Wilders Security Forums  

  #1  
April 29th, 2012, 01:16 PM
Amit
some questions about sbie!

Hi,

If I add entries to blocked access in file access do I need to add entries to blocked access in registry access?

What is IPC? And what entries should I add in blocked access in IPC access?

Best Wishes,
ams963
__________________
✓The first principle is that you must not fool yourself, and you are the easiest person to fool.
✓Science is the belief in the ignorance of experts.
✓I don't know anything, but I do know that everything is interesting if you go into it deeply enough.


-------Richard P. Feynman---------

Last edited by Amit : April 30th, 2012 at 05:28 AM.
  #2  
April 29th, 2012, 05:51 PM
bo elam
Re: some questions about sbie!

I block personal files not system files but got some system files as read only, they are not the same as what I have under read only registry access. Never experienced a problem in the sandbox or a message from SBIE by using the setting that way. I think blocking system files/registry might be too strong but I have never set it that way.

HTH

Bo
  #3  
April 30th, 2012, 05:31 AM
Amit
Re: some questions about sbie!

Quote:
Originally Posted by bo elam
I block personal files not system files but got some system files as read only, they are not the same as what I have under read only registry access. Never experienced a problem in the sandbox or a message from SBIE by using the setting that way. I think blocking system files/registry might be too strong but I have never set it that way.

HTH

Bo
oh! I see......but I want to tighten up sbie.....I did as much as I could understand....but to fully take advantage of the sbie settings I have to get my answers to first post.....
  #4  
April 30th, 2012, 09:48 PM
bo elam
Re: some questions about sbie!

Based on how I use the Read only file and registry setting and how I use the block file setting to block specific personal files, the answer to your question is NO. The answer was in my previous post, you just did not read between the lines.

Anyway, I know of people that when blocking a bunch of system files, experience trouble when the sandbox malfunctions. I always avoid trouble and prefer to use the read only file and registry setting on files and keys that, over a period of time, I have learned that don't need to be modified by sandboxed programs. Doing it like this works perfectly as the sandbox gets restricted a little more and at the same time, programs in the sandbox work fine.

I might be wrong but I believe the blocked file setting was created to block personal files. I use it to block software licenses, files with my name or files with information on myself, my company or that are personal.

Bo
  #5  
May 1st, 2012, 10:33 AM
Amit
Re: some questions about sbie!

Quote:
Originally Posted by bo elam
Based on how I use the Read only file and registry setting and how I use the block file setting to block specific personal files, the answer to your question is NO. The answer was in my previous post, you just did not read between the lines.

Anyway, I know of people that when blocking a bunch of system files, experience trouble when the sandbox malfunctions. I always avoid trouble and prefer to use the read only file and registry setting on files and keys that, over a period of time, I have learned that don't need to be modified by sandboxed programs. Doing it like this works perfectly as the sandbox gets restricted a little more and at the same time, programs in the sandbox work fine.

I might be wrong but I believe the blocked file setting was created to block personal files. I use it to block software licenses, files with my name or files with information on myself, my company or that are personal.

Bo
yeah you're absolutely right....blocked file setting was indeed created to block personal files.....I just got sandbox malfunctions and got message from sbie that firefox could not get access to some windows dll file and also sandboxie dll files.......thank you very much for explaining to me so clearly.....otherwise I would think I tightened up sbie and when I would get those messages and ff would not start I would all banana........
  #6  
May 2nd, 2012, 09:14 PM
m00nbl00d
Re: some questions about sbie!

In addition to what's been said, I'd only block access in those sandboxes meant for apps that have network access. There's no need to block such access to apps that will run in sandboxes without network access, in my opinion. Then again, maybe I'm wrong.

Regarding the IPC, that's Inter-Process Communication, which basically means what it means, processes will have to communicate with one another.

For instance, Sandboxie creates IPC rules for Microsoft EMET, which should be left in the global settings, which makes it easier for any other future application you may protect with EMET.

Besides that, there are some Full File Access default rules for Adobe Reader, for example, which you may want to remove from the global settings and add it to its own sandbox or other sandboxes that may need Adobe Reader, such as your web browser sandbox. If you do have Adobe Reader, of course. Just an example.

There's another one, in my case, for 7-zip. I don't need it to exist in all sandboxes, so I removed it from the global settings and add it to 7-zip's sandbox configuration instead. I think this was for IPC... don't recall.

There's also some Microsoft Office Licensing IPC rules, I think. You may want to add it to the individual sandboxes that need it, rather than globally. Why give more than they need, right?

Last edited by m00nbl00d : May 2nd, 2012 at 09:42 PM.
  #7  
May 3rd, 2012, 01:47 PM
Amit
Re: some questions about sbie!

Quote:
Originally Posted by m00nbl00d
In addition to what's been said, I'd only block access in those sandboxes meant for apps that have network access. There's no need to block such access to apps that will run in sandboxes without network access, in my opinion. Then again, maybe I'm wrong.

Regarding the IPC, that's Inter-Process Communication, which basically means what it means, processes will have to communicate with one another.

For instance, Sandboxie creates IPC rules for Microsoft EMET, which should be left in the global settings, which makes it easier for any other future application you may protect with EMET.

Besides that, there are some Full File Access default rules for Adobe Reader, for example, which you may want to remove from the global settings and add it to its own sandbox or other sandboxes that may need Adobe Reader, such as your web browser sandbox. If you do have Adobe Reader, of course. Just an example.

There's another one, in my case, for 7-zip. I don't need it to exist in all sandboxes, so I removed it from the global settings and add it to 7-zip's sandbox configuration instead. I think this was for IPC... don't recall.

There's also some Microsoft Office Licensing IPC rules, I think. You may want to add it to the individual sandboxes that need it, rather than globally. Why give more than they need, right?
Thank you very much. Things are clearer now. I can tighten up sbie more confidently.
  #8  
May 3rd, 2012, 05:32 PM
m00nbl00d
Re: some questions about sbie!

Quote:
Originally Posted by ams963
Thank you very much. Things are clearer now. I can tighten up sbie more confidently.

I should have added that there's a catch, though. There's always a catch... And, that's what mentioned before is related to software compatibility. So, unless you want to have Sandboxie checking for compatible software all the time, then you should enable the option not to check for software compatibility in the future. Or, just click Cancel every time it happens.

If you click OK, then it will add those entries back in Global Settings. Maybe Sandboxie's developer will change this in the future. It would be nice to be able to configure Software Compatibility per sandbox, and not globally.

I always enable this option, so I don't recall how recurrent those alerts would be. Maybe you'd get them on each reboot... not sure, though.
  #9  
May 3rd, 2012, 09:24 PM
bo elam
Re: some questions about sbie!

Quote:
Originally Posted by m00nbl00d
It would be nice to be able to configure Software Compatibility per sandbox, and not globally.

You can do that now.

Go to applications in the sandbox where you want to apply software compatibility and enable/disable it there. PDF/Printing all the way down to All applications, that's where you'll get it done. I believe that's what you want.

Bo
  #10  
May 4th, 2012, 09:45 AM
m00nbl00d
Re: some questions about sbie!

Quote:
Originally Posted by bo elam
You can do that now.

Go to applications in the sandbox where you want to apply software compatibility and enable/disable it there. PDF/Printing all the way down to All applications, that's where you'll get it done. I believe that's what you want.

Bo

Yeah, that's it. It's been there for a long time. I just never associated it with software compatibility. Damn...

  #11  
May 4th, 2012, 02:46 PM
Amit
Re: some questions about sbie!

Quote:
Originally Posted by m00nbl00d
I should have added that there's a catch, though. There's always a catch... And, that's what mentioned before is related to software compatibility. So, unless you want to have Sandboxie checking for compatible software all the time, then you should enable the option not to check for software compatibility in the future. Or, just click Cancel every time it happens.

If you click OK, then it will add those entries back in Global Settings. Maybe Sandboxie's developer will change this in the future. It would be nice to be able to configure Software Compatibility per sandbox, and not globally.

I always enable this option, so I don't recall how recurrent those alerts would be. Maybe you'd get them on each reboot... not sure, though.
ah a catch.....there is always a catch isn't there.........well, thx a lot
  #12  
May 4th, 2012, 05:44 PM
m00nbl00d
Re: some questions about sbie!

Quote:
Originally Posted by ams963
ah a catch.....there is always a catch isn't there.........well, thx a lot

Well, not so much of a catch, if we take under consideration what user bo elam mentioned in post #9. A more elegant approach, and the approach to follow, considering Sandboxie does allow to disable software compatibility for individual sandboxes. I just never associated the two.

  #13  
May 5th, 2012, 07:56 AM
Amit
Re: some questions about sbie!

Uh oh.....Got a problem. I've created a sandbox for USB stick. And want to restrict internet access and start/run access. But I must add a program in each to restrict any other programs from accessing internet or running, right? Otherwise all programs will access the internet and run/start. Which program should I add? I mean I cannot just add iexplorer.exe or firefox.exe, right? I don't want any program from my USB stick to access the internet.....maybe start/run.
  #14  
May 5th, 2012, 10:00 AM
bo elam
Re: some questions about sbie!

Quote:
Originally Posted by ams963
But I must add a program in each to restrict any other programs from accessing internet or running, right? Otherwise all programs will access the internet and run/start. Which program should I add? I mean I cannot just add iexplorer.exe or firefox.exe, right? I don't want any program from my USB stick to access the internet.....maybe start/run.
I rarely use USBs. On my USB sandbox all programs can run and none can connect to the Internet. Maybe you like to use 2 sandboxes, one like mine and another one where only the browsers are allowed Internet access.

Bo
  #15  
May 5th, 2012, 10:47 AM
Page42
Re: some questions about sbie!

Quote:
Originally Posted by ams963
Uh oh.....Got a problem. I've created a sandbox for USB stick. And want to restrict internet access and start/run access. But I must add a program in each to restrict any other programs from accessing internet or running, right? Otherwise all programs will access the internet and run/start.
I don't know which you should add, but you are correct in that you must add at least one in order to prevent all from accessing. When I first realized that, I was of course very impressed by the strength of the program (and very glad that I understood this configuration fact). But as I ponder it a bit more, I wonder why in the heck Tzuk made SBIE in this fashion? Why, for example, aren't all programs denied access by default and only allowed as they are added? I guess because then Sandboxie would not run out of the box.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
  #16  
May 5th, 2012, 11:02 AM
Amit
Re: some questions about sbie!

Quote:
Originally Posted by bo elam
I rarely use USBs. On my USB sandbox all programs can run and none can connect to the Internet. Maybe you like to use 2 sandboxes, one like mine and another one where only the browsers are allowed Internet access.

Bo
Yes but I'm asking how did you restrict all programs from accessing the internet.
  #17  
May 5th, 2012, 11:06 AM
Amit
Re: some questions about sbie!

Quote:
Originally Posted by Page42
I don't know which you should add, but you are correct in that you must add at least one in order to prevent all from accessing. When I first realized that, I was of course very impressed by the strength of the program (and very glad that I understood this configuration fact). But as I ponder it a bit more, I wonder why in the heck Tzuk made SBIE in this fashion? Why, for example, aren't all programs denied access by default and only allowed as they are added? I guess because then Sandboxie would not run out of the box.
Right on my good friend. This is exactly what I'm asking. I do not want any program inside the sandbox for USB sticks to access internet. But if I keep the space in the internet access blank then it says, 'All programs can access the internet'.

And I also sometimes would want no program to run/start from the sandbox for USB stick.

But I must add a program in both internet access and start/run access. But I do not know which one to add.
  #18  
May 5th, 2012, 11:08 AM
Page42
Re: some questions about sbie!

Quote:
Originally Posted by ams963
Yes but I'm asking how did you restrict all programs from accessing the internet.
By doing precisely as you have noted, entering at least one.
I am not sure which one you should select, but at least be certain to also select Drop Rights.
  #19  
May 5th, 2012, 11:31 AM
Amit
Re: some questions about sbie!

Quote:
Originally Posted by Page42
By doing precisely as you have noted, entering at least one.
I am not sure which one you should select, but at least be certain to also select Drop Rights.
Maybe someone else would like to give a program to add. And I always select DropRights.

At least can you say which program to add in start/run access in my 'USB Sandbox'?
  #20  
May 5th, 2012, 12:13 PM
Dark Star 72
Re: some questions about sbie!

Quote:
Originally Posted by ams963
Yes but I'm asking how did you restrict all programs from accessing the internet.
When you first set up a new Sandbox and go to "restrictions" > "internet access" - it is as in my screen shot. Simply click "Block all programs" and nothing will be able to connect out. I have separate sandboxes for my PDF reader and also for all my downloads, both are set up this way and in addition the downloads Sandbox has the "Drop rights" option ticked. I have deliberately tried starting malware in that box and it has never even managed to get started. Sandboxie restrictions stop it dead.
When I first tried Sandboxie a few years ago I simply could not get my head round it and left it, but I kept coming back to it and gradually learned how it worked and how to set it up. It is now the bedrock of my security and if anything doesn't work with Sandboxie it's gone. That and Shadow Defender are the only indispensable security apps on my machine.
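
Added example, not part of the original thread and not Sandboxie's own code: a small Python audit that reads Sandboxie.ini text and reports, for each sandbox, which Internet Access state discussed above applies (empty list, a list of allowed programs, or "Block all programs"), together with Start/Run Access and Drop Rights. The setting names are the ones Sandboxie stores in Sandboxie.ini; the sample configuration, the box names, `viewer.exe` and the function names are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): box names and viewer.exe are made up;
# the setting names are those Sandboxie.ini uses for the Restrictions pages.
SAMPLE_INI = """\
[GlobalSettings]
[DefaultBox]
Enabled=y

[Browser]
Enabled=y
DropAdminRights=y
ProcessGroup=<InternetAccess_Browser>,firefox.exe
ClosedFilePath=!<InternetAccess_Browser>,InternetAccessDevices

[USB]
Enabled=y
DropAdminRights=y
ClosedFilePath=InternetAccessDevices
ProcessGroup=<StartRunAccess_USB>,viewer.exe
ClosedIpcPath=!<StartRunAccess_USB>,*
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}. Keys repeat, so configparser won't do."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def process_groups(settings):
    """Map '<group>' (lower-cased) to the programs listed in its ProcessGroup lines."""
    groups = {}
    for key, value in settings:
        if key == "processgroup":
            name, *members = [part.strip().lower() for part in value.split(",")]
            groups.setdefault(name, []).extend(m for m in members if m)
    return groups

def access_policy(settings, key, resource):
    """Classify one restriction as 'open', 'blocked', or a sorted allow list."""
    groups = process_groups(settings)
    allowed, restricted = set(), False
    for k, value in settings:
        parts = [part.strip().lower() for part in value.split(",")]
        if k != key.lower() or parts[-1] != resource.lower():
            continue
        if len(parts) == 1:
            return "blocked"              # no program prefix: closed for everyone
        if parts[0].startswith("!"):      # "!x": closed for everyone except x
            restricted = True
            who = parts[0][1:]
            allowed.update(groups.get(who, []) if who.startswith("<") else [who])
    if not restricted:
        return "open"                     # empty list in the GUI: all programs allowed
    return sorted(allowed) or "blocked"

def audit(text):
    """Per-sandbox summary of Internet Access, Start/Run Access and Drop Rights."""
    report = {}
    for name, settings in parse_sections(text).items():
        if name == "GlobalSettings" or name.startswith("UserSettings_"):
            continue                      # these sections are not sandboxes
        report[name] = {
            "internet": access_policy(settings, "ClosedFilePath", "InternetAccessDevices"),
            "start_run": access_policy(settings, "ClosedIpcPath", "*"),
            "drop_rights": dict(settings).get("dropadminrights", "n").lower() == "y",
        }
    return report

def open_internet_boxes(text):
    """Names of sandboxes where every program may still reach the Internet."""
    return [box for box, r in audit(text).items() if r["internet"] == "open"]
```

Sandboxie.ini is normally stored as UTF-16 text, so decode it with that encoding before passing its contents to `audit()`.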
  #21  
May 5th, 2012, 12:27 PM
Page42
Re: some questions about sbie!

Quote:
Originally Posted by Dark Star 72
Simply click "Block all programs" and nothing will be able to connect out.
Wow. How long has that option been present?
I seriously don't recall seeing that button. Could I be that blind?
And I agree totally with your SBIE bedrock assessment.
  #22  
May 5th, 2012, 12:44 PM
Amit
Re: some questions about sbie!

Quote:
Originally Posted by Dark Star 72
When you first set up a new Sandbox and go to "restrictions" > "internet access" - it is as in my screen shot. Simply click "Block all programs" and nothing will be able to connect out. I have separate sandboxes for my PDF reader and also for all my downloads, both are set up this way and in addition the downloads Sandbox has the "Drop rights" option ticked. I have deliberately tried starting malware in that box and it has never even managed to get started. Sandboxie restrictions stop it dead.
When I first tried Sandboxie a few years ago I simply could not get my head round it and left it, but I kept coming back to it and gradually learned how it worked and how to set it up. It is now the bedrock of my security and if anything doesn't work with Sandboxie it's gone. That and Shadow Defender are the only indispensable security apps on my machine.
Holy smoke! I must have gone banana not to see that option. Thank you so much my good friend.

And you are right. I also leave anything that won't play nice with sbie. I've made sbie a permanent in my setup.
  #23  
May 5th, 2012, 12:45 PM
Amit
Re: some questions about sbie!

Quote:
Originally Posted by Page42
Wow. How long has that option been present?
I seriously don't recall seeing that button. Could I be that blind?
And I agree totally with your SBIE bedrock assessment.
LOL. Guess we've become sloppy
  #24  
May 5th, 2012, 12:46 PM
m00nbl00d
Re: some questions about sbie!

Quote:
Originally Posted by Page42
Wow. How long has that option been present?
I seriously don't recall seeing that button. Could I be that blind?
And I agree totally with your SBIE bedrock assessment.

I don't know for how long it has been there, but it has been there since I started using Sandboxie... which I truly don't recall when it was.
  #25  
May 5th, 2012, 12:49 PM
Amit
Re: some questions about sbie!

Quote:
Originally Posted by Dark Star 72
When you first set up a new Sandbox and go to "restrictions" > "internet access" - it is as in my screen shot. Simply click "Block all programs" and nothing will be able to connect out. I have separate sandboxes for my PDF reader and also for all my downloads, both are set up this way and in addition the downloads Sandbox has the "Drop rights" option ticked.
But what about start/run access under 'Restrictions'? What if I want to block all programs from starting or running in the USB Sandbox? There is no option like Block all Programs in start/run access.
All times are GMT -4.

