Sandboxie Configuration Recommendations

Discussion in 'sandboxing & virtualization' started by TheKid7, Apr 21, 2009.

Thread Status:
Not open for further replies.
  1. ssj100

    ssj100 Guest

    Sorry, but that's just beyond me. I don't even understand what's going on in that screenshot. Still, it feels like you're using Sandboxie for something that it was never intended for. Hasn't Tzuk already said/implied that you're not meant to drag and drop files into the Sandboxie folders like that?

    Also, what has Tzuk said about your question?
     
  2. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    Yes it is. It is only deleted in the virtualized environment. The contents in the REAL C:\Windows never gets touched.
     
  3. ssj100

    ssj100 Guest

    Yes, I wasn't talking about the REAL C:\Windows.

    And that's why many people have asked why it's needed to be set. As I've said, I don't think it's needed at all. It was just an idea by demoneye just to show off the configurability of Sandboxie.

    Anyway, didn't realise you were using LUA too now?
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I'm not using LUA. What makes you think that?
     
  5. ssj100

    ssj100 Guest

    Ah never mind then. Just that you said (the REAL) C:\Windows is read-only by default, which it is in LUA, but not in administrator mode. I guess you were giving information for my context. Cheers.
     
  6. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    Not sure if this is relevant, but I find that if Sandboxie Control is open when I shut down a sandbox, the sandbox will always delete. If Sandboxie Control is not open, the sandbox never seems to delete. I use "seems" because I can't say for certain it has always happened like that, but it has every time I have tested it.. At least, that is how it works on my machine / set up...
     
  7. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    That is a little bit inconvenient though ... for me ... having to open the Sandboxie control (btw do you mean every time right clicking taskbar icon and then right click/delete sandbox contents?). But yeah, there is definitely a problem somewhere with the deleter on my set-up, like yours. Also, the SDelete option doesn't work. I have tried many times to get it working but it don't wanna play. Heidi eraser is the only option that works 100%, for me.

    Anyway. /end of growl



    :)
     
  8. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    No, I meant if Sandboxie Control is actually running (i.e. it has been called since logging on, even if "quiet" down in the bottom right corner) before say a browser or other sandbox is exited, then for me that user's sandbox gets emptied. Also, if I download something, and Sandboxie Control is running, then at the end of that download it automatically and immediately asks if I want to recover the download. If SC has not been opened (at all), then it leaves it and I have to physically recover it myself at some stage.

    Yes, I suppose it can be inconvenient.. I guess if I wanted recovery and deletion always to happen automatically, I would simply put Sandboxie Control into my start up programs.. Then for my set up - that's set and forget.. Obviously, that is just my set-up, so not sure if that helps you..
     
  9. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    Does anyone see a problem with this rule?

    I'm trying to make a configuration for my gf who has a knack for getting malware on her computer. She doesn't want to deal with any security software herself and doesn't want anything I install to limit her programs. So in regards to Firefox, it has to have access to her bookmarks, history, cookies and saved passwords. I read that letting Firefox access the entire Profile could be questionable so I felt the above line would be a little safer in regards to saved passwords.
     
  10. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Not a Firefox user but there are templates for browsers which gives the user some ease of use accessible via Sandbox settings > Applications > Web browser. Have you tried to enable those templates for Firefox?
     
  11. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    Yes I have all the options selected for Firefox except for "access to entire Firefox profile folder" since there is no consensus on whether or not it is safe. Without access to signons.sqlite, passwords did not seem to work. I figured giving access to one file is better than giving access to the entire folder.
     
  12. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    Is there any use for an add-on like Keyscrambler if you run internet browsers sandboxed? The scenario I am imagining is my gf opens a sandboxed browser, goes to a torrent/mp3 site, picks up a keylogger inadvertently, and decides to do some banking. Should I be worried enough to install something like Keyscrambler?
     
  13. wat0114

    wat0114 Guest

    Go to: Sandbox settings-> Restrictions-> Internet access, then just add only your selection of programs that are allowed Internet access from the sandbox. I'm sure some eager beaver will, however, jump in with a much better solution than this one, so hang tight as the suggestions come pouring in.
     
  14. ssj100

    ssj100 Guest

    I like wat's suggestion. I would also configure the browser sandbox(es) to also have restrictions with what programs can start/run (as well as those internet access restrictions).

    But to be even more "100%" against potential keyloggers, may I suggest this:

    As you can see in this way, the browser in step 9 will always open "freshly installed", and there will be no chance for any keyloggers to hide within that sandbox.
     
  15. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Agree with the two answers above but there is one extra very important point that everyone should follow using Sandboxie and that is that whenever going to a site that will require the entering of sensitive information like credit card details you must close the browser first and then reopen it, this ensures that there is nothing in the sandbox, do your transaction and then close the browser again to ensure that there is nothing for a keylogger to see if you pick one up later on.
     
  16. ssj100

    ssj100 Guest

    Yes, that is very important if you want to be super-secure. Arguably, you should close all other running sandboxes too.
     
  17. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    Thanks for the replies. It seems I've been able to get her to agree to restart the browser before doing any banking/financial stuff but not e-mail and such. So I'll set up forced Firefox that automatically deletes contents.

    I suppose I have another noob question. Do I need to give my AV start/run access so that it can scan files downloaded in the sandbox? Maybe I haven't downloaded a big enough file but I don't see it scanning at the end of a download automatically.
     
  18. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
    I did not need to give my AV (Eset) any special permissions, such as Start/Run Access. It scans my sandboxes just like it scans my non-SBIE files. As recently as four days ago Eset lit up when I was trying to download a sandboxed version of the newest version of VDownloader (apparently there's something in the latest VDownloader that Eset doesn't like). But the bottom line is my AV scans sandboxed files without any special settings being needed.

    Sit tight and see if other SBIE users concur or have different experiences.
     
  19. ssj100

    ssj100 Guest

    Correct.
     
  20. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    Both of you are very correct. I caught my AV scanning. Thanks again.
     
  21. ssj100

    ssj100 Guest

    Instead of creating a new thread, I thought I'd just continue in this old one. A couple of Wilders users have asked me how to conveniently open a folder with a sandboxed explorer.exe. As usual, this is for Windows XP systems:

    1. Right click your desktop
    2. Left click "New" - "Shortcut"
    3. Browse to "C:\Program Files\Sandboxie\Start.exe"
    4. Left click "Next" - "Finish" (you can choose to change the names etc as you please)
    5. Right click your newly created shortcut file and click "Properties"
    6. Here is the slightly tricky part: enter this new command in "Target":

    Okay, here's what the bits in bold mean:
    1. ABCDEFG = the name of the sandbox you're wanting to open the folder with. Make sure this is the exact name.
    2. 1234567 = the system address of the folder you're wanting to open sandboxed. For example, if you're wanting to open "My Documents" sandboxed, it would be as follows: "C:\Documents and Settings\XXXXXXX\My Documents"
    (where "XXXXXX" is the name of your current user/admin account).

    I hope that helps.
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Nice. You can also manipulate a context menu for directories only, that forces an explorer.exe instance into a specific sandbox, much like the 'open command prompt here' method. Merge this registry file with the correct /box:BOX NAME HERE data.

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\Directory\shell\Sand_Dir\command]
    @="\"C:\\Program Files\\Sandboxie\\Start.exe\" /box:downloads_box \"%1\" %*"

    Benefit to this is that you only need to right click on any folder/directory and it will open at that specific directory instead of a generic explorer shortcut. Nothing wrong with generic shortcut, but sometimes you might want to be already in explorer looking at some directories, and rather than navigate to that same directory again with the generic shortcut this one gets you right where you want to be.

    You can also manipulate file types. Suppose you desired to open every .mp3 file inside a certain sandbox. It can be done with a context menu reg value as below. In this case, the default player will still load, but by putting the sandboxie reg value under the 'mp3file' key, you now have an option specifically for those file types. One could EVEN go so far as to make the default action for a filetype be to start in a sandbox, thus you could force items into a sandbox yourself. Not the way I would want to do it for many items, but it can be done.

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\mp3file\shell\sand_play\command]
    @="\"C:\\Program Files\\Sandboxie\\Start.exe\" /box:downloads_box \"%1\" %*"

    Just some more geekness for those who are interested.

    Sul.
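
Added example (not part of Sully's post or of Sandboxie itself): a small pre-merge check for .reg files like the two above, confirming that each `command` value really routes through Start.exe, pins a `/box:` name, and quotes `%1`. The Start.exe path is the one shown in the post; the allowed box-name characters and the second, deliberately broken sample entry are assumptions made for the illustration.

```python
import re

# Install path as it appears in the .reg files in the post above.
START_EXE = r"C:\Program Files\Sandboxie\Start.exe"
# Assumption for this example: box names use letters, digits and underscores only.
BOX_NAME = re.compile(r"^[A-Za-z0-9_]+$")

def reg_unescape(value):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", value)

def audit_reg(text):
    """Return {key: [problems]} for the default value of every 'command' key."""
    findings, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (key and key.lower().endswith("\\command")
              and line.startswith('@="') and line.endswith('"')):
            cmd = reg_unescape(line[3:-1])
            problems = []
            exe = re.match(r'"([^"]+)"\s+(.*)', cmd)
            if not exe or exe.group(1).lower() != START_EXE.lower():
                problems.append("command does not start with the quoted Start.exe path")
            box = re.search(r"/box:(\S+)", cmd)
            if not box:
                problems.append("no /box: switch, so no sandbox is pinned")
            elif not BOX_NAME.match(box.group(1)):
                problems.append("unexpected characters in box name")
            if '"%1"' not in cmd:
                problems.append("%1 is not quoted, paths with spaces will split")
            findings[key] = problems
    return findings

# Constructed sample: first entry copied from the post, second deliberately broken.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\shell\Sand_Dir\command]
@="\"C:\\Program Files\\Sandboxie\\Start.exe\" /box:downloads_box \"%1\" %*"

[HKEY_CLASSES_ROOT\mp3file\shell\sand_play\command]
@="\"C:\\Program Files\\Sandboxie\\Start.exe\" %1"
'''

if __name__ == "__main__":
    for reg_key, issues in audit_reg(SAMPLE).items():
        print(reg_key, "->", issues or "ok")
```
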
     
  23. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    Hey guys, how do I sandbox Windows Media Player?......thanks
     
  24. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Have you tried sandboxing media player? If so, what did you try and what were the results?

    I don't have media player installed so I can't help specifically but if you can provide a little more info others may help.
     
  25. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    Hi, how do I allow direct access to the adblock filters? (patterns.ini)
     