more security in online banking with Sandboxie

[Arielle01]

First I want to apologize for my bad english!

I would like a little more security for online banking - can you give me any advice?
What say you to my thoughts?
1.
Should I open the browser from the main system in a sandbox OR a browser in a sandbox install again?
1.a.
Have you recommendations for secure browser? Iron, etc., or Firefox with NoScript, BetterPrivacy, Disconnect, etc.
2.
Can I change the sandbox so that these after every close again in exactly the old state is reset?
2.a.
Are these settings to correct?
Sanboxie Control> Sandbox> Name Sandbox> Sandbox Settings> Delete> 1 point = enable contents of the sandbox automatically delete
3.
I would like to install a antikeylogger (Zemana AntiLogger Free or SpyShelter Free). Which program is run with Sandboxie or available at a well-known of the two problems?
3.a.
engages the antikeylogger in the sandbox when it is installed at the main system? Or do I have this then manually assign the sandbox?

or do you have other suggestions to online banking and online shopping to make a bit safer the system?

[Craig@Invincea]

1.
Should I open the browser from the main system in a sandbox OR a browser in a sandbox install again?

It doesn't matter if a browser is installed in the SB, or installed directly into the SB. You're protected. I'd use separate SB for banking.

1.a.

Have you recommendations for secure browser? Iron, etc., or Firefox with NoScript, BetterPrivacy, Disconnect, etc.

Iron doesn't work with SBIE and is junk imho. It hasn't been updated and it's classified as scareware. Firefox w/ NoScript is fine. But Sandboxie is the most important part.
2.

Can I change the sandbox so that these after every close again in exactly the old state is reset?

Use a seperate sandbox. Delete contents of that sandbox when you're done.
2.a.

Are these settings to correct?
Sanboxie Control> Sandbox> Name Sandbox> Sandbox Settings> Delete> 1 point = enable contents of the sandbox automatically delete

Not required, but I'd still do it manually.
3.

I would like to install a antikeylogger (Zemana AntiLogger Free or SpyShelter Free). Which program is run with Sandboxie or available at a well-known of the two problems?

Most do not work with Sandboxie. Read about keyloggers and SBIE here. http://www.sandboxie.com/index.php?DetectingKeyLoggers
3.a.

engages the antikeylogger in the sandbox when it is installed at the main system? Or do I have this then manually assign the sandbox?

Sandboxie wouldn't have anything to do with this, again take a look at http://www.sandboxie.com/index.php?DetectingKeyLoggers

or do you have other suggestions to online banking and online shopping to make a bit safer the system?

[rpljhun]

Here's my advise:
Sandboxie can't protect you when your system is already compromise.
Download your installer from the publisher site and check if it's not tampered by checking the digital signature if valid.
You need to have a seperate sandbox for online banking.
Allow ONLY the browser's executable to run in the sandbox.
Allow ONLY the browser's executable to access the internet.
Enable Drop Rights.
Block access to your sensitive files and folders.
Add "BlockPort=*,443" without quotation in your sandbox configuration under your online banking sandbox(this allows banking transaction in HTTPS Only).
Always check the domain address and certificate of the site valid before logging in. Browser usually have an indicator for secured site like chrome, firefox, and etc.
Set it to auto delete sandbox when app/browser exit.
Remember to only run your browser unsandboxed when updating. Anything else should be run sandboxed to avoid being compromise.

[bo.elam]

or do you have other suggestions to online banking and online shopping to make a bit safer the system?

I think doing sensitive browsing with Sandboxie is really simple and can be done safely. First of all, your system has to be clean to begin with, if its not, Sandbvoxie can not help you. If it is clean, when you are going to do banking or make purchases, make sure all activities in all sandboxes are terminated, and do the banking in a fresh browsing session. In other words, open the browser, do banking or purchases, and immediately after you finish, close the browser and delete the sandbox. Dont mix sensitive and regular browsing all in the same browsing session.

Try using a restricted sandbox for sensitive browsing. The more restricted, the better. And stay away from installing many addons. A malicious addon can hijack the browser and phone home. So, get in the habit of using popular and well known addons only. You mentioned NoScript. Thats a great one that helps a lot. Keep it.

Bo

[Arielle01]

I want to let FireFox is the only program in the sandbox.
Do I need to add these 3 files or firefox.exe only in settings?
firefox.exe
waterfox.exe
palemoon.exe

Enable Drop Rights

sorry, but I do not understand what you mean. What's Drop Rights and where can I find this?

[bo.elam]

Arielle01, firefox.exe is the only exe you need to allow for Firefox.

You ll find Drop rights in Sandbox settings>Restrictions>Drop Rights, tick the option. Enabling this setting makes the sandbox more restricted as sandboxed programs can do less within the sandboxed environment. Ticking the setting wont keep you from doing what you normally do when you browse but would keep malware that gets downloaded into the sandbox from installing. So, using Drop rights on top of Start Run and Internet restrictions makes the sandbox stronger an extra notch.

Bo

[rpljhun]

These might help you.
Create New Sandbox , copy setting is none (Sandbox Menu->Create New Sandbox).
Allow ONLY the browser's executable to run in the sandbox(Sandbox Settings->Restrictions->Start/Run Access). Click Add Program and select the program.
Allow ONLY the browser's executable to access the internet. (Sandbox Settings->Restrictions->Internet Access). Click Add Program and select the program.
Enable Drop Rights(Sandbox Settings->Restrictions->Drop Rights). Marked check "Drop rights from Administrators and Power Users group".
Block access to your sensitive files and folders(Sandbox Settings->Resource Access->File Access->Blocked Access). Under All Programs click add then add your files or folder.
Add "BlockPort=*,443" without quotation in your sandbox configuration under your online banking sandbox name(Configure Menu->Edit Configuration).
Set it to auto delete sandbox when app/browser exit(Sandbox Settings->Delete->Delete Invocation). Marked check "Automatically delete contents of sandbox".

[Arielle01]

Add "BlockPort=*,443" without quotation in your sandbox configuration under your online banking sandbox name(Configure Menu->Edit Configuration).

If I add

Code: Select all

BlockPort=*,443

in the configuration file in the sandbox by online banking, then the browser (Firefox) is offline.
then I no longer have access to the Internet.

[Craig@Invincea]

If you block port 443, you block https for which your bank should be using.

[Arielle01]

OK! When I use this change, then I can only open https: // sides - is that correct?

another question,
if I only give read accesses in the Settings C, then FireFox will not starting.
need FireFox necessarily write access to C?

[bo.elam]

need FireFox necessarily write access to C?

By default, sandboxed Firefox can read files in C drive that it has to have access to in order to work properly, and then it makes changes in the sandboxed environment. Leave it like that. So, you don't want sandboxed Firefox to have write access to C drive. Thats what you are doing if you allow Write to C drive in Resource access settings.

Bo

[Arielle01]

Sorry, I do not quite understand your answer. (i think this is because of my bad english - sry)
Must FireFox have write access to C for correctly function?
So FireFox not work with read access alone?
for which folder to C requires FireFox write access? So I can forbid remaining folders.

[bo.elam]

Must FireFox have write access to C for correctly function?
So FireFox not work with read access alone?

Hi Arielle. By default, Sandboxed programs don't have write access to C drive. In the case of Firefox, write access outside the sandbox is not required for the browser to work properly. Thats what we want, we dont want sandboxed programs making changes to C or the registry or other programs. But sandboxed programs are allowed to read and access files everywhere in the computer. And to work, they need this access.

In the case of Firefox, it requires access to Firefox folders and files in AppData and Program files. As you use the sandboxed browser, changes take place, Firefox files change. All this changes take place in the sandbox. When you applied read only to C drive, you were forbidding Firefox from making changes to files within the sandbox. Thats why that didn't work.

The Resource access setting are for restricting or relaxing the access that sandboxed programs are allowed to files and folders and what they can do with files within the sandbox. By default, sandboxed programs can read files and make changes to files within the sandbox. I recommend you use this settings for personal files and folders and stay away from using them for blocking access to System files or folders or AppData.

Bo

[rpljhun]

If I add

Code: Select all

BlockPort=*,443

in the configuration file in the sandbox by online banking, then the browser (Firefox) is offline.
then I no longer have access to the Internet.

No, if you add the setting. You can only access the internet through encrypted connection that is HTTPS. It will not block port 443. That setting means it blocks any port except 443.

another question,
if I only give read accesses in the Settings C, then FireFox will not starting.
need FireFox necessarily write access to C?

You don't have to worry about your System or Program Files, sandboxie will handle it for you. That's the purpose of sandbox. My advice to block your sensitive files or folder is to prevent malicious code from leaking your data such as your word, pdf, excel and etc. By default it can't modify nor damaged your data but it can read your data and steal it. So by blocking it you prevent it from happening.

[Arielle01]

Thanks to everyone here and the sensational support
I should have bought Sandboxie much earlier!

I have one more question, but for that I'm open a new thread.
thx to all!