Sandboxie Acquired by Invincea

Why would it not? Shouldn't anything it touches also be copied into the sandbox?

 

Direct access is fine, malware cant take advantage of it but if you allow Full access (like Rasheed), you are opening a big hole in Sandboxie that can be taken advantage by programs you download, install, drive bys, anything running in the sandbox would have access to. So, if you are browsing using a sandbox that has Full access to some folders, you are opening a Grand Canyon type of hole, malware can get in.

Bo

 

Ok, thanks for the clarification. I was confused by this:
"I could make them download stuff inside the sandbox, but that will not help to protect against ransomware running inside the sandbox."
as it said "stuff inside the sandbox".

 

From what I understood, if ransomware runs in the sandbox itself, then all files in the sandbox are encrypted. But it won't be able to touch files outside the sandbox.

 

The problem can happen when you allow Full access, read the description for Full access.

You said you allow Full access for convenience. You shouldn't. Perhaps is OK using the setting for testing a well know program but using the setting left and right is an absolutely bad idea.




Bo

 

This is absolutely necessary because if you don't, it will confuse noobs. So the solution is to auto-sandbox all that is downloaded into certain folders on the real machine. If noobs want to install some app non-sandboxed, they should perhaps have an option to run software outside the sandbox via context-menu.

 

That was the point I was trying to get at but was unclear on whether or not full access to unsandboxed folders was allowed. I do not allow it access to anything that is not in the defaults.

 

Direct file access is safe: When you allow Direct access, only programs that are installed in your real system can have this access. Malware that gets in the sandbox, cant take advantage. Programs you install in the sandbox, cant take advantage.

The problem can happen if you allow Full access.

Bo

 

If you are using Forced Folders for your Downloads directory and want to launch a program unsandboxed, you can press "Ctrl+Shift" while you click on "Run Sandboxed". Now the program is running unsandboxed.

 

When EXE Radar Pro had an Online Help File. Full Access was, as I recall, instructed. I've always had Full Access *\mailslot\NVTInj\* in my sandboxes.

 

I think I'm starting to get confused. Basically, I give full access to some folder on the desktop. This means that noobs can save all files to this folder. If they execute ransomware, it can encrypt the whole system, no matter if you use direct or full access, correct?

Of course, like Mood said, you can use the "forced folder" feature. This means that ransomware can't encrypt files outside the sandbox, but all files inside are encrypted. Also, if the noob-user saves it to another non-forced folder, it can still encrypt the whole system. The solution would be to auto-sandbox all executables except for certain folders. Does this make sense?

 

Have you tried giving Direct file access to the folder in the desktop instead of Full access? Rasheed, you should be able to do so. You dont need to allow Full access to bypass sandboxing for downloading by a browser.

I am no malware expert or even a 1000 miles close, Rasheed. But I am not sure Forced folders is gonna help if your files get encrypted.by way of you allowing sandboxed programs Full access to a folder. Remember, Forced folders kicks in when you run a file placed in a Forced folder. So, if the ransomware can encrypt files in that folder without having to get out of the browser sandbox, just by having access, it can encrypt. But if the ransomware has to drop a file in the folder, and run from there to encrypt files in the system, then Forced folders would protect.

Bo

 

The question is if it even matters in the scenario that I described. If malware is downloaded into the folder and runs, it can encrypt files no matter if it has only direct access, is this correct? If not, then direct access should indeed do the trick.

Actually, I have always chosen direct access and NOT full access, luckily. So what would this mean, would ransomware not be able to encrypt files both in the sandbox and real system? EDIT: I just saw you already answered it.

Perhaps it's also an idea to run a tool like 360 Document Protector inside the sandboxed folder, to make sure that even if ransomware manages to encrypt files, you still have an back-up. But I'm not sure how trustworthy this tool exactly is.

https://blog.360totalsecurity.com/en/360-document-protector/

 

If you use Direct access, the ransomware can not have access to your Download folder.

If the ransomware runs in your browser sandbox, it can encrypt within the sandbox but all is gone when you delete the sandbox.

If you download the malware, and it runs out of a Forced folder, the infection is sandboxed, brother. It can not hurt you.

Bo

 

Quick question...Is it more secure to add the entire folder of a program rather than just the .exe for example TeamViewer.exe? I've always wondered this but never thought to ask.

 

The right way to force programs is to add the exe.

Bo

 

Forced Programs:
If you add TeamViewer.exe, no matter where the file is, it will be run sandboxed.
Forced Folders:
Any program in this folder will be run sandboxed.

Directory names can change sometimes (after installing of a new version), and if you forgot to add the new folder to Forced Programs, it will be run unsandboxed.
With adding of TeamViewer.exe to Forced Programs you can make sure that it will be run sandboxed.

 

Thanks guys I was just curious

 

Can someone please confirm the process of automatically opening applications sandboxed from the docker? I'm using the Default Box as ObjectDock itself is an excluded program. What I did was add the apps' exe.s to Forced Folders but sandboxing upon initial run of, say, Firefox is inconsistent. Thanks!

 

Hi plat1088, I am unfamiliar with docker or how it works but to force programs, you should use Forced programs. Forced folders is supposed to be for folders like your Downloads folders, USB drives, folders were you save files, and you want those files to run sandboxed automatically when they get executed.

So, try adding the apps' exes as forced programs. I would also create a new sandbox for this programs, for the new sandbox, dont copy settings from existing sandboxes.

Bo

 

Ah, OK. Looking at Sbie's configuration notes, it says that Forced Folders take precedence over Forced Programs, that's why I configured it that way. Yes, I had created a new sandbox for Firefox and it was recognized already, but it seems I'll need to set up another one for some others in the docker. I'm pretty confident you set this straight, so thank you in advance @bo elam. -

 

Thats even better. The more you isolate programs from each other by using separate sandboxes for different programs, the better you are (more secure, less chances of compatibility issues).

Bo

 

So... if I use SBIE 5.23.1, am I good to run Firefox 57.x on my PC now? I've been holding off.

 

Yes, you are. No need to hold off. I think most users are OK without having to do any kind of workaround. If for some reason you run into a problem, it should be easy to fix it.

Bo