Sandboxie-Recommended Settings
TheKid7
June 8th, 2008, 06:07 PM
I have been trying the latest version of Sandboxie for about one week now (unregistered). The only setting that I have changed is to delete the contents of the default browser sandbox on program closure. What I plan to do is to use Sandboxie for general web surfing. If I need to download something from a reputable website I will use an unsandboxed browser. What other Sandboxie recommended settings changes should be made for "user friendly" safe web surfing?
Thank you.
PiCo
June 8th, 2008, 06:50 PM
Give Internet Access only to your default browser. This can be found in Sandbox Settings -> Resource Access -> Internet Access.
If you download a trojan in the sandbox and it tries to connect, Sandbox will not allow it... I guess.
Of course a firewall would probably stop it, but since the setting is there, go for it.
Huupi
June 8th, 2008, 07:02 PM
{QUOTE-> ... I guess. <-QUOTE}
I guess there is a need for more restrictions in case of possible browser hijack.
Peter2150
June 8th, 2008, 08:53 PM
{QUOTE-> If I need to download something from a reputable website I will use an unsandboxed browser.
Thank you. <-QUOTE}
Why do that? You can remove files from the Sandbox if you download and want to keep them. But if the "trusted" site is compromised you are still protected.
bellgamin
June 8th, 2008, 09:50 PM
To protect against keyloggers (courtesy of Blackcat)...
What you can do is use ProcessGroups in conjunction with special closedpaths, and it will block anything other than the files you've specified from running sandboxed.
For example, assume that you are using firefox as your browser. The lines to add are these:
1- In Sandbox Control, click...
Configure > Edit Configuration
2- Under Global settings, add:
ProcessGroup=<restricted>,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,firefox.exe
3- Then under DefaultBox (or any of your other boxes) add:
ClosedFilePath=!<restricted>,*
ClosedIpcPath=!<restricted>,*
That will block everything other than the processes in the "restricted" processgroup from running. Thus, if the browser downloaded a keylogger to the sandbox and tried to execute it, it would just fail since the process is not listed in the processgroup above.
BUT make sure that you add your own processes to the processgroup listed above -- as I did with firefox.exe in the above example.
MikeNAS
June 9th, 2008, 01:53 AM
{QUOTE-> 3- Then under DefaultBox (or any of your other boxes) add:
ClosedFilePath=!<restricted>,*
ClosedIpcPath=!<restricted>,*. <-QUOTE}
You don't need both of those.
Huupi
June 9th, 2008, 02:34 AM
{QUOTE-> You don't need both of those. <-QUOTE}
It's a kind of redundancy to add both. Wraithdu, who came up with these lines, initially added only ClosedFilePath=!<restricted>,* which should be enough.
Also look at the long thread over at Sandboxie forums.
MikeNAS
June 9th, 2008, 02:44 AM
{QUOTE-> It's a kind of redundancy to add both. Wraithdu, who came up with these lines, initially added only ClosedFilePath=!<restricted>,* which should be enough.
Also look at the long thread over at Sandboxie forums. <-QUOTE}
Yeah I know that. That's why I made that post. I'm using ClosedIpcPath=!<restricted>,* :D
Doodler
June 10th, 2008, 08:46 PM
{QUOTE-> Give Internet Access only to your default browser. This can be found in Sandbox Settings -> Resource Access -> Internet Access. <-QUOTE}
In addition to the above, I also use Sandbox Settings > Resource Access > File Access > Blocked Access to keep any sandboxed malware (e.g. keyloggers) from accessing my personal files.
cheater87
June 11th, 2008, 12:15 AM
Bell where do I add this in the notepad settings??? Do I add it anywhere or in a certain spot???
bellgamin
June 11th, 2008, 12:45 AM
{QUOTE-> Bell where do I add this in the notepad settings??? Do I add it anywhere or in a certain spot??? <-QUOTE}
Here are my settings, which enable firefox.exe to run in the sandbox, as well as Sandboxie itself, and NOTHING else.
For purposes of illustration, I have used a larger print for the added settings, so as to distinguish them from the other settings.
{QUOTE->
[GlobalSettings]
ProcessGroup=<restricted>,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,firefox.exe
[DefaultBox]
ClosedFilePath=!<restricted>,*
ClosedIpcPath=!<restricted>,*
ConfigLevel=3
AutoRecoverIgnore=.jc!
AutoRecoverIgnore=.part
RecoverFolder=C:\Program Files\Browsers\K-Meleon1.02\Profiles\default\1l1ey0md.slt
RecoverFolder=%AppData%\Mozilla\Firefox\Profiles\r4lqtwmm.default
RecoverFolder=D:\1WT Holding
RecoverFolder=%Desktop%
LingerProcess=wuauclt.exe
LingerProcess=devldr32.exe
LingerProcess=syncor.exe
LingerProcess=jusched.exe
LingerProcess=acrord32.exe
Enabled=y
AutoDelete=y
NeverDelete=n
[UserSettings_17E802F0]
SbieCtrl_UserName=william
SbieCtrl_ShowWelcome=N
SbieCtrl_NextUpdateCheck=1213513298
SbieCtrl_UpdateCheckNotify=Y
SbieCtrl_WindowLeft=200
SbieCtrl_WindowTop=150
SbieCtrl_WindowWidth=660
SbieCtrl_WindowHeight=450
SbieCtrl_Hidden=Y
SbieCtrl_ActiveView=40022
SbieCtrl_AutoApplySettings=N
SbieCtrl_BoxExpandedView_DefaultBox=Y
SbieCtrl_RecoverTarget=D:\1WT Holding
SbieCtrl_SaveRecoverTargets=Y
SbieCtrl_HideWindowNotify=N
SbieCtrl_EnableLogonStart=N
SbieCtrl_EnableAutoStart=Y
SbieCtrl_AddDesktopIcon=N
SbieCtrl_AddQuickLaunchIcon=N
SbieCtrl_AddContextMenu=Y
SbieCtrl_AddSendToMenu=Y
SbieCtrl_ColWidthProcName=250
SbieCtrl_ColWidthProcId=70
SbieCtrl_ColWidthProcTitle=310 <-QUOTE}
Doodler
June 11th, 2008, 09:39 PM
{QUOTE-> To protect against keyloggers (courtesy of Blackcat)...
What you can do is use ProcessGroups in conjunction with special closedpaths, and it will block anything other than the files you've specified from running sandboxed.
For example, assume that you are using firefox as your browser. The lines to add are these:
1- In Sandbox Control, click...
Configure > Edit Configuration
2- Under Global settings, add:
ProcessGroup=<restricted>,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,firefox.exe
3- Then under DefaultBox (or any of your other boxes) add:
ClosedFilePath=!<restricted>,*
ClosedIpcPath=!<restricted>,*
That will block everything other than the processes in the "restricted" processgroup from running. Thus, if the browser downloaded a keylogger to the sandbox and tried to execute it, it would just fail since the process is not listed in the processgroup above.
BUT make sure that you add your own processes to the processgroup listed above -- as I did with firefox.exe in the above example. <-QUOTE}
I'm still new at this. Isn't another way of protecting against keyloggers by (1) opening Sandboxie Control, (2) click View and then Programs, (3) select the applicable sandbox (if more than one appears), (4) right-click the program...e.g. Internet Explorer or Firefox, (5) select Program Settings, and (6) click "This program is the only program in this sandbox that can access the internet"?
HURST
June 11th, 2008, 10:36 PM
Yes, that's a way, but with these settings you also make sure that the keylogger (or any other executable) can't even run in the sandbox.
Better than having a keylogger that is unable to send data is not allowing it to run at all.
Huupi
June 12th, 2008, 03:33 AM
{QUOTE-> I'm still new at this. Isn't another way of protecting against keyloggers by (1) opening Sandboxie Control, (2) click View and then Programs, (3) select the applicable sandbox (if more than one appears), (4) right-click the program...e.g. Internet Explorer or Firefox, (5) select Program Settings, and (6) click "This program is the only program in this sandbox that can access the internet"? <-QUOTE}
Mr Bellgamin explained just why this setting is vulnerable. ;)
Doodler
June 12th, 2008, 12:45 PM
{QUOTE-> Yes, that's a way, but with these settings you also make sure that the keylogger (or any other executable) can't even run in the sandbox.
Better than having a keylogger that is unable to send data is not allowing it to run at all. <-QUOTE}
{QUOTE-> Mr Bellgamin explained just why this setting is vulnerable. <-QUOTE}
Thanks for the clarification. I'm still learning.
So if I make a sandbox to use when I conduct online banking and want to make it more robust than the default sandbox, it sounds like the way to go is to add the settings indicated in bellgamin's post. If I screw something up with the settings during that process, am I correct in assuming I can simply delete that sandbox altogether, the messed up settings associated with that sandbox will be deleted as well, and I can try again?
Huupi
June 12th, 2008, 01:00 PM
If there's no DefaultBox anymore, its config is gone. The global settings stay, but they have no effect on other boxes because there are no added closed paths for them in the config file.
Doodler
June 12th, 2008, 01:25 PM
{QUOTE-> If there's no DefaultBox anymore, its config is gone. The global settings stay, but they have no effect on other boxes because there are no added closed paths for them in the config file. <-QUOTE}
Huupi, bear with me. Not too sure I completely understand your response.
Let's say I have two sandboxes...one is my default box and the other is my online banking sandbox. Let's also assume I'm happy with the default box settings and haven't changed them, but I have added bellgamin's anti-keylogger settings to the online banking sandbox. Finally, let's assume I've screwed something up in the process of adding bellgamin's settings to the online banking sandbox (because I'm not a programmer or that computer-savvy). Are you saying it's no big deal because deleting altogether the online banking sandbox will also remove those messed up settings...and the default sandbox and its settings remain untouched?
Huupi
June 12th, 2008, 02:03 PM
{QUOTE-> Huupi, bear with me. Not too sure I completely understand your response.
Let's say I have two sandboxes...one is my default box and the other is my online banking sandbox. Let's also assume I'm happy with the default box settings and haven't changed them, but I have added bellgamin's anti-keylogger settings to the online banking sandbox. Finally, let's assume I've screwed something up in the process of adding bellgamin's settings to the online banking sandbox (because I'm not a programmer or that computer-savvy). Are you saying it's no big deal because deleting altogether the online banking sandbox will also remove those messed up settings...and the default sandbox and its settings remain untouched? <-QUOTE}
Yes, all other boxes remain untouched. Only in the config .ini file will you see that the online sandbox settings are gone if you delete this sandbox.
Doodler
June 12th, 2008, 02:07 PM
{QUOTE-> Yes, all other boxes remain untouched. Only in the config .ini file will you see that the online sandbox settings are gone if you delete this sandbox. <-QUOTE}
Appreciate it. Thank you.
dja2k
June 13th, 2008, 02:30 AM
I got this to run well in Firefox and Opera, but not in IE. I assume it works in IE and is good to have there too, right? If so, has anyone got this to work and wouldn't mind sharing their config?
dja2k
MikeNAS
June 13th, 2008, 02:58 AM
{QUOTE-> I got this to run well in Firefox and Opera, but not in IE. I assume it works in IE and is good to have there too, right? If so, has anyone got this to work and wouldn't mind sharing their config?
dja2k <-QUOTE}
If you're talking about those "hard" settings, then IE requires that SandboxieCrypto.exe also be added to the ProcessGroup.
bman412
June 13th, 2008, 05:42 AM
What about adding these lines to the ini? What do these do? ???
ClosedFilePath=!<restricted>,\Device\RawIp
ClosedFilePath=!<restricted>,\Device\Ip*
ClosedFilePath=!<restricted>,\Device\Tcp*
ClosedFilePath=!<restricted>,\Device\Afd*
HURST
June 13th, 2008, 01:48 PM
They forbid anything outside the "restricted" group from connecting to the internet.
dja2k
June 13th, 2008, 01:58 PM
{QUOTE-> ClosedFilePath=!<restricted>,\Device\RawIp
ClosedFilePath=!<restricted>,\Device\Ip*
ClosedFilePath=!<restricted>,\Device\Tcp*
ClosedFilePath=!<restricted>,\Device\Afd* <-QUOTE}
Aren't these redundant while using the other two ClosedFilePath=!<restricted>,* and ClosedIpcPath=!<restricted>,*?
dja2k
HURST
June 13th, 2008, 03:04 PM
Yes, I think they are redundant.
Personally, in my sandbox for Firefox, I have the "execution prevention" enabled so that only Firefox and PDF-XChange Viewer can run, because I do open and download a lot of PDFs for university. But only Firefox can connect to the internet.
If you want to allow internet access to the same group that is allowed to run, it's redundant... if it can't run, it can't connect :)
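A way to check a Sandboxie.ini against the rules worked out in this thread: bellgamin's restricted ProcessGroup, the point from MikeNAS and Huupi that either ClosedFilePath or ClosedIpcPath with `*` is enough on its own, MikeNAS's note that IE also needs SandboxieCrypto.exe in the group, HURST's point that the \Device rules are redundant next to a `*` rule, and Huupi's point that deleting a box removes only that box's section while [GlobalSettings] stays. This is an added example written for this page, not a Sandboxie tool and not code posted by any of the thread's members. The sample ini is constructed, the box names Banking, Testing and Open are made up, and the parser assumes the plain [Section] / key=value layout shown in the posted configs.

```python
"""Audit a Sandboxie.ini for the 'restricted ProcessGroup' hardening discussed
in this thread.  Added example, not from the original posts: it assumes the ini
is '[Section]' headers over key=value lines (keys may repeat)."""
from collections import defaultdict

# Constructed sample modelled on the configs posted above: a box done right, an
# IE box lacking SandboxieCrypto.exe, one with a redundant \Device rule, one open.
SAMPLE_INI = """\
[GlobalSettings]
ProcessGroup=<restricted>,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,firefox.exe
ProcessGroup=<ie_only>,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,iexplore.exe
[DefaultBox]
ClosedFilePath=!<restricted>,*
ClosedIpcPath=!<restricted>,*
Enabled=y
[Banking]
ClosedFilePath=!<ie_only>,*
Enabled=y
[Testing]
ClosedFilePath=!<restricted>,*
ClosedFilePath=!<restricted>,\\Device\\Tcp*
Enabled=y
[Open]
Enabled=y
"""
# Sandboxie's own helpers; every group posted in the thread keeps them.
SBIE_HELPERS = {"Start.exe", "SandboxieDcomLaunch.exe", "SandboxieRpcSs.exe"}


def parse_ini(text):
    """{section: [(key, value), ...]}, keeping order and repeated keys."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def process_groups(sections):
    """Map group name (without angle brackets) to its member executables."""
    groups = {}
    for key, value in sections.get("GlobalSettings", []):
        if key == "ProcessGroup":
            name, *members = [p.strip() for p in value.split(",")]
            groups[name.strip("<>")] = {m for m in members if m}
    return groups


def audit(text):
    """{box: [findings]}; an empty list means execution is limited to one defined
    group and the box carries no redundant or incomplete rules."""
    sections, report = parse_ini(text), {}
    groups = process_groups(sections)
    for box, entries in sections.items():
        if box == "GlobalSettings" or box.startswith("UserSettings_"):
            continue
        findings, wildcard, device_rules = [], set(), []
        for key, value in entries:
            if key not in ("ClosedFilePath", "ClosedIpcPath") or not value.startswith("!<"):
                continue
            group, _, path = value[2:].partition(",")  # '!<group>,path'
            group = group.rstrip(">")
            if group not in groups:
                findings.append("undefined ProcessGroup <%s>" % group)
            elif path == "*":
                wildcard.add(group)  # either key alone is enough, per the thread
            elif path.startswith("\\Device\\"):
                device_rules.append((group, path))
        if not wildcard:
            findings.append("no !<group>,* rule: any downloaded executable can run")
        for group, path in device_rules:
            if group in wildcard:
                findings.append("%s redundant: '*' already covers <%s>" % (path, group))
        for group in wildcard:
            members = groups[group]
            if SBIE_HELPERS - members:
                findings.append("group <%s> lacks a Sandboxie helper process" % group)
            if "iexplore.exe" in members and "SandboxieCrypto.exe" not in members:
                findings.append("group <%s> runs iexplore.exe without SandboxieCrypto.exe" % group)
        report[box] = findings
    return report


def delete_box(text, box):
    """Drop one box's section; [GlobalSettings] and its ProcessGroup lines stay."""
    kept, skipping = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            skipping = line[1:-1] == box
        if not skipping:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for box, findings in audit(SAMPLE_INI).items():
        print(box, "OK" if not findings else "\n   " + "\n   ".join(findings))
```

Run it against the constructed sample and DefaultBox comes back clean, Banking is flagged for IE without SandboxieCrypto.exe, Testing for the redundant \Device rule and Open for having no execution restriction at all. A hand-written parser is used rather than Python's configparser because Sandboxie.ini repeats keys such as RecoverFolder, LingerProcess and ClosedFilePath, which configparser would collapse into one value.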
huangker
June 14th, 2008, 06:26 AM
Hi Guys,
I'm also reconfiguring my Sandboxie. I've attached my config file. I want IE and Orbit Downloader to run and be able to access the internet and that's it. Is there anything else I can do to make it more secure?
Also, where can I find a full howto/manual for Sandboxie?
{QUOTE->
[GlobalSettings]
ConfigLevel=1
BoxRootFolder=%APPDATA%
ForceDisableSeconds=10
FileTrace=.
PipeTrace=.
KeyTrace=.
IpcTrace=.
GuiTrace=.
ProcessGroup=<restricted>,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,iexplore.exe,orbitdm.exe,orbitnet.exe
[DefaultBox]
ClosedFilePath=!<restricted>,*
ClosedIpcPath=!<restricted>,*
Enabled=yes
LingerProcess=wuauclt.exe
LingerProcess=devldr32.exe
LingerProcess=acrord32.exe
LingerProcess=jusched.exe
LingerProcess=syncor.exe
RecoverFolder=C:\Users\Jeremy
BlockDrivers=y
BlockFakeInput=y
BlockWinHooks=y
BoxNameTitle=n
ConfigLevel=3
AutoRecoverIgnore=.jc!
AutoRecoverIgnore=.part
[Testing]
ClosedFilePath=!<restricted>,*
ClosedIpcPath=!<restricted>,*
Enabled=yes
BlockDrivers=y
BlockFakeInput=y
BlockWinHooks=y
BoxNameTitle=n
ConfigLevel=3
AutoRecover=y
AutoRecoverIgnore=.jc!
AutoRecoverIgnore=.part
RecoverFolder=C:\Users\Jeremy
LingerProcess=wuauclt.exe
LingerProcess=devldr32.exe
LingerProcess=syncor.exe
LingerProcess=jusched.exe
LingerProcess=acrord32.exe
[UserSettings_118A028D]
SbieCtrl_UserName=jeremy
SbieCtrl_ShowWelcome=N
SbieCtrl_NextUpdateCheck=1555555555
SbieCtrl_UpdateCheckNotify=Y
SbieCtrl_HideWindowNotify=N
SbieCtrl_WindowLeft=239
SbieCtrl_WindowTop=76
SbieCtrl_WindowWidth=720
SbieCtrl_WindowHeight=525
SbieCtrl_Hidden=Y
SbieCtrl_ActiveView=40021
SbieCtrl_ExplorerWarn=N
SbieCtrl_BoxExpandedView_DefaultBox=Y
SbieCtrl_BoxExpandedView_Testing=Y
SbieCtrl_SaveRecoverTargets=Y
SbieCtrl_AutoApplySettings=N
SbieCtrl_BoxExpandedView_Virus=Y
<-QUOTE}
twl845
June 14th, 2008, 09:08 AM
{QUOTE-> Hi Guys,
I'm also reconfiguring my Sandboxie. I've attached my config file. I want IE and Orbit Downloader to run and be able to access the internet and that's it. Is there anything else I can do to make it more secure?
Also, where can I find a full howto/manual for Sandboxie? <-QUOTE}
I wish I too could find a step by step How to that is configured a little better than the one on the Sandboxie web site.
bman412
June 14th, 2008, 09:37 AM
{QUOTE-> Hi Guys,
I'm also reconfiguring my Sandboxie. I've attached my config file. I want IE and Orbit Downloader to run and be able to access the internet and that's it. Is there anything else I can do to make it more secure?
Also, where can I find a full howto/manual for Sandboxie? <-QUOTE}
I could be wrong, but I think you have two sandboxes which are identical and therefore redundant (default sandbox and testing sandbox), since both will only allow the same set of programs to run.
huangker
June 14th, 2008, 10:17 AM
{QUOTE-> I could be wrong, but I think you have two sandboxes which are identical and therefore redundant (default sandbox and testing sandbox), since both will only allow the same set of programs to run. <-QUOTE}
They are identical however I'm using them for session saving purposes :)
dja2k
June 14th, 2008, 03:05 PM
@huangker post
What are these options used for? I've never seen them before. Where are they added in the settings, if beneficial?
[GlobalSettings]
ConfigLevel=1
BoxRootFolder=%APPDATA%
ForceDisableSeconds=10
FileTrace=.
PipeTrace=.
KeyTrace=.
IpcTrace=.
GuiTrace=.
Being from the Low Level Access Settings, I thought they defaulted to yes instead of no, so why are they listed?
[DefaultBox]
BlockDrivers=y
BlockFakeInput=y
BlockWinHooks=y
BoxNameTitle=n
dja2k
MikeNAS
June 14th, 2008, 03:27 PM
{QUOTE-> What are these options used for? I've never seen them before. Where are they added in the settings, if beneficial?
[GlobalSettings]
ConfigLevel=1
BoxRootFolder=%APPDATA%
ForceDisableSeconds=10
FileTrace=.
PipeTrace=.
KeyTrace=.
IpcTrace=.
GuiTrace=.
Are these part of the Low Level Access Settings? I thought they defaulted to yes instead of no, so why are they listed?
[DefaultBox]
BlockDrivers=y
BlockFakeInput=y
BlockWinHooks=y
BoxNameTitle=n
dja2k <-QUOTE}
http://www.sandboxie.com/index.php?SandboxieIni
dja2k
June 14th, 2008, 03:47 PM
I should have looked over at the sandboxie site first, okay now I feel dumb! ::) but still I wonder why my default ini file doesn't show the BlockDrivers, BlockFakeInput, BlockWinHooks as yes.
dja2k
huangker
June 14th, 2008, 05:30 PM
{QUOTE-> I should have looked over at the sandboxie site first, okay now I feel dumb! ::) but still I wonder why my default ini file doesn't show the BlockDrivers, BlockFakeInput, BlockWinHooks as yes.
dja2k <-QUOTE}
What version are you using? I remember it coming in around 2.23-2.24 as that is when the scroll feature on my Thinkpad nipple stopped working.
dja2k
June 14th, 2008, 05:47 PM
I have 3.26.07 and I've never seen those by default.
dja2k
MikeNAS
June 15th, 2008, 12:16 AM
{QUOTE-> I have 3.26.07 and I've never seen those by default.
dja2k <-QUOTE}
I haven't seen those either. No problem. Just adjust your basic rules. Sandboxie takes care of the rest.
dja2k
June 15th, 2008, 12:21 AM
{QUOTE-> I haven't seen those either. No problem. Just adjust your basic rules. Sandboxie takes care of the rest. <-QUOTE}
Actually if you go for the low level access, permit all three, that will add those lines and give you "n" for all of them, but if you go back in there again and uncheck them, it will change all three to "y" in the list plus it leaves the lines in the .ini.
dja2k
MikeNAS
June 15th, 2008, 12:44 AM
{QUOTE-> Actually if you go for the low level access, permit all three, that will add those lines and give you "n" for all of them, but if you go back in there again and uncheck them, it will change all three to "y" in the list plus it leaves the lines in the .ini.
dja2k <-QUOTE}
I know that but I don't have reason to do so...