Sandboxie restriction advice

Discussion in 'sandboxing & virtualization' started by Page42, Jan 16, 2011.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    What advice can you give me as far as which programs are good to add into a sandboxed browser's Internet Access and Start/Run Access settings?

    All input is appreciated.
     

  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Hi Page,
    I started by allowing the browser and its updater. As you use SB, if anything needs to run, SB will usually notify you of what needs to be allowed. I would also run SB with "Drop Rights", which, if I'm not wrong, is equivalent to a standard account.
     

  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Hi Osaban... thanks for the reply, and info and screenies.
    I definitely have Drop Rights enabled in each of the 4 sandboxes I have created.

    I have now added Internet Explorer to both the Internet Access and Start/Run Access.

    The way I understand it, the moment I enter a program name into one of the Access settings, I have effectively reversed the "All programs can access the Internet" (or can start and run) setting, and I have then changed the access from all to just the one (or more) programs I have entered.
    To me, that seems huge.
    Isn't this a sure-fire way of stopping a keylogger... it can't access the net or start/run.

    One thing I am not clear on is what this statement (at the bottom of the Restrictions dialog) is actually saying?
    [attached image: SBIE restriction feature enabled statement.jpg]
    What feature is it referring to? And I don't get the description... what does it mean? o_O
     
  4. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Now I think you understand why SB is such an amazing application!

    It allows SB to notify you about what it has blocked. If it happens while you are doing something that you started (example: google update) then SB will block the updater, and will inform you about what it has blocked. If you think that what it has blocked is legitimate, you can add it to the list of programs allowed to start or to access the Internet.

    There could be more to it, hopefully some of the real experts might chime in.
     
  5. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    With the caveat that the listed apps are running in a sandbox. Since that may not necessarily be true it is not a substitute for a HIPS and/or personal firewall.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Why not? If all your browsers/email clients are sandboxed, and you are diligent in not introducing untrusted source files into the real OS, why would you even need HIPS/firewall with sandboxie?

    Not downplaying what HIPS/firewall do etc, just asking why SBIE cannot be a substitute, in your opinion anyway.

    @Osaban & Page42

    You have the function of that option correct, it informs you when something attempted to run etc that was not on the allowed list. The same thing happens if you right click the tray icon and use the "disable forced programs" option, then start a program that is normally forced -- a prompt comes up which says a program was started outside the sandbox.

    Sometimes these can be annoying if they happen a lot. I wish there was a feature that you could toggle to use these types of messages to configure Sandboxie, sort of "add this to the allowed list for this sandbox" or "never show this again".

    Sul.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I have those messages turned off. Everything is as I want it to be, so no need for the "annoying" (but, I guess needed) alerts.

    @Page42

    I know others have responded to you, and this is a little info on how I have mine for Chromium, whenever I need to download stuff. :D Yeah, I'm using Sandboxie to be able to download stuff! ;)

    I only have chrome.exe as the only process with Internet access permission. I have disabled the warning for alerts when processes get blocked such access. chrome.exe is the only one I wish to grant access, so I made the decision to stop the warnings.

    Regarding processes that can be allowed to run in the sandbox (not Internet access), obviously one is needed, in my case, chrome.exe. Makes sense. lol

    Then, I guess it all comes down to a matter of preference. Do you wish to run, for example, pdf files in the pdf reader's own sandbox? Or not? If not, then you can allow the pdf reader's main executable to run in the sandbox.

    Same for a media player, if you listen to music from some website which requests a media player. You do not need to allow Internet access, because the web browser is the one that actually downloads the content and the media player just plays it.

    Really, it's a matter of preferences. I personally do not have any of those Sandboxie processes allowed; no harm done in allowing them, but I was just lazy setting things up that way, and guess what? It works. lol

    I would, of course, add dllhost.exe to start access, otherwise you'll find Sandboxie quite chatty with warning saying it can't do this or that when you try to save some file to the Desktop.
     
  8. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Someone else may not be diligent like you. Some people share computers.

    Someone may not have everything necessary sandboxed. You mentioned your browser and email client, but not your media player or pic viewer or pdf viewer or one of 1000 apps someone else may own. Some of these apps are potentially vulnerable. So are their operating systems.

    It won't stop apps from phoning home, unless you sandbox them, but how would you know if they are phoning home in the first place?

    What if SBIE is itself vulnerable or what if it "breaks" during a session?

    What if someone has a port open (and no firewall or router) and it is exploited remotely? Would SBIE have helped someone with this? http://support.microsoft.com/kb/826955/

    Your statement "...if...you are diligent in not introducing untrusted source files into the real OS..." is a pretty big "IF". A whole security industry has been built around this "IF" not being followed correctly.
     
    Last edited: Jan 17, 2011
  9. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    You would be wise to utilize blocked access settings for commonly exploited programs such as java and flash. That should take care of about 90% of the exploits out there and act as a better substitute for the NoScript addon.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Very true. That is why I predicated it upon the assumption the user is diligent and aware. It goes without saying there are many circumstances like you mention that defeat the purpose.

    I see where you wanted to go with this, but it doesn't work as you suggest fully. For what you suggest to happen, you would have to download something, a .pdf or media file, then run it outside of the sandbox. This is not being diligent at all, it is being sloppy and careless. The whole purpose of using the sandbox is to contain online matters, for many at least. If I want to view a .pdf, the browser will initiate it, thus the pdf viewer will start in that sandbox. If I want to watch media, the browser should either play it or spawn the player, again starting it in the sandbox.

    But isn't that logic flawed from the start? What if any program "breaks" or has a vulnerability? You could "what if" on that forever. What if you don't have services holding ports open? What if you don't have idiotic services running that are exploitable? What if your HIPS/firewall is configured wrong and thus provides no security, or no connectivity? What if you don't understand the syntax of the HIPS prompts? These are all "what ifs" that are only a real concern to people not interested in computers.

    I beg your pardon, but I wasn't thinking of suggesting that a novice/noob use only sandboxie and that would be enough, although I do think it stands as good a chance as any hips/firewall combo ;)

    We are strictly speaking in opinions here, because none of this can really be empirically proved, but I 100% disagree with this above statement, with all of my being. I do just what I say. It isn't a pretty big if at all. The security industry you say? The reason the security industry exists in the first place is because people do what they want with no regard. Simplistic schemes such as downloading files from trusted sources, using technologies like sandboxes to contain internet facing applications, implementing restricted tokens if you are admin or even better using a true User account, turning off services you don't need, or setting them to manual. Applying registry settings to close off certain threats...

    all of these require no great arsenal of security tools. No firewall, no hips, no AV. Granted, not everyone can do this, but only because they don't want to learn how. This forum is chock full of people sharing how to do things. I guess I must be lucky, because that pretty big "IF" has been working very well for me ;)

    Note, I don't disagree that many users need the help of security tools, based on their lack of knowledge or desire, but I do disagree that you "need" those tools to become secure, I think that is a facade and simply untrue.

    Sul.
     
  11. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    What if SOMEONE (this isn't Just About Sully, Sully) downloaded a malicious file, viewed it in the sandbox and liked it so much they saved it to the hard drive. Then a few days later they run the file using their media player. Their SBIE won't be protecting them. Or SOMEONE (this isn't Just About Sully, Sully) could accidentally autorun something (from CD, DVD, USB drive, etc) outside the sandbox. There are many other examples.

    It could happen to anybody, especially if you think in your head that it is "above you" since you are so smart or have much experience. I am confident, after reading your posts, (especially that bit about ONLY running the e-mail client and browser sandboxed!) that it could easily happen to you. I would recommend a layered approach + forcing many of your apps to run sandboxed, not just two. But only YOU can decide what's best for you.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't think Sully mentioned the media player example to say he doesn't sandbox media players. Considering Page42 mentioned a web browser, that's why Sully mentioned that a media player would be started sandboxed via web browser.

    Obviously media player, pdf reader, etc should be added to a sandbox, or, at least, run the file sandboxed.

    There are things that, unfortunately, are not as straightforward to have sandboxed, like installing fonts, for example. You'd need to start every application you'd be needing such fonts under the same box or install the fonts in different sandboxes, and remember that you'd need to start xyz every time under that sandbox. It becomes annoying, I must confess.

    At some point, there will be something we'll be running outside a sandbox; which is why, I believe, some use image backups as a strategy as well. But, this does make me ask a question: How will you know these fonts, in my example, are OK? (Besides downloading from "trustworthy" sources.) Unless you're some expert and don't mind spending quite a bit of time analyzing a few/many fonts o_O, then I guess it's up to some other security measure?
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Hey Sul
    Speaking of "disable forced programs", I think it would be a good thing if this feature wasn't such an all-or-nothing option. (Maybe it is and I just haven't discovered it.) What I'm saying is, if I only want to disable forced start of the browser for a little while, why should I also have to disable forced start of the other internet-facing apps I have configured to force start (email, pdf, media player)? Just wondering, is all. What do you think?
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Hey noway,
    Layered approaches are very much in favor around these parts, as you must know. In fact, some folks have redundant layers, and the key becomes recognizing that and doing what you can to pare it down.

    You suggested that Sul "force many of (his) apps to run sandboxed, not just two". Would you elaborate... the "force many" part? Name some of the many, please.

    And so I can be clear, are you a SBIE user?
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Just to tell you how I have SBIE set up so far, I have 4 separate sandboxes... 1 each for browser, email client, pdf reader and media player. This works nicely for me, to date.

    And for each of the 4 sandboxes, I have now entered ONLY the program executable into each specific sandbox for both Internet Access and Start/Run Access.

    In other words, in my IE sandbox, I have now added iexplore.exe as the only program allowed in both the Internet Access and Start/Run Access restriction dialogs pictured in my initial post.

    In the pdf reader sandbox, I have entered foxit_reader.exe as the only program allowed in both the Internet Access and Start/Run Access restriction dialogs.

    In the email sandbox, I have entered msimn.exe as the only program allowed in both the Internet Access and Start/Run Access restriction dialogs.

    In media player sandbox, I have entered wm_player.exe as the only program allowed in both the Internet Access and Start/Run Access restriction dialogs.

    I have done this because, going back to an earlier statement I made, the way I understand it, the moment I enter a program name into one of the Access settings, I have effectively reversed the (default) "All programs can access the Internet" (or can start and run) setting, and I have thus changed the access from all to just the one program I have entered. To me, this seems huge. And I should be prompted if anything else (besides the executables I have authorized) tries to access the internet or start/run.

    To my way of understanding, when SBIE is set up in this manner, SBIE becomes very, very powerful, the minute a user enters some program (preferably the executable that goes with the specific sandbox) into those Internet Access and Start/Run Access restriction dialogs... because nothing else is authorized! But if left to default, the sandbox will continue to function as an "All programs can access the Internet" sandbox.

    Anyone agree/disagree with this?
     
  16. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Yes, SBIE user.

    As far as what to force, that depends on how elaborate anyone's system is. But in addition to browser and e-mail, many users might consider forcing their pdf viewer, their graphics viewer, MS Word, download manager, media player. That's all I run forced but my system is very minimal. Remember, I am talking about "Program Start-Forced Programs" (if any of the following programs starts unsandboxed, it will be forced to run in this sandbox) not "Restrictions-Internet Access" or "Restrictions-Start/Run Access".

    I guess my concern is that there is sometimes a difference between how lean you run on your own system vs. what you would recommend to others.
     
    Last edited: Jan 18, 2011
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    by SOMEONE, you mean someone who knows nothing, like Grandma Joesephine? Or SOMEONE like many of those here? Or SOMEONE like yourself? Or SOMEONE who uses a Mac ;) Don't presume on these forums when people give advice they mean for ANYONE. Obviously I refer to SOMEONE who IS ABLE to do without a plethora of "layers" provided by 3rd party tools.

    Again, while I can say it works for me, I have not advocated everyone else should also use this approach. I simply wanted to hear if you hold to the prescription that one "must use X, Y and Z to be secure", and if so, or if not, why. It never has been just about me, it is about hearing different viewpoints/data, that just might help SOMEONE (even Sully) to gain some valuable insight/information :)

    Yes, very true. But that would be rather silly to do that, don't you think? If I download something I cannot implicitly trust, I would personally be monitoring what it does in sandboxie, and if needed in vmware, and if needed beyond that, perhaps jotti. Some people might want an on-demand AV for such purposes, or upload to jotti. Some simply don't have the wherewithal to do such things, and should not be doing such things without learning a bit about the topic (although that isn't how it normally works, is it? )

    Autoruns are easily taken care of by SBIE if you like or many other methods that might or might not employ 3rd party tools. It is pertinent to security, true enough.

    Ok, now I don't take any offense, because there is nothing here really to take offense with. I also understand why you view it like this, as I did not give you a full breakdown of how I use sandboxie, or for that matter what my security scheme is. I will even say that for a moment, I considered your wisdom of providing a layered approach, which is good advice. Lets just say that I have been down that road before, you know, the one with HIPS and Firewalls and Antiviruses, antimalware, antispyware, anti this and anti that, yep, been there done that. What I have decided is best for me, and that I am happy to share with many who have also been down that road (or realize they are on that road and want to get off), is that all is not lost -- you don't have to employ such things to have security if you don't want to.

    We can leave it like this, you like for your reasons, to have a layered approach consisting of HIPS/firewall or whatever. I like to have a layered approach that only includes sandboxie and imaging and built-in OS tools. I was never saying those are useless, only questioning why you thought not having them was so "risky".

    Oh, it sounds as if you consider my "attitude" as high and mighty, or holier-than-thou. I sincerely wish that were not the case, simply because I try hard not to come off like that, I really really don't like that kind of attitude :thumbd:

    Sul.
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The way it works to my knowledge is that when you (from the tray icon) "disable forced programs" you have 10 seconds to start something that would normally be sandboxed. After that 10 seconds, normal "forced" protection is resumed.

    So, it isn't really all or nothing, only a small window for you to "conveniently" start something outside of the sandbox. I use it when I want to make a change to a config or something. I delete the sandbox, start the program with sandbox disabled, make my config changes, then exit the program. Now, the next time I start the program (forced into a sandbox), because the sandbox is empty, the new changes I made will be there for good. I try my changes in the sandbox, and when I find what I like to keep, I do what I described above.

    Now, you must understand that if you force adobe and firefox into a sandbox, and you start firefox outside of the sandbox, and firefox then spawns the adobe reader, that process is also run outside the sandbox. However, if you were to execute the adobe reader by double clicking a downloaded .pdf file, then adobe reader would be forced into the sandbox.

    So you have the case where once firefox was started outside the sandbox, anything it does, even forced programs, also start outside the sandbox, BUT the forced programs are still forced IF they are not started with the program (firefox) that has been "excluded" temporarily from being forced.

    HTH.

    Sul.
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Typically, from what I have seen, most users who understand sandboxie will examine all of their programs that touch the internet (primarily) and decide which ones pose a risk. Of course it goes without saying that if you download torrents or go to warez or look at pr0n, you likely have a greater risk than someone who simply checks a few forums and hotmail.

    I personally like multiple boxes to give segregation to things such as browsers. I like to lump the "forcing" of media players into one box. email clients get one box for all if I use them. I have other boxes for other purposes, some locked down for testing, others opened up for testing, all depends. I currently have 15 sandboxes.

    Once you decide what programs will be your risk, you also must choose how much to restrict. I personally like to restrict, in all sandboxes, some common registry startup keys, and some common files. I restrict net access and program execution to those in my approved list, and include in the approved list only those peripheral applications that will be needed. I sometimes go so far as to install adobe flash into the sandbox so it is not on my system, but that differs depending on how soon I am replacing my image.

    While things like registry startup keys and common files (boot.ini, autoexec.bat, etc etc) are virtualized if they are for some reason "tampered" with inside the sandbox, one must remember that until you delete the contents of the sandbox, it is live. Meaning, if you get a keylogger or something to autostart, it might not affect your real system, but it does take effect (if it can) inside the sandbox environment. Therefore, I lock down autostart keys and other basic areas, along with restricting what can actually execute and have network access. If all you are doing is looking at naked pictures, and not giving any data out etc, then maybe you don't need to worry about such things. But if you ever do ANYTHING with passwords/accounts, it is best to ensure your sandbox environment stays cleanly limited to only what you want. Also, as has been mentioned many many times, online transactions work very well if you delete the sandbox after you use it for transactions, and only use that sandbox/browser for transactions. Use 2 browsers, one for transactions ONLY, one for everything else.

    Oh, I didn't see this earlier. Spot on thinking. I have a clearer picture now. Very important that others have the know how for sure. One might also assume on this forum in particular, that with so many different ways to approach things, by so many different programs/tools, you almost are forced to research a bit. I could not imagine my wife trying to read this and apply even a fraction of my sandboxie/system settings herself... just not going to happen ;)

    Sul.
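    As an added illustration (not from any post in this thread), here is a hand-written Sandboxie.ini box that puts together the settings discussed in Page42's post #15 (Internet Access and Start/Run Access restricted to the one executable), Osaban's "Drop Rights", noway's forced programs, Sully's locked-down autostart keys in post #19 and Serapis's blocked Java/Flash access. The box name IE_Bank and the Java/Flash paths are assumptions; the key names are the documented Sandboxie.ini settings that the corresponding dialogs write, so compare with what your own Sandboxie.ini contains before copying.

    ```ini
    ; Added example, not from the thread. Box name "IE_Bank" is assumed.
    [IE_Bank]
    Enabled=y

    ; "Drop Rights" (Osaban): programs in the box run without admin rights,
    ; roughly like a standard user account.
    DropAdminRights=y

    ; "Program Start - Forced Programs" (noway, #16): if iexplore.exe is
    ; started unsandboxed it is pulled into this box anyway.
    ForceProcess=iexplore.exe

    ; "Restrictions - Internet Access" (Page42, #15). Naming one program flips
    ; the default "all programs can access the Internet" to "only these":
    ; every process except iexplore.exe is refused the network device
    ; (\Device\Afd*). A keylogger dropped into the box may run, but cannot
    ; send anything out, and SBIE reports the refusal (see below).
    ClosedFilePath=!iexplore.exe,\Device\Afd*

    ; "Restrictions - Start/Run Access" (Page42, #15): only the listed program
    ; may start inside the box; anything else is stopped with an SBIE1308
    ; message. Keep the printing case from post #23 in mind: a helper such as
    ; rundll32.exe that the browser legitimately spawns will be blocked too.
    ClosedIpcPath=!iexplore.exe,*

    ; Sully (#19): autostart keys are virtualised, but the box stays live
    ; until it is deleted, so close them off as well.
    ClosedKeyPath=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    ; Serapis (#9): "Blocked Access" for commonly exploited plug-ins.
    ; Install paths are assumptions; use the ones on your system.
    ClosedFilePath=C:\Program Files\Java\*
    ClosedFilePath=C:\Windows\System32\Macromed\Flash\*

    ; Whether SBIE pops up the "blocked" notices discussed by Sully and
    ; m00nbl00d (#6, #7). Leave them on while tuning the list, so you learn
    ; what the browser actually needs; m00nbl00d turns them off afterwards.
    NotifyStartRunAccessDenied=y
    NotifyInternetAccessDenied=y
    ```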
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's OK.

    But, if you download files to the Desktop, Sandboxie will be prone to give error messages saying it can't run dllhost.exe (I don't quite remember the exact warning.).
    Now, if you never download anything to Desktop, then there's no need to allow dllhost.exe to run in the sandbox, at all.
    If you do, then not allowing dllhost.exe won't stop you from saving files to Desktop; you'll only see a few error messages in a row - most likely - but, you can choose to ignore the error messages and just save it anyway.

    One trick that I've found useful was to, instead of directly Save As - choose Desktop, I actually write C:\Users\username\Desktop, after Save As. This prevents the error messages.

    -edit-

    Just a little note. When I mention, if you wish so, to allow dllhost.exe, I don't mean to allow Internet connection; only to run in the sandbox.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You can choose to run a sandboxed program unsandboxed by right-clicking on its shortcut/executable, and then press CTRL+SHIFT and choose Run sandboxed. This will make the program open outside its sandbox. You do not have to globally disable all sandboxed programs.
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    On my sandboxed browser box only Firefox has internet access and start/run is limited to Firefox, Plugin Container and Foxit. I never added dllhost, even though sometimes I download files to the desktop, nor have I allowed start/run to the SBIE processes.
    I am not getting messages from SBIE for not allowing dllhost, like Moonblood has. If you get messages, add dllhost but otherwise, don't.
    Personally, I don't mind SBIE messages because it tells me if something that I need to run is not being allowed. Sandboxie messages are rare, not an every week thing.

    Bo
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Hi Bo, I'm not getting the dllhost messages either. What I am getting is a rundll32 error message when I print from IE. I found that I could simply close the SBIE1308 message and continue with the printing. But I decided to add rundll32 to the Internet & Start/Run Access. From what I have read on the SBIE forum, and in other places, I am not creating a problem by allowing rundll32 that is located in the windows/system32 folder.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Thanks, m00nbl00d. I'll have to remember that. ;)
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Excellent plan. I set things up that way today on my computers... I added a 2nd IE sandbox strictly for "financial" dealings, and I can delete that sandbox contents immediately upon closing it without impacting my other IE sandbox. I like it! :thumb:
     