Conflicts with Keyscrambler & Keylogger Hunter
Moderator: Barb@Invincea
Hi Tzuk,
I have been having a lot of problems since Sandboxie moved beyond beta version 2.95 similar to the ones reported elsewhere in the forum (conflicts & performance slowdowns). I did not want to report back here until I had more definitive information. To that end, I reformatted and reinstalled Windows XP Pro SP2, FireFox v2.0.0.6 and installed ONLY my security software as follows:
Sandboxie Version 3.00.11
Kaspersky Internet Suite Version 7.0.0.125 http://www.kaspersky.com
Keylogger Hunter Version 2.12 http://www.styopkin.com/
Keyscrambler Pro Version 1.3.1 http://www.qfxsoftware.com/
Mil Shield version 5.6 http://www.milincorporated.com/milshield2.html
Findings:
In general, Kaspersky has issues with Sandboxie. Their firewall & proactive defense modules will bring my system to a grinding halt when used in conjunction with Sandboxie, both for IE and for FireFox. I am still trying to sort out the proper settings for these modules in KIS, but no luck so far. Currently I have both modules turned off. I don't mind so much not having proactive defense because Sandboxie is better for that anyway. Not having a usable firewall is troublesome.
Mil Shield: no issues after opening up the windows class. It's just a clean-up tool which is useful to clean house after browsing un-sandboxed (occasionally necessary, like for Windows or program updates).
Keylogger Hunter used in conjunction with Keyscrambler Pro does not work with Sandboxie. Keyscrambler's encrypted keystrokes end up in browser form data instead of the unencrypted ones. Both work fine together when the browser is not sandboxed. I find that Keyscrambler does work with the browser sandboxed if Keylogger Hunter is turned off. In order to get this far, I ran a trace & applied the following changes to sandboxie.ini:
OpenPipePath=\Device\NamedPipe\KSTIPipeDan
OpenPipePath=\Device\NamedPipe\wkssvc
OpenPipePath=\Device\NamedPipe\srvsvc
OpenPipePath=\Device\NamedPipe\lsarpc
OpenIpcPath=\BaseNamedObjects\00MemoryShareKeyloggerHunter
OpenWinClass=980d8agerw4
BlockFakeInput=n
BlockWinHooks=n
With the above changes implemented I get what looks like a clean trace to me (only blocked entries posted) but still no joy:
00000000 0.00000000 (003260) SBIE (KD) 00000003 \REGISTRY\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
00000001 0.83356738 (003260) SBIE (GD) PostMessage 01224 (04C8) to hwnd=0003005A pid=000824 DDEMLMom
00000002 6.51943398 (001028) SBIE (KD) 00000003 \REGISTRY\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
00000003 8.36108017 (003980) SBIE (KD) 00000003 \REGISTRY\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
00000004 35.04868698 (003260) SBIE (GD) PostMessage 01225 (04C9) to hwnd=0003005A pid=000824 DDEMLMom
If you can give me an idea as to what to do next to get the keylogger protection scheme working again I would appreciate it greatly.
Thanks,
Dan
Hi Tzuk,
I have turned up other issues with Keyscrambler Pro v1.3.1. The newest version of Keyscrambler is no longer compatible with Keylogger Hunter. I have reinstalled an older version of Keyscrambler, v1.2.1, and requested support from the Keyscrambler folks. They have acknowledged the incompatibility in the new version. Unfortunately, the older version is no longer available for you to download, so I don't think you will be able to help at this point. Keylogger Hunter protects only against hook based keyloggers, while Keyscrambler protects only against kernel based keyloggers. For this reason, one would think the respective vendors would expect that a user concerned about keyloggers would install both types of protection.
I don't know what to think about the KIS firewall and proactive defense modules. If you have to move beyond the default settings, things get a bit mystifying for an average user such as myself. v2.86 did not require any 'tweaking' but v3.0 appears to need some. The Kaspersky forum has not provided much useful data for Sandboxie users. I tried all the suggested settings, some of which did improve performance, but all caused other system problems.
I will try deleting Keyscrambler altogether to see if the issues with KIS disappear.
Thanks,
Dan
It appears that version 1.3.2 of Key Scrambler Personal (free) is available at their web site - as of yesterday.
http://www.qfxsoftware.com/
XP Pro SP3
Thanks Paul_K! They thought they had the issue with Keylogger Hunter resolved in v1.3.0, but it didn't work for me (perhaps it was KIS causing the problem). I am testing v1.3.2 now. So far, it seems to work fine with Keylogger Hunter outside the sandbox, but not when sandboxed. I no longer have the KIS firewall or proactive defense modules installed, so they are no longer a factor.
I ran some new traces with the new version of Keyscrambler installed, but still nothing obvious resulted. Maybe Tzuk will turn something up. Meanwhile I am looking for a more user friendly firewall.
> dlguild wrote: Meanwhile I am looking for a more user friendly firewall.

Maybe you need comodo firewall pro, it's superior and I still have yet to find one that's better (protection-wise and gui-wise).
> dlguild wrote: Maybe Tzuk will turn something up.
> Paul_K wrote: At least he will be able to get a version that you are having problems with

I don't know....., it's just like tzuk would say "If I can't reproduce the problem, I can't fix it" :P
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
> SnDPhoenix wrote: Maybe you need comodo firewall pro

Thanks! I'll give it a try tomorrow. It's 3AM here for me, got to get some sleep. I tried to install ZoneAlarm but the install failed. It took me ages to get all the crap it left behind off my system. Their un-installer is terrible.
> SnDPhoenix wrote: I don't know....., it's just like tzuk would say "If I can't reproduce the problem, I can't fix it"

I agree. But if anyone can he can! :D
Dan
> dlguild wrote:
> ...reinstalled Windows XP Pro SP2, FireFox v2.0.0.6 and installed ONLY my security software as follows:
> Sandboxie Version 3.00.11
> Kaspersky Internet Suite Version 7.0.0.125 http://www.kaspersky.com
> Keylogger Hunter Version 2.12 http://www.styopkin.com/
> Keyscrambler Pro Version 1.3.1 http://www.qfxsoftware.com/
> Mil Shield version 5.6 http://www.milincorporated.com/milshield2.html

Off-topic:
I'm sure - you would be much more secure if you simply used the LUA and the SandBoxIE alone.
All those AV|AM|AT|AK packages are guaranteed to conflict with each other - decreasing (or downright disabling) your protections.
The simpler - the better.
> booBot wrote: Off-topic:
> I'm sure - you would be much more secure if you simply used the LUA and the SandBoxIE alone.
> All those AV|AM|AT|AK packages are guaranteed to conflict with each other - decreasing (or downright disabling) your protections.
> The simpler - the better.

Couldn't have said it better myself.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
> Paul_K wrote: It appears that version 1.3.2 of Key Scrambler Personal (free) is available at their web site

Thanks!
> dlguid wrote: Keylogger Hunter used in conjunction with Keyscrambler Pro does not work with Sandboxie. Keyscrambler's encrypted keystrokes end up in browser form data instead of the unencrypted ones.

Fixed in version 3.00.13. I tested with KeyScrambler 1.3.2 and KeyHunter 2.12, but the fix itself is to the mechanisms in Sandboxie and not specific for any of these products.
> dlguid wrote:
> OpenPipePath=\Device\NamedPipe\KSTIPipeDan
> OpenPipePath=\Device\NamedPipe\wkssvc
> OpenPipePath=\Device\NamedPipe\srvsvc
> OpenPipePath=\Device\NamedPipe\lsarpc
> OpenIpcPath=\BaseNamedObjects\00MemoryShareKeyloggerHunter
> OpenWinClass=980d8agerw4

I added the one in bold to Sandboxie, and in fact I added one more for KeyScrambler, even though it's probably not strictly necessary.
It's not a good idea to OpenPipePath wkssvc, srvsvc, lsarpc. (There's a fourth one like these: samr). That introduces vulnerabilities.
> dlguid wrote: I don't know what to think about the KIS firewall and proactive defense modules. If you have to move beyond the default settings, things get a bit mystifying for an average user such as myself.

But you did imply that you enabled some special modules. Like I said earlier here, I couldn't see any slowdown with KAV/KIS installed with the default settings, if you have any hints how to reproduce the slowdown, that would be great.
tzuk
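Added example, not part of the original thread and not Sandboxie's own code: a Python check that scans Sandboxie.ini text for OpenPipePath entries exposing the pipes tzuk warns about above (wkssvc, srvsvc, lsarpc, samr), including entries written with a program prefix or a wildcard. The sample configuration, its section names and the TestBox entry are constructed for illustration.

```python
import fnmatch

# Named pipes tzuk says should not be opened to sandboxed programs.
SENSITIVE_PIPES = ("wkssvc", "srvsvc", "lsarpc", "samr")
PIPE_PREFIX = "\\device\\namedpipe\\"

# Constructed sample: the settings posted in the thread, placed in an assumed
# [DefaultBox] section, plus a hypothetical [TestBox] with a wildcard entry.
SAMPLE_INI = r"""[DefaultBox]
OpenPipePath=\Device\NamedPipe\KSTIPipeDan
OpenPipePath=\Device\NamedPipe\wkssvc
OpenPipePath=\Device\NamedPipe\srvsvc
OpenPipePath=\Device\NamedPipe\lsarpc
OpenIpcPath=\BaseNamedObjects\00MemoryShareKeyloggerHunter
OpenWinClass=980d8agerw4
[TestBox]
OpenPipePath=firefox.exe,\Device\NamedPipe\sam*
"""


def audit_open_pipe_paths(ini_text):
    """Return (section, line_no, pipe, line) for every risky OpenPipePath."""
    findings = []
    section = None
    for line_no, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        # Keys repeat in Sandboxie.ini, so each line is handled on its own.
        if not sep or key.strip().lower() != "openpipepath":
            continue
        # Optional "program.exe,path" form: keep only the path part.
        pattern = value.split(",", 1)[-1].strip().lower()
        for pipe in SENSITIVE_PIPES:
            # '*' and '?' act as wildcards; comparison is case-insensitive
            # because both sides are lowercased first.
            if fnmatch.fnmatchcase(PIPE_PREFIX + pipe, pattern):
                findings.append((section, line_no, pipe, line))
    return findings


if __name__ == "__main__":
    for section, line_no, pipe, line in audit_open_pipe_paths(SAMPLE_INI):
        print(f"[{section}] line {line_no}: opens {pipe}: {line}")
```

The function takes the file's text as a string, so decode the file with whatever encoding your Sandboxie.ini uses before passing it in.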
> tzuk wrote: Fixed in version 3.00.13. I tested with KeyScrambler 1.3.2 and KeyHunter 2.12, but the fix itself is to the mechanisms in Sandboxie and not specific for any of these products.

Confirmed, works fine now. :D
Per your suggestion I removed these 3 entries:
OpenPipePath=\Device\NamedPipe\wkssvc
OpenPipePath=\Device\NamedPipe\srvsvc
OpenPipePath=\Device\NamedPipe\lsarpc
And added this one:
OpenIpcPath=\BaseNamedObjects\00MemoryShareKeyloggerHunter
> dlguid wrote: I don't know what to think about the KIS firewall and proactive defense modules. If you have to move beyond the default settings, things get a bit mystifying for an average user such as myself.
> tzuk wrote: But you did imply that you enabled some special modules. Like I said earlier here, I couldn't see any slowdown with KAV/KIS installed with the default settings, if you have any hints how to reproduce the slowdown, that would be great.

No I did not enable any special modules. I was referring to the 'rules' which must be added to KIS to resolve conflicts and other special circumstances.
Kaspersky's stock answer to users is to uninstall the product and reinstall. I always thought this a bit lame, but I did it anyway today and it resolved the firewall problems. I think I know why. During the install, Kaspersky scans the system for installed applications and running processes. It uses this information to set up a default set of firewall rules. This means that if software is added after KIS, the user has to figure out what firewall rules need to be added or modified. When I rebuilt the system from scratch for these tests, I installed KIS first, then Sandboxie. By reinstalling KIS today with Sandboxie already in place, I can only assume that KIS added some additional firewall rules.
Tzuk, thank you for resolving the keylogger issue. Much appreciated!
:D
@booBot & @SnDPhoenix - I agree wholeheartedly with your sentiments. However, if you have ever been a victim of identity theft because of a keylogger as I have, you might feel differently. Believe me it is not a pleasant experience. AV software is pretty useless against keyloggers, thus prevention (i.e. Sandboxie) is paramount. Should a keylogger manage to get installed via some un-sandboxed route, AV software is not going to help, so you best have some means of thwarting its activity (i.e. Keyscrambler & Keylogger Hunter).
;)
Dan
> Maybe you need comodo firewall pro, it's superior and I still have yet to find one that's better (protection-wise and gui-wise).

SND - per your recco I've installed this along with boClean which comes from them. thanx, looks good
so now it's sandboxie and comodo
question; on the firewall packaged with xp from windows, shut it off, leave it on, doesn't matter?
Thanx, mitch