The idea with regard to keyloggers is that you can create a box with a restricted process group associated with ClosedIpcPath=!<restricted>,* which would effectively prevent anything except what you allow from running (including any keyloggers). The MD5 checks make sure that a downloaded program can't impersonate a piece of the Sandboxie program or an allowed process by simply changing its name.
After thinking about it again, the MD5 for a process would only have to be calculated once when the program is started, then associated with the process's PID or open handle, or whatever. Then checks could be against that stored value.
tzuk wrote:
1. For any negated ClosedXxxPath settings, if the executable file for the program resides within the sandbox folder, Sandboxie ignores everything until the first comma.
The malware can still inject its own code into a running instance of a program file that was checksummed when it started. Checksumming can't do anything about it.
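The hash-at-launch scheme sketched above, and the gap the reply points out, as an added example that is not code from the thread or from Sandboxie: the digest of the executable is computed once when a process starts and cached per PID, so a renamed copy of an allowed program still passes, a different file with the same name fails, and anything that changes the program after launch (on disk here, as a stand-in for injection into the running image) is never seen by the cached check. Names, paths and file contents are constructed; SHA-256 is used where the posts say MD5.

```python
import hashlib
import os
import shutil
import tempfile

def file_digest(path):
    """Digest of the on-disk executable (SHA-256 here; the thread proposes MD5)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class LaunchAllowlist:
    """Hash once at launch, remember it per PID, check the remembered value later."""
    def __init__(self, allowed_digests):
        self.allowed = set(allowed_digests)
        self.by_pid = {}

    def register(self, pid, exe_path):
        self.by_pid[pid] = file_digest(exe_path)
        return self.by_pid[pid] in self.allowed

    def is_allowed(self, pid):
        # Only the digest recorded at start is consulted; nothing here looks at
        # the live process, which is the gap the reply about injection points out.
        return self.by_pid.get(pid) in self.allowed

def demo():
    """Constructed scenario; returns the outcome of each check."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "editor.exe")          # constructed allowed program
        with open(trusted, "wb") as f:
            f.write(b"MZ constructed bytes of an allowed program")
        acl = LaunchAllowlist([file_digest(trusted)])
        impostor = os.path.join(d, "sub", "editor.exe")  # same name, different bytes
        os.makedirs(os.path.dirname(impostor))
        with open(impostor, "wb") as f:
            f.write(b"MZ constructed bytes of a downloaded program")
        renamed = os.path.join(d, "other.exe")           # same bytes, another name
        shutil.copyfile(trusted, renamed)
        results = {
            "trusted": acl.register(100, trusted),
            "impostor_same_name": acl.register(101, impostor),
            "renamed_copy": acl.register(102, renamed),
        }
        with open(trusted, "ab") as f:                    # program changed after launch
            f.write(b" tampered")
        results["trusted_after_change"] = acl.is_allowed(100)
        return results
```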