Which sandbox runs with chrome

Hi all

I could not get Chrome run restricted with GeSWall Pro, Please post the GW console setti8ngs when one of the members was succesfull in setting it up right.

On other PC DW 2.45 patch runs good with Chrome (only defense wall capture on window is not visible, but number of untrusted processes is correct, as is the inheritance of untrusted status of downloaded files).

SBIE gave also problems, same question, could members post their settings when they were succesfull in running chrome sandboxed with SBIE?

Thanks in advance

 

Hi,

I am using GesWall Pro with Google Chrome in untrust mode without any problem.

This is My config in Console:

Resource Type Access
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache% File Allow
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies% File Allow
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History% File Allow
%HKCU%\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\dr Registry Allow
\Device\NamedPipe\chrome File Allow
%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData%\Google\Chrome\ File Allow

 

Iphone,

Thanks. I have it in the same config, but when I want to run it restricted it just does not work. Are you sure you seeing the G icon when running it?

Would you check please, thx again

 

If you open the desktop link to Chrome and in the target line that ends in chrome.exe and add -no-sandbox (blah/blah/chrome.exe -no-sandbox) then it should work. I had the same problem with SRP as well as Sandboxie but this fixed it. Must be a conflict with Chrome's built in sandbox function. I discovered this in Google Groups.

Hope it works for you too.

Later...

 

"Iphone,

Thanks. I have it in the same config, but when I want to run it restricted it just does not work. Are you sure you seeing the G icon when running it?

Would you check please, thx again"

Yes, i have the G Icon and i have many "Chrome" process in the "isolated application" console.

I have just add another rules :
\Device\NamedPipe\lsass file alow

This is for the "About google chrome" function.
The check of the version work only if i add this rules.

I can dowload files with "G" restricted for the files ...

All work good.
I am sure that's working.

In fact, the only problem i have is when i switch from "trust" to "untrust" (for chrome update).
Somtimes, chrome crash but the next retry and all work.

 

Iphone,

Thanks a lot, try your last option with redirect in stead of allow (you do not want a webbrowser having full access to lsass)

cheers Kees

 

Tresspasser thanks,

I was testing whether DW (or GW thx to Iphone) was kicking in with drive by downloads or chrome stopped them (there fore needing the sand box of chrome).

 

Hi Kees1958,

I am interesting to know (if you are testing Defensewall) if DW working with Chrome.

Regards

 

Iphone,

Yes, DW patch 2.45 works well with chrome. Only the DW status title bar addition (tells you whether you run untrusted or not like the G of GW).

Regards Kees

 

Please excuse my ignorance as a non-techie, and let me ask the following question. If Chrome sandboxes each tab, why would you feel the need to sandbox over it with an additional sandbox like DW or Sandboxie? I could see virtualizing your C drive in Returnil before accessing Chrome.

 

One reason is that you cant disable ads and javascript in Chrome. So it would all be contained in Sandboxie and therefore safer.

 

In my case Google Chrome conflicted with Software Restriction Policy (SRP) and would not function properly. I was receiving the "Aw, Snap!" error page and it would not connect to the internet at all. I googled a little bit and found the "chrome.exe -no-sandbox" suggestion in Google Groups and was surprised to find that it worked. So, it came down to a choice between turning off SRP or using Chrome's built in sandbox. I chose SRP then added Sandboxie.

Hopefully, the Chrome devs will fix this conflict with SRP sometime in the future then I will try it again (without Sandboxie).

To be honest, as it stands right now I wouldn't dream of switching from Firefox to Google Chrome. IMO, you lose a lot of functionality and I'm not talking extensions either.

Later...