Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi shmu26, I had Office in XP but don't use it in W7 or W10. So, I am not familiar with the different Microsoft Office programs that are available now. There are a few and I lost track how they function, I know some connect to the internet and that's really the key for answering your question.

    Using older Microsoft Office programs that didn't require internet to work, it was OK to allow Word Direct access to your personal folders since you could run Word in a sandbox where no program was allowed access to the internet. So, for example, if you opened an infected Word document, the malware could hijack Word and use it to read your personal files, but that would be it, since it was not able to connect to the internet and phone home. And eventually, the malware is gone when you delete the sandbox.

    So, the question is, can you run Word in a sandbox where all programs are forbidden access to the internet? If you can, then yes, it is safe to allow Word Direct access to your personal folders. If Word has to have access to the internet in order to work, then you better not allow Word access to your personal folders.

    Programs like Libre Office, etc., you can do what you want, as you don't have to allow these programs access to the internet in order to work properly.

    Bo
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks Bo, great answer!
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    You are welcome, shmu26.

    Congratulations........get all you can out of your new Sandboxie license, to the last drop. :cool:

    Bo
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Okay, that's for the risk of information theft.
    Now, what about the risk of encryption?
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If you are talking ransomware...if it runs in the sandbox all your files will be encrypted, in the sandbox. Delete it and they are gone. I have tested against Goldeneye (Petya) and it protected the system.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I am asking about the special case where you granted the sandbox direct access to your personal files.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That's an interesting question. Not sure.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Of course encryption will occur. You can tighten the sandbox by allowing to run only specific exes though.
    Also I use another layer like AppCheck to mitigate even more damage.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    shmu26, you can set it up so only specific exes have Direct file access:

    Resource access > File access > Direct access, click the drop-down menu to see if the program you want to allow access to the folder is there. If it is, click it and click Add, navigate to the folder and select it.

    If the program you want to allow access to a specific folder is not listed in the drop-down menu, click Add program; if the program's exe is listed in the window to the left, you can select it from there. If it's not, navigate to its exe to select it. Then click Add, to add the folder.

    Don't forget. Every time you allow a program access to a folder, you are opening a hole. I know you want the convenience but know that.

    Bo
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's the risk with giving direct access, SBIE will no longer be able to protect against encryption, if apps like browsers and MS Word are somehow exploited. But that's why you also need to use AE/whitelisting, this will block malware from running in the sandbox. I combine EXE Radar with SBIE.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Me too.
    Just picking people's brains about SBIE versus in-memory exploits, and I also was wondering about what permissions a sandboxed app would have to vulnerable system files that could be used in a ransomware attack etc.
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Guys, tell me if I got it all wrong, but after a little reading, it sounds like SBIE at default settings is not designed to block sandboxed apps from accessing system resources. Rather, it redirects the writes to a virtualized and contained area, and it has mitigations to prevent anything from escaping the sandbox.

    So, for example, if a malicious process running in a default sandbox wants to invoke powershell and run a script, it can do that. But the result will be sandboxed, and the real file system will remain as it was.
     
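The posts above describe two things in words: which Sandboxie.ini settings hand a sandboxed program Direct access to a real folder (post 9), and the default behaviour where reads pass through and writes are redirected into the sandbox (post 12). The following is an added toy model written for this thread, not code from Sandboxie or from any poster. It parses the real `OpenFilePath`, `ReadFilePath` and `ClosedFilePath` keys (including the `program.exe,path` form the GUI writes when you pick a program), classifies where each write by a hijacked program would land, and applies Bo's rule from post 1 that a Direct-access folder is only acceptable for a program without internet. The ini fragment, program names and file paths are constructed, the "longest matching path wins" precedence is a simplification of this model rather than a statement about Sandboxie's real conflict handling, and whether a program has internet is passed in as a set rather than parsed from the box settings.

```python
"""Toy model of where a sandboxed program's write ends up under Sandboxie
file-access rules.  Added illustration, not Sandboxie's own code."""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Real Sandboxie.ini keys.  "program.exe,path" is the per-program form the
# GUI writes when a program is chosen under Resource Access > File Access.
KEY_TO_KIND = {
    "OpenFilePath": "direct",      # reads and writes go straight to the host
    "ReadFilePath": "read-only",   # host reads allowed, writes denied
    "ClosedFilePath": "blocked",   # no access at all
}

# Constructed Sandboxie.ini fragment (assumption: paths and programs are made up).
SAMPLE_INI = """
[DefaultBox]
Enabled=y
OpenFilePath=winword.exe,C:\\Users\\bo\\Documents
OpenFilePath=soffice.bin,C:\\Users\\bo\\Documents
ReadFilePath=C:\\Users\\bo\\Backups
ClosedFilePath=C:\\Users\\bo\\Secrets
"""


@dataclass(frozen=True)
class Rule:
    kind: str
    program: str | None   # None: the rule applies to every program in the box
    path: str


def parse_rules(ini_text: str) -> list[Rule]:
    """Collect the file-access rules from an ini fragment; other keys are ignored."""
    rules = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        kind = KEY_TO_KIND.get(key.strip())
        if not sep or kind is None:
            continue
        program, comma, path = value.partition(",")
        if comma and "\\" not in program:          # "program.exe,path" form
            rules.append(Rule(kind, program.strip().lower(), path.strip()))
        else:
            rules.append(Rule(kind, None, value.strip()))
    return rules


def _matches(rule: Rule, program: str, path: str) -> bool:
    if rule.program is not None and rule.program != program.lower():
        return False
    pat, p = rule.path.lower(), path.lower()
    # A folder named in a rule covers everything beneath it; '*' wildcards work too.
    return p == pat or p.startswith(pat.rstrip("\\") + "\\") or fnmatchcase(p, pat)


def classify_write(rules: list[Rule], program: str, path: str) -> str:
    """'redirected' (copy-on-write into the sandbox, the default), 'direct'
    (the real file is modified) or 'denied' (read-only or blocked path).
    Simplification: when several rules match, the longest path wins."""
    hits = [r for r in rules if _matches(r, program, path)]
    if not hits:
        return "redirected"
    best = max(hits, key=lambda r: len(r.path))
    return "direct" if best.kind == "direct" else "denied"


def simulate_ransomware(rules: list[Rule], program: str, victims: list[str]) -> dict:
    """Tally where the writes of a hijacked `program` land over `victims`."""
    tally = {"redirected": 0, "direct": 0, "denied": 0}
    for path in victims:
        tally[classify_write(rules, program, path)] += 1
    return tally


def audit_holes(rules: list[Rule], programs_with_internet: set[str]) -> list[str]:
    """Bo's rule: a Direct-access folder is only acceptable for a program that
    cannot reach the internet.  Every OpenFilePath is reported as a hole."""
    findings = []
    for r in rules:
        if r.kind != "direct":
            continue
        who = r.program or "every sandboxed program"
        if r.program is None or r.program in programs_with_internet:
            note = "HAS INTERNET: files could be read, encrypted and sent out"
        else:
            note = "no internet: files could be read or encrypted, not sent out"
        findings.append(f"{who} -> {r.path}: {note}")
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_INI)
    victims = [r"C:\Users\bo\Documents\thesis.docx", r"C:\Users\bo\Backups\2016.zip",
               r"C:\Users\bo\Secrets\keys.txt", r"C:\Windows\System32\kernel32.dll",
               r"C:\Users\bo\Pictures\cat.jpg"]
    for prog in ("winword.exe", "chrome.exe"):
        print(prog, simulate_ransomware(rules, prog, victims))
    for finding in audit_holes(rules, {"winword.exe", "chrome.exe"}):
        print(finding)
```

Run as a script, the model shows the point the thread makes: a hijacked winword.exe reaches the real Documents folder only because of its OpenFilePath line, while chrome.exe writing the same file is redirected into the sandbox, and every other write either lands in the sandbox or is denied.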
  13. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    @shmu26
    you got that right. that's exactly how it is.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    @shmu26
    Precisely. Couldn't describe Sandboxie better.

    But good thing is you can tweak those defaults to tighten the sandbox to prevent access to system resources to any extent you like, until you break your app functioning.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    What's a good way to tighten access to system processes? Let's say I block Google Chrome or MS Office apps from access to Windows folder. That will cause breakage, right?
     
  16. guest

    guest Guest

    Sandboxie can block IPC (inter-process communications), which is (I believe) what we want against Process Hollowing from a sandboxed process towards a non-isolated one, but it is not set by default (the list is empty).
    I never used it because I have AppGuard to do this. So I don't know if the Process Hollowing attempt will be effectively blocked. I can just say it should theoretically do the job.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks guest, very interesting!
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not too worried about in-memory exploits to be honest. To block that you could use a tool like HMPA, but I've always had problems with the HMPA + SBIE combo. It's probably best to block browsers and word processors from your most important data. The problem with SBIE is that you can not easily block access to a whole data-drive, and allow access to only certain folders.
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    That's how Sandboxie works (everybody has correctly confirmed that to you), but no one has said something important. This interaction between sandboxed applications and the non-sandboxed system, files and programs is what allows for a seamless experience when using Sandboxie. The way sandboxed applications interact with the non-sandboxed system is part of the beauty of Sandboxie. When I run programs sandboxed it feels exactly as if I were not running them sandboxed. Sandboxie developers could make SBIE more restricted by default, but I, as a long time Sandboxie user, do I want that? Absolutely not.
    I am just going to tell you my experience about blocking system files. I block none, never have, and never seen any malware escape the sandbox or modify any system or user files. That's as clear as I can be about that. Breakage? Yes, you'll get errors if sandboxed applications need to access a file....and you block it. You could get away from getting errors if you instead make system files Read only, but then, why do that when files outside the sandbox are Read only by default anyway, and won't be modified by sandboxed applications.

    Bo
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    AppGuard + SBIE = :thumb:
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No thanks, the only thing I like about AG is Memory Guard, but besides that I don't like it. Besides, SBIE already blocks sandboxed processes from communicating with non-sandboxed processes. So in-memory malware would not be able to inject code into system processes.
     
  22. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Perfect, throw in EAM, and EXERP.
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Perfect, if what you want is to mess up Sandboxie and a conflict.

    Bo
     
  24. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Explain your point.
    No conflict here, I've used this set-up for over 2 years now.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    So, you are saying you are using Sandboxie, AppGuard, EAM and NVT, all together doing their thing without conflicts, right?

    1. If you are using Sandboxie's paid version, your sandboxed programs must be taking a long time to pop up open when you click their icon to run them sandboxed. And deleting the sandbox has to be taking a few seconds or more. Perhaps 15 seconds. While for me, opening and closing sandboxed programs is immediate. No program interferes with Sandboxie's process in any way.

    Perhaps you don't see that as a conflict, but it is. Real time scanners scan the sandbox and do so also when you open programs sandboxed and you close them. That's what they are supposed to do. Think about this. If you get hit by malware, when you try to delete the sandbox, you'll have 3 programs interfering with Sandboxie, all fighting to do their thing, while on the other hand, for myself, there's no fighting. The Delete process is smooth and easy.

    And you never know, at the worst of times, when you get hit by some really nasty malware, when you need SBIE to be at its best to protect your computer, this bunch of programs that you have all interacting with each other actually weakens Sandboxie and instead of helping keep your PC clean, it helps the malware escape the sandbox.

    What I just wrote above can happen.

    2. There are conflicts that you don't see on the surface. Perhaps that's your case. But that doesn't mean they are not there. They are there and will flow to the surface (again) at the worst of times.

    3. To get all those programs working semi OK alongside each other, you have to be doing a lot of exclusions and allow this and allow that. And these are holes. Every time you allow something in Sandboxie, you are opening a hole.

    Bo
     