 2011 6:37 am

Re: for maximum protection,stop activity in all sandboxes ,W

Postby pool » Tue Dec 06, 2011 5:05 pm

@Guest10
Thank you for the elaborate explanations; I'll use them to strengthen the "bank" sandbox.
And when I find the time I'll read up some more on the config options.
Cheers
PS, I would still like to know the answer to the original question.... anyone?
pool
 
Posts: 47
Joined: Wed Oct 08, 2008 1:48 pm

Re: for maximum protection,stop activity in all sandboxes ,W

Postby pool » Tue Dec 06, 2011 5:15 pm

@Lumberjack

Lumberjack wrote:
I have only one question. Where am I supposed to write this configuration in Sandboxie, in what section?
And how?

See http://www.sandboxie.com/index.php?SandboxieIni
Lumberjack wrote:
Is this configuration enough for protection, but still will not disable my internet, opening and surfing with Mozilla Firefox and Internet Explorer? I only hope this maximum configuration will not freeze my computer, so I can't open anything at all.
Thanks.

This is just my personal setup; it is not a proven safe banking config. Ask the more experienced members here for recommendations.
pool
 
Posts: 47
Joined: Wed Oct 08, 2008 1:48 pm

Re: for maximum protection,stop activity in all sandboxes ,W

Postby bs1 » Tue Dec 06, 2011 5:28 pm

pool wrote: PS, I would still like to know the answer to the original question.... anyone?

Hi pool.

Assumptions:

1) You're referring to your question that asked: "Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection. " Why is this ?

2) You read that in the keylogger section: http://www.sandboxie.com/index.php?Dete ... ers#defend

If the above assumptions are correct, then my understanding is that tzuk makes that recommendation to mitigate the possibility of active malware contained in sandbox A monitoring browsing activity (such as banking) occurring in sandbox B.
Desktop: XP Pro SP3 32bit, Sandboxie 3.72, NOD32 AV, MBAM (free), Windows Firewall + router
Laptop: Win7 Home Pro 64bit, Sandboxie 3.76, Panda Cloud (free), Windows Firewall
bs1
 
Posts: 555
Joined: Fri May 16, 2008 5:32 pm

Re: for maximum protection,stop activity in all sandboxes ,W

Postby pool » Tue Dec 06, 2011 11:16 pm

bs1 wrote:
pool wrote: PS, I would still like to know the answer to the original question.... anyone?

Hi pool.

Assumptions:

1) You're referring to your question that asked: "Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection." Why is this?

2) You read that in the keylogger section: http://www.sandboxie.com/index.php?Dete ... ers#defend

Indeed I did.
bs1 wrote:
If the above assumptions are correct, then my understanding is that tzuk makes that recommendation to mitigate the possibility of active malware contained in sandbox A monitoring browsing activity (such as banking) occurring in sandbox B.

This I don't understand; this would defeat the sandbox concept, which is that malware can't "escape" from the sandbox.
This point is not all that important to me. I trust SB and I'll follow his advice of course; I was just curious.
pool
 
Posts: 47
Joined: Wed Oct 08, 2008 1:48 pm

Re: for maximum protection,stop activity in all sandboxes ,W

Postby bs1 » Wed Dec 07, 2011 4:46 am

pool wrote: This I don't understand; this would defeat the sandbox concept, which is that malware can't "escape" from the sandbox. This point is not all that important to me. I trust SB and I'll follow his advice of course; I was just curious.

If keylogger code is in sandbox A, it will stay contained in sandbox A, so you're right...it can't escape from that sandbox. However, the keylogger can still be monitoring* activity going on with your computer, including keystrokes you are entering in other sandboxes. The fact that the keylogger is contained in a sandbox doesn't mean it is stopped from doing its dirty deeds*. It just means it is contained in the sandbox and can be flushed when the contents of that sandbox are deleted.

* There are fairly simple ways to harden your sandbox to lessen the risk factor here.
Desktop: XP Pro SP3 32bit, Sandboxie 3.72, NOD32 AV, MBAM (free), Windows Firewall + router
Laptop: Win7 Home Pro 64bit, Sandboxie 3.76, Panda Cloud (free), Windows Firewall
bs1
 
Posts: 555
Joined: Fri May 16, 2008 5:32 pm

Postby ssj100 » Wed Dec 07, 2011 5:23 am

bs1 pretty much sums it up well.

Also, do remember that Sandboxie's main aim is to prevent permanent changes to your REAL system. This means malware could be operating "freely" in the sandbox, but it would be unable to make any permanent changes to the REAL system.

But because malware could potentially be operating "freely" in a sandbox, for those who don't regularly delete the sandbox, the best protection would be to use a separate sandbox for trusted browsing (eg. banking) while ensuring all other activity in other sandboxes is "shut down" during that banking session.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
 
Posts: 873
Joined: Thu Apr 23, 2009 6:21 am

Postby pool » Wed Dec 07, 2011 10:35 am

@ BS1 & ssj100

I should have thought of this myself; a valid reason to close other sandboxes is indeed the possibility of malware running, especially keyloggers, not a good idea when you do your banking........
An aside; taking this into account, installing a program in a sandbox for a longer period (which I don't do myself) would maybe not be a good idea, as there would always be a Sbox open.

bs1 wrote:
* There are fairly simple ways to harden your sandbox to lessen the risk factor here.

If you have time, could you maybe elaborate? Always willing to learn, thanks.
pool
 
Posts: 47
Joined: Wed Oct 08, 2008 1:48 pm

Postby bs1 » Wed Dec 07, 2011 7:10 pm

pool wrote:
* There are fairly simple ways to harden your sandbox to lessen the risk factor here.
If you have time, could you maybe elaborate? Always willing to learn, thanks.


Users of Sandboxie have varying methods to harden their sandboxes based on their unique needs and comfort level, but here are some fairly common ones:

(a) configure the sandbox to automatically delete contents http://www.sandboxie.com/index.php?DeleteSettings (so that every time you use the sandbox it is fresh with no possibility of keyloggers, etc. lingering in it from a previous browsing session)

(b) configure the sandbox so only your browser has internet access http://www.sandboxie.com/index.php?Rest ... s#internet

(c) if you have any private/personal information stored on your computer, such as tax return information or account numbers in My Documents, then use File Access>Blocked Access to restrict access to that information during your browsing session http://www.sandboxie.com/index.php?Reso ... tings#file

(d) if the only program you need running during your browsing session is your browser, then use Start/Run Access to configure the sandbox accordingly. That way, in the unlikely event you pick up any malware it will not be able to run. http://www.sandboxie.com/index.php?Rest ... s#startrun
Desktop: XP Pro SP3 32bit, Sandboxie 3.72, NOD32 AV, MBAM (free), Windows Firewall + router
Laptop: Win7 Home Pro 64bit, Sandboxie 3.76, Panda Cloud (free), Windows Firewall
bs1
 
Posts: 555
Joined: Fri May 16, 2008 5:32 pm

Postby pool » Wed Dec 07, 2011 8:41 pm

Thank you for elaborating.

bs1 wrote:
Users of Sandboxie have varying methods to harden their sandboxes based on their unique needs and comfort level, but here are some fairly common ones:

(a) configure the sandbox to automatically delete contents http://www.sandboxie.com/index.php?DeleteSettings (so that every time you use the sandbox it is fresh with no possibility of keyloggers, etc. lingering in it from a previous browsing session)

This is already in place.

bs1 wrote:
(b) configure the sandbox so only your browser has internet access http://www.sandboxie.com/index.php?Rest ... s#internet

Is now in place.

bs1 wrote:
(c) if you have any private/personal information stored on your computer, such as tax return information or account numbers in My Documents, then use File Access>Blocked Access to restrict access to that information during your browsing session http://www.sandboxie.com/index.php?Reso ... tings#file

Is now in place.

bs1 wrote:
(d) if the only program you need running during your browsing session is your browser, then use Start/Run Access to configure the sandbox accordingly. That way, in the unlikely event you pick up any malware it will not be able to run. http://www.sandboxie.com/index.php?Rest ... s#startrun

Is now in place.
And I followed the recommendations from Guest10:
Guest10 wrote:
With any direct access setting, you should limit what programs can make use of it, though.
Sandbox Settings > Resource Access > File Access > Direct Access
"Add Program" button: iexplore.exe <-- if that's the program that saves the bank statements
"Add" button: Navigate to and select the D:\Downloads folder.
results in:
OpenFilePath=iexplore.exe,D:\Downloads\

+ while banking I make sure all other boxes are closed.
So here is what my "bank" config looks like now:

[bank]
Enabled=y
ConfigLevel=7
Template=IExplore_Cookies_DirectAccess
Template=IExplore_Favorites_DirectAccess
Template=IExplore_Force
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
BorderColor=#00FFFF
BoxNameTitle=y
AutoDelete=y
NeverDelete=n
NotifyInternetAccessDenied=y
LeaderProcess=iexplore.exe
ProcessGroup=<StartRunAccess>,iexplore.exe
ProcessGroup=<InternetAccess>,iexplore.exe
ClosedFilePath=%Personal%\
ClosedFilePath=\Device\Mup\
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
OpenFilePath=iexplore.exe,D:\downloads\
OpenFilePath=D:\downloads\
NotifyStartRunAccessDenied=y
ClosedIpcPath=!<StartRunAccess>,*
pool
 
Posts: 47
Joined: Wed Oct 08, 2008 1:48 pm

Postby Guest10 » Thu Dec 08, 2011 12:38 pm

pool wrote:
OpenFilePath=iexplore.exe,D:\downloads\
OpenFilePath=D:\downloads\
The second line should have been removed, once the setting above it was added.
Paul
XP Pro SP3 (Admin), Zone Alarm Pro Firewall, Malwarebytes Pro, Firefox 34, Thunderbird 31.
Sandboxie user since March 2007.
Guest10
Top Poster
 
Posts: 4867
Joined: Sun Apr 27, 2008 10:24 pm
Location: Ohio, USA
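As an added example (not Sandboxie's own tooling and not anything posted in the thread), the script below reads a Sandboxie.ini section and flags the settings this thread ends up discussing: the "*" in the InternetAccess ProcessGroup, OpenPipePath on a folder, an OpenFilePath line with no program prefix (the redundant line Guest10 points out above), and the absence of items from bs1's hardening list (AutoDelete, a Start/Run restriction, a blocked personal-data folder). The setting names are real Sandboxie.ini keys; the two sample sections, the finding codes and the "program,resource" prefix heuristic are constructed for this script and are assumptions, not Sandboxie's documented parsing rules.

```python
import re
from typing import Dict, List, Optional, Tuple

Settings = List[Tuple[str, str]]

# Constructed sample: the first [bank] section posted in the thread, plus the
# duplicate OpenFilePath line from the later post, so every check below fires once.
WEAK_INI = "\n".join([
    "[bank]",
    "Enabled=y",
    "AutoDelete=y",
    "ProcessGroup=<InternetAccess>,*,iexplore.exe",
    "ClosedFilePath=!<InternetAccess>,InternetAccessDevices",
    "LeaderProcess=iexplore.exe",
    "OpenPipePath=D:\\downloads\\",
    "OpenFilePath=iexplore.exe,D:\\downloads\\",
    "OpenFilePath=D:\\downloads\\",
])

# Constructed sample: the hardened section from the end of the thread, with the
# unrestricted OpenFilePath line removed as Guest10 advised.
HARDENED_INI = "\n".join([
    "[bank]",
    "Enabled=y",
    "AutoDelete=y",
    "ProcessGroup=<StartRunAccess>,iexplore.exe",
    "ProcessGroup=<InternetAccess>,iexplore.exe",
    "ClosedFilePath=%Personal%\\",
    "ClosedFilePath=!<InternetAccess>,InternetAccessDevices",
    "OpenFilePath=iexplore.exe,D:\\downloads\\",
    "ClosedIpcPath=!<StartRunAccess>,*",
])

# Heuristic (assumption): a "program,resource" value starts with name.exe or a
# <group>, optionally negated with "!" as in ClosedFilePath=!<InternetAccess>,...
_PROGRAM_RE = re.compile(r"^!?(<[^>]+>|[^\\/:,]+\.exe)$", re.IGNORECASE)


def parse_sandboxie_ini(text: str) -> Dict[str, Settings]:
    """Parse the Sandboxie.ini dialect: [Section] headers and repeatable Key=Value lines."""
    sections: Dict[str, Settings] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def split_program_prefix(value: str) -> Tuple[Optional[str], str]:
    """Return (program, resource); program is None when the line applies to all programs."""
    head, sep, tail = value.partition(",")
    if sep and _PROGRAM_RE.match(head.strip()):
        return head.strip(), tail.strip()
    return None, value.strip()


def lint_sandbox(settings: Settings) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one sandbox section; an empty list means clean."""
    findings: List[Tuple[str, str]] = []
    groups: Dict[str, List[str]] = {}
    for key, value in settings:
        if key.lower() == "processgroup":
            name, _, members = value.partition(",")
            groups[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
    if "*" in groups.get("<InternetAccess>", []):
        findings.append(("wildcard-internet", "<InternetAccess> contains '*': every program whose "
                         ".exe is outside the box may reach the Internet; list only the browser"))
    if "<StartRunAccess>" not in groups:
        findings.append(("no-startrun", "no <StartRunAccess> group: anything dropped into the box "
                         "can start; restrict Start/Run to the browser"))
    if not any(k.lower() == "autodelete" and v.lower() == "y" for k, v in settings):
        findings.append(("no-autodelete", "AutoDelete is not 'y': a keylogger picked up in one "
                         "session survives into the next"))
    # Paths that already have a program-restricted OpenFilePath line
    restricted = {split_program_prefix(v)[1].lower() for k, v in settings
                  if k.lower() == "openfilepath" and split_program_prefix(v)[0]}
    blocked_for_all = False
    for key, value in settings:
        k, (program, path) = key.lower(), split_program_prefix(value)
        if k == "openpipepath":
            findings.append(("openpipe", f"OpenPipePath={value}: direct access for every program using "
                             "the box, even ones installed inside it; use OpenFilePath=browser.exe,path"))
        elif k == "openfilepath" and program is None:
            note = " (redundant: a program-restricted line covers the same path)" if path.lower() in restricted else ""
            findings.append(("open-unrestricted", f"OpenFilePath={value}: no program prefix, so every "
                             f"program run in the box gets direct access to {path}{note}"))
        elif k == "closedfilepath" and program is None:
            blocked_for_all = True
    if not blocked_for_all:
        findings.append(("no-blocked-paths", "no ClosedFilePath blocks a personal-data folder "
                         "for all programs (e.g. %Personal%\\)"))
    return findings


def lint_ini_text(text: str, box: str) -> List[Tuple[str, str]]:
    """Parse `text` and lint the named sandbox section."""
    return lint_sandbox(parse_sandboxie_ini(text).get(box, []))


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for code, message in lint_ini_text(ini, "bank") or [("ok", "no findings")]:
            print(f"[{code}] {message}")
```

Run it against a copy of your own Sandboxie.ini (read the file and pass its text to lint_ini_text with the box name) to see which of the thread's points still apply; the hardened sample comes back clean, the weak one reports all five issues. The checks are deliberately narrow, covering only what this thread discusses, so a clean result is not a verdict on the rest of the configuration.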
