Official website: http://www.sandboxie.com
This is a great app for protecting your computer. It belongs to the HIPS (Host Intrusion Prevention System) family, under the sandbox category. More specifically, it is a virtualization sandbox.
If you start to see terminology you don't know, don't worry, I'll explain it all in later posts. Let's focus on sandboxes. In simple words, a virtualizing sandbox creates a space on your computer where programs can do anything they want, except get out of that sandbox. This means that if a virus runs in the sandbox, it can't do any real harm, since it can only live inside that sandbox. It can't screw up your files, delete settings, etc.
I myself always run my web browser sandboxed. This way, everything I download lands in the sandbox. If I accidentally pick up a virus or a trojan, it stays there. Whenever I decide to, I can delete all the contents of the sandbox.
For more about sandboxes and Sandboxie, go to the official website or visit the Wilders Security Forum.
------------------------------------------
Now, for those who already know about SBIE, I'll explain how I use it. Please feel free to ask questions or suggest changes that might give an even higher level of protection.
First of all, I have several different sandboxes (I believe this can only be done with the paid version, since the free version only allows one sandbox):
-Internet Explorer Sandbox
-Firefox Sandbox
-Media Players Sandbox
-Received Files Sandbox
-Test Sandbox
The names are pretty much self-explanatory, and the settings are almost the same for each sandbox.
In the Explorer and Firefox sandboxes, these programs are forced to always run sandboxed. Also, nothing else in the sandbox can run, so if I ever accidentally download a trojan or a keylogger, it will be impossible for it to run and achieve its evil task. Also, sensitive data folders are locked, so there's absolutely no access to them from within the sandbox: no read, no write, no deletion.
The Received Files sandbox forces apps in the "received files" folders (MSN and uTorrent) to run sandboxed. No access to sensitive data folders and no internet access.
The Media Players sandbox is self-explanatory. Also no internet access, and data folders locked. Used to prevent fake MP3s that are really malware.
The Test Sandbox is used for two purposes: testing malware and opening unknown programs that are downloaded or come on USB drives. Everything that comes from the F: and G: drives (usually where USB drives are mounted) is forced to run sandboxed, to prevent worms from jumping to my computer. No access to the whole data partition (D:), and no internet access.
I added some registry key protection to all sandboxes (mainly to block boot start folders and keys). Finally, all the sandboxes are automatically erased when the programs in them are closed.
The only downside to this is application updating, especially with Firefox and its add-ons. To deal with this, every now and then I start the applications unsandboxed and update. It takes under 2 minutes of my valuable time, a real bargain when you think how long it can take to clean an infected system.
---------
If you're wondering what my SBIE ini file looks like, here it is:
[GlobalSettings]
ProcessGroup=
ProcessGroup=
ProcessGroup=
ProcessGroup=
ProcessGroup=
[MediaPlayers]
Enabled=y
ConfigLevel=4
AutoRecoverIgnore=.part
AutoRecoverIgnore=.jc!
RecoverFolder=%Desktop%
RecoverFolder=%Personal%
AutoDelete=y
NeverDelete=n
ForceProcess=winamp.exe
ForceProcess=mplayerc.exe
ForceProcess=wmplayer.exe
ClosedFilePath=\Device\RawIp
ClosedFilePath=\Device\Ip*
ClosedFilePath=\Device\Tcp*
ClosedFilePath=\Device\Afd*
ClosedFilePath=%Personal%EII\
ClosedFilePath=%Personal%8525 BACKUP\
ClosedFilePath=%Personal%Contraseñas\
ClosedFilePath=%Personal%My Chat Logs\
ClosedFilePath=%Personal%varios\
ClosedFilePath=C:\AUTOEXEC.BAT
ClosedFilePath=C:\boot.ini
ClosedFilePath=C:\ntldr
ClosedFilePath=C:\NTDETECT.COM
ClosedFilePath=!
ClosedIpcPath=!
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
[IEXPLORER]
Enabled=y
ConfigLevel=4
AutoRecover=y
AutoRecoverIgnore=.jc!
AutoRecoverIgnore=.part
RecoverFolder=%Favorites%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
AutoDelete=y
NeverDelete=n
ForceProcess=iexplore.exe
ClosedFilePath=%Personal%varios\
ClosedFilePath=%Personal%My Chat Logs\
ClosedFilePath=%Personal%Mis archivos recibidos\
ClosedFilePath=%Personal%Contraseñas\
ClosedFilePath=%Personal%Completed Torrent Downloads\
ClosedFilePath=%Personal%8525 BACKUP\
ClosedFilePath=!
ClosedFilePath=!
ClosedFilePath=!
ClosedFilePath=!
ClosedFilePath=C:\AUTOEXEC.BAT
ClosedFilePath=C:\boot.ini
ClosedFilePath=C:\ntldr
ClosedFilePath=C:\NTDETECT.COM
ClosedFilePath=!
ClosedIpcPath=!
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
[FIREFOX]
Enabled=y
ConfigLevel=4
AutoRecover=y
AutoRecoverIgnore=.jc!
AutoRecoverIgnore=.part
RecoverFolder=%Desktop%
AutoDelete=y
NeverDelete=n
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places*
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\bookmark*
OpenProtectedStorage=y
ForceProcess=firefox.exe
ClosedFilePath=%Personal%Completed Torrent Downloads\
ClosedFilePath=%Personal%8525 BACKUP\
ClosedFilePath=%Personal%Mis archivos recibidos\
ClosedFilePath=%Personal%My Chat Logs\
ClosedFilePath=%Personal%varios\
ClosedFilePath=%Personal%Contraseñas\
ClosedFilePath=!
ClosedFilePath=!
ClosedFilePath=!
ClosedFilePath=!
ClosedFilePath=C:\AUTOEXEC.BAT
ClosedFilePath=C:\boot.ini
ClosedFilePath=C:\ntldr
ClosedFilePath=C:\NTDETECT.COM
ClosedFilePath=!
ClosedIpcPath=!
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
[TESTBOX]
ConfigLevel=4
AutoRecoverIgnore=.part
AutoRecoverIgnore=.jc!
Enabled=y
AutoDelete=y
NeverDelete=n
ForceFolder=C:\Documents and Settings\Propietario\Escritorio
ForceFolder=F:\
ForceFolder=G:\
DeleteCommand=C:\Archivos de programa\Eraser\Eraserl.exe -folder "%SANDBOX%" -subfolders -method Random 3
ClosedFilePath=%Start Menu%\Programas\Inicio\
ClosedFilePath=%Personal%
ClosedFilePath=\Device\Afd*
ClosedFilePath=\Device\Tcp*
ClosedFilePath=\Device\Ip*
ClosedFilePath=\Device\RawIp
ClosedFilePath=C:\AUTOEXEC.BAT
ClosedFilePath=C:\boot.ini
ClosedFilePath=C:\ntldr
ClosedFilePath=C:\NTDETECT.COM
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
[RECEIVEDFILES]
Enabled=y
ConfigLevel=4
AutoRecoverIgnore=.part
AutoRecoverIgnore=.jc!
RecoverFolder=%Desktop%
RecoverFolder=%Personal%
AutoDelete=y
NeverDelete=n
ForceFolder=D:\Mis archivos recibidos
ForceFolder=D:\Completed Torrent Downloads
DeleteCommand=C:\Archivos de programa\Eraser\Eraserl.exe -folder "%SANDBOX%" -subfolders -method Random 3
ClosedFilePath=%Personal%Mi música\
ClosedFilePath=%Personal%Mis imágenes\
ClosedFilePath=%Personal%varios\
ClosedFilePath=%Personal%My Chat Logs\
ClosedFilePath=%Personal%8525 BACKUP\
ClosedFilePath=%Personal%Contraseñas\
ClosedFilePath=\Device\Afd*
ClosedFilePath=\Device\Tcp*
ClosedFilePath=\Device\Ip*
ClosedFilePath=\Device\RawIp
ClosedFilePath=%Personal%EII\
ClosedFilePath=%My Video%\
ClosedFilePath=C:\AUTOEXEC.BAT
ClosedFilePath=C:\boot.ini
ClosedFilePath=C:\ntldr
ClosedFilePath=C:\NTDETECT.COM
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
[UserSettings_38A404AF]
SbieCtrl_UserName=propietario
SbieCtrl_ShowWelcome=N
SbieCtrl_NextUpdateCheck=1555555555
SbieCtrl_UpdateCheckNotify=N
SbieCtrl_HideWindowNotify=N
SbieCtrl_WindowLeft=560
SbieCtrl_WindowTop=295
SbieCtrl_WindowWidth=660
SbieCtrl_WindowHeight=450
SbieCtrl_Hidden=Y
SbieCtrl_ActiveView=40021
SbieCtrl_BoxExpandedView_DefaultBox=Y
SbieCtrl_AutoApplySettings=Y
SbieCtrl_SettingChangeNotify=N
SbieCtrl_BoxExpandedView_IEXPLORER=N
SbieCtrl_BoxExpandedView_FIREFOX=N
SbieCtrl_BoxExpandedView_SKYPE=Y
SbieCtrl_ReloadConfNotify=N
SbieCtrl_EditConfNotify=N
SbieCtrl_ColWidthProcName=250
SbieCtrl_ColWidthProcId=70
SbieCtrl_ColWidthProcTitle=310
SbieCtrl_BoxExpandedView_ArchivosRecibidos=Y
SbieCtrl_BoxExpandedView_Winamp=Y
SbieCtrl_BoxExpandedView_MediaPlayers=Y
SbieCtrl_BoxExpandedView_Internet=Y
SbieCtrl_BoxExpandedView_TESTBOX=N
SbieCtrl_BoxExpandedView_RECEIVEDFILES=Y
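To verify that each box really enforces what the write-up above describes (network cut off by closing the four \Device paths, autorun Run keys closed, AutoDelete on, which programs or folders are forced), here is an added Python audit script; it is not part of the original post or of Sandboxie. It assumes the ini layout shown above, treats the four \Device paths as the complete network block, checks only the two Run keys, and runs on a constructed excerpt of the file.

```python
from collections import defaultdict
# Constructed excerpt shaped like the post's Sandboxie.ini (not the whole file).
SAMPLE_INI = r"""
[MEDIAPLAYERS]
AutoDelete=y
ForceProcess=winamp.exe
ClosedFilePath=\Device\RawIp
ClosedFilePath=\Device\Ip*
ClosedFilePath=\Device\Tcp*
ClosedFilePath=\Device\Afd*
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
[FIREFOX]
ForceProcess=firefox.exe
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
[UserSettings_38A404AF]
SbieCtrl_Hidden=Y
"""
# Closing these four device paths is how the post cuts a box off from the network.
NET_DEVICES = (r"\Device\Afd*", r"\Device\Tcp*", r"\Device\Ip*", r"\Device\RawIp")
# Boot-start keys the post closes in every box (only the two Run keys are checked).
AUTORUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")

def parse_sandboxie_ini(text):
    """Return {section: {key: [values]}}; repeated keys are all kept."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = defaultdict(list)
        elif current and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            sections[current][key.strip()].append(value.strip())
    return sections

def _norm(path):  # Sandboxie paths are case-insensitive; trailing backslash optional
    return path.lower().rstrip("\\")

def audit_box(box):
    """Check one sandbox section against the post's policy; True means enforced."""
    closed_files = {_norm(p) for p in box.get("ClosedFilePath", [])}
    closed_keys = {_norm(p) for p in box.get("ClosedKeyPath", [])}
    return {"network_blocked": all(_norm(d) in closed_files for d in NET_DEVICES),
            "autorun_closed": all(_norm(k) in closed_keys for k in AUTORUN_KEYS),
            "auto_delete": box.get("AutoDelete", ["n"])[-1].lower() == "y",
            "forced": box.get("ForceProcess", []) + box.get("ForceFolder", [])}

def audit(text):  # GlobalSettings and SbieCtrl GUI state are not sandboxes; skip them
    return {name: audit_box(box) for name, box in parse_sandboxie_ini(text).items()
            if name != "GlobalSettings" and not name.startswith("UserSettings_")}
```

Point `audit()` at the text of a real Sandboxie.ini to get one result dict per box; a browser box is expected to report `network_blocked: False`, while the media, test and received-files boxes should report `True`.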