Sandboxie v2.86

[ErikAlbert]

This thread is about Sandboxie ONLY. So please, stick to the subject.
You don't have to tell me how good or bad Sandboxie is. So no emotional outbursts or comments regarding Sandboxie, because these comments don't make me any wiser.
You don't have to tell me that Sandboxie causes some troubles on certain computers, all softwares have that in common and that doesn't make me any wiser either.
I don't want any comparision with other softwares either, this is about Sandboxie, nothing else.

I only want to know HOW Sandboxie works, in other words the philosophy behind Sandboxie. I'm using Sandboxie for two days, so I'm certainly not an experienced user of Sandboxie, but Sandboxie seems to love my total system so far.
The bottom line is : I want to figure out, if Sandboxie is worth my time to LEARN it in detail and use it in my frozen snapshot as a protection in the period between two reboots.
This thread might also be usefull for potential users and for discussions, but first I like to know if I understand the concept of Sandboxie and I would like to have an answer to my questions.
---------------------------------------------------------------------------------------------------
As far as I understand Sandboxie works like this, if I'm wrong please correct me :

1. You can choose which application has to run sandboxed or NOT.
Weird question : what happens when Look'n'Stop (my actual firewall) is sandboxed ?
It seems to me you have to decide carefully which application will be sandboxed or not.
What are the general rules to run an application sandboxed or not ?

2. Once an Application is sandboxed :
a. It can only read objects on the REAL harddisk
b. All write operations are done in a Transient Storage Area, called SANDBOX and NEVER on the REAL harddisk.

3. This means to me that the SANDBOX can contain GOOD and BAD objects.
a. If I download IZARC37.EXE, which is a GOOD object, the file will be written and stored in the SANDBOX under the right folder, that looks like the real folder, but is in fact a folder in the SANDBOX.
If I want to keep IZARC37.EXE, I assume, I have to copy/paste this file FROM the SANDBOX TO the real folder.
When I clean the SANDBOX : the file IZARC37.EXE will be removed, but is still stored in the real folder.
If I don't want to keep IZARC37.EXE, I just clean the SANDBOX and everything is gone.

b. If I download TROJAN.EXE, which is a BAD object, the file will be written and stored in the SANDBOX just like a GOOD object.
If I doubleclick TROJAN.EXE inside the SANDBOX, the TROJAN will be executed, BUT whatever the TROJAN writes, it will be kept inside the SANDBOX and won't affect the real harddisk.
If I clean the SANDBOX, everything what the TROJAN.EXE did, will be GONE forever.

Conclusion : if the user doesn't know the difference between GOOD and BAD objects, he still can infect his own computer by moving the bad objects to his real harddisk.
----------------------------------------------------------------
If the above is all TRUE, I assume that I can use Sandboxie to LEARN what a BAD object can do to my computer, because each write operation of the BAD object will be visible in the SANDBOX. Am I right about this ?

Thanks in advance for your co-operation.

[Pedro]

1. Yes you choose. It only sandboxes (virtualizes..) what you want, or what you specifically assigned. Your FW is not sandboxed.
General rules? I don't know how to answer, you sandbox what you want to completly isolate from your system. Mostly browser, messenger, like that. Every change, download, etc. goes to the virtual container, the sandbox. Registry changes go to fake registry, files to fake file system...
To retrieve what you want, you define what folders you want monitored, and assine them to the "Quick Recovery". In the GUI, Configuration-Sandbox Settings-Set Automatic Cleanup options. Should be really simple to use. You add folders here, and choose how you want it to run. If you tick "automatically delete contents..", when you close the browser or whatever, if anything is in those folders, you'll be asked if you want to check them, using "Quick Recovery".
I could go on and on, but this is waste.

No post can explain better than SandboxIE's site:
http://www.sandboxie.com/index.php?HelpTopics
Read Getting Started, all the way down to FAQ. You'll read it easy. And understand. Trust me.

2. Yes. But you can set what folders are not to be allowed read.

3.
a. yes. It's you in control of what you keep. When you delete the sandbox, everything you didn't copy to the real file system, and left there, is deleted (or erased, if you want to associate an eraser to SandboxIE).

b.exactly.

Conclusion: yes.
----------

Quote:

Originally Posted by ErikAlbert

If the above is all TRUE, I assume that I can use Sandboxie to LEARN what a BAD object can do to my computer, because each write operation of the BAD object will be visible in the SANDBOX. Am I right about this ?

Sort of. You sure can look at everything that was writen to the sandbox. And only changes made exist, so it can be useful for that.

From what i read in your post, you don't want to miss the FAQ, and this.

But i really think you can/should read the whole site . Skip the fuctions you don't care, and it won't take you much time. It's a good read.

[lucas1985]

Why would you want to run your firewall sandboxed?

[lu_chin]

I think it also depends on how you define what a bad object is. Does a bad object always have to write to the hard-disk or change registry entries? If you download a password stealer program and run it, it can still do its damage even though it may not have written files to the hard-disk or modify the registry. A firewall program may or may not catch it when it sends out data.

[Peter2150]

Hi Erik

I am posting in this format as I am a bit lazy.

As far as I understand Sandboxie works like this, if I'm wrong please correct me :

1. You can choose which application has to run sandboxed or NOT.
Weird question : what happens when Look'n'Stop (my actual firewall) is sandboxed ?
It seems to me you have to decide carefully which application will be sandboxed or not.
What are the general rules to run an application sandboxed or not ?

Yes you can chose what is sandboxed. You wouldn't want to run a firewall sandboxed. What you really want to run sandboxed is applications that download from the web, or something like winzip if you have occasion to be suspicious of the contents. I run Opera and IE sandboxed, and chose not to run my email clients sandboxed. If an Email were to have an attachment I am curious about, I would leave it alone in Outlook, and go on the web, and use the web based email to check it out.

2. Once an Application is sandboxed :
a. It can only read objects on the REAL harddisk

It can also read files in the sandbox.

b. All write operations are done in a Transient Storage Area, called SANDBOX and NEVER on the REAL harddisk.

Yes. Although you can specify exceptions.

3. This means to me that the SANDBOX can contain GOOD and BAD objects.
a. If I download IZARC37.EXE, which is a GOOD object, the file will be written and stored in the SANDBOX under the right folder, that looks like the real folder, but is in fact a folder in the SANDBOX.

YES

If I want to keep IZARC37.EXE, I assume, I have to copy/paste this file FROM the SANDBOX TO the real folder.
When I clean the SANDBOX : the file IZARC37.EXE will be removed, but is still stored in the real folder.
If I don't want to keep IZARC37.EXE, I just clean the SANDBOX and everything is gone.

No you normally don't have to copy paste. First there is an automatic clean and recover which I don't use. There is a manual recover which allows you to easily recover files to where you placed them or even choose another location. Should you select the delete sandbox option, if there are recoverable files, you will first be given a recovery option.

If I chose a non standard download area like my D: drive, then I might have to copy and paste.

b. If I download TROJAN.EXE, which is a BAD object, the file will be written and stored in the SANDBOX just like a GOOD object.

Yes it will.

If I doubleclick TROJAN.EXE inside the SANDBOX, the TROJAN will be executed, BUT whatever the TROJAN writes, it will be kept inside the SANDBOX and won't affect the real harddisk.
If I clean the SANDBOX, everything what the TROJAN.EXE did, will be GONE forever.

Correct.

Conclusion : if the user doesn't know the difference between GOOD and BAD objects, he still can infect his own computer by moving the bad objects to his real harddisk.

This is true. No substitute for thinking
----------------------------------------------------------------
If the above is all TRUE, I assume that I can use Sandboxie to LEARN what a BAD object can do to my computer, because each write operation of the BAD object will be visible in the SANDBOX. Am I right about this ?

It should be.

Erik you are protected to a degree, as Sandboxie won't let you install a service. For instance when I tried installing KAV in the Sandbox when it tried to install a service it couldn't so the install failed and KAV rolled it back. Online Armor let me install, but once I tried to start it, it couldn't start it's service so it failed. Deleted the sandbox and everything was gone.

Pete

[ErikAlbert]

Quote:

Originally Posted by lucas1985

Why would you want to run your firewall sandboxed?

I didn't ask that question out of stupidity. I would never sandbox my firewall. I just put it extreme, because I like to know what Sandboxie-users make decide to sandbox an application or not, which doesn't seem to be clear in Sandboxie.
Where is the limit of usefull sandboxing ? What is absurd in sandboxing ?
It seems to me, I have to figure it out myself.

[lucas1985]

Quote:

Originally Posted by ErikAlbert

I like to know what Sandboxie-users make decide to sandbox an application or not, which doesn't seem to be clear in Sandboxie.

You should sandbox applications which may be used to install/download/execute malware. For the most part, browsers, mail clients, IM clients are the usual target for sandboxing. IMO, mail clients shouldn't be sandboxed if you read mail as only-text and discard unknown/unrequested mails/attachments. On the other hand, attachments which you trust can be saved to disk and executed inside the sandbox.
You can also run a sandboxed copy of Word/Excel/Powerpoint/PDF viewer if you suspect that some document may have dangerous macros/scripts embedded.

Quote:

Originally Posted by ErikAlbert

What is absurd in sandboxing ?

Installing apps which require:
- Kernel drivers.
- Register of service.
- Add autostart entries to registry.

[ErikAlbert]

Thanks you guys. At first sight, Sandboxie seems to be good for immediately usage and it can be usefull in the future, when I want to know, what a malware exactly writes on my computer.
If I execute the malware for real in my frozen snapshot, I can check the Detailed Log, if FDISR removed the same bad objects during a copy/update FROM Freeze Storage.arx TO frozen snapshot. At least that's what I hope.

[ErikAlbert]

Lucas,
OK. I got the picture. Thanks.

[Bob D]

Quote:

Originally Posted by lucas1985

....You can also run a sandboxed copy of Word/Excel/Powerpoint/PDF viewer if you suspect that some document may have dangerous macros/scripts embedded.

Part of the beauty of Sandboxie is that you should be able to open sandboxed files with native programs, and the launched app will automatically run the file sandboxed.
i.e.: If I download/open a .pdf file (whilst browsing sandboxed), my pdf reader will automatically launch and open up the file in a sandboxed environment.
The same should apply to most app.s.

[Meriadoc]

Sandboxie, or a sandbox interrupts the flow of processed information to the hard disk. The concept of a sandboxie is to keep the overall integrety of your machine security while not having to harden the controls and loosing useful function.

Some problems found with Sandboxie are that it needs to reduce conflict with third-party software and elimanate malfunctions such as system and program crash/lock-up as soon as it started and when closing. That said versions and fixes come regularly and Sandboxie has an active community.

Things to learn and of interest are SandboxieIni and Portable Sandbox.

When I have some more time I'll come back to this thread.

[ErikAlbert]

What I like about Sandboxie is that it also works on my second harddisk = my data partition [D:], which isn't protected by FDISR.

[Pedro]

One thing i still didn't figure out: what completes SandboxIE. Right now, despite the whole arsenal installed ( ), i'm only running active CPF, SandboxIE and Antivir.

With SandboxIE, i have what i want to have. But because i'm hooked, as you guys, i look for what completes it, like - if malware runs inside the sandbox, it can still do something, like recording my Wilders password .

What completes what SandboxIE lacks

[Jarmo P]

Using Sandboxie reduces the need to have antispyware programs etc. So I am running also it with Comodo and have also Avira AntiVir. Though Avira is not of course much needed with Sandboxie.
I like the fact that CPU usage from my security programs is zero.

[ErikAlbert]

Quote:

Originally Posted by Pedro

With SandboxIE, i have what i want to have. But because i'm hooked, as you guys, i look for what completes it, like - if malware runs inside the sandbox, it can still do something, like recording my Wilders password .

What completes what SandboxIE lacks

Recording the password doesn't sound dangerous to me, unless it SENDS the password to the thief, that is dangerous.
If the recorded password is still in the sandbox, it will be removed once you clean the sandbox. Recording and sending are different actions.

[Pedro]

Quote:

Originally Posted by Jarmo P

Using Sandboxie reduces the need to have antispyware programs etc. So I am running also it with Comodo and have also Avira AntiVir. Though Avira is not of course much needed with Sandboxie.
I like the fact that CPU usage from my security programs is zero.

Great minds..

Quote:

Originally Posted by ErikAlbert

Recording the password doesn't sound dangerous to me, unless it SENDS the password to the thief, that is dangerous.
If the recorded password is still in the sandbox, it will be removed once you clean the sandbox. Recording and sending are different actions.

That's a very good point. Malware won't have privileged access, and easily detected by Comodo. Or is it?
But as i'm thinking of turning off certain features in Comodo, i would still like to know the answer, not envolving the firewall. You know, i got to install something

[Bob D]

Quote:

Originally Posted by ErikAlbert

Recording the password doesn't sound dangerous to me, unless it SENDS the password to the thief, that is dangerous.
If the recorded password is still in the sandbox, it will be removed once you clean the sandbox. Recording and sending are different actions.

You have to think of Sandboxie as a "one-way" valve,
Stuff cannot be written TO harddrive, but stuff can be READ (accessed) from HD and potentially sent out.
Per Erik's observation above: Any nasties on your system will simply and completely go away upon shutdown.

Quote:

What completes what SandboxIE lacks

Merely good outbound protection. Be it good firewall/HIPS, warning if anything should attempt to "phone home".

[Bob D]

Addendum to prior post.
Although Sandboxie does allow you to surf with virtual impunity, some common sense browsing procedures should keep you quite secure.
For instance: If I do any online banking / security trading, upon completion I DO NOT instantly start browsing various crack / porn sites.
Common sense dictates shut down browser (thus hopefully clearing any sensitive data in memory), re-open browser, THEN browse the dark side.

[ErikAlbert]

Quote:

Originally Posted by Bob D

For instance: If I do any online banking / security trading, upon completion I DO NOT instantly start browsing various crack / porn sites.
Common sense dictates shut down browser (thus hopefully clearing any sensitive data in memory), re-open browser, THEN browse the dark side.

My on-line banking isn't so dangerous anymore since my bank created recently a very complicated login procedure, which is explained in this thread :
http://www.wilderssecurity.com/showthread.php?t=169704
Even a malicious keylogger is worthless with such a login procedure.
Thanks for the other explanations, all bits help.

[Bob D]

Quote:

Originally Posted by ErikAlbert

My on-line banking isn't so dangerous anymore since my bank created recently a very complicated login procedure....

My bank also has all sorts of high technological security stuff as well.
Call me old fashioned / overly paranoid, but it's no big deal after online banking to simply close browser, re-open.
My K-Meleon takes <1.5 seconds to open.

Regards

[argus tuft]

Kind of off topic, but the question is about sandboxie...
Is there anyway of viewing the sandoxed 'virtual' registry?

[Meriadoc]

argus tuft :

Quote:

Is there anyway of viewing the sandoxed 'virtual' registry?

You could dump the sandboxed registry held in registry.dat within the data folder. Sandboxie also creates values in the real registry in memory.

Erik :

Quote:

What I like about Sandboxie is that it also works on my second harddisk = my data partition [D:], which isn't protected by FDISR.

You can also create and use a sandbox across machines portable sandbox.

You can tweak SB via SandboxieIni for example block drivers is a setting in SandboxieIni.

[Peter2150]

Gave Sandboxie a trial by fire last night.

Downloaded DFK - Threat Simulator by Morgud. Ran it on my VM machine.

First pass I disabled all security software, and ran it. Geesh, did it take hold of the machine. I rebooted and it even created it's own password protected account. I was able to boot back to my account and ran a KAV scan. It found some 29 different malware.

I reset the machine back to it's pretest state, and ran another pass, this time Sandboxing the first exe that starts the whole thing. Also had security software totally disabled. While it was able to seemingly take parts of the machine, Sandboxie by blocking some of the service installs prevented some of the stuff from getting in. I rebooted, and the DFK account wasn't there. Once back in, I deleted the sandbox and did a KAV scan and the machine was clean.

Did a third test same way, only before rebooting, I just terminated all sandbox processes, which made the apparent effects of the take over go away, and then deleted the Sandbox. Again a KAV scan showed clean.

So while there were some visible effects, in fact Sandboxie alone protected me from the threat simulater. Very impressive.

Pete

[ErikAlbert]

Quote:

Originally Posted by Peter2150

So while there were some visible effects, in fact Sandboxie alone protected me from the threat simulater. Very impressive.

Sounds very encouraging to me Peter. Another step forward in my plans. I'm getting closer and closer every day to what I really want.

[Peter2150]

Quote:

Originally Posted by ErikAlbert

Sounds very encouraging to me Peter. Another step forward in my plans. I'm getting closer and closer every day to what I really want.

What I really like is no complicated worries about where I save files I download, and no reboots to clean up. If I was using a frozen snapshot for just surfing, I think it would be bye bye frozen snapshot.