Sandboxie Acquired by Invincea

The Firefox and Chrome sandbox should indeed make them harder to hack. So normally speaking I wouldn't want to disable it, unless it's causing problems with or without Sandboxie. But the thing is, even if your browser gets exploited, it's Sandboxie's job to contain malware. That's the whole point.

If you trust in your browser's own sandbox, you don't need to Sandboxie. But as we have seen in the last couple of years, it has been possible for hackers to bypass both the Chrome and Firefox sandbox, so running Sandboxie on top is not always a bad idea. It's simply an extra layer that hackers need to bypass.

 

I don't believe a word they say.

 

@Page42 That makes two of us............so far.

 

Totally agree. Since April, when the word Sophos comes to mind, I think of lies, deceit, cant be trusted, that sort of thing.

Bo

 

mood said earlier today: There might be hope on the horizon:
Comment [Sophos] (July 18, 2019)

Comment [Sophos] (July 18, 2019)

Comment [Sophos] (July 26, 2019)

Thank you mood. BUT, nine days and counting. Where is the update on the future of Sandboxie? Best to not say anything rather than stringing things along.

 

Yes, I did some of this on my old W7 system. Spent a lot of time on it, then, for some reason (corruption probably), had to build a new sandbox and decided to just forget the read restrictions. I now use Sandboxie to keep things clean when using Firefox, with auto deletion set so I don't have to worry about all of the mess that FF will accumulate. Plus no "normal" malware can attack me. Noscript and Ublock keep the ads away and HTTPs everywhere keep links secure. I love Sandboxie and will despise the day it goes away.

My point in bringing up Tzuk's comment was about how surprising it was to Me that, while using Sandboxie, your entire system was open to reading by any site you linked to. I had thought that Sandboxie completely locked you down, thus the surprise.

 

Hey Bo. Yea, as I recall you did a mini primer on how to lock down reads while using Sandboxie. Man, that was a while ago.

 

Hi @bo - if you have a moment and don't mind, would it be OK to explain step by step what to do to make it so that sandboxie can't read your system? I too, didn't realise sandboxie could do this. Reading above I understand you wrote something on the old forum about it but that's no longer available. Thanks.

 

https://www.sandboxie.com/ResourceAccessSettings
--
https://www.wilderssecurity.com/threads/sandboxie-basics-the-sandboxed-file-system.333004/
--
https://www.wilderssecurity.com/threads/sandboxie-configuration-recommendations.240008/

 

I could be wrong, but I think if you prevent all reading of the O/S from Sandboxie, you will break application compatibility. As a result, you will run into functionality issues. There has to be a certain amount of, even if it's limited, interaction with some Windows mechanisms.

 

Hi Cats, Sandboxie has settings that can be used to either block sandboxed programs from having access to files and folders, or for hiding files within a folder, but still allowing the sandboxed programs to write to that folder. You can choose the setting that best suits you. Or you can use them both, block some files and folders but use the Hide settings for other folders. See the explanation for each setting under:

Sandbox settings>Resource access>File access>Write only access/Blocked access



Personally, I rather use the Blocked access setting, and don't use Write only at all. But both settings work well and have their place for using them. I prefer to block because of preference.

Important. I believe Tzuk created this settings with personal files and folders in mind. To protect your sensitive files and folders. In other words, to be used to either block or hide the content inside your personal files and folders from being accessed by programs that run in the sandbox, by using this settings, sandboxed programs cant read or steal your sensitive files. By using Blocked access, sandboxed programs are blocked completely from having access to folders and files. By using Write only, sandboxed programs can write to folders but cant read or see files inside those folders.

This settings can also be used to hide or block System files, AppData files, but IMO, this is not necessary as the system is by default Read only (sandboxed programs cant modify real system files), and doing it, can create issues. Why? Like WAT said, sandboxed programs require having access to the system and AppData to work, sandboxed programs need to interact with the system and AppData to work properly, without this interaction, they wouldn't work.

If someone wants some sort of "more" protection for system files, is probably best to use the Read only access setting (see picture above). By using this setting, sandboxed programs can still read files but files and folders were you apply this setting will not suffer any modification within the sandboxed environment. Personally, I dont think is necessary at all to hide, block or set as read only system files or folders/AppData files or folders, but, it can be done if someone wants to do it. I dont block or hide any System or AppData file or folder, and only use this settings to protect my sensitive data.

Bo

 

Firefox is NOT your problem if it happen. intrusion comes regular from system (installed adware) and that always effects firefox whether sandboxed or not. in your case it looks like your profile is outside sandboxie. pity.

 

I actually have no idea what you are going on about.

 

Thanks bjm and wat0114 - lots to consider in all those links. Bo - thanks so much for the comprehensive explanation. All very helpful!

 

Seems we are experiencing quite a dry spell as far as Sandboxie beta releases.
5.31.2 was last one, and it came out a couple of months ago.

 

Hi Page. I am going to say something that perhaps I shouldn't, but I will. Beta 5.31.3 has been ready for more than 3 weeks. But Sophos has not given the green light to release it.

Bo

 

Hi Bo,
And it's not that the next beta is bound to be so spectacular. Frequent beta releases are simply a reflection of a software that is under constant development. The drop off from a high rate of beta releases tells me this software is headed for Abandonwareville.

 

You are welcome, cats. Let me give you more details that might help.

After you read my previous reply to your question, now you know, that if you want to block access to folders and files or set folders as Write only, you open the Window in Sandbox settings that's pictured in that post. If you notice, in that picture, its written, "The list below applies to All programs". It says that because that's how I set access to those folders and files (total block), but there are other options how access can be set.

For example, if you only want one program to be blocked from having access to files and/or folders, after you open the window in Sandbox settings, you click Add program, select the program. Now the access setting window would look like in the picture below. Next step would be to click "Add" for navigating to the files and/or folders you want this program to be forbidden to have access to. And select them. After you are done, the list of files and folders selected would be blocked or forbidden to be written to by the program.exe labeled in the Drop down window. And all other programs that run in the sandbox, will still be permitted access.



If you would like to make things the opposite. In other words, forbid all programs that run in the sandbox from having access to files and/or folders, except one program (the one exe that labels the drop down window). Then, you click the Exclamation blue icon to the right of the Drop down window. This click reverses the setting. Look at picture below.



After doing so, the window will look like below. See where it says, "The list below applies to all programs except program.exe".




There are a lot options. And every option has its uses. Like I told you earlier, I prefer to use total block but I ll give some examples how settings folders as Write only can be helpful. For example. I have now Firefox 68.0.1. If I wanted to test Firefox 69 as if it was a brand new installation, you can do that installing it sandboxed, but you would have to set Firefox folders in AppData as Write only, otherwise, the installation would go thru as an upgrade of Firefox 69 over 68. By setting the AppData folders as Write only, Firefox would be able to write new files to those folders but the existing files in those folders will be like they are not there to the installation. If instead of using Write only, I blocked access to the Firefox folders in AppData, the installation in the sandbox would give errors and fail. This is one type of case use were using Write only works perfectly.

Another case example were I can see the usefulness of using Write only is, if you wanted to hide the content of your Downloads folder but still be able to download to that folder. If you wanted to do something like that, you would set your Downloads folder as Write only in your browser sandbox. This are examples that can give you ideas of where and why to use one setting or the other.

Bo

 

Thanks Bo. I have to say this is all a little more comprehensive than I realised, lol. I think perhaps I should revisit this thread when I am not quite so sleep deprived before I make changes. Basically I would just like to prevent sandboxie from being able to read my user folders (docs, pics, onedrive etc). Not that I have anything terribly interesting to anyone else, but I do value my privacy. I don't want to make adjustments than run the risk of breaking stuff or causing errors though. Thanks again Bo - I really appreciate you taking the time to explain all this. The only adjustment I've made to my my sandboxie installations (other than create several sandboxes), it to set each sandbox to auto-delete. Otherwise my set up is "out of the box" as it were.

 

Constant development isn't really required on the well-being of a soft, a well coded soft shouldn't need tons of beta updates, just security/bug fixes if noticeable issues are discovered.
If the soft doesn't get new features, has few minor bugs but its mechanism's efficiency/compatibility performs properly, you won't see much updates.

 

The SuperEasy way to do what you want. Lets say, your sensitive files and folders are located in C:\Users\catspyjamas\Documents.

Open Sandboxie control, go to Sandbox settings>Resource access>File access>Blocked access, Click Add, navigate to C:\Users\catspyjamas\Documents, select the Documents folder, and click Apply. Thats it.

By setting your Documents folder that way, no program that runs in the sandbox will be able to read, or steal any files that are within the Documents folder.

If you like to check that the setting is working, try uploading a file thats within that folder to Virus total, or uploading a picture that you have in that folder to an image hosting site and access will be denied. You wont be able to do it as access to that folder is blocked.

Cats, this is simple stuff. Tzuk made things simple in Sandboxie. We users complicate things changing things from default too much.

Personally, I think thats fine. I think Default was created with the perfect balance between security and usability in mind by Tzuk. Out of the box, very easy, to just install Sandboxie and start using it with very little knoledge required.

Other than setting sandboxes to auto delete (like you are doing), and protecting your sensitive files, the only other changes from default that I think are a must do, is to allow bookmarks to be saved out of the sandbox in browser sandboxes. And to set saving downloads out of the sandbox (recovering files out of the sandbox). I think doing this things is important for better usability, for convenience.

Bo

 

thats the major problem concerning firefox and users and or sandbox. people often think that firefox is causing adware - but the opposite is. adware/malware is a matter of system (operation system, OS), not firefox. adware harms the profile, maybe firefox. so it does not matter if you use firefox inside the box or outside while adware is working outside. the result ofc - page content and more stays in the box but that wont matter after box deletion.

if your (firefox) profile is outside sandboxie then its vulnerable.
if your firefox installation is outside sandboxie then its vulnerable.
a sandbox wont help this way.

thats all about the latest discussion between guest and bo here with no result. sorry for warming it up again, wont be continued.

all about closedfilepath was written. from my view it is not needed when running firefox with a decent adblocker in the box.

 

Ok

 

I've made multiple attempts this evening (July 31, 2019) to access the "temporary" Sandboxie forum at Sophos. But it appears to be down.

 

No problems here.