Sandboxing C:\Docume~1\Privat~1\Locals~1\Temp

Post by bayj » Wed Apr 25, 2007 2:04 pm

I had a first, and hopefully last, experience with a rootkit last month, which ended after a two-week failed battle with wiping, reformatting, reinstalling from the retail CD, re-updating, etc. Now I am looking at other ideas for prevention, since one is unlikely to quarantine, disable, disinfect, or delete one of these nasty things. During the struggle I discovered and disabled the original payload carrier, disguised as a bogus chipset driver file. I also discovered it entered through C:\Docume~1\Privat~1\Locals~1\Temp and, while it was active, wrote home through there using normal Windows services. Other snoopware uses that route, and so do normal apps doing normal business. Some items found there cannot be opened or viewed because they have locked handles, though it's usually pretty trivial to unlock them with a command-line utility.

What are the pros and cons and results of sandboxing that path and file?

Thanks in advance

bayj

Post by SnDPhoenix » Wed Apr 25, 2007 4:12 pm

You don't sandbox that path. If you are running something sandboxed and it tries to access that folder, then the folder will be sandboxed; that way the sandboxed program you are running can write to that folder, but it will be done in SBIE instead of the real folder outside SBIE. Oh, BTW, that folder is a crucial folder, seeing as a ton of programs out there all write some of their data to that folder, so don't go thinking that it is a folder used by malware only.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.

I think this is tricky. Maybe Tzuk has an opinion?

Post by bayj » Wed Apr 25, 2007 10:47 pm

Hi,

Thanks for the input. Yes, I'm aware that folder is the crossroads of the Windows world, and that everything will get trapped in the sandbox. But the Quick Recovery option allows for recovery of files and folders back to the real world. My thought was to USE it as a trap and trace for files that come and go through there, because the recovery function has to show the destination of whatever exits an application as a file, does it not, so it could be recovered?

I read through the forum before I posted, and understand that SBIE is not designed to run services under the OS kernel, or explorer.exe. This is a different line of thought.

I'm asking (a) if I can get a fully qualified path to that folder into the sandbox by putting an innocuous standalone application in it, and (b) if that gets the folder into the sandbox, will SBIE track all the other files that exit through TEMP?

Many objects that pass through that folder have locked handles until some unknown process completes. For example, the ZoneAlarm firewall client, zlclient.exe, sends a file through that is merely accumulating runtime log data in a locked temp file. It's only locked because it's in use as it accumulates data. As soon as ZoneAlarm exits, that data is written to the permanent log file in the WINNT\Internet Logs folder. If the firewall is exited INSIDE SBIE, the normal process should write that data to the permanent log file INSIDE SBIE, and then the permanent log INSIDE SBIE should become available to the Recovery process. Other similar temp files pass through, only I don't know their final destination, but they are either obscure normal logs, or logs some of which will be harvested later by malware, or else they are copied into the browser cache as they exit through a browser instance that didn't pop a window. If the browser, the firewall, and the application I put in C:\Docume~1\Privat~1\Locals~1\Temp are all in the sandbox, will SBIE trap and track the OTHER files that go through that TEMP directory, so I can trace where they end up?

Thanks again,

bayj

Post by SnDPhoenix » Fri Apr 27, 2007 9:09 pm

Sorry, this thread just happened to slip through, that's all; it happens sometimes. Anyway, the point of your post is kind of confusing. Let me get it straight: what you want to do is 1. get the temp folder into your sandbox, and then 2. you want SBIE to track all files that exit the temp folder? What do you mean by "exit the temp folder", through Quick Recover? Because SBIE will sandbox the temp folder if a sandboxed program accesses it (which should answer your first question), and secondly it will sandbox any files that are created or accessed in the temp folder, but I don't know what you mean by "exit the temp folder". Also, SBIE isn't going to create a log that tells you what program created which file or anything like that (unless that's not what you meant, in which case again I'm kind of confused) :?

Re: I think this is tricky. Maybe Tzuk has an opinion?

Post by Chanio » Mon May 07, 2007 9:28 pm

bayj wrote:
I'm asking (a) if I can get a fully qualified path to that folder into the sandbox by putting an innocuous standalone application in it, and (b) if that gets the folder into the sandbox, will SBIE track all the other files that exit through TEMP?
bayj
A fully qualified path should be where SBie plans to write the file when it asks you if you want it to, before exiting, Ok?

I am not sure if it is possible to put Zone Alarm in the sandbox. For security reasons, ZA should work in admin mode, not a regular user. Most secure systems divide applications in admin (or root) applications that are started by admins, and user applications that can be started with SBie, for example.
Multiuser Windows should have these privileges available. (see 'runas' help)

If you succeeded in cleaning your system of trojans, you should do as I did: install a ZoneAlarm Pro trial for less than a month. It should configure all your daily applications correctly and let you tune your system. After the trial period, your ZA should return to your standard version, but you should keep your current config. So, don't return to your doubtful state any more. Don't change anything for any reason.

If you want to track your \Temp folder you should use Spy the Spy < http://www.mediachance.com > and tell it to watch that folder. But I guess that what you are looking for (I know it from my own experience) is to watch your system startup for changes. When you reboot your system, how do you expect a rootkit to re-activate? It needs to install itself in the startup in an invisible way.

There is also, a virtual Windows XP (google it) that you could build on a CD with your standard config. There, nothing can be recorded because it is all inside a CD. You could burn a new one when you want to change something in your system. You should remember to configure your user folder outside of the CD, though.

Do these ideas help? (hope so)
Alberto
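The "watch that folder" idea above can be done without a third-party tool. The following Python 3 script is an added example written for this thread; it is not code from the original posts, from Sandboxie, or from Spy the Spy. It takes periodic snapshots of a folder (by default the system temp directory), hashes every file it can open, and reports what was created, deleted or modified between snapshots. Files it cannot open are flagged as unreadable, which on Windows is the "locked handle" case bayj describes, so a temp file still held open by its writer shows up rather than being silently skipped. The folder path, polling interval and output format are all my own choices, and, as SnDPhoenix notes for Sandboxie, this tells you what changed in the folder, not which process did it; a file that appears and disappears within one polling interval is missed.

```python
"""Poll-based change tracer for a scratch folder such as %TEMP%.

Added example for the forum thread above; not code from Sandboxie or from
any tool named in the thread. Usage: python tracer.py [folder]
"""
import hashlib
import sys
import tempfile
import time
from pathlib import Path


def hash_file(path: Path):
    """SHA-256 hex digest of path, or None if the file cannot be read
    (e.g. opened with exclusive sharing by another process on Windows)."""
    h = hashlib.sha256()
    try:
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def snapshot(folder):
    """Map each file under folder (path relative to folder) to
    (size, mtime_ns, sha256-or-None)."""
    root = Path(folder)
    state = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            st = p.stat()
        except OSError:  # vanished between listing and stat: short-lived temp file
            continue
        state[str(p.relative_to(root))] = (st.st_size, st.st_mtime_ns, hash_file(p))
    return state


def diff(before, after):
    """Classify the changes between two snapshots. 'unreadable' lists the
    new or changed files whose content could not be hashed (locked handles)."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    unreadable = sorted(k for k in created + modified if after[k][2] is None)
    return {"created": created, "deleted": deleted,
            "modified": modified, "unreadable": unreadable}


def watch(folder, interval=2.0, rounds=None):
    """Print one line per change every `interval` seconds.
    rounds=None keeps going until Ctrl-C."""
    before = snapshot(folder)
    n = 0
    while rounds is None or n < rounds:
        time.sleep(interval)
        after = snapshot(folder)
        stamp = time.strftime("%H:%M:%S")
        for kind, names in diff(before, after).items():
            for name in names:
                size, _, digest = after.get(name, before.get(name))
                print(f"{stamp} {kind:<10} {name}  size={size} sha256={digest}")
        before = after
        n += 1


if __name__ == "__main__":
    # Default target is the interpreter's temp dir (%TEMP% on Windows).
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    print(f"watching {target} (Ctrl-C to stop)")
    watch(target)
```

Run it in one console, then start the program you are curious about in another; anything it drops in Temp shows up with a hash you can later compare against what turns up elsewhere on disk (a file copied into a browser cache or a permanent log keeps the same SHA-256). To attribute a change to a process you still need a process-level monitor, since the filesystem alone does not record who wrote a file.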
