How to contain meta data, and polymorphic malware

John connor
Lunatic
Posts: 470
Joined: Wed Jan 21, 2015 5:06 am
Location: USA

How to contain meta data, and polymorphic malware

Postby John connor » Sat Sep 02, 2017 4:41 am

I discovered with my use of a program on my computer called spy the spy that websites were adding meta data in the Pale Moon profile folder under storage. So I wanted to contain this. I can't simply block it as I have read here that it will break websites. So I thought of a few solutions. My first inclination was to symlink the storage folder to a small RAM drive using the program ImDisk and the program Link Shell Extension which gives you an easy context menu to right click a file or folder and create the symlink. You can read about symlinks here: https://www.howtogeek.com/howto/16226/c ... -or-linux/

Well, this setup worked up to a point. The meta data was being stored in the Temp file of the small 5MB RAM drive, but every time I turned off the computer the symlink wouldn't stick, but the RAM drive was in fact cleared out on system reboot. So I took care of one thing, but the other wasn't working. My next idea was to use the program (fantastic by the way) called AutoHotKey to create a script that would start on computer boot that would automatically create the symlink. But try as I might, I couldn't get the two auto script recording programs to work right to create my symlink. So it was back to the drawing board on how to contain this meta data.

The solution? The almighty and brilliant Sandboxie application. Sandboxie will allow you to contain programs in a so-called "sandbox," where all the data is contained in this virtual-machine-like program and nothing touches your computer. I've been using it for the better part of 6 years now. It's a really great way to keep polymorphic malware like ransomware off of your computer, since standard definition-based anti-virus programs (Avast, Bitdefender, Malwarebytes, you name it) don't catch a lot of polymorphic malware. ALL are definition-based and depend on definitions to work and catch malware. With polymorphic malware there won't be a definition, and it will slip right on by.

So with Sandboxie you can effectively keep everything, including meta data, contained in the sandbox and it won't even touch your computer. Now to do this you will want to give Sandboxie access to your bookmarks, of course, otherwise they won't stick on browser exit. If you intend on updating Pale Moon, don't use Sandboxie for the update, otherwise it won't stick as well. To get this set up, follow my instructions to a T. And after you are done, not only will you have a more secure way to browse the Internet, but you will contain meta data as well. I should note that Sandboxie is indeed free. But with the free version, after 30 days you will get a pop-up when you launch Pale Moon that lasts for 5 seconds, reminding you that you are using the free version and that to get rid of the pop-up you should buy Sandboxie. The pop-up goes away after 5 seconds once you click the button, and then Pale Moon will launch in the sandbox. Just a small price to pay for free, but well worth it for what Sandboxie offers in terms of protection, both in security and privacy.

Double click the Sandboxie icon. Select Sandbox | Default Box | Sandbox settings.

Go to Applications |web browser | Firefox

Allow access to your Pale Moon bookmarks and history. Nothing else, unless you store passwords.

Now do the following to allow access to your extension folders and Greasemonkey scripts, if you have them.

Right-Click on your Sandbox |Sandbox Settings | Resource Access | File Access | Direct Access
Click Add Program to choose the program that should have access to those locations (in this case, Pale Moon).
Hit Add and select the folders you want that program to be able to access.
Hit Apply and Ok your way out.
Configure | Reload Configuration.

You have to show hidden files and folders in your Windows control panel under folder options to navigate to the folders in Sandboxie that need access.

Allow access to the following folders in your PM profile folder:

extension-data\

extensions\

and if you have Greasemonkey, the gm_scripts\ folder.

That's it! Now Sandboxie will allow permanent access to those folders and your bookmarks/history and delete everything else on browser exit.

Note: When you download a file you have to click Recover. Also note that you may have to set up your downloads location in Sandboxie. So if it isn't the default My Documents/Downloads, but rather D:\Downloads or something, you will want to set that path under Recovery | Quick Recovery. Note that if you haven't downloaded anything and didn't expect the recovery box to pop up, don't recover (or download) whatever it is that wants to be on your computer. You can also right-click the Sandboxie icon in the task bar and delete all contents in the sandbox. Do make sure the red X shows up over the Sandboxie icon in the task bar when you close Pale Moon. That tells you everything has been deleted. Also note the icon will show particles of "sand" in it, meaning that there is content currently in the sandbox. The Sandboxie program and their most helpful forum are located here: https://www.sandboxie.com/

If you have any questions ask. I'll be happy to help.

EDIT- One more thing. I wouldn't launch Pale Moon in Sandboxie if you intend to download a torrent. Doing so will keep the torrent in Sandboxie until it fully completes. If it's small then you don't have to worry. But if it's several gigabytes big, like CentOS, you may want to stop and start the torrent at a later time, and you won't want that data sitting in the sandbox.
My forum project :wave:
You ever dance with the devil in the pale moon light?
Cooler Master Storm Scout 2 Advanced |GIGABYTE AORUS GA-Z270X-Gaming K7| i5 6600k | 2666 MHz Ballistix Tactical RAM | Crucial MX300 256GB SSD | 1 TB Hitachi platter | GTX 560TI |Logitech Z 5300 5.1 audio | Logitech mouse/keyboard
Laptop: Dell Precision M6300

Moonchild
Pale Moon guru
Posts: 19943
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: How to contain meta data, and polymorphic malware

Postby Moonchild » Sat Sep 02, 2017 9:55 am

Downloading a torrent and having it store its data in the browser data storage/profile area is a really bad way to go about it. If you want to torrent something, you should not be using a browser extension, but use a torrent client application like Tixati (http://www.tixati.com) and hand over torrents or magnet links to it.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.


Re: How to contain meta data, and polymorphic malware

Postby John connor » Sat Sep 02, 2017 10:55 am

Moonchild wrote: Downloading a torrent and having it store its data in the browser data storage/profile area is a really bad way to go about it. If you want to torrent something, you should not be using a browser extension, but use a torrent client application like Tixati (http://www.tixati.com) and hand over torrents or magnet links to it.

No, you have that wrong. When you use Sandboxie and click a magnet link, your default torrent application will launch. Thus, since you are in Sandboxie, the torrent application will launch in the sandbox as well. So as data is being downloaded it will sit in the sandbox until either A) the file is done downloading and you click Recover, or B) you exit Sandboxie and all your data is lost. That's why I say if you intend on downloading a torrent you should do so without using Sandboxie.


Re: How to contain meta data, and polymorphic malware

Postby John connor » Sat Sep 02, 2017 11:03 am

I just discovered a few other files that you should grant Sandboxie access to so changes take place. They are:

\formhistory.sqlite (Only if you want to keep browser history.)

\extensions.ini

\extensions.json

\extensions.sqlite

\searchplugins\

And if you use the add-on Lazarus which stores your typed text in case of browser crash you will want to allow access to these two files:

\lazarus.sqlite

\lazarus-backup.sqlite

Once you add these paths to File Access | Direct Access, go to Configure | Reload Configuration.

This all may sound like one big giant PITA, but believe me, once you set this up you will have a very secure browsing experience.

distantpluto
Hobby Astronomer
Posts: 27
Joined: Thu Dec 17, 2015 6:28 pm
Location: UK

Re: How to contain meta data, and polymorphic malware

Postby distantpluto » Sat Sep 02, 2017 1:13 pm

Interesting. What is the purpose of the "permanent" folder in storage? What are the ramifications of not keeping this folder?


Re: How to contain meta data, and polymorphic malware

Postby distantpluto » Sat Sep 02, 2017 2:56 pm

coffeebreak wrote: Some links to reading material...

Many thanks for the links. I shall investigate further...


Re: How to contain meta data, and polymorphic malware

Postby distantpluto » Sun Sep 03, 2017 1:53 pm

Well, I've been browsing my regular sites, including financial, after deleting everything in "storage" and suffered no adverse effects so far. I've also set 'Offline Web Content and User Data -> Deny'.

I'm using Linux and would have used an fstab tmpfs/bind mount for this directory so it's discarded at shutdown, but as I run PM from a script which copies the profile to memory (/dev/shm) first, I simply delete the contents of "storage" in the script before it rsyncs my profile back to disk.
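The RAM-backed profile approach described in the post above, written out as an added example (this is not distantpluto's own script): the profile is copied to /dev/shm, Pale Moon runs from that copy, and the contents of "storage" are discarded before the profile is written back to disk. The profile path, the RAM directory and the `palemoon` binary name are placeholders, and plain `cp` stands in for rsync so the script has no dependency beyond a POSIX shell and find.

```shell
#!/bin/sh
# Added example, not the poster's own script: run Pale Moon from a RAM-backed copy of
# its profile, throw away the site data under "storage" when the browser exits, then
# write the profile back to disk.  Paths and the binary name are placeholders.
set -eu

PROFILE="${PROFILE:-$HOME/.moonchild productions/pale moon/PLACEHOLDER.default}"
RAMDIR="${RAMDIR:-/dev/shm/pm-profile}"

# Copy the on-disk profile ($1) into the RAM directory ($2), replacing any stale copy.
stage_profile() {
    rm -rf "$2"
    mkdir -p "$2"
    cp -Rp "$1/." "$2/"
}

# Delete everything under <profile>/storage but keep the directory itself.
# Prints the number of entries left behind (0 when the scrub succeeded or nothing existed).
scrub_storage() {
    if [ -d "$1/storage" ]; then
        find "$1/storage" -mindepth 1 -delete
        find "$1/storage" -mindepth 1 | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Write the RAM copy ($2) back over the on-disk profile ($1).  cp never deletes, so the
# on-disk storage directory is scrubbed first; otherwise stale site data would survive.
sync_back() {
    scrub_storage "$1" >/dev/null
    cp -Rp "$2/." "$1/"
}

# Full cycle: stage, browse, scrub, write back.  Bookmarks, prefs.js and extensions
# round-trip; only the contents of storage/ are lost.
run_browser() {
    stage_profile "$PROFILE" "$RAMDIR"
    palemoon -profile "$RAMDIR" "$@"      # blocks until Pale Moon exits
    scrub_storage "$RAMDIR" >/dev/null
    sync_back "$PROFILE" "$RAMDIR"
}

case "${1:-}" in
    run) shift; run_browser "$@" ;;       # usage: ./pm-ram.sh run [palemoon args]
esac
```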


Re: How to contain meta data, and polymorphic malware

Postby John connor » Fri Sep 15, 2017 4:57 am

A couple of other files that Sandboxie should have access to. The dictionary, so that words you add to the dictionary stick; that file is persdict.dat. The other file, and this is the most critical, is the prefs.js file. That file stores most of your extension data. That way, if you make a change in an extension while using Sandboxie, the change will stick.