Messenger Issue

Please post your problem description here

Moderator: Barb@Invincea

Messenger Issue

Post by Messenger Issue » Tue Dec 22, 2009 11:48 am

Hi, can someone help me resolve this error message?

OK, I am running Windows Live Messenger latest version sandboxed and I am using ssj100 setup.

Every time I receive or send a message and when I close the window I get a popup error message saying something like this.

"An error occurred creating the message history folder for Tommy (C:\Users\Tommy\Documents\My Recived Files
Tommy152717274546\History:

Access is denied."


Any idea how I can set it up so I do not get these popup warnings?

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am
Contact:

Post by ssj100 » Tue Dec 22, 2009 1:26 pm

I think it's probably because you've denied access to your "My Documents" folder or similar. That is, you've created a ClosedFilePath to your User's Documents folder, thus nothing running in that sandbox (eg. your messenger program) can access it.

Your messenger program is simply trying to create a log file (of your messages) in that folder, but it doesn't have access to it. Should be easy enough to fix.

For example, you could configure your messenger program to store log files in a different location (that the sandbox isn't blocked from accessing).
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

1

1

Post by 1 » Tue Dec 22, 2009 4:34 pm

ssj100 wrote: I think it's probably because you've denied access to your "My Documents" folder or similar. That is, you've created a ClosedFilePath to your User's Documents folder, thus nothing running in that sandbox (eg. your messenger program) can access it.

Your messenger program is simply trying to create a log file (of your messages) in that folder, but it doesn't have access to it. Should be easy enough to fix.

For example, you could configure your messenger program to store log files in a different location (that the sandbox isn't blocked from accessing).


Yes, I have it set to block my documents folder, so would you recommend I can avoid this error by using either the "openfilepath" method and leading it to this folder (C:\Users\Tommy\Documents\My Recived Files
Tommy152717274546\History: ?

Or would I use the "openpipepath" instead? Or would either of these approaches not make it very secure?


I am using this setup that I saw from a post. http://www.wilderssecurity.com/showthre ... 008&page=4


Originally Posted by ssj100
Here's how I configure my Sandboxie:
1. Create as many separate sandboxes as is required for your internet facing applications. Try to have one separate sandbox per internet facing application.
2. In each sandbox, use the appropriate start/run and internet access restrictions and only allow your program to start/run and access internet within its sandbox. You may also need to allow other programs depending on whether the application interacts with other processes.
3. In each sandbox, enable Drop my rights.
4. In each sandbox, block file access to any areas of your computer containing sensitive information (eg. “My Documents”).
5. In each sandbox, configure Read-Only access to C:\WINDOWS
6. In each sandbox, force the relevant application to always run in its sandbox
7. Do not use any OpenFilePath rules for any internet browsers (note there are a few exceptions here, like enabling an OpenFilePath rule to allow direct access to Firefox phishing database)
8. You will need at least 2 browsers. One browser will be used for everyday browsing and other non-critical/sensitive activity.
9. The other browser will be used for online banking and other critical/sensitive activity.
10. For the browser in step 9, configure its sandbox to automatically delete whenever the browser closes.
11. Depending on the nature of your other internet facing applications, you may choose to also configure their respective sandboxes to automatically delete on closing.
12. This step is obviously optional: have one sandbox to test applications/malware in (the DefaultBox will do) where the only configurations are to enable automatically delete and block file access to any areas of your computer containing sensitive information (eg. “My Documents”).

Thanks to Wilders user demoneye for suggesting step 5. Enjoy!


Also, is this the setup you're still using now? Have you added or changed up anything to make it more secure?

Also, I added in these lines I saw in that same post, but a few pages into it.

ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\RawIp
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Ip*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Afd*

ClosedFilePath=C:\AUTOEXEC.BAT
ClosedFilePath=C:\boot.ini
ClosedFilePath=C:\ntldr
ClosedFilePath=C:\NTDETECT.COM

ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\

However, when I add in these lines, for some reason when I am running the browser through Sandboxie, when I try to download a file, say to a networked drive, I am unable to access that folder.

Are these extra lines really needed?

1

1

Post by 1 » Tue Dec 22, 2009 4:40 pm

Oh yah, also when I add in these lines, I do not see them showing up when I look through the GUI section

ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\RawIp
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Ip*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Afd*


Is this normal?

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am
Contact:

Post by ssj100 » Tue Dec 22, 2009 4:42 pm

Yes I'm still using the same setup, except I've added a few more sandboxes now, including CD/DVD, USB and Virtual Machine sandboxes.

I don't think adding those extra lines is necessary at all - I don't use them myself.

Also, a slight change to my setup is that I don't use Drop Rights anymore, since I'm using LUA.

And by the way, OpenFilePath etc will not work, since ClosedFilePath over-rides that. Just get your messenger program to store logs in a different location. My messenger program stores logs in a different folder by default anyway.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
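
Added example (not part of the original posts and not Sandboxie's own code): a small Python check of the precedence described in the post above, where a ClosedFilePath rule wins over an OpenFilePath rule for the same path. The matching model (case-insensitive prefix match unless the rule contains `*`, optional `program,` or `!program,` prefix) is a simplifying assumption, and the sandbox name, the `msnmsgr.exe` process name and the sample settings are constructed.

```python
import fnmatch

# Constructed sample settings for a sandbox named "Messenger" (not a real Sandboxie.ini).
SAMPLE_INI = r"""
[Messenger]
ClosedFilePath=C:\Users\Tommy\Documents\
OpenFilePath=msnmsgr.exe,C:\Users\Tommy\Documents\History\
ProcessGroup=<InternetAccess_Messenger>,msnmsgr.exe
ClosedFilePath=!<InternetAccess_Messenger>,\Device\Afd*
"""

def parse_rules(ini_text, box):
    """Collect the file-path rules and process groups of one sandbox section."""
    rules, groups, current = [], {}, None
    for line in (l.strip() for l in ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == box and "=" in line:
            key, value = line.split("=", 1)
            if key == "ProcessGroup":
                name, *members = value.lower().split(",")
                groups[name] = set(members)
            elif key in ("ClosedFilePath", "OpenFilePath"):
                prog, sep, path = value.lower().partition(",")
                if not sep:  # no "program," prefix: the rule covers every program
                    prog, path = "", value.lower()
                rules.append((key, prog, path))
    return rules, groups

def applies(prog, program, groups):
    """True if the rule's program prefix covers `program`; a leading '!' negates."""
    name = prog.lstrip("!")
    return not prog or (program in groups.get(name, {name})) != prog.startswith("!")

def matches(pattern, path):
    """Assumed matching model: '*' is a wildcard, otherwise the rule is a prefix."""
    return fnmatch.fnmatchcase(path, pattern if "*" in pattern else pattern + "*")

def check(ini_text, box, program, path):
    """Return (verdict, deciding rule, OpenFilePath rules that are overridden)."""
    rules, groups = parse_rules(ini_text, box)
    program, path = program.lower(), path.lower()
    hits = [r for r in rules if applies(r[1], program, groups) and matches(r[2], path)]
    closed = [r for r in hits if r[0] == "ClosedFilePath"]
    opened = [r for r in hits if r[0] == "OpenFilePath"]
    if closed:  # ClosedFilePath wins, so a matching OpenFilePath has no effect
        return "blocked", closed[0], opened
    return ("direct", opened[0], []) if opened else ("sandboxed", None, [])
```

Calling `check(SAMPLE_INI, "Messenger", "msnmsgr.exe", r"C:\Users\Tommy\Documents\History\log.xml")` returns `blocked` and lists the OpenFilePath rule as overridden, while a log folder outside the closed path comes back as `sandboxed`.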

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am
Contact:

Re: 1

Post by ssj100 » Tue Dec 22, 2009 4:47 pm

1 wrote: Oh yah, also when I add in these lines, I do not see them showing up when I look through the GUI section

ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\RawIp
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Ip*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Afd*


Is this normal?

It's because you're not looking hard enough haha. Look for "The list above applies to" and click on the drop down box next to it. You'll see something like "internetaccess_internet" and your rules will be there.

These rules are put in place whenever you configure restrictions for internet access. This is important to have for all your potential malware threat-gates.

EDIT: oh, and I see Wilders deleted my Sandboxie related posts too, including the updated setup I had. That sux for you I guess haha. Don't worry, I'll eventually write out my full setup again in the future.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

1

1

Post by 1 » Tue Dec 22, 2009 5:38 pm

Hmmm, when I added in these lines

ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\RawIp
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Ip*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Afd*

I am unable to open up IE and my Messenger Sandbox, however FF works fine.


Also, what does LUA stand for? I am guessing Limited User Account? If so, are there any real advantages or annoyances of running in LUA + Drop Rights unchecked versus admin + dropped rights?

I just added in KeyScrambler to my setup, and I was interested in combining GeSWall or DefenseWall as well, however some people are saying it can conflict or end up having too many annoyances. Do you think I should add in the extra security?

Furthermore, I was planning on getting a new PC, however I was planning to get Windows 7 64-bit and sadly a lot of these types of programs don't seem to be ported over to 64-bit. Do you think the security offered by 64-bit is better than 32-bit + combined with apps like Sandboxie/KeyScrambler/GeSWall or DefenseWall?

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am
Contact:

Re: 1

Post by ssj100 » Tue Dec 22, 2009 6:04 pm

1 wrote: Hmmm, when I added in these lines

ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\RawIp
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Ip*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Afd*

I am unable to open up IE and my Messenger Sandbox, however FF works fine.


Also, what does LUA stand for? I am guessing Limited User Account? If so, are there any real advantages or annoyances of running in LUA + Drop Rights unchecked versus admin + dropped rights?

I just added in KeyScrambler to my setup, and I was interested in combining GeSWall or DefenseWall as well, however some people are saying it can conflict or end up having too many annoyances. Do you think I should add in the extra security?

Furthermore, I was planning on getting a new PC, however I was planning to get Windows 7 64-bit and sadly a lot of these types of programs don't seem to be ported over to 64-bit. Do you think the security offered by 64-bit is better than 32-bit + combined with apps like Sandboxie/KeyScrambler/GeSWall or DefenseWall?

Not sure why IE and Messenger don't open mate. Keep playing around I guess.

Yes Limited User Account is the way to go for sure. I had some very good links (all in one post) back on Wilders about how to set up LUA + SRP + DEP and how to use SuRun with it. I'm guessing that post is also deleted, but I'm sure someone else will be able to post it again in the future - I'm just too lazy at the moment sorry haha.

To be honest though, if you've set up Sandboxie properly, you can run as administrator just as securely. I've just got so used to running as LUA that I might as well stick to this extra expense-free and conflict-free layer of security.

Finally, do what you want mate. Experiment with it. I'd recommend experimenting in a Virtual Machine though. I personally tried it all - DefenseWall, GeSWall etc etc. I even ran Sandboxie + DefenseWall for a short period. For me, Sandboxie was definitely the one to keep. You might see it differently though.

The only "security program" I am waiting to add is Comodo Time Machine (a rollback program) - it's currently in RC2 phase, which means the final shouldn't be too far away. And the only reason I'm wanting to add it to my setup is not for myself - it's for "noob users" who want to use my system haha. With Comodo Time Machine, I can let them do what they like on the snapshot and then roll back all the changes with a simple restart, while retaining their snapshots for future re-visiting.

Regarding 64-bit systems, I'll let Tzuk or others reply.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

1

1

Post by 1 » Wed Dec 23, 2009 2:16 am

Hey ssj100, I was reading up on a post you were chatting on and it mentioned something about shutting down all sandboxes and using one clean sandbox if you were to do online banking etc.

However, I have 1 sandbox which is set to autodelete every time I am done surfing online, and the other box, in which I have Messenger running and I allow it access to IE when I get emails or links through Messenger; however, I have this box set to never delete. So do I need to shut down this Messenger sandbox each time I am online trying to buy something? Just say I forgot to shut down or just say other people forget to shut down. Isn't there some other way of protecting us? Also, just say 1 box is infected, why would it be able to log all other boxes? Furthermore, is this where a program like KeyScrambler could come into play as an extra layer of security?

Also, any idea how well these keyscramblers work? Couldn't someone like reverse engineer some type of program and crack how the scrambler works and they would know what has been typed?

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am
Contact:

Re: 1

Post by ssj100 » Wed Dec 23, 2009 3:12 am

1 wrote: Hey ssj100, I was reading up on a post you were chatting on and it mentioned something about shutting down all sandboxes and using one clean sandbox if you were to do online banking etc.

However, I have 1 sandbox which is set to autodelete every time I am done surfing online, and the other box, in which I have Messenger running and I allow it access to IE when I get emails or links through Messenger; however, I have this box set to never delete. So do I need to shut down this Messenger sandbox each time I am online trying to buy something? Just say I forgot to shut down or just say other people forget to shut down. Isn't there some other way of protecting us? Also, just say 1 box is infected, why would it be able to log all other boxes? Furthermore, is this where a program like KeyScrambler could come into play as an extra layer of security?

Also, any idea how well these keyscramblers work? Couldn't someone like reverse engineer some type of program and crack how the scrambler works and they would know what has been typed?

Yes, it's probably best to shut down all other sandboxes before using your clean sandbox to do sensitive browsing. I've not heard of malware that can jump around and access other sandboxes, but it might be possible, who knows.

KeyScrambler is only useful if you're already infected by a keylogger. If the web-site itself is compromised, nothing can save you. Now here's the thing that makes me NOT use KeyScrambler - it's basically impossible for me to be infected by a keylogger that can start/run or access the internet. Why? Because all my malware threat-gates are sandboxed with start/run/internet restrictions, and so should yours. In other words, nothing can start/run/execute or access the internet except specific applications (on my REAL system) in each of my sandboxes. Also if anything bypasses Sandboxie, I have SRP in place to default-deny all types of executable file types.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
