Is The Automatic Sandbox Set to Fully-Virtualized Vulnerable to Keyloggers

As the title suggests I would like to know if the automatic sandbox is vulnerable to keyloggers if the level is changed to Fully-Virtualized.

Be aware that by vulnerable I not only mean that data can be read but that the data can be transferred over the internet without the firewall intercepting the request. Therefore, for this topic please assume that the user is very security savvy and will not accidentally allow a dangerous alert.

If you find that it is vulnerable can you please try to find out if there are any settings which can be changed, without changing the level of the behavioral blocker to anything other than fully-virtualized, which can plug the leak?

Thank you.

I tested it with AKLT and the antitest.

It can block “keylog, clipboardlog, and install global hooks (except for JournalRecord Hook)”

It cannot block “screenlog”.

In theory, no. The only thing that is always vulnerable in virtualized environments like this is data leaking, because despite being isolated it can still access any document on your PC and send the data to any remote destination. The only way to overcome that is to go the Sandboxie path of restricting access inside the sandbox itself: limited user rights, restricted driver and service installation, restricted execution and access to files, and also restriction on internet access.

There is one downside of doing this: most apps will not work in such environments. I think similar would apply if you use the Untrusted sandbox level…

But can it actually transmit these off of the computer without triggering a firewall alert?

You can check this with the DDE test of the Comodo Leak Test.

The firewall cannot block iexplore.exe from connecting to the network (for “fully virtualized” only).

Is it only iexplore.exe, or all the safe applications as per firewall rules?

I was worried about that. So, and remember that my understanding of the firewall is very basic, does this mean that any application which uses iexplore.exe to communicate can bypass the firewall?

If so, does anyone know if there are any configuration changes which can solve this problem?

I would think you could set up an ask rule for IE that would apply in the real as well as the virtual environment?

The trouble is that would be very inconvenient.

I think the DDE exploit may depend on what browser was set as default and whether it is open when the test is run?

Best wishes

Mouse

1. Any application which uses “safe applications” to communicate can bypass the firewall, for “fully virtualized” only.

For example, malware executes svchost.exe, and then svchost.exe tries to connect to the network. CIS cannot block svchost.exe from connecting to the network.

2. It cannot be solved because of the design of VK. CIS V6 does not block VKed browsers (trusted files) from connecting to the network.
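The post above describes the weak spot: the firewall judges a connection by the image that opens it (svchost.exe, iexplore.exe), not by who launched that image, so a sandboxed dropper can proxy its traffic through a trusted binary. The following is an added example, not code from CIS or from anyone in this thread, showing the check a host monitor would need to catch that pattern: walk the process ancestry of each connecting process and flag trusted images whose chain contains an untrusted parent. The event records, process names, PIDs, destination address and the `trusted` labels are all constructed for illustration.

```python
"""Flag network connections by trusted system binaries that were launched
(directly or indirectly) by an untrusted process.

Added example: constructed events, not data from CIS or the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    trusted: bool  # assumed verdict of the sandbox/firewall for this image


@dataclass(frozen=True)
class NetworkEvent:
    pid: int
    dest: str  # "ip:port" of the remote endpoint


def build_tree(proc_events):
    """Index process-creation events by PID for ancestry lookups."""
    return {e.pid: e for e in proc_events}


def ancestry(tree, pid):
    """Return the chain of ProcessEvents from `pid` up to the root we know of.
    A `seen` set guards against PID reuse producing a cycle in the records."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid])
        pid = tree[pid].ppid
    return chain


def flag_proxied_connections(proc_events, net_events):
    """For every network event, find the connecting process; if the process
    is trusted but any ancestor is untrusted, report the connection.
    Returns a list of (connecting image, destination, untrusted ancestor)."""
    tree = build_tree(proc_events)
    findings = []
    for net in net_events:
        proc = tree.get(net.pid)
        if proc is None or not proc.trusted:
            continue  # unknown, or an untrusted image the firewall already sees
        for anc in ancestry(tree, proc.ppid):
            if not anc.trusted:
                findings.append((proc.image, net.dest, anc.image))
                break
    return findings


# Constructed sample: a dropper (untrusted) starts svchost.exe, which then
# connects out; a user-launched iexplore.exe connects to the same host.
SAMPLE_PROCS = [
    ProcessEvent(pid=100, ppid=1, image="explorer.exe", trusted=True),
    ProcessEvent(pid=200, ppid=100, image="dropper.exe", trusted=False),
    ProcessEvent(pid=300, ppid=200, image="svchost.exe", trusted=True),
    ProcessEvent(pid=400, ppid=100, image="iexplore.exe", trusted=True),
]
SAMPLE_NET = [
    NetworkEvent(pid=300, dest="203.0.113.5:443"),  # proxied via svchost.exe
    NetworkEvent(pid=400, dest="203.0.113.5:443"),  # legitimate browser traffic
]


def run_sample():
    return flag_proxied_connections(SAMPLE_PROCS, SAMPLE_NET)


if __name__ == "__main__":
    for image, dest, via in run_sample():
        print(f"ALERT: trusted {image} -> {dest} launched under untrusted {via}")
```

The point the example makes is that a per-image allow decision is blind to this chain; only a component that records parent/child relationships at process creation (and keeps them for the life of the child) can tell the two svchost.exe and iexplore.exe connections apart. That is also why the thread's suggested workaround, an ask rule on the trusted image itself, prompts for every launch rather than only the suspicious one.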

The situation with IE appears to be anomalous.

I can impose ask rules on Dragon and IceDragon, and on IE copied to an unusual path.

But not on IE on the normal path. I defined rules for both IE x64 and IE x86, and tried custom mode as well.

Custom mode appears to cause Kiosk instability…

I have done bug reports

Best wishes

Mouse