Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
If you're going to use Sandboxie, please learn how to configure and use it with apps. :)

    Download folder locations can be restricted & C:\WINDOWS prevented from "write access".

    Use firewall that monitors inbound/outbound connections. (rules/apps/processes)
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
Specifically, there is benefit in ensuring that a) internet-facing apps get no access to user data areas and b) programs accessing user data areas get no internet access (both being enforced by the relevant sandbox). I find that quite easy to do; the main risk is with Outlook, which necessarily sees the internet and has access to the email store (the functions ought to be separated but are not).
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
If Outlook doesn't have access to your mails, you can't use Outlook. That's not Sandboxie. Anyway, when you apply Email settings in Applications for Outlook, that makes outlook.exe the only program in the sandbox that's allowed access to your mails (saved out of the sandbox). That alone makes Outlook users more secure by running the client sandboxed than not. Hopefully you don't believe that you are better off running Outlook unsandboxed (like Mr Brian yesterday theorizing that it is safer to run PDFs unsandboxed). :)

    Bo
     
    Last edited: Jan 25, 2015
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Since Outlook is an email client, separating the internet access from the email store just doesn't make sense. Neither does theorizing it is safer to run unsandboxed. That is nonsense. The only issue is usability. I like running Outlook sandboxed, but in the end it just causes me a lot of issues, because of the way other software has to interact with Outlook. Ergo I end up protecting Outlook with AppGuard.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Like I already said, if you want to restrict apps running in the sandbox, use anti-exe, anti-logger/HIPS and a firewall. Or harden the sandbox with extra restrictions and data protection. Problem solved. We already came to the conclusion that SBIE does not stop all behaviors that are possibly malicious. But it will contain them.

    For example, it does not block "code injection" inside the sandbox, because if it did, some tools like download managers (with video sniffer) would not work. But if it was malicious it would not be able to inject code into processes running outside the sandbox, and can't infect the system.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
I agree, Pete. I never used Outlook, but when I used Outlook Express I never experienced issues using the program sandboxed, but I only ran OE, Firefox and Foxit in that sandbox. No addons or anything that interacted with the client.

    Bo
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
My problem with using Outlook sandboxed is when I invoice my clients in QuickBooks: it sends the invoices as an attachment to an invoice and then sends to Outlook. That doesn't work when Outlook is sandboxed.
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Oh, I agree, what I'm after is a properly architected form of email client where the communications/protocol handler part/process is separate from the mailstore/search and view functions. And each of them appropriately sandboxed. They could communicate fairly securely using file-drop or IPC, but they would be distinct.

    We know, for example, that email or attachment viewers/editors are attacked, and they should run in a sandbox which has no internet access, and preferably, no access to other email data or other user data areas.

    Clearly, not going to happen with Outlook.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Is there in fact any that work that way?
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    No, but I'm wondering about running Mailpile on a RPi locally, or maybe in a little VM, and browsing to that (from a sandboxed browser of course). That achieves separation of communications and viewing/editing, but not between communication/storage/search.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Then my next question is what you are doing so super secret that it matters. I run Outlook, which I use for my business, under appguard which would prevent damage to my system, we rarely open attachments, and I relax.
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
Hi deBoetie, I know your main concern has to do with personal files being stolen. Sandboxie has the settings to keep those files from being compromised. In post 878, I mentioned that Outlook is the only program running in your Outlook sandbox that has access to your mails stored out of the sandbox. No other program running in the Outlook sandbox has access to them. Other programs cannot read those mails.

To tighten things up further, you can set Outlook as the only program allowed access to your personal files or folders. For example, you can make Outlook the only program in your Outlook sandbox with access to your desktop. And other programs that you allow to run, like your PDF reader or Excel, don't need internet to work, so don't allow these programs internet access. Doing what I am saying in these two short paragraphs makes things really tight.

    Bo
     
  13. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Got a question for Bo or any of the other SB experts. I have used SB for years, paid version. I use it rather simply, only when surfing or using my email client, Thunderbird. I have only used one sandbox, the default, which I immediately delete when finished. The only fancy stuff that I have done is using the restrictions; only Firefox, and Thunderbird, and any of the applications that they need to work, can start in the sandbox or access the Internet.

    I like the way that the creator of SB set it up so that your Thunderbird email will be saved even after you have deleted the sandbox. That got me thinking: what if any of the emails contained a virus or Trojan, would the bad guys also get saved? How does that work?

    It has been suggested to me by a member of Wilders that I set up a separate sandbox just for my email client. What would be the advantages of that? If that is the recommendation of the experts here, what is the SIMPLE way of doing that for this simple mind.

    Thanks more than you will know,
    Acadia
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Acadia, I am not familiar with Thunderbird. Is the file it stores the emails in something that can only be read by Thunderbird, or can other software read it?
     
  15. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Peter, this shows you my ignorance. I have not the faintest idea.
    Acadia
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
If you got a virus in an attachment, it gets saved out of the sandbox unless your AV detects it and either you or the AV deletes it. This is the way that I look at mails stored in the computer when running programs like Outlook or TB under Sandboxie. The end result is as if you had never opened those mails. That simple, Acadia.

My friend, I am no expert on anything related to computers. Sandboxie? I don't know. Anyway, you should definitely set up a separate sandbox for Outlook. That way you can restrict that sandbox according to what you do when you are running Outlook. You can restrict it more. Remember, sandboxing is isolation, and the more that you separate programs from each other, the better.

    Bo
     
  17. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
Bo, thanks, you're NOT an expert on SB, yeah right.

    BUT I don't even have Outlook.

What would be a SIMPLE way to create a separate sandbox for Thunderbird?
    Thanks,
    Acadia
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I meant, in your case, Thunderbird.

    Bo
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Bo

Not quite with Outlook. Everything in Outlook is stored in one file, Outlook.pst. It pretty much can't be opened by stuff. So if an email contains a virus, without running it, it isn't apparent to an AV. So the Outlook sandbox has to have complete access to the Outlook.pst file, it needs internet access, and it also needs to be able to run Microsoft Word, as Outlook uses it.
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    You create the new sandbox in:
    Sandboxie control>Sandbox>Create new sandbox

You can name it Thunderbird. Then go to Sandbox settings and set it up to delete on closing. To make TB work with Sandboxie, make sure to tick Thunderbird in:

    Applications>Email reader

    And make Thunderbird a Forced program:

    Sandbox settings>Program start>Forced programs

Then do a test to make sure that the program is working correctly under SBIE. You can send and receive an email to yourself sandboxed, then close TB. And afterward, open TB unsandboxed to see if the mails show up in sent and received.

I would then run TB unrestricted for a few days and then restrict the sandbox by only allowing the programs that you use often while using TB to run. For example, add your browser. If you open PDF files in the sandbox, then allow your PDF reader to run, etc. And keep in mind that programs like the PDF reader or Excel don't require access to the internet to work. So, don't allow these programs internet.

    Bo
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
When you set up Outlook to run sandboxed, only Outlook has access to the pst file. Look in Sandbox settings for your Outlook sandbox (Resource access>File access>Direct access); in the drop-down window, select Outlook, and there you'll see the files that ONLY Outlook has access to in that sandbox.

For Word, you don't need to allow it access to the internet.

    Bo
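As an added illustration (not from the thread and not Sandboxie's own documentation), this is what the Thunderbird sandbox described in the two posts above looks like as a Sandboxie.ini section, with the Outlook-style "only this program has direct access" rule applied to Thunderbird's profile. The key names follow Sandboxie's ini format as I recall it, and the `%AppData%\Thunderbird\` profile path and `pdfreader.exe` are assumed placeholders; compare against the lines the GUI writes into your own Sandboxie.ini after clicking through the steps.

```ini
; Sandboxie.ini fragment: added example, written by hand rather than by the GUI.
; Key names are from memory of Sandboxie's ini format; the profile path and the
; PDF reader executable are placeholders.
[Thunderbird]
Enabled=y
ConfigLevel=7

; Sandbox settings > Delete > Invocation: wipe the box every time it closes
AutoDelete=y

; Sandbox settings > Program start > Forced programs: TB always starts in this box
ForceProcess=thunderbird.exe

; Applications > Email reader: the GUI adds a Template= line for this. Spelled out,
; it means only thunderbird.exe reads and writes the real profile (mail survives
; the AutoDelete); every other program in the box sees it read-only.
OpenFilePath=thunderbird.exe,%AppData%\Thunderbird\
ReadFilePath=%AppData%\Thunderbird\

; Sandbox settings > Restrictions > Internet access: only TB and the browser may
; reach the network; the PDF reader or Excel do not need it and get none.
ProcessGroup=<InternetAccess>,thunderbird.exe,firefox.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
NotifyInternetAccessDenied=y

; Sandbox settings > Restrictions > Start/Run access: only programs you actually
; use with TB may start. Add this after the "run unrestricted for a few days"
; phase, once you know which programs TB launches.
StartRunProcess=thunderbird.exe,firefox.exe,pdfreader.exe
```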
     
  22. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Thank you, Bo,
    Acadia
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    My joy, Acadia.

    Bo
     
  24. 142395

    142395 Guest

I said that not because I observed "Server not found"; I find it redirects to 127.0.0.1 via Hosts Server, but I'll test it tomorrow as well as SRP (sorry, now I'm sleepy -_-;).

BTW, I can't understand this fuss about MrBrian's posts. This thread is "Sandboxie technical tests and other technical topics discussion thread", right? It is not about "How to use SBIE to secure my system from malware", though it will be hard to draw a clear boundary. We, at least MrBrian and I, are trying to find out how exactly SBIE works. I know Pete and bo are guys who are more willing to help people, and it's your virtue. Unfortunately, heaven didn't give that talent to me, and instead seems to have given curiosity about fundamentals. I hope you guys understand there are other senses of value in the world. In this thread, I'm only interested in technical things. We may give examples of theoretical risks more, but it doesn't carry any further intention; I strongly hope you don't read too much into those conversations, though pointing out mis-wording is always welcome (I admit some words in MrBrian's posts can bring confusion or misunderstanding to some users, especially newbies, and the same can well happen for me).

Changing hosts enables a process in the sandbox to do DNS spoofing, which can be a risk in some limited situations. Again, I emphasize I don't have much interest in how likely it is or how it compares to the obvious benefits of SBIE. I'm only interested in how SBIE technically works, and in this particular case which system parameters SBIE automatically protects and which not. On top of that, any of those risks can be prevented by proper access block / read-only or write-only settings, but our findings may be a reference for what to protect with those settings. I once actually added tremendous entries into those settings 'cuz I didn't know what SBIE automatically protects and what not, but found it causes noticeable slowdown, so removed most of them. I'm thinking about renewing those settings now.
     
  25. 142395

    142395 Guest

That kind of sandboxing will only be possible with a Chrome type of sandbox. While Chrome already does similar things for web browsing, I don't know any email client which employs such a sandbox.
     