Proper way to use sandboxie? What is Sandboxie (+Restrictions)?

Discussion in 'sandboxing & virtualization' started by GrammatonCleric, Aug 20, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    You are right, and nor should there be a FQP. If one were to instead force a folder path such as c:\program files\internet explorer, then copy & paste iexplore.exe to the desktop, it will launch from there unsandboxed, as opposed to simply specifying Program Start => Forced Program => [iexplore.exe]. The latter restriction forces iexplore.exe sandboxed no matter where it's launched from. And as you mentioned, you can even re-name another executable to iexplore.exe and it will be forced sandboxed when launched from wherever it's located.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Well, I would say there are valid reasons for having an FQP, just as there are for not having one. In a default state, it works well not to have one. For more granular restrictions, it would be nice to have one.

    It is very much like SRP IMO in regards to this matter.

    Sul.
     
  3. wat0114

    wat0114 Guest

    Right, such as user space directories like my documents, desktop, application data, or some downloads directory, for example, anywhere write privileges are granted. That way single file executables when launched from these directories are forced sandboxed. You mention SRP. If SRP or applocker is combined with Sandboxie and one can swallow their pride and run as limited/standard user, the security implications of such a setup could be breathtaking - a veritable nightmare for even the most malicious malware lurking in the 'Net :D

    BTW, if you restrict forced programs to a FQP, how will this stop a malicious file named as one of them from launching in a different directory?
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It is really simple.

    Suppose I had a sandbox named "Firefox" whose job was to force firefox.exe into it, and to use a start/run restriction so that only firefox.exe is able to run in the sandbox.

    Under a non FQP situation, any file named firefox.exe will be forced into this sandbox, and may run. Any file not named firefox.exe will not be allowed to run in this sandbox.

    What are the dangers? Only that some other program named firefox.exe is running, and that it might harvest data it has access to and send it home.

    Now, if I had the same setup, but I used a FQP of "c:\program files\mozilla firefox\firefox.exe", then only that one executable would be allowed to run. Any other file named firefox.exe would not be allowed to, only the one at the FQP.

    It would be hard for that sandbox to get compromised. First, because the FQP firefox.exe is the only thing allowed to run, it would have to be running in the first place for a malicious file to be brought in from that sandbox. But, because the process is already running, it could not "easily" be replaced by a counterfeit firefox.exe. It is mutually exclusive then that it cannot happen from firefox.

    Now, if we suppose that you used IE, and it got a malicious file that masqueraded as firefox.exe, it would then be able to replace the real firefox.exe with the fake firefox.exe - providing the real firefox.exe was not already running. Now you cannot count on the security as an outside source modified the real firefox.exe to a fake firefox.exe. And because it replaced it at the FQP, it would be allowed to run, although it would be sandboxed.

    The best deterrent would then be to use an FQP and to make sure other processes like browsers or email clients ran at user level, which can be either done with UAC or with Integrity Levels. This way you ensure no firefox.exe can run except the FQP one, and your other programs are not allowed to modify anything in %program files% without explicit permission.

    Sul.

    EDIT: One must also remember that if you run IE sandboxed, you don't have to worry about a fake firefox.exe, as the fake firefox.exe would only reside within the IE sandbox. This is one reason why I always use different sandboxes for different browsers. If you use one sandbox for all your browsers, then the IE process could put a fake firefox.exe in the sandbox, and when you start firefox.exe, it is possible that it loads the firefox.exe that is in the sandbox (the one IE put there), and you are no longer starting the real firefox.exe that exists at %program files%, but instead you are starting the firefox.exe that lives at c:\sandbox\box-name\drive\program files.
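As an added example (not from any post in this thread), here is a PowerShell audit that makes the point in Sully's post concrete: list every firefox.exe a launch could resolve to, including any copy a browser has dropped inside a box under c:\sandbox (the box root named in the post; that it is your box root is an assumption), and show for each one whether it is the file at the expected fully qualified path and whether it carries a valid Authenticode signature. The expected path and the search roots are assumptions to adjust to your own install; it needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not from the thread. $Expected is the "FQP" of the discussion
# and is an assumption; adjust it to the real install location.
$Expected = 'C:\Program Files\Mozilla Firefox\firefox.exe'

# Places a look-alike firefox.exe could sit: both Program Files trees, the
# user profile (Desktop, Downloads, AppData ...) and the Sandboxie box root.
$Roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:USERPROFILE,
    'C:\Sandbox'                      # assumed box root, as in the post
) | Where-Object { $_ -and (Test-Path $_) }

$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Filter 'firefox.exe' -File -ErrorAction SilentlyContinue
}

# One row per copy: is it the expected path, is it signed, who signed it,
# and its hash so a relocated genuine binary can be told from a counterfeit.
$report = $hits | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path      = $_.FullName
        IsFQP     = ($_.FullName -ieq $Expected)
        SigStatus = $sig.Status                     # Valid, NotSigned, HashMismatch ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

$report | Sort-Object IsFQP -Descending | Format-Table -AutoSize -Wrap
```

A genuine firefox.exe copied to the Desktop shows up with a Valid signature and the same SHA256 as the real one but IsFQP false: that is the case a name-only forced-program rule catches and a path-only rule would not. An entry that is NotSigned, HashMismatch, or signed by someone other than the expected publisher, wherever it sits, is the counterfeit the post worries about, and a copy under the box root is one a browser put there.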
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Why not simply sandbox all programs? =p
     
  6. Gizzy

    Gizzy Registered Member

    Joined:
    Oct 5, 2007
    Posts:
    149
    Location:
    NJ, USA
    Just to clear things up, something that I haven't noticed mentioned yet:
    If you setup a sandbox to only allow "firefox.exe" to run, then even if a file was downloaded into the sandbox named "firefox.exe" it wouldn't be able to run; it has to be outside of the sandbox.

    Files added into the sandbox are excluded from the Start/Run and Internet Access list.
     
    Last edited: Aug 22, 2011
  7. wat0114

    wat0114 Guest

    Very nicely explained Sully, and now I see a key benefit to using separate sandboxes :thumb:

    What are your thoughts on malware named as firefox.exe somehow written to, say, a user's desktop, and to make matters worse, the user is running as administrator, and inadvertently launches it. It runs unsandboxed unless, of course, the user forces these user spaces and other download directories sandboxed, and could compromise the system?

    Yep, one could use a VM :)
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    VM wouldn't do it properly though. In a VM you protect your host system but anything in the VM is still vulnerable. Specialized sandboxes for each program would give the best possible protection -- but would there be performance issues?
     
  9. wat0114

    wat0114 Guest

    One just has to restore a snapshot, so vulnerabilities in the vm should not be an issue, but resource usage is going to be higher in a vm, I would think. Specialized sandboxes might just be the best route to go, as Sully and others are doing.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    But a VM contains your entire system. So if Firefox in your VM is exploited the rest of your system is compromised.

    On a system with multiple sandboxes you can have Firefox exploited but it's controlled in the VM.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It is a distinct possibility, thats for sure.

    Using an FQP would be advantageous in certain situations, but not all.

    Suppose I created two sandboxes for my browsers: firefox and opera. I force firefox and opera into their respective sandbox using a FQP. I restrict those sandboxes to only allowing firefox and opera to run, along with maybe foxit or something like that. AND I NEVER USE ANY OTHER BROWSER... PERIOD! Unless of course I make a sandbox for it ;)

    I then create a sandbox for my email client, if I use one. Again, I set the restrictions in place. And suppose I create yet another sandbox for my media players, with restrictions in place.

    Now these sandboxes are created with a very specific intent - to create my virtual environment for my common internet facing applications - and I want to use a FQP on them.

    Since I am using FQPs, I have the distinct possibility that "somehow" a fake firefox.exe or opera.exe could exist somewhere. But what if we were to create a "catch all" sandbox that had all of the same executables that I used in the other specific sandboxes, but it had the capability to have a "not" filter, so that I could say NOT firefox.exe at the FQP.

    I would then be able to have some certainty that my real firefox at the FQP is only going to be allowed to run in one sandbox, and I also know that ANY OTHER file named firefox.exe would be forced into a sandbox with maybe limitations such as no outbound network access. Now that would be pretty nifty, and easy to setup because you are being very specific with a very small amount of items.

    You don't need to worry about whether you are admin or not, nor do you have to sandbox everything, only the very specific items that you feel need to be targeted.

    As you suggest though, what if it were possible to get a strange firefox.exe on the desktop? First I would ask, how does it get there? The answer would be that you would not knowingly place it there if you thought it was malicious. If you were in question, then you could scan it or run it in your test sandbox, or a VM, whatever is needed for you to "trust" it. If you trust it, then whether you are admin or UAC, if it wants root, you trust it so you give it root. Game is over, same end scenario no matter what you do.

    But, what if you only got that fake firefox.exe there by recovering from a sandbox, where it was downloaded into? The prompt came up to recover, you said yes, BAM! it is on the real desktop. That I could see happening pretty easily.

    I have actually run that scenario through my little bitty pea-brain on more than one occasion. That is one reason why I almost never recover anything from my browser sandbox. I mean it, never. But, I do something in place of it. I set all my browsers to download to the c:\users\user-name\downloads directory in win7. And in every sandbox I give direct access to this directory. So, I never recover to anywhere, as all downloads are already in a real, physical location.

    To keep this downloads location safe, I created a sandbox just for it. This sandbox forces any and everything in the downloads directory into itself. It allows anything to execute, but it allows nothing network access. If I get a drive-by, and it executes, it is running within my limited "downloads sandbox". Further, I set this downloads directory to Low Integrity Level as well. I assume that the sandbox will always force these items into itself, but I figure an extra layer in the real OS can't hurt either.

    So, while what you describe is very real, I circumvented it. It simply cannot happen unless I deviate from my protocol, which I practically never do. People around here might wonder why I don't use an AV and such stuff, and might even wonder if my claims of remaining problem free are true. Well, they are true, and I just explained one of the ways I go about doing it. I am not stupid, I have MBAM available if needed. I have uploaded things to an online scanning house at times. But usually, I just follow my protocol, and thankfully know enough to inspect what a certain "untrusted" file is doing. I might start it in vmWare if I really want to know, and load up some various tools in the VM to inspect it.

    But, it all starts by segregating my sandboxes, and understanding what is going to happen when I do certain things. Sandboxie is my frontline and middle line of defense, and part of my backline too. I still rely on some inbuilt security mechanisms like Integrity Levels, and I also rely on my knowledge, but more than anything it is my protocols and practices that I follow that give me that comfy and secure feeling.

    Sul.
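The Low integrity label Sully puts on his downloads directory can be set and checked with icacls from PowerShell, as in this added example (not from the thread). Windows starts a new process at the lower of its parent's integrity level and the mandatory label on the executable image, so once the label inherits to files created in the folder, an executable that lands there and is launched runs at Low integrity, whether or not Sandboxie also forces it into a box. The folder path is an assumption; the Sandboxie forced-folder rule itself is set in Sandboxie Control as the post describes. The owner of a folder may lower its label without elevation; only raising a label needs SeRelabelPrivilege.

```powershell
# Added example, not from the thread. Assumed path: the Win7 per-user Downloads folder.
$Downloads = Join-Path $env:USERPROFILE 'Downloads'

# Apply the Low mandatory label. (OI)(CI) makes files and subfolders created
# there later inherit it, so a drive-by download is labeled Low on arrival.
icacls $Downloads /setintegritylevel '(OI)(CI)Low'

# Verify the folder carries the label (the default policy NW = no-write-up).
icacls $Downloads | Select-String 'Low Mandatory Level'

# Verify inheritance: a fresh file in the folder must show the label as inherited, (I).
$probe = Join-Path $Downloads 'il-probe.txt'
New-Item -Path $probe -ItemType File -Force | Out-Null
icacls $probe | Select-String 'Low Mandatory Level'
Remove-Item $probe

# Show the effect on execution: a copy of cmd.exe placed in the folder inherits
# the Low label, and a process started from that image reports itself as
# "Mandatory Label\Low Mandatory Level" in its own token.
$probeExe = Join-Path $Downloads 'il-probe-cmd.exe'
Copy-Item -Path (Join-Path $env:SystemRoot 'System32\cmd.exe') -Destination $probeExe
icacls $probeExe | Select-String 'Low Mandatory Level'
Start-Process -FilePath $probeExe -ArgumentList '/k whoami /groups | findstr /i "Mandatory Level"'
# Close that window, then: Remove-Item $probeExe
```

Compare the output of the started window with `whoami /groups | findstr /i "Mandatory Level"` run from your normal shell, which reports Medium (or High when elevated): the only difference between the two cmd.exe processes is the label on the image file they were started from.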
     
  12. wat0114

    wat0114 Guest

    Sully, you might just have the Holy Grail setup for Sandboxie :thumb: Until last night, I couldn't see the point in FQP, but it makes complete sense to me now. My mindset was stuck on AppLocker, where path rules are not recommended and for good reason, but obviously in Sandboxie it can be a good idea. Time to re-think and re-tool things :) This is a great thread because not only are people posting how they use Sandboxie, but also why they choose the way they use it.


    True, it contains the entire system, but if one keeps all private data off the vm, then it really shouldn't matter if it does get compromised. I run my Win7x64 vm in my host's Win7x64 standard account, and I don't have anything of personal/private matter in the vm related to me. Any time I do some experimenting whether with legit (mostly) or dangerous (rarely) programs, I immediately restore to last known good snapshot when I'm done, and of course if something were to leap, Ninja-like, out of the vm to the host, the latter is a standard account protected by AppLocker, EMET and semi-strict firewall rules.

    Actually, there was a forum member, who doesn't post any more, who successfully ran his Virtualbox vm in Sandboxie, virtually (no pun intended) guaranteeing complete isolation between the vm and host. Of course there is also the possibility, amongst others, of running Sandboxie within the vm, which would be my preference.
     
    Last edited by a moderator: Aug 22, 2011
  13. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Ok one extra question.

    Assuming I do create "direct Access" for my browsers that are sandboxed to my downloads folder on Windows 7.
    Now assuming the browser gets a drive by and it downloads to the Direct Accessed folder and autoexecutes. I presume that drive by will auto execute with the sandboxed browser rights within the sandbox correct? I mean it was spawned by exploiting the sandboxed process so it should have inherited that process permissions.

    I do not want to create a sandbox for my downloads folder since that is why I gave direct access to that folder.
    Basically I want to have the ability to download files into real folder where I don't have to perform "recovery" meanwhile still have the protection of a sandboxed browser.

    Mainly I download drivers and files that I want to execute so I don't want to break out from two sandboxes just to execute a file that I want to install.


    Mainly in a gist, what is a safe way to setup a sandboxed browser while still having the ability to access a real download folder without the need to recover?
    Is the fact of providing direct access to folder punching a hole in the sandbox security?
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If what you are downloading is safe for you, then don't force the downloads directory into a sandbox. The integrity of your system will be on your shoulders then, as the downloads directory will not be sandboxed. Not a big deal. Maybe you plan on running as UAC or you use AV and other tools.

    You could also monitor your downloads directory in the QuickRecovery section. Any directory in that list will be monitored, and the popup box will ask you if you would like to recover. It is a method you can use that will be relatively easy since SBIE will prompt you, yet not punch a hole in SBIE the way DirectAccess does.

    I don't consider direct access to my downloads directory to be a flaw or anything. I know what is placing files there, and as you suggest, if my sandboxed browser places something there, and then it executes it, it will be sandboxed.

    The concern lies in executing what you download. So whether you sandbox it or scan it or whatever, that is where your worry might come from.

    Sul.
     
  15. RT808

    RT808 Registered Member

    Joined:
    May 16, 2011
    Posts:
    9
    Side issue: if you use Xmarks for firefox, you can deny firefox access to the bookmarks on your hard drive.
     