Trust No Program
protection against malware on host OS
jaiamma
Joined: 17 Feb 2010
Posts: 9
Location: Kerala, India
Hi All,

I want to make sure I understand the protection limitations of SandboxIE. Here's the situation:

* Unbeknownst to me I have malware keyloggers and screenscrapers running on my Win7 64 bit PC. They're running very quietly and stealthily and I don't know they're there.

* I install the latest version of SandboxIE.

* I start SandboxIE and then start FireFox within SandboxIE.

* Then in the sandboxed FireFox I type in mybank.com and then type in my user name and password.

Is there anything that prevents the keyloggers and screenscrapers on the host OS from recognizing "mybank.com" and then grabbing my user name and password? My understanding is that SandboxIE does not and cannot prevent the host OS malware from grabbing this info. Therefore SandboxIE offers no protection in this situation.

Am I wrong? Am I missing something? Let me know. Thanks!

Advait
I found the answer, issue resolved
jaiamma
http://www.sandboxie.com/index.php?FrequentlyAskedQuestions#KeyLoggers

Hi All,

I read this FAQ page and it answered my question. Issue resolved. Thanks,

Advait
ssj100
Joined: 23 Apr 2009
Posts: 843
Glad the FAQ helped - it certainly helped me when I asked the same question back around 2009. Since then, my understanding of Sandboxie has improved a lot.

Discussion on logging malware is always interesting. I've read a lot about people's philosophies regarding it over the years. Many views exist, including the following:
1. "I don't care about getting infected by malware in general - I only care about logging malware. This is because I have adequate back-up systems in place. If my computer is infected by malware in general, then I would simply reboot my last clean image. This means I only need anti-logging software for protection etc".
2. "I care about all types of malware equally and require all protective mechanisms of anti-malware software"

My personal philosophy for computer security is that prevention must be the only form of protection. If active malware is able to break out on to the REAL system at any time, it's over. I do appreciate that many others think this is not necessarily always true. For example, having software like Prevx SafeOnline (or whatever Webroot call it now) and Trusteer Rapport "MAY" be able to prevent logging malware from stealing your usernames and passwords if the malware breaches other defenses. The argument then continues along the lines of a layered security approach - for example, if something bypasses a HIPS/antivirus, then at least a separate anti-logging mechanism "COULD" still prevent identity theft etc.

It comes down to balancing the potential risks and benefits of having such "ADDITIONAL" protective mechanisms. I have observed a lot of conflicts over a period of relatively brief testing - I did a lot of testing of all types of security software back around 2009-2011. Some of these conflicts resulted in protective mechanisms failing as a direct result! One must also remember that the more software one has on their system, the more chance of exploitation - the reason is simple - there is more code to potentially exploit! So those are the two major pitfalls of having more than one (third-party) anti-malware mechanism installed on a system:
1. Potential for conflicts, resulting in holes in protection. Please be aware that such conflicts may not have been discovered yet - the fact is that most of us here are rarely infected by malware, so it's quite difficult to know whether such conflicts exist. All I do know is that I discovered many concerning conflicts that resulted in eg. malware or POCs escaping the sandbox.
2. More software installed = more programmed code installed = more exploitable holes via eg. buffer overflow exploits etc.

The beauty of Sandboxie is that tzuk is incredible at fixing conflicts - the support from tzuk is second to none, so that really helps. However, only conflicts that can be demonstrated (mostly incidentally) will be fixed. Conflicts that we are all unaware of may still exist. Such conflicts may only surface when malware strikes, resulting in failed protection.

Personally, the only third party software I use is Sandboxie. Combined with my "security approach", I believe that I have the best anti-logging mechanism of them all. This security approach is as follows:
1. Recognising that apparently "safe" software may still be tagged by (logging) malware. This means I verify the hash codes +/- digital signatures +/- upload to VirusTotal all "safe" software I will install. This process sounds long-winded, but when you have a system that rarely has any new software installed, it's actually very easy.
2. Recognising malware threat-gates (eg. browsers, chat messengers, online programs/games, open USB devices) and auto-sandboxing them all. For example, both my browsers are forced to open sandboxed. USB devices have autorun disabled and are accessed via a sandboxed explorer.exe window. All newly introduced files are also opened via a sandboxed explorer.exe window.
3. My computer is not physically networked to any other computer. This means it's arguably the safest computer to do sensitive browsing like banking etc.
4. For sensitive browsing, I would open a sandboxed fresh browser with no add-ons installed (in fact, it's basically Internet Explorer in its original form). I would physically type in the eg. banking web-site. All opened sandboxed threat-gates are stopped and/or deleted while I type in usernames and passwords. This means that any eg. logging malware running in those threat-gates is also stopped.
5. Default to using a Limited User Account with SRP enabled (for default-deny anti-execution of unknown executables). I only log on to my Administrator account to do just that - Administrate (eg. updating "safe" software).

I've been using the above method for what seems like years. I haven't changed my security setup/approach for that length of time. The only "change" I've implemented is the addition of a "firewall" rule (built-in to Windows) that is only "switched on" when I log on to my banking site. This firewall rule restricts all internet traffic to ONLY flow between my bank's sole IP address and my own IP address, via Port 443.

The hilarious thing about it all is that I've never been unintentionally infected by malware in my entire life - the implementation of the above simply stemmed from a hobby. What I've eventually realised is that I simply cannot think of a better security setup/approach than the above.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
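The on-demand "banking" firewall rule ssj100 describes (outbound traffic limited to the bank's address on port 443, switched on only while logged on to the bank) can be scripted against the built-in Windows Firewall. The script below is an added example, not code from the forum post or from Sandboxie; it assumes an elevated PowerShell session and the NetSecurity module (Windows 8 / Server 2012 or later; the Windows 7 setup in the thread would use `netsh advfirewall` instead). The `$BankIp` and `$ResolverIp` values are placeholders from the TEST-NET-3 documentation range and must be replaced with addresses you have verified yourself.

```powershell
# Added example, not from the forum post or from Sandboxie: an on-demand
# "banking mode" for Windows Firewall, modelled on the rule ssj100 describes.
# Assumes an elevated PowerShell session and the NetSecurity module
# (Windows 8 / Server 2012 or later).
# $BankIp and $ResolverIp are placeholders (TEST-NET-3 documentation range);
# replace them with addresses you have verified yourself.

$RuleGroup  = 'BankingMode-Example'
$BankIp     = '203.0.113.10'   # placeholder: your bank's verified IP address
$ResolverIp = '203.0.113.53'   # placeholder: your DNS resolver, if you type the hostname

function Install-BankingModeRules {
    # Create the rules once, disabled, so everyday traffic is untouched until needed.
    if (Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue) {
        Write-Host "Rules in group '$RuleGroup' already exist."
        return
    }
    New-NetFirewallRule -DisplayName 'Banking: HTTPS to bank only' -Group $RuleGroup `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 `
        -RemoteAddress $BankIp -Enabled False | Out-Null
    # Without this, a typed hostname cannot be resolved once outbound is default-deny.
    New-NetFirewallRule -DisplayName 'Banking: DNS to resolver only' -Group $RuleGroup `
        -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 `
        -RemoteAddress $ResolverIp -Enabled False | Out-Null
}

function Enable-BankingMode {
    # Windows evaluates explicit Block rules ahead of Allow rules, so a single
    # "block everything outbound" rule would also block the bank. The right lever
    # is the profile's default outbound action, with the two Allow rules on top.
    Set-NetFirewallProfile -All -DefaultOutboundAction Block
    Enable-NetFirewallRule -Group $RuleGroup
    # Anything else still permitted out comes from pre-existing Allow rules
    # (e.g. the built-in Core Networking rules); list them so they can be reviewed.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        Where-Object { $_.Group -ne $RuleGroup } |
        Select-Object DisplayName, Profile | Format-Table -AutoSize
}

function Disable-BankingMode {
    # Restore normal operation after logging off from the bank.
    Disable-NetFirewallRule -Group $RuleGroup
    Set-NetFirewallProfile -All -DefaultOutboundAction Allow
}

function Test-BankingMode {
    # Expect TCP/443 to the bank to succeed and to an unrelated address to fail.
    # 198.51.100.1 is a TEST-NET-2 placeholder standing in for "any other host".
    $ok  = (Test-NetConnection -ComputerName $BankIp -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    $bad = (Test-NetConnection -ComputerName '198.51.100.1' -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ BankReachable = $ok; OtherBlocked = (-not $bad) }
}

# Usage (elevated session):
#   Install-BankingModeRules   # once
#   Enable-BankingMode         # immediately before logging on to the bank
#   Test-BankingMode           # confirm only the bank is reachable
#   Disable-BankingMode        # after logging off
```

Two caveats the post's one-line description glosses over: banks rarely sit behind a single fixed address, so the allow rule may need several addresses or a CDN range, and a default-deny outbound profile does not override outbound Allow rules that already exist, which is why `Enable-BankingMode` prints them for review rather than silently assuming "only the bank" holds.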
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.