Protection against Warden in World of Warcraft
- Posts: 4
- Joined: Sat Jan 24, 2009 10:18 am
I don't know if Sandboxie yet has this feature, but if it doesn't, perhaps it can be added since the functions used by Warden can be used by any rogue program that tries to get your personal information.
As background information, Warden is a controversial anti-cheating mechanism put in place by World of Warcraft. Preventing cheating is great, but some people have noted that the way Warden works is disturbing.
This link gives the details: http://www.rootkit.com/blog.php?newsid=358
I know it is possible to wipe whatever things Warden might have put on my computer after I'm done with a gaming system. I simply empty the sandbox. But I do a lot of things other than just playing a game, so Warden might read my windows or log my keystrokes or take screenshots while it is sandboxed, then send this off to somewhere before I empty my sandbox. So basically, I am hoping (if Sandboxie doesn't already have this feature) that Sandboxie can support restricting a program's ability to do these things rather than letting the program do it and then trying to contain the damage by keeping the newly created files within the sandbox. The problem is that World of Warcraft needs to be able to access the Internet.
The functions I am particularly worried about are GetWindowTextA and ReadProcessMemory. I am worried that Warden uses others too. Does Sandboxie offer any kind of protection against this kind of stuff? (please see the link above). If I run WoW sandboxed, would it prevent Warden from reading the titles or contents of other windows, logging my keystrokes, or doing other generally suspicious stuff? I have used Sandboxie for quite some time, and only recently did I notice the "Window Access (OpenWinClass)" setting. Am I deluding myself in thinking that Sandboxie can block Warden or any other similar programs from violating my privacy?
HIPS + proper FireWall Rules
SandBoxie can deny remote access to a program, but it can only grant or deny; it cannot apply specific rules.
If you know the remote address (try something like netstat -a -b -n -o), you can later just land it in C:\WINDOWS\system32\drivers\etc\HOSTS as localhost (127.0.0.1).
Indeed a FireWall is more flexible and visual.
- Posts: 4
- Joined: Sat Jan 24, 2009 10:18 am
Well, Sandboxie does allow you to set some rules [e.g. the Windows Access (OpenWinClass) setting that I mentioned], but I'm just not sure what they do. In particular, I don't know whether it stops GetWindowTextA, ReadProcessMemory, logging my keystrokes, or installing drivers.
You are right about the HIPS. I do already use a HIPS and a firewall, but the firewall isn't very useful for stopping Warden, because I do need to allow World of Warcraft access to the Internet. The same IP I must allow access to is the IP to which the data that Warden gathers is sent. This is why it is important to stop the data from being gathered in the first place. I don't think my HIPS stops Warden, even though it blocks drivers from being installed and stops some DLL injections.
So in conclusion, firewalls and HIPSs are both very useful, and I use both, but they do not stop Warden in the way that Sandboxie might be able to. The only question is...can Sandboxie protect against the things mentioned here: http://www.rootkit.com/blog.php?newsid=358 ? The important point is that since I can't stop Warden from sending back information, I need to stop the information from being gathered in the first place. Sandboxie is ideal for doing this because one would expect keyloggers and their cousins to want to read text from other windows, much as Warden does.
In the past, I don't think Sandboxie provided any functionality that restricted the behavior of programs running within the sandbox beyond not allowing them to create any files outside of the sandbox folder. However, it now has certain added protection that further restricts the programs, such as the option to drop administrator privileges. This is why I asked whether Sandboxie has such functionality. If it doesn't, then perhaps it can be added in a future release. After all, Sandboxie seems to be moving in the direction of restricting programs running in the sandbox anyway. Not all malware aims to damage data. Some forms of malware merely intend to spy on users. I wouldn't mind so much if a virus wiped out my system, since I have a backup of my data and I can easily reinstall Windows. But I would be quite upset if a virus sat on my system silently and sent all my data back to some remote server without my knowledge.
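As an added illustration that is not part of this thread, here is a Sandboxie.ini box fragment contrasting the window-access setting the post above mentions with a tighter configuration; the box name "WoW" and the documents path are placeholders. It only addresses window access and file reads, not ReadProcessMemory.

```ini
; Added example, not from the thread. Box name and paths are placeholders.
[WoW]
Enabled=y
; Run the game in the box without administrator rights
DropAdminRights=y

; WEAK: opening every window class lets sandboxed code read the titles and
; text of windows outside the box (a foreign GetWindowTextA call would succeed).
; Leave this line out (or commented) for a box you want isolated:
;OpenWinClass=*

; Deny the box all access (including reads) to personal data the game has no
; reason to touch. Placeholder path; denied accesses appear in Sandboxie's
; resource access monitor, which is a quick way to see what the program probes.
ClosedFilePath=C:\Documents and Settings\<you>\My Documents\

; Also keep the box away from network shares
BlockNetworkFiles=y
```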
Ok, tested ReadProcessMemory also. This access is not blocked. Furthermore, I can't identify any particular resource that is directly related to this function call. Basically I started the resource monitor after my app loaded, but before the function call, and nothing at all showed up. Lastly, I tried to block access to the executable file whose memory I was trying to read, and it had no effect either.
- Posts: 4
- Joined: Sat Jan 24, 2009 10:18 am
How did you test GetWindowTextA and ReadProcessMemory, and what tools are you using to test it? Does your tool by any chance also test whether Sandboxie blocks a sandboxed program from dumping DLLs? I would be very interested in knowing your method, even though I am not very tech savvy, and hopefully I can learn a few things along the way.
- Posts: 4
- Joined: Sat Jan 24, 2009 10:18 am
I am not sure if I am using the right terminology, but it is found here: http://www.rootkit.com/blog.php?newsid=358
Greg says "The warden dumps all the DLL's using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space."
Do you know what he means?
singedpopsicle wrote:
I am not sure if I am using the right terminology, but it is found here: http://www.rootkit.com/blog.php?newsid=358
Greg says "The warden dumps all the DLL's using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space."
Do you know what he means?
Dumping them with the ToolHelp API just means they are listed, and Warden probably looks at info like the author, version, and checksum.
Ditto to what Mark_ said.
The only thing I can suggest here is from an information-gathering standpoint. That is to use something like Process Monitor from Sysinternals to see what Warden is accessing. I'm afraid that if you mess with it too much, it's going to think you're cheating and you won't be able to play WoW.
I read that link. Nasty stuff. But it sounds, at the moment, that Warden does not send this information anywhere unless it suspects you of cheating, and then it is unclear what information is actually sent. I wouldn't even TRY messing with the app itself, as I'm sure it has measures against that.
Is Warden a separate EXE? What happens if you block only its internet access?
My Comodo firewall is set to CUSTOM and I mostly don't use predefined rules; so I have every program pass through Defense+ (behavior analyzer) and then set rule(s) by firewall while learning.
It's a bit annoying but I know what it's for - my security.
Yes, only the advanced settings let the user specify the rule; simple mode asks once Yes or No and then uses the answer for all application connection types without specific rules.
If the IP is the same then you'd rather CAP/sniff the outgoing traffic from Warden. So if you care about data leakage then don't have any important apps running in the background. Or even better - try some other games with no such 'wardens' (see LotR, LI2, EVE, SecondLife and so on).
Please try out my solution here -
http://sandboxie.com/phpbb/viewtopic.php?t=4885
I'm curious if Warden freaks out about this. GetWindowTextA is already blocked by Sandboxie, so ReadProcessMemory was the other leak.