How to contain meta data, and polymorphic malware

John connor


Post by John connor » 2017-09-02, 04:41

I discovered with my use of a program on my computer called spy the spy that websites were adding meta data in the Pale Moon profile folder under storage. So I wanted to contain this. I can't simply block it as I have read here that it will break websites. So I thought of a few solutions. My first inclination was to symlink the storage folder to a small RAM drive using the program ImDisk and the program Link Shell Extension which gives you an easy context menu to right click a file or folder and create the symlink. You can read about symlinks here: https://www.howtogeek.com/howto/16226/c ... -or-linux/

Well, this setup worked up to a point. The meta data was being stored in the Temp file of the small 5MB RAM drive, but every time I turned off the computer the symlink wouldn't stick, but the RAM drive was in fact cleared out on system reboot. So I took care of one thing, but the other wasn't working. My next idea was to use the program (fantastic by the way) called AutoHotKey to create a script that would start on computer boot that would automatically create the symlink. But try as I might, I couldn't get the two auto script recording programs to work right to create my symlink. So it was back to the drawing board on how to contain this meta data.

The solution? The almighty and brilliant Sandboxie application. Sandboxie will allow you to contain programs in a so-called "sandbox," where all the data is contained in this virtual-machine-like program and nothing touches your computer. I've been using it for the better part of 6 years now. It's a really great way to keep polymorphic malware off of your computer like ransomware since your standard definition-based anti-virus doesn't catch a lot of polymorphic malware: Avast, Bitdefender, Malwarebytes, you name it. ALL are definition-based and depend on definitions to work and catch malware. With polymorphic malware there won't be a definition and it will slip right on by.

So with Sandboxie you can effectively keep everything including meta data contained in the sandbox and it won't even touch your computer. Now to do this you will want to give Sandboxie access to your bookmarks of course, otherwise they won't stick on browser exit. If you intend on updating Pale Moon, don't use Sandboxie for the update, otherwise it won't stick as well. To get this setup follow my instructions to a T. And after you are done, not only will you have a more secure way to browse the Internet, but you will contain meta data as well. I should note that Sandboxie is indeed free. But with the free version, after 30 days you will get a pop up when you launch Pale Moon that lasts for 5 seconds reminding you that you are using the free version and to get rid of the pop up to buy Sandboxie. The pop up goes away after 5 seconds after you click the button and then Pale Moon will launch in the Sandbox. Just a small price to pay for free, but well worth it for what Sandboxie offers in terms of protection both in security and privacy.

Double click the Sandboxie icon. Select Sandbox | Default Box | Sandbox Settings.

Go to Applications | Web Browser | Firefox

Allow access to your Pale Moon bookmarks and history. Nothing else unless you store passwords.

Now do the following to allow access to your extension folders and Greasemonkey scripts if you have them.

Right-click on your Sandbox | Sandbox Settings | Resource Access | File Access | Direct Access
Click Add Program to choose the program that should have access to those locations (in this case, Pale Moon).
Hit Add and select the folders you want that program to be able to access.
Hit Apply and Ok your way out.
Configure | Reload Configuration.

You have to show hidden files and folders in your Windows control panel under folder options to navigate to the folders in Sandboxie that need access.

Allow access to the following folders in your PM profile folder:

extension-data\

extensions\

and if you have Greasemonkey, the gm_scripts\ folder.

That's it! Now Sandboxie will allow permanent access to those folders and your bookmarks/history and delete everything else on browser exit.

Note: When you download a file you have to click Recover. Also note that you may have to set up your downloads location in Sandboxie. So if it isn't the default My Documents\Downloads, but rather D:\Downloads or something, you will want to set that path under Recovery | Quick Recovery. Note that if you haven't downloaded anything and didn't expect the recovery box to pop up, don't recover (or download) whatever it is that wants to be on your computer. You can also right click the Sandboxie icon in the task bar and delete all contents in the sandbox. Do make sure the red X shows up over the Sandboxie icon in the task bar when you close Pale Moon. That tells you everything has been deleted. Also note the icon will show particles of "sand" in it, meaning that there is content currently in the sandbox. The Sandboxie program and their most helpful forum is located here: https://www.sandboxie.com/

If you have any questions ask. I'll be happy to help.

EDIT: One more thing. I wouldn't launch Pale Moon in Sandboxie if you intend to download a torrent. Doing so will keep the torrent in Sandboxie until it fully completes. If it's small then you don't have to worry. But if it's several gigabytes big like CentOS, you may want to stop and start the torrent at a later time and you won't want that data sitting in the Sandbox.

Moonchild
Pale Moon guru
Posts: 35403
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: How to contain meta data, and polymorphic malware

Post by Moonchild » 2017-09-02, 09:55

Downloading a torrent and having it store its data in the browser data storage/profile area is a really bad way to go about it. If you want to torrent something, you should not be using a browser extension, but use a torrent client application like Tixati (http://www.tixati.com) and hand over torrents or magnet links to it.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

John connor

Re: How to contain meta data, and polymorphic malware

Post by John connor » 2017-09-02, 10:55

Moonchild wrote: Downloading a torrent and having it store its data in the browser data storage/profile area is a really bad way to go about it. If you want to torrent something, you should not be using a browser extension, but use a torrent client application like Tixati (http://www.tixati.com) and hand over torrents or magnet links to it.

No, you have that wrong. When you use Sandboxie and click a magnet link your default torrent application will launch. Thus since you are in Sandboxie the torrent application will launch in the sandbox as well. So as data is being downloaded it will sit in the sandbox until either, A) the file is done downloading and you click recover, or B) you exit Sandboxie and all your data is lost. That's why I say if you intend on downloading a torrent you should do so without using Sandboxie.

John connor

Re: How to contain meta data, and polymorphic malware

Post by John connor » 2017-09-02, 11:03

I just discovered a few other files that you should grant Sandboxie access to so changes take place. They are:

\formhistory.sqlite (Only if you want to keep browser history.)

\extensions.ini

\extensions.json

\extensions.sqlite

\searchplugins\

And if you use the add-on Lazarus which stores your typed text in case of browser crash you will want to allow access to these two files:

\lazarus.sqlite

\lazarus-backup.sqlite

Once you add these paths to File Access | Direct Access, go to Configure | Reload Configuration.

This all may sound like one big giant PITA, but believe me. Once you set this up you will have a very secure browsing experience.

distantpluto
Fanatic
Posts: 115
Joined: 2015-12-17, 18:28
Location: UK

Re: How to contain meta data, and polymorphic malware

Post by distantpluto » 2017-09-02, 13:13

Interesting. What is the purpose of the "permanent" folder in storage? What are the ramifications of not keeping this folder?
Pale Moon and Epyrus on Arch Linux.


distantpluto

Re: How to contain meta data, and polymorphic malware

Post by distantpluto » 2017-09-02, 14:56

coffeebreak wrote: Some links to reading material...

Many thanks for the links. I shall investigate further...

distantpluto

Re: How to contain meta data, and polymorphic malware

Post by distantpluto » 2017-09-03, 13:53

Well, I've been browsing my regular sites, including financial, after deleting everything in "storage" and suffered no adverse effects so far. I've also set 'Offline Web Content and User Data -> Deny'.

I'm using Linux and would have used an fstab tmpfs/bind mount for this directory so it's discarded at shutdown, but as I run PM from a script which copies the profile to memory (/dev/shm) first, I simply delete the contents of "storage" in the script before it rsyncs my profile back to disk.
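The profile-in-RAM approach distantpluto describes (copy the profile to /dev/shm, run Pale Moon from there, empty storage/ before syncing back to disk), written out as an added shell example that is not from the thread; the on-disk profile path, the RAM directory and the `palemoon` binary name are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: run Pale Moon from a RAM-resident copy of
# the profile, discard the "storage" directory (site-set data) when the browser
# exits, then sync everything else back to disk. Assumed: PROFILE_DIR on disk,
# RAM_DIR under /dev/shm (tmpfs on Linux), a "palemoon" binary in PATH, rsync.
PROFILE_DIR="${PROFILE_DIR:-$HOME/.moonchild productions/pale moon/default}"
RAM_DIR="${RAM_DIR:-/dev/shm/palemoon-profile}"

# Copy the on-disk profile into a fresh RAM working directory.
stage_profile() {                  # $1 = source profile, $2 = RAM copy
    rm -rf "$2" && mkdir -p "$2"
    cp -R -p "$1/." "$2/"
}

# Empty <profile>/storage but keep the directory itself so the browser
# recreates a clean tree; everything outside storage/ is left untouched.
purge_storage() {                  # $1 = profile directory to clean
    dir="$1/storage"
    [ -d "$dir" ] || return 0      # no storage dir yet: nothing to do
    find "$dir" -mindepth 1 -delete
}

# Mirror the RAM copy back to disk. --delete propagates the purge so the
# on-disk profile does not keep a stale storage/ tree from an earlier run.
sync_back() {                      # $1 = RAM copy, $2 = on-disk profile
    rsync -a --delete "$1/" "$2/"
}

run_palemoon_in_ram() {
    stage_profile "$PROFILE_DIR" "$RAM_DIR"
    palemoon -profile "$RAM_DIR" "$@"   # blocks until the browser exits
    purge_storage "$RAM_DIR"
    sync_back "$RAM_DIR" "$PROFILE_DIR"
}

# Only launch when explicitly asked, so the functions can be sourced or tested.
if [ "${PM_RUN:-0}" = "1" ]; then
    run_palemoon_in_ram "$@"
fi
```

Run with `PM_RUN=1 sh pm-ram.sh`; extensions, prefs.js and bookmarks survive the round trip because only storage/ is emptied before the rsync.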

John connor

Re: How to contain meta data, and polymorphic malware

Post by John connor » 2017-09-15, 04:57

A couple of other files that Sandboxie should have access to. The dictionary, so that your added words to the dictionary stick. That file is persdict.dat. The other file, and this is the most critical, is the prefs.js file. That file stores most of your extension data. That way if you make a change in an extension while using Sandboxie the change will stick.
