Add-on Secure Sandboxed Chromium Browser

Windows_Security

Level 17
Content Creator
Trusted
Joined
Mar 13, 2016
Messages
806
OS
Windows 7
#1
MemProtected Chromium

Getting the software you need first CHROMIUM

1. Surf to Woolyss: Download latest stable Chromium binaries (64-bit and 32-bit)
2. Download 32 bits or 64 bits (scroll down) ARCHIVE of latest stable Chromium (I prefer the chromium-nosync.zip)
3. Extract the zip file, click and rename the extracted folder from chromium-nosync (or chromium-sync) to Woolyss Chromium
4. Copy the unzipped and renamed folder 'Woolyss Chromium' to Program Files or the location where you keep your portable programs,
remember it is a pre-requisite to use folder name Woolyss Chromium
5. Click on folder until you find Chrome.exe and add it to task bar and/or startmenu or create a shortcut on your desktop (each to his/her own liking)
6. Double click Chrome.exe and adjust settings to your liking and install your favourite extensions, and make one critical change: add a subfolder in your downloads directory called Chromium, see picture

[attached screenshot]


MemProtect

MemProtect is a driver only, no GUI software. The demo version is freeware, but you need to re-install the driver each year (WildByDesign is an active user and is in contact with the developer). The limitation of the free version is the size of the ini configuration file. But with only one program to sandbox (or better, run in a separate policy-hardened container) the 2K limit is sufficient to create a secure browser.

1. Surf to MemProtect - Products | Excubits scroll to bottom and download demo version.
2. Create a system restore point (just to have a fallback) and restart your PC (so Windows remembers last known good)
3. Copy downloaded memprotect-demo.exe to Program Files folder and run as admin.
4. Memprotect-demo extracts to a folder Program Files\Excubits\MemProtect
5. Navigate to \Excubits\MemProtect\ and open subfolder x86 (for 32 bits) or x64 (for 64 bits) depending on your system
6. Download the attached configuration file, rename it from MemProtect.txt to MemProtect.ini
7. Copy renamed MemProtect.ini into your Windows folder
8. Right click on the MemProtect.inf file and choose Install
9. Restart your system.
10. Everything OK?


Don't worry, I will walk you through the MemProtect.ini file so you know what will be activated; my comments in red are not included in the ini file. Note that lines preceded with a # are comment lines, so for instance [#Lethal] means that MemProtect is only logging the memory calls it would block and not actually blocking the calls.

________________________________________________
[#LETHAL]
# [#LETHAL] means that lethal is disabled and MemProtect is only auditing
[LOGGING]
# [LOGGING] means that MemProtect is logging its actions
[#INSTALLMODE]
# [#INSTALLMODE] means that 'install mode' is disabled (use it to install software, but not needed with my rules)
[DEFAULTALLOW]
# [DEFAULTALLOW] means that 'default allow' is enabled. This is absolutely critical: keep it in default allow mode
[#MODULEFILTER]
# [#MODULEFILTER] means that 'module filter' is disabled (is EMET ASR like functionality, not needed with my rules)
[WHITELIST]
# allow Woolyss Chromium to access its own program folder
!*\Woolyss Chromium\*>*\Woolyss Chromium\*

[BLACKLIST]
# isolate Woolyss Chromium from rest of the system
*\Woolyss Chromium\*>*
# in the logfile of MemProtect (in Windows folder), you should see only blocked calls to explorer.exe
# change the above rule to $*\Woolyss Chromium\*>* to silence the log

# isolate user folders internet programs use
# this is the reason why you had to add subfolder Chromium in Downloads and change it in Chrome as download folder
*\Chromium\*>*
*\Temporary Internet Files\*>*
*\AppData\LocalLow\*>*
*\Windows\Temporary\*>*
*\Windows\Caches\*>*

# block user folder access to Chromium folder
*\Users\*>*\Woolyss Chromium\*

[MODULEWHITELIST]
[MODULEBLACKLIST]
[EOF]

When something seems wrong:
1. Navigate to Excubits\MemProtect
2. Right click 'uninstall driver.cmd' and run-as Admin
3. Fall back to the restore point you created before installing the driver

When all seems okay (should be unless some incompatibility with other security software might exist)
1. Navigate to Excubits\MemProtect
2. Right click 'status.cmd' and run-as Admin
3. STATE should be RUNNING

[attached screenshot]


Time to enable protection

1. Open NotePad as Admin and open MemProtect.ini configuration file in Windows Folder
2. Remove # (comment tag) before LETHAL, so Memprotect.ini should show (see below _____)
3. Restart your system

______________________________
[LETHAL]

[LOGGING]
[#INSTALLMODE]
[DEFAULTALLOW]
[#MODULEFILTER]

[WHITELIST]
# allow Woolyss Chromium to access its own program folder
!*\Woolyss Chromium\*>*\Woolyss Chromium\*

[BLACKLIST]
# isolate Woolyss Chromium from rest of the system
*\Woolyss Chromium\*>*

# isolate user folders internet programs use
*\Chromium\*>*
*\Temporary Internet Files\*>*
*\AppData\LocalLow\*>*
*\Windows\Temporary\*>*
*\Windows\Caches\*>*

# block user folder access to Chromium folder
*\Users\*>*\Woolyss Chromium\*

[MODULEWHITELIST]
[MODULEBLACKLIST]
[EOF]
___________________________________________________
 

Windows_Security

#2
Download HMPalert test tool to check whether everything works http://dl.surfright.nl/hmpalert-test.exe

Open HMPalert test tool and select Chrome.exe to test. It should block all exploit tests, except
  • the first test, Run Windows Calculator, should work (proves that the test tool has access) and
  • the last two spyware tests (WebCam and Keylogger), which are not exploits
Close Chrome after every test. After testing, when you open Process Explorer you should see a lot of suspended Calc.exe processes (which were blocked by MemProtect).

When Chrome has released a new version, Woolyss uploads a stable version usually one or two days after the official Google release. This test shows you don't have to worry about exploits with MemProtect (because nothing is allowed to get out of Chromium).

So you don't need to bother micro-managing your browser, because scripts and frames can't escape from Chromium.

For Chromium I run incognito and use uMatrix as a simple blocker (with less than 2000 rules and no host file assets used): Add-on - Using uMatrix as AdBlocker (for people surfing incognito). When you don't run incognito I would suggest MalwareBytes, Privacy Possum and Auto History Wipe
 
Windows_Security

#3
Using MemProtect with Iridium, a privacy adapted Chromium clone which lags in releases (so you need exploit protection when using this browser). MemProtect offers exploit protection and isolates Iridium from the rest of your system.

Note MemProtect does not delete downloaded files, it just makes your browser safer, impenetrable with currently available techniques known by whitehat testers and security specialists (you can check yourself with HMPalert test tool; testing is seeing is believing).

Steps:
  1. Simply download Iridium from Iridium Browser | A browser securing your privacy. That's it.
  2. Unzip or install Iridium in a \Iridium folder. It does not matter where you unzip or install it, as long as the folder has the name Iridium
  3. Next install the MemProtect driver by right clicking the MEMPROTECT.INF file in the 32bits/64bits subfolder and choosing Install, see post #1. The ini file is explained below. Explanation in red is not in the ini file
  4. Download the MEMPROTECT.TXT file, rename it to MemProtect.ini and copy it to your Windows folder
  5. Run the 'start driver.cmd' file as administrator (right click). You are done (set and forget)
Unzip/install next versions of Iridium over the existing version (as long as the folder is called Iridium)
----------------------------------------explanation of MemProtect.ini
[LETHAL]
# means protection is enabled (rules are lethal)
[#LOGGING]
#logging means logging is disabled with # hash
[#INSTALLMODE]
#install mode means install mode disabled with # hash (with ruleset below you don't need install mode)
[DEFAULTALLOW]
#don't touch this, means that driver runs in allow by default mode (so only Iridium is isolated)
[#MODULEFILTER]
# ModuleFilter is disabled, is ASR like protection to block specific DLLs (not needed with below ruleset)

[WHITELIST]
# priority allow rule to allow Iridium Memory access to its own folder
!*\Iridium\*>*\Iridium\*

[BLACKLIST]
# block iridium to access any other process
*\Iridium\*>*

[MODULEWHITELIST]
[MODULEBLACKLIST]

[EOF]

______________________________________________________
Rules order:
1. blacklist has priority over whitelist
2. priority whitelist rules (starting with ! exclamation mark) take precedence over blacklist rules
3. priority blacklist rules take precedence over all other rules


Priority rules have to be specified before normal rules in the whitelist/blacklist section.
 

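The rule order stated above in post #3 (priority blacklist, then priority whitelist, then blacklist, then whitelist, then [DEFAULTALLOW]) and the ini walkthrough in post #1 ([#LETHAL] for audit-only, a $ prefix to silence logging) can be checked against a small evaluator. The Python script below is an added example written for this thread; it is not Excubits' driver code and not the configuration attached to the posts. It assumes that a rule is written caller>target, that * matches any run of characters, that matching is case-insensitive, that only blocked (or would-be-blocked) calls are logged, and that a disabled [#DEFAULTALLOW] means deny by default; the sample ini text and the process paths are constructed for the example.

```python
"""Toy evaluator for MemProtect-style INI rules (added example, not Excubits code).

Models the semantics explained in the thread: "caller>target" rules, '!' priority
rules, '$' silent rules, [LETHAL] vs audit-only, [DEFAULTALLOW]. Matching details
are assumptions, not documented driver behaviour.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


def _glob_match(pattern: str, path: str) -> bool:
    """'*' matches any run of characters; case-insensitive like Windows paths (assumption)."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, path, flags=re.IGNORECASE) is not None


@dataclass(frozen=True)
class Rule:
    caller: str             # pattern for the process making the memory call
    target: str             # pattern for the process being accessed
    priority: bool = False  # '!' prefix
    silent: bool = False    # '$' prefix: matches are not written to the log

    def matches(self, caller: str, target: str) -> bool:
        return _glob_match(self.caller, caller) and _glob_match(self.target, target)


def parse_rule(line: str) -> Rule:
    priority = silent = False
    while line and line[0] in "!$":        # prefixes may be combined, e.g. "!$"
        priority |= line[0] == "!"
        silent |= line[0] == "$"
        line = line[1:]
    caller, sep, target = line.partition(">")
    if not sep:
        raise ValueError(f"rule has no '>' separator: {line!r}")
    return Rule(caller.strip(), target.strip(), priority, silent)


def parse_ini(text: str) -> dict:
    """Read the switches and the WHITELIST/BLACKLIST sections of an ini file."""
    cfg = {"lethal": False, "logging": False, "default_allow": False,
           "whitelist": [], "blacklist": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                              # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].upper()
            section = None
            if name.startswith("#"):              # [#LETHAL]: switch present but disabled
                continue
            if name == "LETHAL":
                cfg["lethal"] = True
            elif name == "LOGGING":
                cfg["logging"] = True
            elif name == "DEFAULTALLOW":
                cfg["default_allow"] = True
            elif name in ("WHITELIST", "BLACKLIST"):
                section = name.lower()
            continue                              # MODULE* and EOF: ignored by this toy
        if section is not None:
            cfg[section].append(parse_rule(line))
    return cfg


@dataclass(frozen=True)
class Verdict:
    action: str           # "allow", "block", or "audit" (would block, but [#LETHAL])
    rule: Optional[Rule]  # deciding rule, None when the default applied
    logged: bool          # would this event appear in the MemProtect log


def evaluate(cfg: dict, caller: str, target: str) -> Verdict:
    passes = [
        (cfg["blacklist"], True, "block"),   # 1. priority blacklist beats everything
        (cfg["whitelist"], True, "allow"),   # 2. priority whitelist beats plain blacklist
        (cfg["blacklist"], False, "block"),  # 3. plain blacklist beats plain whitelist
        (cfg["whitelist"], False, "allow"),  # 4. plain whitelist
    ]
    for rules, want_priority, action in passes:
        for rule in rules:
            if rule.priority == want_priority and rule.matches(caller, target):
                final = action if action == "allow" or cfg["lethal"] else "audit"
                logged = cfg["logging"] and final != "allow" and not rule.silent
                return Verdict(final, rule, logged)
    return Verdict("allow" if cfg["default_allow"] else "block", None, False)


# Constructed sample mirroring the lethal ruleset in post #1 (not the attached file).
SAMPLE_INI = r"""
[LETHAL]
[LOGGING]
[#INSTALLMODE]
[DEFAULTALLOW]
[#MODULEFILTER]

[WHITELIST]
# allow Woolyss Chromium to access its own program folder
!*\Woolyss Chromium\*>*\Woolyss Chromium\*

[BLACKLIST]
# isolate Woolyss Chromium from rest of the system
*\Woolyss Chromium\*>*
# isolate the Chromium download subfolder
*\Chromium\*>*
# block user folder access to Chromium folder
*\Users\*>*\Woolyss Chromium\*
[EOF]
"""

# Constructed process paths used by demo().
CHROME = r"C:\Program Files\Woolyss Chromium\chrome.exe"
EXPLORER = r"C:\Windows\explorer.exe"
DOWNLOADED = r"C:\Users\alice\Downloads\Chromium\setup.exe"
USER_TOOL = r"C:\Users\alice\tool.exe"


def demo(ini_text: str = SAMPLE_INI) -> dict:
    """Evaluate a few constructed caller/target pairs; returns {(caller, target): action}."""
    cfg = parse_ini(ini_text)
    pairs = [
        (CHROME, CHROME),        # browser child process: priority whitelist wins over blacklist
        (CHROME, EXPLORER),      # sandboxed browser reaching out: blacklist
        (DOWNLOADED, EXPLORER),  # program started from the download folder: blacklist
        (USER_TOOL, CHROME),     # user-folder program touching the browser: blacklist
        (EXPLORER, CHROME),      # no rule matches: DEFAULTALLOW
    ]
    return {pair: evaluate(cfg, *pair).action for pair in pairs}


if __name__ == "__main__":
    for (caller, target), action in demo().items():
        print(f"{action:5}  {caller}  ->  {target}")
    audit_cfg = parse_ini(SAMPLE_INI.replace("[LETHAL]", "[#LETHAL]"))
    print("audit mode:", evaluate(audit_cfg, CHROME, EXPLORER))
```

Run it as-is to see the five verdicts; swapping [LETHAL] for [#LETHAL] turns the blocks into audit entries that are still logged, which is the first-install state post #1 starts from, and prefixing the blacklist rule with $ keeps the block but drops it from the log.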

HarborFront

Level 39
Content Creator
Joined
Oct 9, 2016
Messages
2,895
#5
So are strict site isolation and AppContainer enabled in Chromium not enough for security?

Can it work with Ungoogled Chromium?
 
Joined
May 4, 2018
Messages
308
#6
This all seems a bit overboard, wouldn't using Chrome in Sandboxie be easier for people who may be a little less tech savvy than ourselves?

Thanks for sharing too, I may try this.

~LDogg
 

shmu26

Level 62
Joined
Jul 3, 2015
Messages
5,151
OS
Windows 10
#7
This all seems a bit overboard, wouldn't using Chrome in Sandboxie be easier for people who may be a little less tech savvy than ourselves?
There is actually a long-time debate over whether putting Chrome in Sandboxie gives you a significant security advantage, because the loss of native Chrome protection that this entails might in fact cancel out the gain of Sandboxie protection. So if you like to tinker around with non-GUI software, @Windows_Security made a pretty cool share over here, IMO.
 

shmu26

#8
I am wondering why you can't do the same thing with regular Google Chrome?
I have a couple MemProtect rules for Google Chrome that work just fine. It is not nearly as complete as the @Windows_Security config, but it allows Chrome to function normally, and still contains it:

[WHITELIST]
!*software_reporter_tool.exe>*
!*chrome*>*chrome*

[BLACKLIST]
$*Chrome\*>*
 

Windows_Security

#9
@shmu26 Yes works for Chrome also (y)

@HarborFront With AppContainer, regular Chrome is pretty hard to beat. When you use a privacy oriented spin-off
it always lags in vulnerability patches, so that is a reason for adding MemProtect; also when people still run on Windows 7, MemProtect is certainly something to get your grips on.
@HarborFront Yes, it can also be used for Ungoogled Chrome, just unzip or install Ungoogled in a Chromium folder and replace Iridium by Chromium, like
_________________________
[LETHAL]
[#LOGGING]
[#INSTALLMODE]
[DEFAULTALLOW]
[#MODULEFILTER]

[WHITELIST]
!*\Chromium\*>*\Chromium\*

[BLACKLIST]
*\Chromium\*>*

[MODULEWHITELIST]
[MODULEBLACKLIST]
[EOF]
___________________________

@LDogg Benefits of Sandboxie on Chrome on OS with AppContainer is debatable. MemProtect driver seems to check only some inter process callbacks and uses 'protected process' like mechanism (at least that is what author uses as explanation) to enforce memory protection. It barely delays programs startups and the driver is tiny (36 kb).
 