Sandboxie Configuration Recommendations

Discussion in 'sandboxing & virtualization' started by TheKid7, Apr 21, 2009.

Thread Status:
Not open for further replies.
  1. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
    Hi ssj100,

As step 5 you recommend: In each sandbox, configure Read-Only access to C:\WINDOWS

To understand the background, why should there be limited access to the Windows folder?

1. Does it make sense if the sandbox is set to auto-delete?
2. On Vista an application cannot write to C:\Windows.
     
  2. ssj100

    ssj100 Guest

    Hi mate. Yes, Read-Only access is not really needed, to be honest. I didn't have it configured like that until Wilders user demoneye suggested it. I think demoneye was just trying to "show off" Sandboxie's power haha!
     
  3. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
  4. outandabout

    outandabout Registered Member

    Joined:
    May 30, 2009
    Posts:
    15
ssj100, thank you so much for sharing your experience with this neat product. Seriously, I believe you when you say you can raise an argument about running an OS only with SB installed. I can really feel for that. This program is magnificent and anyone with the time and patience could really step up his overall safety and browsing experience. During the fine tuning of this little gem and reading through related posts you really understand how your OS works. Funny!!

It has taken me a long week and a lot of research but I managed to create a sandbox only for my banking purposes (more will follow). Eventually I think I will be able to do all my surfing, downloading etc. through Sandboxie. I include my config file for anyone who would like to copy it or take notice of what may be going on there:


    [GlobalSettings]

    FileRootPath=L:\%SANDBOX%
    ProcessGroup=<StartRunAccess_Banking>,iexplore.exe,jqsnotify.exe,jqsnot~1.exe,sandboxiedcomlaunch.exe,sandbo~2.exe,start.exe,sandboxierpcss.exe,sandbo~1.exe,rundll32.exe
    ProcessGroup=<InternetAccess_Banking>,start.exe,sandboxiedcomlaunch.exe,sandbo~2.exe,sandboxierpcss.exe,sandbo~1.exe,jqsnotify.exe,jqsnot~1.exe,iexplore.exe

    [UserSettings_179E0303]

    SbieCtrl_UserName=dmitriy
    SbieCtrl_ShowWelcome=N
    SbieCtrl_ReSyncContextMenu=N
    SbieCtrl_NextUpdateCheck=1555555555
    SbieCtrl_UpdateCheckNotify=N
    SbieCtrl_EnableLogonStart=Y
    SbieCtrl_EnableAutoStart=Y
    SbieCtrl_AddDesktopIcon=N
    SbieCtrl_AddQuickLaunchIcon=N
    SbieCtrl_AddContextMenu=Y
    SbieCtrl_AddSendToMenu=Y
    SbieCtrl_BoxExpandedView_DefaultBox=Y
    SbieCtrl_BoxExpandedView_Banking=Y
    SbieCtrl_WindowLeft=1193
    SbieCtrl_WindowTop=153
    SbieCtrl_WindowWidth=660
    SbieCtrl_WindowHeight=450
    SbieCtrl_Hidden=N
    SbieCtrl_ActiveView=40021
    SbieCtrl_AutoApplySettings=Y
    SbieCtrl_BoxExpandedView_SafeBrowsing=Y
    SbieCtrl_ColWidthProcName=250
    SbieCtrl_ColWidthProcId=70
    SbieCtrl_ColWidthProcTitle=310
    SbieCtrl_BoxExpandedView_Program=Y
    SbieCtrl_HideWindowNotify=N
    SbieCtrl_BoxExpandedView_Downloading=Y
    SbieCtrl_SettingChangeNotify=N
    SbieCtrl_BoxExpandedView_Browsing=Y
    SbieCtrl_ReloadConfNotify=N
    SbieCtrl_EditConfNotify=N

    [Banking]

    Enabled=y
    ConfigLevel=5
    Template=IExplore_Force
    BoxNameTitle=y
    BorderColor=#00FFFF,off
    AutoDelete=y
    NeverDelete=n
    CopyLimitKb=1000
    NotifyInternetAccessDenied=y
    ClosedFilePath=D:\
    ClosedFilePath=E:\
    ClosedFilePath=F:\
    ClosedFilePath=G:\
    ClosedFilePath=H:\
    ClosedFilePath=I:\
    ClosedFilePath=J:\
    ClosedFilePath=K:\
    ClosedFilePath=L:\
    ClosedFilePath=M:\
    ClosedFilePath=N:\
    ClosedFilePath=P:\
    ClosedFilePath=\Device\Mup\
    ClosedFilePath=c:\AUTOEXEC.bat
    ClosedFilePath=c:\boot.ini
    ClosedFilePath=c:\ntldr
    ClosedFilePath=c:\NTDETECT.COM
    ClosedFilePath=!<InternetAccess_Banking>,\Device\RawIp6
    ClosedFilePath=!<InternetAccess_Banking>,\Device\Udp6
    ClosedFilePath=!<InternetAccess_Banking>,\Device\Tcp6
    ClosedFilePath=!<InternetAccess_Banking>,\Device\Ip6
    ClosedFilePath=!<InternetAccess_Banking>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_Banking>,\Device\Udp
    ClosedFilePath=!<InternetAccess_Banking>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_Banking>,\Device\Ip
    ClosedFilePath=!<InternetAccess_Banking>,\Device\Afd*
    NotifyStartRunAccessDenied=y
    DropAdminRights=y
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
    ClosedIpcPath=!<StartRunAccess_Banking>,*
    ReadFilePath=C:\WINDOWS\


What I've done here is basically blocked everything off. I use Firefox as my main browser but for my banking needs I installed an instance of IE8, clean, no addons etc.

Only a couple of things I cannot figure out and I would really appreciate it if somebody could help.
I've got KeyScrambler installed and I was wondering how it can be enabled in my sandbox and function properly when all programs are disallowed except Internet Explorer and Java. It doesn't make sense.
Also, when I choose to print something to OneNote the process happens and OneNote opens even though it does not have permission to start.

Thanks a lot guys!!
     
  5. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
I have a similar sandbox setup and for me, Sandboxie automatically detected KeyScrambler was running when I launched my browser and just added it to the list of allowed applications for me.
     
  6. outandabout

    outandabout Registered Member

    Joined:
    May 30, 2009
    Posts:
    15
Thanks bro for that. Do you have any problems with IE? It runs really slow, about 15-20 seconds to load. A weird behavior that I didn't have originally. Since my last post (the one above), I reformatted my PC. Afterwards I set up my sandbox with the exact same settings; I've only added additional restrictions to User Accounts and My Documents. And now I cannot load pop-ups from various banks. I do have the pop-up blocker disabled and all IE settings are at the default state, which normally, running in an unsandboxed browser, wouldn't cause any problem :<
     
  7. greensnowy

    greensnowy Registered Member

    Joined:
    Jul 9, 2009
    Posts:
    2
    I have seen several posts recommending the following settings, but I do not understand why these are needed, or the reason for setting them. And, I do not know much about the inner workings of windows.
    Code:
    ClosedFilePath=C:\AUTOEXEC.BAT
    ClosedFilePath=C:\boot.ini
    ClosedFilePath=C:\ntldr
    ClosedFilePath=C:\NTDETECT.COM
    I understand the importance of ClosedFilePath = sensitive data areas. The above settings seem to be related to startup of Windows, and I think that under normal circumstances after Windows boot up, they are not accessed by any programs at all. So, I don’t see any harm closing those paths, but, are they necessary? Are there any other paths or core system files that one will consider to block the read access in the sandbox?
    Code:
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
    I think the above are autorun related. Again, I don’t see any harm closing those paths, but, are they important in that one should block read access to those paths? Are there other registry paths that one should consider blocking too?
     
  8. ssj100

    ssj100 Guest

    Very good question and I'd also like to know the answer to that. The only ClosedFilePaths I use are to my "My Documents" folder, as it potentially contains some sensitive material. I don't use any ClosedKeyPaths.

    Any experts out there care to recommend otherwise, and state their reasons? Thanks.
     
  9. greensnowy

    greensnowy Registered Member

    Joined:
    Jul 9, 2009
    Posts:
    2
    Sorry to bump this but I could really use some input/guidance. Thanks.
     
  10. testsoso

    testsoso Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    138
I guess, but I'm not sure, that the settings

ClosedFilePath=C:\AUTOEXEC.BAT
ClosedFilePath=C:\boot.ini
ClosedFilePath=C:\ntldr
ClosedFilePath=C:\NTDETECT.COM

stop sandboxed programs from reading those files...
Or if we set them to read only, then the sandboxed programs can't rename them or do anything else with them..

And one more question, or maybe a feature request: can we set the sandboxed programs to, for example, ClosedFilePath=C:\ but exclude \program path\ and %personal%\temp etc.? This way the sandboxed programs can run but can't read anything else from the partition, which may increase security...
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
I think Sandboxie's processes are allowed by default and don't need to be in there?

Wouldn't the entries below suffice for a restricted banking sandbox?
     
  12. ssj100

    ssj100 Guest

I think that'd suffice too, especially if you only use one particular browser to do banking and other sensitive browsing. I have mine set to auto-delete too, so that I always start with a freshly installed browser each time I open it. Also, I always block access to "My Documents" in all my sandboxes, including the banking one.
     
  13. ssj100

    ssj100 Guest

    Here's an updated version of how I configure my Sandboxie (I've added steps 13-15).

    Here's how I configure my Sandboxie:
    1. Create as many separate sandboxes as is required for your internet facing applications. Try to have one separate sandbox per internet facing application.
    2. In each sandbox, use the appropriate start/run and internet access restrictions and only allow your program to start/run and access internet within its sandbox. You may also need to allow other programs depending on whether the application interacts with other processes.
    3. In each sandbox, enable Drop my rights.
    4. In each sandbox, block file access to any areas of your computer containing sensitive information (eg. “My Documents”).
    5. In each sandbox, configure Read-Only access to C:\WINDOWS
    6. In each sandbox, force the relevant application to always run in its sandbox
    7. Do not use any OpenFilePath rules for any internet browsers (note there are a few exceptions here, like enabling an OpenFilePath rule to allow direct access to Firefox phishing database)
    8. You will need at least 2 browsers. One browser will be used for everyday browsing and other non-critical/sensitive activity.
    9. The other browser will be used for online banking and other critical/sensitive activity.
    10. For the browser in step 9, configure its sandbox to automatically delete whenever the browser closes.
    11. Depending on the nature of your other internet facing applications, you may choose to also configure their respective sandboxes to automatically delete on closing.
    12. This step is obviously optional: have one sandbox to test applications/malware in (the DefaultBox will do) where the only configurations are to enable automatically delete and block file access to any areas of your computer containing sensitive information (eg. “My Documents”).
    13. Create separate sandboxes for each USB/external drive hardware you have connected (or would connect) to your computer. Force run the relevant drive letter to run in the relevant sandbox. Other configurations/restrictions may be applied here (see above).
    14. Create separate sandbox(es) for your CD/DVD drive(s). Force run the relevant drive letter to run in the relevant sandbox. Other configurations/restrictions may be applied here (see above).
15. Create a separate sandbox for your Virtual Machine program, and force run it in this sandbox. Other configurations/restrictions may be applied here (see above).
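The per-box checklist above, turned into a configuration audit. This is an added example, not part of ssj100's post and not Sandboxie's own tooling: a Python script that parses a Sandboxie.ini of the kind posted earlier in this thread (repeated keys, ProcessGroup definitions in [GlobalSettings], the `!<Group>,path` exclusion form) and reports which of steps 2, 3, 4, 6, 7 and 10 a box is missing. The embedded .ini is constructed for the example; the box names, `%Personal%` standing for My Documents, and the three network device paths checked are assumptions. Step 5 (read-only C:\WINDOWS) is deliberately not required by the audit, since a later post in this thread reports it breaks printing from IE8.

```python
"""Audit boxes in a Sandboxie.ini against the per-box checklist above.

Added example, not Sandboxie's own tooling. Parses the .ini format shown in
this thread (sections, repeated Key=Value lines, ProcessGroup definitions and
the "!<Group>,path" exclusion form) and reports missing restrictions.
"""
import re

# Constructed sample (assumption: %Personal% stands for My Documents).
# "Browsing" is set up loosely; "Banking" follows steps 2, 3, 4, 6, 7 and 10.
SAMPLE_INI = r"""
[GlobalSettings]
ProcessGroup=<InternetAccess_Banking>,iexplore.exe
ProcessGroup=<StartRunAccess_Banking>,iexplore.exe,rundll32.exe

[Browsing]
Enabled=y
ForceProcess=firefox.exe
OpenFilePath=%Personal%\Downloads\

[Banking]
Enabled=y
ForceProcess=iexplore.exe
AutoDelete=y
DropAdminRights=y
ClosedFilePath=%Personal%\
ClosedFilePath=!<InternetAccess_Banking>,\Device\Afd*
ClosedFilePath=!<InternetAccess_Banking>,\Device\Tcp
ClosedFilePath=!<InternetAccess_Banking>,\Device\Udp
ClosedIpcPath=!<StartRunAccess_Banking>,*
"""

# Device paths that must be closed to everything outside one process group
# (assumption: a subset of the paths the config posted in this thread closes).
NETWORK_DEVICES = (r"\Device\Afd*", r"\Device\Tcp", r"\Device\Udp")


def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def process_groups(cfg):
    """Map '<GroupName>' to the set of process names defined in GlobalSettings."""
    groups = {}
    for key, value in cfg.get("GlobalSettings", []):
        if key.lower() == "processgroup":
            name, *members = value.split(",")
            groups[name.strip()] = {m.strip().lower() for m in members if m.strip()}
    return groups


def values(box, key):
    return [v for k, v in box if k.lower() == key.lower()]


def exclusion(value):
    """Split '!<Group>,path' into (group, path); a plain path gives (None, path)."""
    m = re.match(r"^!(<[^>]+>),(.*)$", value)
    return (m.group(1), m.group(2)) if m else (None, value)


def audit_box(cfg, name, sensitive=("%Personal%",), expected_procs=None):
    """Return a list of findings for one box; an empty list passes the checklist."""
    box, groups, findings = cfg[name], process_groups(cfg), []
    forced = values(box, "ForceProcess") + values(box, "ForceFolder")
    if not forced and not any(t.endswith("_Force") for t in values(box, "Template")):
        findings.append("no ForceProcess/ForceFolder: program can run outside the box (step 6)")
    if values(box, "DropAdminRights") != ["y"]:
        findings.append("DropAdminRights missing (step 3)")
    if values(box, "AutoDelete") != ["y"]:
        findings.append("AutoDelete missing (step 10)")
    closed = [exclusion(v) for v in values(box, "ClosedFilePath")]
    for path in sensitive:  # ClosedFilePath denies reads too, unlike plain redirection
        if not any(g is None and p.lower().startswith(path.lower()) for g, p in closed):
            findings.append(f"{path} not in ClosedFilePath (step 4)")
    net_groups = {g for g, p in closed if g and p in NETWORK_DEVICES}
    covered = {p for g, p in closed if g}
    if not all(d in covered for d in NETWORK_DEVICES) or len(net_groups) != 1:
        findings.append("internet access not restricted to one process group (step 2)")
    elif expected_procs is not None:
        members = groups.get(next(iter(net_groups)), set())
        if members != {p.lower() for p in expected_procs}:
            findings.append(f"internet group members {sorted(members)} != expected (step 2)")
    ipc = [exclusion(v) for v in values(box, "ClosedIpcPath")]
    if not any(g and p == "*" for g, p in ipc):
        findings.append("start/run not restricted: no 'ClosedIpcPath=!<group>,*' (step 2)")
    if values(box, "OpenFilePath"):
        findings.append("OpenFilePath present: direct writes bypass the sandbox (step 7)")
    return findings


def audit_all(text, expected=None):
    """Audit every box section; GlobalSettings and UserSettings_* are skipped."""
    cfg, expected = parse_ini(text), expected or {}
    return {name: audit_box(cfg, name, expected_procs=expected.get(name))
            for name in cfg
            if name != "GlobalSettings" and not name.startswith("UserSettings")}


if __name__ == "__main__":
    for box, findings in audit_all(SAMPLE_INI, {"Banking": ["iexplore.exe"]}).items():
        print(f"[{box}] {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run against a real Sandboxie.ini by passing its text to `audit_all` and a map of box name to the processes that should be the only ones with network access. The reason the My Documents check looks for a plain `ClosedFilePath` rather than a `ReadFilePath` is the distinction the thread circles around: the sandbox already redirects writes, so what a sensitive-data closure has to stop is reading, and only ClosedFilePath does that.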
     
  14. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Yesterday I added several programs to Restrictions->Start/Run Access. Now I get error when I try to print from IE8 and Firefox 3.52. IE8 and Firefox 3.52 have separate sandboxes with basically the same configuration. How can I correct this?

    Thanks in Advance.
     
  15. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    @ssj100: Just one question - why would you want to run a virtual machine sandboxed??
     
  16. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    To get IE8 to print I had to remove the following:
    Resource Access->File Access->Read Only Access->C:\WINDOWS\

    Then to remove an error about rundll32.exe not being able to run due to access restrictions I had to add rundll32.exe to the Start/Run Access.

    Restrictions->Start/Run Access->rundll32.exe

Does anyone know what needs to be written to C:\WINDOWS\ in order to print?

    Thanks in Advance.
     
  17. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Hi, TheKid7.

    Read Only for the file access is just too restrictive.

    Read Only for registry, this is a much better setting. Gives the right balance of protection and real-time usability.
     
  18. ssj100

    ssj100 Guest

    Just because some people say malware can leak out of a virtual machine haha. Don't ask me how, ask them.
     
  19. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
Got a quick question about Sandboxie. Let's say there's malware in a zip or rar file etc. and you unzip the archive to a folder. Is there a way the malware can activate just from extraction without actually executing the file inside? If so, how can you set Sandboxie to protect you from that?
     
  20. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    No, I don't see how that's possible and literally years of downloading these files has proven my thoughts. I've seen hundreds upon hundreds of viruses and malware stuffed into these things, and at no time has unzipping or exploring inside them without actually unzipping them caused anything to ever infect. If there are multiple files inside, I simply delete the malicious file/files and keep the rest.
     
  21. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
Alright, thanks for clarifying then. No need to worry about Sandboxie protecting archivers then.
     
  22. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
Is it suggested to run uTorrent sandboxed?
     
  23. ssj100

    ssj100 Guest

Yes, I sandbox my uTorrent.

And yes, unzipping an archive file will not infect you spontaneously. PrevxHelp has confirmed this.
     
  24. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
Ah ok, well good to know a professional has confirmed it then, that makes me feel better :thumb:

But what do you do about network access for uTorrent? Does it cause any issues with trackers when you add uTorrent to internet access?
     
  25. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
Is there any danger in allowing Firefox direct access to its cookies and its profile folder? Or is there a way to safely do this without giving direct access? Because it's a pain having to start Firefox unsandboxed when I need a certain cookie saved...
     