[.04] New phishing folder for Firefox

Listing issues addressed in beta version 4.01
Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Tue Nov 20, 2012 2:25 pm

With the official release of Firefox 17, a new sub-folder is created for anti-phishing use.

XP location:
C:\Documents and Settings\(user)\Local Settings\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\safebrowsing

Vista/Win 7 location (Win 8 not known) should be:
C:\Users\(user)\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\safebrowsing

The "safebrowsing" folder contains multiple files with extensions like:
.pset, .sbstore, .hashkey, .cache

The current Sandboxie anti-phishing template for Firefox does not allow the contents of the "safebrowsing" folder to be saved out of the sandbox, so until that template can be updated, I recommend that users of Fx17 give 'firefox.exe' a direct access setting for the entire "safebrowsing" folder after they update the program.

Notes:
- The "safebrowsing" folder does not exist until Firefox is updated to version 17.
- I don't know if future Waterfox or Palemoon versions will also use a "safebrowsing" folder, so the following Direct Access setting specifies 'firefox.exe'. (In the case of Waterfox or Palemoon, you would substitute that program's .exe name in place of 'firefox.exe')

Sandbox Settings > Resource Access > File Access > Direct Access
"Add Program" button: firefox.exe
"Add" button: Navigate to the "safebrowsing" folder, located as above, and select the folder.
OK
------
A new Firefox anti-phishing template (for Fx17 and earlier), for inclusion in future updates to 'templates.ini':
(For most people: those whose Firefox profile folders are all located in the default location underneath %USERPROFILE%)

[Template_Firefox_Phishing_DirectAccess]

Tmpl.Title=#4337,Firefox/Waterfox/Pale Moon
Tmpl.Class=WebBrowser
ProcessGroup=<FirefoxPrograms>,firefox.exe,waterfox.exe,palemoon.exe
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\urlclassifier.pset
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\urlclassifier*.sqlite*
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\cert8.db
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\blocklist.xml
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\safebrowsing\*

------
An (alternate) Local Template for those who (like me) may have Firefox profile(s) located at non-default locations:
(Specifies firefox.exe only; not written for use with Waterfox or Palemoon)

[Template_Local_Firefox_Phishing_DirectAccess]
Tmpl.Title=My Firefox Phishing Direct Access
OpenFilePath=firefox.exe,*\blocklist.xml
OpenFilePath=firefox.exe,*\cert8.db
OpenFilePath=firefox.exe,*\urlclassifier*.sqlite*
OpenFilePath=firefox.exe,*\urlclassifier.pset
OpenFilePath=firefox.exe,*\safebrowsing\*
Tmpl.Class=Local
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
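
An added example, not part of the original posts or of Sandboxie itself: a short Python audit that parses the two templates from the post above and reports whether a given program gets direct (unsandboxed) access to a given path. It assumes `*` matches any run of characters including backslashes, that matching is case-insensitive, and a constructed profile root `C:\Users\alice`; all sample paths are constructed.

```python
import re

# Constructed input: the access-related lines of the two templates in this thread.
TEMPLATES = r"""
[Template_Firefox_Phishing_DirectAccess]
ProcessGroup=<FirefoxPrograms>,firefox.exe,waterfox.exe,palemoon.exe
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\urlclassifier.pset
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\urlclassifier*.sqlite*
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\cert8.db
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\blocklist.xml
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\safebrowsing\*
[Template_Local_Firefox_Phishing_DirectAccess]
OpenFilePath=firefox.exe,*\blocklist.xml
OpenFilePath=firefox.exe,*\cert8.db
OpenFilePath=firefox.exe,*\urlclassifier*.sqlite*
OpenFilePath=firefox.exe,*\urlclassifier.pset
OpenFilePath=firefox.exe,*\safebrowsing\*
"""

def parse(text):
    """Return {section: [(set_of_program_names, path_pattern), ...]}."""
    rules, groups, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            rules[section] = []
        elif line.startswith("ProcessGroup="):
            name, *members = line.split("=", 1)[1].split(",")
            groups[name] = {m.lower() for m in members}
        elif line.startswith("OpenFilePath="):
            who, pattern = line.split("=", 1)[1].split(",", 1)
            # A <Group> name expands to its members; otherwise it is one program.
            rules[section].append((groups.get(who, {who.lower()}), pattern))
    return rules

def matches(pattern, path, userprofile):
    # Assumption: '*' spans any characters (backslashes too), whole-path, case-insensitive.
    expanded = pattern.replace("%USERPROFILE%", userprofile)
    regex = ".*".join(re.escape(part) for part in expanded.split("*"))
    return re.fullmatch(regex, path, re.IGNORECASE | re.DOTALL) is not None

def direct_access(rules, section, program, path, userprofile=r"C:\Users\alice"):
    """True if `program` may write `path` outside the sandbox under `section`."""
    return any(program.lower() in progs and matches(pat, path, userprofile)
               for progs, pat in rules[section])
```

Under these assumptions the default template only opens paths beneath `%USERPROFILE%`, while the local template's `*\safebrowsing\*` opens any folder named "safebrowsing" on any drive to `firefox.exe`, which is worth knowing before adopting it.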

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Nov 21, 2012 4:13 am

Thanks Guest10. I will add this to the default phishing settings for Firefox in Sandboxie.
tzuk

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Post by bo.elam » Wed Nov 21, 2012 12:11 pm

Guest10, thank you.

Bo

Blues
Posts: 214
Joined: Sun May 10, 2009 7:37 pm
Location: Blue Ridge Mtns

Post by Blues » Thu Nov 22, 2012 9:06 am

Thanks, Paul, for the info, and Tzuk for adding it to future versions. 8)
Blues

Real-Time: Sandboxie (Lifetime), Online Armor Premium, Webroot SecureAnywhere AV

On Demand: Shadow Defender, MBAM Pro, HitmanPro, Drive Snapshot / Macrium Reflect

Bellzemos
Posts: 863
Joined: Wed Feb 17, 2010 2:08 pm

Post by Bellzemos » Wed Dec 19, 2012 8:56 pm

What happens if I just update Firefox to v17 and don't change any settings (as in the 1st post) in Sandboxie? Thank you.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Thu Dec 20, 2012 8:30 am

Bellzemos wrote: What happens if I just update Firefox to v17 and don't change any settings...
Then the Google Safebrowsing files in the unsandboxed (%Local AppData%) profile folder will only be updated when you run Firefox unsandboxed.

Each time you start Firefox with an empty sandbox, the Safebrowsing files outside of the sandbox will be used at first; then those files will be updated inside of the sandbox; and then the updated files will be deleted when the sandbox contents are deleted.

In practical terms, the safebrowsing files are small in size and the extra updating that occurs each time you start with an empty sandbox doesn't really amount to much.
That was not the case with the previous phishing database file Urlclassifier3.sqlite. That file could get quite large, and without the phishing template, it would trigger a warning from Sandboxie because it was being copied into the sandbox. The phishing template allowed it to be updated while sandboxed, and kept it from being copied into the sandbox.

After a false start with an earlier version of Firefox, version 17 is the first version to use Google's newest Safebrowsing application programming interface:
https://developers.google.com/safe-browsing/
----
Chrome also downloads Google Safebrowsing files, in its "User Data" folder:

XP: C:\Documents and Settings\(user)\Local Settings\Application Data\Google\Chrome\User Data\
Vista/Win 7: C:\Users\(user)\AppData\Local\Google\Chrome\User Data\
File names (list may not be complete):
Safe Browsing Cookies
Safe Browsing Download
Safe Browsing Download Whitelist
Safe Browsing Csd Whitelist
Safe Browsing Bloom Prefix Set
Safe Browsing Bloom

As with Firefox, these are very small files and downloading them each time you start with an empty sandbox doesn't amount to much.
There's no Sandboxie phishing template for Chrome, and none of the existing templates will allow these files to be saved outside of the sandbox, so they're downloaded each time you start Chrome with an empty sandbox - and updated, in the sandbox, while sandboxed Chrome runs.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

Bellzemos
Posts: 863
Joined: Wed Feb 17, 2010 2:08 pm

Post by Bellzemos » Fri Dec 21, 2012 2:49 pm

Thank you for your extensive answer. I will update FF to v17 and just leave all the default SBIE settings. Thank you again.

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Post by bo.elam » Fri Dec 21, 2012 4:14 pm

Guest10 wrote: Each time you start Firefox with an empty sandbox, the Safebrowsing files outside of the sandbox will be used at first; then those files will be updated inside of the sandbox; and then the updated files will be deleted when the sandbox contents are deleted.
I am not seeing this in my W7 or XP when Safebrowsing is not allowed Direct access. In other words, if the Safebrowsing folder is not allowed Direct access, it doesn't update sandboxed at all.

Bo

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Fri Dec 21, 2012 5:31 pm

bo.elam wrote:
Guest10 wrote: Each time you start Firefox with an empty sandbox, the Safebrowsing files outside of the sandbox will be used at first; then those files will be updated inside of the sandbox; and then the updated files will be deleted when the sandbox contents are deleted.
I am not seeing this in my W7 or XP when Safebrowsing is not allowed Direct access.
Since the times/dates of the safebrowsing files were updated after Firefox ran sandboxed, I guess I assumed that they would be updated in the sandbox if not allowed out.
I didn't see any new files saved in the sandbox for a while, but after creating a sandbox where they were not allowed out, and using that sandbox for a while, I got a "safebrowsing" folder created in the sandbox.
Look at the file sizes for the sandboxed files, though. They sure look strange. Did Firefox try to delete the files outside of the sandbox and wind up creating 0 byte files inside of the sandbox?
If I had used it longer would the file sizes increase?

UNsandboxed folder (note the times and file sizes):
Image


Sandboxed folder:
Image
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Post by bo.elam » Fri Dec 21, 2012 9:01 pm

Guest10 wrote: Look at the file sizes for the sandboxed files, though. They sure look strange. Did Firefox try to delete the files outside of the sandbox and wind up creating 0 byte files inside of the sandbox?
If I had used it longer would the file sizes increase?
Guest10, over here, the file sizes sandboxed and unsandboxed look pretty much the same. It's just that when sandboxed, they don't change at all if I am using a sandbox where I am not giving Direct access to the safebrowsing folder. Here, I don't see any 0 KB file as in the picture.

Bo

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Fri Mar 08, 2013 6:38 pm

The Firefox Phishing template in templates.ini (v4.01.03) still needs to be updated.
The latest Firefox versions do not use urlclassifier3.sqlite, but it should stay in the template for use with earlier Firefox versions.
The "\safebrowsing" sub-folder should be added, as shown.


[Template_Firefox_Phishing_DirectAccess]
Tmpl.Title=#4337,Firefox/Waterfox/Pale Moon
Tmpl.Class=WebBrowser
ProcessGroup=<FirefoxPrograms>,firefox.exe,waterfox.exe,palemoon.exe
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\urlclassifier.pset
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\urlclassifier*.sqlite*
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\cert8.db
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\blocklist.xml
OpenFilePath=<FirefoxPrograms>,%USERPROFILE%\*\safebrowsing\*

----
Anyone who has a Firefox profile folder that isn't in the default location underneath %USERPROFILE% should use their own Local Template, since the above will not allow those items to be updated outside of the sandbox.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Mar 10, 2013 12:10 pm

Sorry Guest10 :oops:
I just typed the new line into Templates.ini so it will definitely be part of the next beta version.
tzuk

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Mar 18, 2013 12:30 pm

Updated in version 4.01.04.
tzuk
