Sandboxie Acquired by Invincea

In a way, I think sandboxing Outlook is more important than modern browsers like Chrome with their own sandbox. Even the experienced (coughs) - can make a mistake opening an infected attachment (both AV and Sandboxie protected me recently).

It's also possible (and I think sensible) to give the Outlook box direct access to the Outlook files, but block its ability to read any of your data directories.

Just to check your Office 2013 Professional Plus, is this a physical copy licensed for 1PC (rather than the downloaded types which use App-V)? Have to say, that wouldn't be an option for me because of the cost....

 

Hi Osaban. I have Office in my XP, in W7 I am using the portable version of Libre Office. For both programs, the option to "Run Sandboxed" by right clicking files and folders in Windows Explorer is available. I suggest you check to make sure the Run sandboxed by right clicking files option is ticked in Sandboxie control>Configure>Windows shell integration.

If its ticked, untick it, close the Windows shell integration window and open it again. And tick it back. Since the Run sandboxed option for Office files is available in XP, I think it should be available for W8 as well.

I think there are two easier ways to set programs as Forced programs than you writing their names. I have never set a programs as Forced by writing their name, if I had, I probably would had made mistakes with the names as you did with Word.

I think the easiest way to set programs as forced is to open this window, Program Start>Forced Programs. once there, I click "Add program" and navigate to the programs folder in Programs file. Then select the exe for the program. And that's it. I seen some people forcing the program folder but that is totally wrong, it doesn't work and it wont force the program.

I do as I described above for programs that are easy to know the correct exe to force. Programs such as Firefox are easy to figure. But if I want to force something new that I am not familiar with and I am not sure what is the correct exe to force, then what I do is run one of its files sandboxed by right clicking the file. After closing this file, I go back to Program Start>Forced Programs. once there, I click "Add program" and look at the window to the left. This Window shows programs that have recently run sandboxed. And I choose the correct exe from there.

The way I create Word or Excel files in my XP is like this. I actually create the file unsandboxed by right clicking the desktop, choosing New and choosing Word. But when I click on this new Word file, since Word is forced, it runs sandboxed. Then I ll do the letter or whatever and save the file out of the sandbox. So pretty much, files are never executed unsandboxed. You can create a Word file while sandboxed by opening an existing Word file, open a new file in the left corner and save the file out of the sandbox. But that's not how I do it. I do them as I described at the beginning of this paragraph.

I think files that we create with Word and Excel are pretty safe and its probably a little too much to do them sandboxed but by doing them sandboxed its like getting into the rhythm of things, to get used to doing this sort of thing all the time, so I do it with all programs. I am used to doing things like that. I do them automatically and to me it just feels normal and don't have to think about it when I am doing it.

Now, in my W7, I don't have Office. I have used programs like Kingsoft and Libre. Both of this programs connect out. So for programs like this, specially Knigsoft, creating your Office files sandboxed and using a restricted sandbox is a must in my opinion. Kingsoft is the worst program that I ever seen connecting out a bunch every time that I clicked on an Office file.

That program is probably the one program that has giving me the hardest time ever to set it right, restricting it in a way in which using the program was still convenient and easy to run sandboxed. It was a challenge. Libre is easy to set but it tries to connect out every time I run a file. So, in my opinion, creating files using programs like this it is a good practice to create them sandboxed. Thats one of the reasons I feel safer creating Office files under Sandboxie.

Another reason why I create files sandboxed is to keep the program intact. For example, I have Word looking and set pretty much with the tools that I regularly use but while using the program to create a file, I might change things around. And then, I wouldn't know how to get it back how it was before I made the changes. So here Sandboxie comes to the rescue since the program will go back to how I prefer to have it set once the sandbox gets deleted.

Bo

 

@bo
Thanks a lot mate for the insight on this office thingy

 

My pleasure Sr X.

Saludos

Bo

 

I've actually got a copy from my employer which has a key covering a certain number of computers. I would never buy it, it's ridiculously expensive... As for sanboxing Outlook, it is important if you receive mail directly, in my case it imports mail from gmail (IMAP). I've used gmail for many years, and I've never ever experienced anything untoward with them.

 

Bo, your post should become a sticky on this thread as it explains in very easy terms how to configure SB, in this case about forced programs. I have tried all of your suggestions and indeed they work to a certain extent, but you are using XP and Win 7, my main machine is with Win 8. What I'm trying to say is that there are some differences between Win 7 and Win 8, particularly when we deal with shortcuts and Metro.

I'll give you some examples: Word 2013 is the only office application that seems to work perfectly sandboxed; PowerPoint works well when I create a new presentation, but as soon as I try to sandbox an old presentation there are all sorts of errors that come up. Same with Excel no problems with a new spreadsheet but no joy trying to sandbox a received one. Outlook can only be sandboxed with the 'Sandbox DefaultBox' but displays erratic behaviour developing errors more often than not; if I try to create a dedicated sandbox for Outlook (using your method) it just will hang forever... All in all not worth spending more time trying to do it, and as I said not a big problem for me as I believe I have other ways to cover contingencies with Office 2013. I'm sure many will benefit from your explanations Bo...Thanks.

 

Thanks, I guess the point with anything which comes down to the physical machine, needs to get executed sandboxed (e.g. as Bo has described) because you do not know the payload, and Google can't necessarily protect you from that (it's different when you view the doc in the browser because that's already sandboxed). Obviously, Word is commonly targeted, and then there's those exes which are called zip or something begging you to double click on them. Which you really really don't want to do!

Again for some perspective, I'm running all the Office 2010 main apps sandboxed (Word, Excel, Powerpoint, Outlook and OneNote) and that works OK; and it's one of the reasons I will not upgrade to O2013 (aside from the hideous cost for the "real" licences, and that there isn't anything compelling in functionality). I am also running VMs for anything internet facing (whether sandboxed or not), simply because the data isolation, rollback and recovery is so easy.

The "trust no application" mantra is a good one to keep in mind, and all the popular applications have had vulnerabilities and exploits in the past, sometimes unexpected ones.

 

Thanks a lot for the heads up on Kingsoft and Libre office. I thought of shifting to Kingsoft because I assumed it would be easy enough to sandbox - obviously not! But it has no OneNote...

The dialling out every time you open a document gives me the shivers, that's a privacy disaster if nothing else, and would be completely unacceptable to me. The office documents contain the real sensitive information, and I'm not going to have them transmitting anything out (which is what I restrict in their sandbox).

 

Pete, in one short sentence.

http://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=19229&p=102342#p102272

Bo

 

Hi deBoetie, Kingsoft (now called WPS) works fine sandboxed and is easy to sandbox if you allow everything to run and connect. The tricky thing for me was to achieve the perfect balance between security and usability which is something that I always try to accomplish, restricting the sandbox as much as possible without loosing any usability. Using Kingston, in sandboxes where I ran Office files, I could not restrict the sandboxes as I would have liked to.

This was so, particularly, in my Downloads sandbox. In that sandbox, I had to allow all programs to run, otherwise, the sandbox would not delete automatically when running a Word or Excel file with Kingston. Fortunately, restricting internet access was fine but in one of the sandboxes where I ran Kingston, I had to Hide the internet SBIE message, otherwise, the sandbox would hang. Probably, that was the case because there was Kingstion attempting to connect once, twice, three times and Sandboxie was issuing message after message. It was terrible.

A few months ago, when Kingston became WPS, I tried their newer version under Shadow defender. And that version was even worst. Now, the program its bundled with garbage. And even though I was very careful about what I clicked and not clicked, after installing the new version, there were extra folders in Program files. I am not sure if the bundled software got installed or not but the folders were there and some Speed up thing appeared in Control panel>Programs. I always try not to say "I got rid of" when I uninstall a program but in the case of Kingston, I am glad I got rid of that thing.

I recommend you try Libre office portable. It works great sandboxed, I am able to balance my sandboxes perfectly. It tries to connect but Sandboxie blocks it OK.

Bo

 

Hi Osaban, I read yesterday or the day before that Sandboxie is not going to continue supporting W8. I guess that means that you would need to upgrade to W8.1, in the future, for Sandboxie to be at its best.

Some Sandboxie messages can be hidden, if you hide the ones that you are getting now and Outlook still works fine as a sandboxed program, that's what I would do if I was you.

I seen programs, IE in my W7, in the past that work perfectly in one sandbox, like in your case Outlook working in your DefaultBox and then not working in a new default settings sandbox. It doesn't make sense but I know it can happen. I got an idea about something that you could do for Outlook. Perhaps, you could leave your DefaultBox as your dedicated Outlook sandbox. And create new sandboxes for your browsers, etc.

Its a workaround, that way, you ll be able isolate programs from each other. Thats what I would do if I was you. Best regards, Osaban.

Bo

 

Bo, I have never bothered to force say LibreOffice sandboxed. I know it can be done once figured out how be sure the documents are to be restored to main system. It is just a matter of convenience.

In my case I have TinyWall to block internet access and AppGuard to safeguard, so I am kind of lazy of not doing that sandboxed. AppGuard and Sandboxie sort of overlap in many cases with their protection, without any conflicts. Like the USB protection.

I would not ever be without SBIE protection though to my browsing or if I used email clients, which I don't. Or just about any other internet apps. I used a torrent client too sandboxed those few times I have.

 

Jarmo, there's nothing to figure out........you save documents in Libre, MS Office, etc, the same way you do it in your browsers. There is no difference, really.

If you are using Libre right now, do the following, run Calc in a sandbox that is set to save files to your desktop, make changes to the file and save it to the desktop, that's it.

You said yesterday that one good reason to sandbox Chrome is for keeping settings in the browser from changing, Right? I take that a little further, to keep my programs from being changed by malware.....or me, I run all kind of programs sandboxed.

Bo

 

AppGuard should do the same. Maybe my post was seeing Pete who uses it talking about sandboxing office applications. I can't deny that SBIE might be even more protective, but I feel AG is enough for me protecting those and also USB drive stuff. I mean I payed for it, got to use it too

Also I was not once so convinced about SBIE USB drive protection with forced folders, some documents i clicked started unsandboxed. They might have been just jpg pictures. Invincea may have corrected that, but AG is a much simpler program and not so easy to brake.

Anyways I love Sandboxie same as you.

 

There is nothing to fix Jarmo, thats just the way sandboxing programs handle files when they run out of a Forced folder using Windows picture viewer or WMP. You can easily workaround this by switching your default programs that open this type of files or by Forcing programs. But keep in mind something which I think its important and a great security feature of Sandboxie.

When you first insert a flash drive, your USB folder opens up using a sandboxed version of Windows explorer. By doing so, if a file runs, it runs sandboxed. I don't care what kind of file it is, if it runs, it will run sandboxed. Test it. And that includes JPG pictures.

Bo

 

To make you happy Bo, I WILL add my D: E: G: F: drives to forced folders. It does not hurt to have 2 programs guarding those things, SBIE and AppGuard.
I already came back using browsers Sandboxie forced because of that EMET thing i have been playing with for about a month, so why not just start using also that USB protection of SBIE again hehe

Still my question goes to Pete. Are you not trusting AG for needing to sandbox those office apps? Or just as a a security buff wanted to test how it is done in both.

 

Thats a good idea, Jarmo.

Remember, immediately after you insert the flash drive, anything and everything that's executed will run sandboxed. But if you close the USB folder that pops up using a sandboxed Windows explorer as you plug the flash drive and later navigate back to the USB folder... JPG pictures, WMV, etc, might not run sandboxed.

Bo

 

It is a pity if SB ceases support for Win 8, as my Samsung notebook is a high end machine which loses some of its functions (switchable graphics, brightness control, battery charge drops significantly just to name a few) when upgrading to Win 8.1. I don't know whether I'm more upset with MS or Samsung for this mess, but certainly MS with its new business model to churn out new OSs every two years is creating quite a few problems for developers.

I have always used SB for browsing, as I regularly backup data and OS, I believe I shouldn't have any problems with my mail system even if the worst happened. The rare occasions when I want to be extra careful with an email or anything really suspicious I launch Shadow Defender and check... Furthermore as much as some people would never use Gmail for privacy reasons, they have their own policies to check their servers about infected material, their spam filter is one of the best, and executables are not allowed...

 

Beta 4.15.3 is out now....feeling pretty.

Fixes in 4.15.3

1) Several problems fixed in new hooking code.
http://forums.sandboxie.com/phpBB3/viewtopic.php?f=49&t=19837#p104534

Bo

 

Thanks Bo. Running well here.