Sandboxie v2.86

This thread is about Sandboxie ONLY. So please, stick to the subject.
You don't have to tell me how good or bad Sandboxie is. So no emotional outbursts or comments regarding Sandboxie, because these comments don't make me any wiser.
You don't have to tell me that Sandboxie causes some troubles on certain computers, all softwares have that in common and that doesn't make me any wiser either.
I don't want any comparision with other softwares either, this is about Sandboxie, nothing else.

I only want to know HOW Sandboxie works, in other words the philosophy behind Sandboxie. I'm using Sandboxie for two days, so I'm certainly not an experienced user of Sandboxie, but Sandboxie seems to love my total system so far.
The bottom line is : I want to figure out, if Sandboxie is worth my time to LEARN it in detail and use it in my frozen snapshot as a protection in the period between two reboots.
This thread might also be usefull for potential users and for discussions, but first I like to know if I understand the concept of Sandboxie and I would like to have an answer to my questions.
---------------------------------------------------------------------------------------------------
As far as I understand Sandboxie works like this, if I'm wrong please correct me :

1. You can choose which application has to run sandboxed or NOT.
Weird question : what happens when Look'n'Stop (my actual firewall) is sandboxed ?
It seems to me you have to decide carefully which application will be sandboxed or not.
What are the general rules to run an application sandboxed or not ?

2. Once an Application is sandboxed :
a. It can only read objects on the REAL harddisk
b. All write operations are done in a Transient Storage Area, called SANDBOX and NEVER on the REAL harddisk.

3. This means to me that the SANDBOX can contain GOOD and BAD objects.
a. If I download IZARC37.EXE, which is a GOOD object, the file will be written and stored in the SANDBOX under the right folder, that looks like the real folder, but is in fact a folder in the SANDBOX.
If I want to keep IZARC37.EXE, I assume, I have to copy/paste this file FROM the SANDBOX TO the real folder.
When I clean the SANDBOX : the file IZARC37.EXE will be removed, but is still stored in the real folder.
If I don't want to keep IZARC37.EXE, I just clean the SANDBOX and everything is gone.

b. If I download TROJAN.EXE, which is a BAD object, the file will be written and stored in the SANDBOX just like a GOOD object.
If I doubleclick TROJAN.EXE inside the SANDBOX, the TROJAN will be executed, BUT whatever the TROJAN writes, it will be kept inside the SANDBOX and won't affect the real harddisk.
If I clean the SANDBOX, everything what the TROJAN.EXE did, will be GONE forever.

Conclusion : if the user doesn't know the difference between GOOD and BAD objects, he still can infect his own computer by moving the bad objects to his real harddisk.
----------------------------------------------------------------
If the above is all TRUE, I assume that I can use Sandboxie to LEARN what a BAD object can do to my computer, because each write operation of the BAD object will be visible in the SANDBOX. Am I right about this ?

Thanks in advance for your co-operation.

 

1. Yes you choose. It only sandboxes (virtualizes..) what you want, or what you specifically assigned. Your FW is not sandboxed.
General rules? I don't know how to answer, you sandbox what you want to completly isolate from your system. Mostly browser, messenger, like that. Every change, download, etc. goes to the virtual container, the sandbox. Registry changes go to fake registry, files to fake file system...
To retrieve what you want, you define what folders you want monitored, and assine them to the "Quick Recovery". In the GUI, Configuration-Sandbox Settings-Set Automatic Cleanup options. Should be really simple to use. You add folders here, and choose how you want it to run. If you tick "automatically delete contents..", when you close the browser or whatever, if anything is in those folders, you'll be asked if you want to check them, using "Quick Recovery".
I could go on and on, but this is waste.

No post can explain better than SandboxIE's site:
http://www.sandboxie.com/index.php?HelpTopics
Read Getting Started, all the way down to FAQ. You'll read it easy. And understand. Trust me.

2. Yes. But you can set what folders are not to be allowed read.

3.
a. yes. It's you in control of what you keep. When you delete the sandbox, everything you didn't copy to the real file system, and left there, is deleted (or erased, if you want to associate an eraser to SandboxIE).

b.exactly.

Conclusion: yes.
----------

Sort of. You sure can look at everything that was writen to the sandbox. And only changes made exist, so it can be useful for that.

From what i read in your post, you don't want to miss the FAQ, and this.

But i really think you can/should read the whole site . Skip the fuctions you don't care, and it won't take you much time. It's a good read.

 

Why would you want to run your firewall sandboxed?

 

I think it also depends on how you define what a bad object is. Does a bad object always have to write to the hard-disk or change registry entries? If you download a password stealer program and run it, it can still do its damage even though it may not have written files to the hard-disk or modify the registry. A firewall program may or may not catch it when it sends out data.

 

I didn't ask that question out of stupidity. I would never sandbox my firewall. I just put it extreme, because I like to know what Sandboxie-users make decide to sandbox an application or not, which doesn't seem to be clear in Sandboxie.
Where is the limit of usefull sandboxing ? What is absurd in sandboxing ?
It seems to me, I have to figure it out myself.

 

You should sandbox applications which may be used to install/download/execute malware. For the most part, browsers, mail clients, IM clients are the usual target for sandboxing. IMO, mail clients shouldn't be sandboxed if you read mail as only-text and discard unknown/unrequested mails/attachments. On the other hand, attachments which you trust can be saved to disk and executed inside the sandbox.
You can also run a sandboxed copy of Word/Excel/Powerpoint/PDF viewer if you suspect that some document may have dangerous macros/scripts embedded.

Installing apps which require:
- Kernel drivers.
- Register of service.
- Add autostart entries to registry.

 

Thanks you guys. At first sight, Sandboxie seems to be good for immediately usage and it can be usefull in the future, when I want to know, what a malware exactly writes on my computer.
If I execute the malware for real in my frozen snapshot, I can check the Detailed Log, if FDISR removed the same bad objects during a copy/update FROM Freeze Storage.arx TO frozen snapshot. At least that's what I hope.

 

Lucas,
OK. I got the picture. Thanks.

 

Part of the beauty of Sandboxie is that you should be able to open sandboxed files with native programs, and the launched app will automatically run the file sandboxed.
i.e.: If I download/open a .pdf file (whilst browsing sandboxed), my pdf reader will automatically launch and open up the file in a sandboxed environment.
The same should apply to most app.s.

 

Sandboxie, or a sandbox interrupts the flow of processed information to the hard disk. The concept of a sandboxie is to keep the overall integrety of your machine security while not having to harden the controls and loosing useful function.

Some problems found with Sandboxie are that it needs to reduce conflict with third-party software and elimanate malfunctions such as system and program crash/lock-up as soon as it started and when closing. That said versions and fixes come regularly and Sandboxie has an active community.

Things to learn and of interest are SandboxieIni and Portable Sandbox.

When I have some more time I'll come back to this thread.

 

What I like about Sandboxie is that it also works on my second harddisk = my data partition [D:], which isn't protected by FDISR.

 

One thing i still didn't figure out: what completes SandboxIE. Right now, despite the whole arsenal installed ) ), i'm only running active CPF, SandboxIE and Antivir.

With SandboxIE, i have what i want to have. But because i'm hooked, as you guys, i look for what completes it, like - if malware runs inside the sandbox, it can still do something, like recording my Wilders password .

What completes what SandboxIE lacks

 

Using Sandboxie reduces the need to have antispyware programs etc. So I am running also it with Comodo and have also Avira AntiVir. Though Avira is not of course much needed with Sandboxie.
I like the fact that CPU usage from my security programs is zero.

 

Recording the password doesn't sound dangerous to me, unless it SENDS the password to the thief, that is dangerous.
If the recorded password is still in the sandbox, it will be removed once you clean the sandbox. Recording and sending are different actions.

 

Great minds..

That's a very good point. Malware won't have privileged access, and easily detected by Comodo. Or is it?
But as i'm thinking of turning off certain features in Comodo, i would still like to know the answer, not envolving the firewall. You know, i got to install something

 

You have to think of Sandboxie as a "one-way" valve,
Stuff cannot be written TO harddrive, but stuff can be READ (accessed) from HD and potentially sent out.
Per Erik's observation above: Any nasties on your system will simply and completely go away upon shutdown.

Merely good outbound protection. Be it good firewall/HIPS, warning if anything should attempt to "phone home".

 

Addendum to prior post.
Although Sandboxie does allow you to surf with virtual impunity, some common sense browsing procedures should keep you quite secure.
For instance: If I do any online banking / security trading, upon completion I DO NOT instantly start browsing various crack / porn sites.
Common sense dictates shut down browser (thus hopefully clearing any sensitive data in memory), re-open browser, THEN browse the dark side.

 

My on-line banking isn't so dangerous anymore since my bank created recently a very complicated login procedure, which is explained in this thread :
https://www.wilderssecurity.com/showthread.php?t=169704
Even a malicious keylogger is worthless with such a login procedure.
Thanks for the other explanations, all bits help.

 

My bank also has all sorts of high technological security stuff as well.
Call me old fashioned / overly paranoid, but it's no big deal after online banking to simply close browser, re-open.
My K-Meleon takes <1.5 seconds to open.

Regards

 

Kind of off topic, but the question is about sandboxie...
Is there anyway of viewing the sandoxed 'virtual' registry?

 

argus tuft :

You could dump the sandboxed registry held in registry.dat within the data folder. Sandboxie also creates values in the real registry in memory.

Erik :

You can also create and use a sandbox across machines portable sandbox.

You can tweak SB via SandboxieIni for example block drivers is a setting in SandboxieIni.

 

Sounds very encouraging to me Peter. Another step forward in my plans. I'm getting closer and closer every day to what I really want.