Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Once again it comes down to one's perspective on how these types of exploits can be avoided. From the links provided in post #5949, this new Angler exploit kit re-directs the victim to a malicious site, then scans for and attempts to exploit outdated and vulnerable Flash, Adobe, Java and Silverlight plug-ins.

    From my humble perspective I would simply rely on using a browser script control extension to avoid the malicious site re-direct, and keep all my browser plug-ins updated, and especially avoid Flash.
     
    Last edited: Dec 26, 2019
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I believe you're missing the point. I completely agree that the chance you will get infected by some in-memory browser exploit is very small. Especially if you're using ad-blockers + anti-executable software. Most of these attacks will still try to download and run some file from disk, or they will try to use one of the LOLBins. I guess pulling off a complete in-memory attack is simply way too hard. Plus, if the user exits the exploited app, the infection is gone.

    But the point that I was trying to make is that SRP and whitelisting won't help in certain cases. Like I already said, you can also get lured to a website, and adblockers won't help then. And don't forget that the browser itself can also be targeted, it's not just browser plugins. See the link that I posted about the "Coinbase" attack on Firefox, where two browser exploits were used to get remote code execution plus a browser sandbox bypass. So these guys didn't even need a Windows zero day exploit.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I have stopped following VS since the developer left this forum, and I always found it to be more complex than EXE Radar. About HMPA, its main objective is to block exploits and ransomware, I believe that is clearly stated on the website. The reason why I chose not to use tools like HMPA and MBAE is because I'm afraid they will at some point start to conflict with Sandboxie, since they are both "hooking" the browser. And like I said, the chances of ever getting infected with in-memory malware are extremely small.
     
  4. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    First, Voodoo is very good at blocking all forms of malware. Except for the kind of malware that HMPA is specifically meant to stop. It's also good at stopping DLL injections and every kind of fileless malware that uses code inside of one application to command a Windows system file or any other application you've added to the vulnerable apps list, like conhost, net, reg and all the others. You can also tell Voodoo to never allow by a parent process, thereby eliminating the need to add to the list of default vulnerable apps. Adding even the free version of Voodoo to a system with Sandboxie is an unbeatable combination.

    To the possible issue of conflicts with Sandboxie. There's a setting you can add to the configuration file that makes HMPA work with Sandboxie. And since the two products are owned by the same parent company, Sophos, the two products work just fine with each other as long as the entry for HMPA is added to the global rules.

    I can't get any of NoVirusThanks' products to run smoothly on my PC. Every time I open one of their UIs I get errors over and over.

    If what you have works, like...REALLY works, and doesn't JUST run smoothly, then why change your setup?
     
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    Angler (the article is from 2014; it was retired in 2016) has already been replaced with two or more sequels - [...], Neutrino, Empire, then Nebula. Don't mind him.
    Reason not to care for people using this on purpose. And of course a vulnerable browser is needed.
    But the major problem is that all EKs are tested against all current antivirus programs and are non-detectable this way. And anti-exploit tools may (!) ask after a learning period, but EKs are clever.

    Do note that malware.dontneedcoffee is not up to date and no longer relevant. You need to follow external content.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes exactly, I'm sure VS is pretty good, but I never really liked it. If in-memory malware was a huge problem then I would be using HMPA or MBAE, but luckily it isn't. Most of these attacks are still file based and they often use LOLBins. I know that HMPA should be compatible with SBIE, but this may always change after updates, I've seen it myself. Anti-executable + sandbox is good enough protection for me.

    I can see that you still don't get it. It's not about the Angler exploit-kit! What I was trying to explain to wat0114, is that it was only an example of how in-memory malware can bypass SRP. Yes, just like most exploit-kits, Angler was using malvertising and tried to exploit browser plugins, but that's not the only way you can get infected via browser exploits, is it? Have you ever heard of social engineering?
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Just for informational purposes, here are some links about the "Coinbase" attack which used a couple of Firefox zero days. And no, they didn't use in-memory malware, but they could have if they wanted to.

    And no, Sandboxie isn't the only protection tool which could have mitigated this attack. And yes, an adblocker or scriptblocker might have helped, but that's not the point. The hackers could have also asked for users to disable those extensions.

    https://blog.coinbase.com/responding-to-firefox-0-days-in-the-wild-d9c85a57f15b
    https://www.technologyreview.com/s/...oinbase-was-scary-good-even-though-it-failed/
    https://www.zdnet.com/article/firef...ack-against-coinbase-employees-not-its-users/
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    @Rasheed187

    Thank you for those links. They're interesting, but far from mind blowing. Three things I, personally, get from them:

    1. If the email recipient hovers their pointer over the sender's email address, they'll see it's not from Gregory Harris.

    2. No one should frivolously be clicking on email links.

    3. There are many ways of dealing with software potentially vulnerable to zero day attacks, several of which you and others have discussed. My way is non-mainstream, to say the least, so it's not really worth mentioning here, but it's effective.

    Actually, your way is also non-mainstream. Mainstream is antivirus :rolleyes:
     
    Last edited: Dec 27, 2019
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I never said it was mind blowing. In fact, most of these attacks can be stopped with current security tools. But there is a difference between us over here on WSF and 95% of the rest of the world. They would likely fall for this stuff. And yes, people shouldn't be clicking on email links. But it's easier said than done, especially if social engineering plays a role. Remember, these guys were being tricked.

    But this is yet another reason why Sandboxie is so cool. With some extra configuration, you can use it as a process execution blocker, this way people can still normally install software, without having to disable SRP or whitelisting, and browser exploits are blocked and contained inside the sandbox. You could even block file access to protect against data-stealing trojans that run in-memory. So Sandboxie is actually more than simply containment.
     
  10. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    I have a whole bunch of global rules protecting critical stuff on my system in sandboxie. I also have blocked access rules for my sandboxes.
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    If your security relies on Sandboxie, just do it. For real, it would fail anyway. Sandboxie is hicing, not more. HMPA is part of a concept, but not more. Basic and good security is delivered with Windows.
     
  12. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    I'd like to run Cliqz browser with Sandboxie. It does not work the regular way.
    Need some help.
     
  13. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Rename the cliqz.exe to firefox.exe. Re-Create/Update shortcuts. Done. ^^

    P.S. Remember to redo the rename after an update!
    Optionally you may want to open a request with Sophos so that they *might* consider adding cliqz.exe as a Firefox-based browser internally to automatically apply the same rules, but I wouldn't hold your breath.
     
    Last edited: Dec 29, 2019
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Did you install it inside the sandbox? Sometimes it won't work, then you would need to install it outside the sandbox (if you trust it), and then you can force it to run sandboxed. Go to Sandbox Settings --> Program Start --> Forced Folders or Forced Programs. That should work normally speaking.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    What are you babbling? No BS please, keep it to yourself. Thanks in advance.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The only problem is that to me the file protection part is not that user-friendly. You can't exclude folders and there is no way to quickly disable it if you need access to certain files.

    But the thing that makes SBIE so cool besides the ability to block exploits, is app virtualization. I can run or even install apps without having to worry they might pollute my system. I currently run Opera, Brave, Edge, Firefox and Chrome all sandboxed. And when I want to get rid of them I only have to clean the sandbox, no need to uninstall. After all these years I still think this is awesome. :thumb:
     
  17. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    Thank you.
     
  18. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    How do you get Edge working with Sandboxie?
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I downloaded one of the first beta versions, and I was able to install it inside the sandbox. I can't tell you if the newest version will also work, I haven't tried it yet. It depends on if Sandboxie supports it. Often, portable versions work just fine. I use portable versions of Firefox and Brave. I was able to install Vivaldi, Opera, Chrome (old version) and Edge inside the sandbox.
     
  20. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    SBIE is not capable of running Edge or any other Win app under virtualization. But you can run Edge Chromium under supervision of SBIE. But, with every new update, you might run into issues with it.
     
    Last edited: Dec 29, 2019
  21. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    The reason for this is most likely that Edge runs as AppContainer, while Chromium Edge still hasn't enabled AppContainer by default.

    As was mentioned before, Sandboxie is not compatible with AppContainer.
     
  22. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    yes, that is the reason.
     
  23. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    Sorry, I'm having trouble figuring out what you're trying to say. Are you saying Sandboxie is good or bad? What does "hicing" mean?

    As for the argument that all you need is the security built into Windows: well, Windows Defender has a good database, but as soon as it encounters a threat it can't identify on the spot, it can't protect you from it.
     
  24. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    Not all of my sandboxes have rules to protect my personal files. Just the ones where I use my I.M. clients and web browsers and such. But all of those sandboxes have admin rights auto-denied.

    And yes, Sandboxie is more than just security, you can use it as a tool to contain any changes made by software while you're using it and then with two clicks, you can wipe out those changes in a few seconds.
     
    Last edited: Dec 29, 2019
  25. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I won't argue on that front, MUCH.

    There certainly isn't an EASY way...but there are ways...

    Sandboxie allows you to create ClosedFilePath= rules with exclusions (!). These exclusions can be created via ProcessGroup=<GroupName>,1.exe,2.exe etc., but obviously, like all the other things in SBIE, they require that you restart the program in the box.

    In fact I made heavy use of such group rules in my ini back in the day....and they were mostly in the global (aka generic) template as it happens ^^

    Here is a heavily redacted and likely nearly pointless ini from way back when I still used Sandboxie that I will instead now use to reinforce my point:

    [GlobalSettings]

    ActivationPrompt=y
    BorderColor=#00FFFF,off
    EditAdminOnly=y
    FileRootPath=S:\Data\zzBOX\%SANDBOX%
    ForceDisableAdminOnly=y
    ForceDisableSeconds=1200
    ForgetPassword=y
    MonitorAdminOnly=yes
    Template=AutoRecoverIgnore
    Template=GenericRules
    Template=WindowsMedia
    TemplateReject=7zipShellEx
    TemplateReject=ActualWindowManager
    TemplateReject=LingerPrograms
    TemplateReject=OfficeLicensing

    [Template_AKL]

    InjectDll=C:\Program Files\zSecurity\Sandboxie\Addons\AKL\SbieAKL.dll
    InjectDll64=C:\Program Files\zSecurity\Sandboxie\Addons\AKL\SbieAKL_64.dll
    Tmpl.Class=Security
    Tmpl.Title=AntiKeyLogger

    [Template_BPA]

    InjectDll=C:\Program Files\zSecurity\Sandboxie\Addons\BPA\sbiextra.dll
    InjectDll64=C:\Program Files\zSecurity\Sandboxie\Addons\BPA\sbiextra_x64.dll
    Tmpl.Class=Security
    Tmpl.Title=Block Process Access

    [Template_BPAmSI]

    InjectDll=C:\Program Files\zSecurity\Sandboxie\Addons\BPA_NoSysInfoProt\sbiextra.dll
    InjectDll64=C:\Program Files\zSecurity\Sandboxie\Addons\BPA_NoSysInfoProt\sbiextra_x64.dll
    Tmpl.Class=Security
    Tmpl.Title=Block Process Access (-NtQuerySystemInformation)

    [Template_GenericRules]

    AllowSpoolerPrintToFile=n
    AutoDelete=y
    AutoRecover=n
    BlockIEEmbedding=y
    BlockNetworkFiles=y
    BlockPassword=y
    BoxNameTitle=-
    ClosedFilePath=!<Adobe>,*\Appz\*\Adobe
    ClosedFilePath=!<Browsers>,*\Appz\*\Browser
    ClosedFilePath=!<ExcludePipe>,*\Device\NamedPipe
    ClosedFilePath=!<ExcludePipe>,*\Device\NamedPipe\
    ClosedFilePath=!<ExcludeQoS>,*\Windows\*qwave.dll
    ClosedFilePath=!<ExcludeQoS>,*\Windows\*traffic.dll
    ClosedFilePath=!<ExcludeVDrive>,\Device\HarddiskVolume11
    ClosedFilePath=!<ExcludeVDrive>,V:\
    ClosedFilePath=!<ExcludeWDrive>,\Device\HarddiskVolume13
    ClosedFilePath=!<ExcludeWDrive>,W:\
    ClosedFilePath=!<ExcludeXDrive>,\Device\HarddiskVolume6
    ClosedFilePath=!<ExcludeXDrive>,X:\
    ClosedFilePath=!<Gamez>,W:\Ent\zGames
    ClosedFilePath=!<Media>,*\Appz\zMulti\MPC
    ClosedFilePath=!<Media>,*\Appz\*\MediaPlayer
    ClosedFilePath=!<MPC>,*\Ent\Movies
    ClosedFilePath=!<MPC>,*\Ent\Shows
    ClosedFilePath=!<Origin>,*\Origin
    ClosedFilePath=!<Origin>,*\Appz\*\Origin
    ClosedFilePath=!<Office>,*\Appz\*\Office
    ClosedFilePath=!<Steam>,*\Steam
    ClosedFilePath=!<Steam>,*\Appz\*BOX\Steam
    ClosedFilePath=!<TeamViewer>,*\Appz\*\TeamViewer
    ClosedFilePath=!<WinSCP>,*\Appz\*\WinSCP
    ClosedFilePath=*\Microsoft\Windows\Start Menu\Programs
    ClosedFilePath=*\Appz\*.lnk
    ClosedFilePath=*\Appz\*\Adobe\Illustrator
    ClosedFilePath=*\Appz\zzShorcuts
    ClosedFilePath=*\Appz\*.bat
    ClosedFilePath=*\Appz\*\UltraISO
    ClosedFilePath=*\Appz\zSystem
    ClosedFilePath=*\Appz\zzBoxBackups
    ClosedFilePath=*\Program Files\zSystem
    ClosedFilePath=*\System Volume Information
    ClosedFilePath=*\Users\*\Start Menu\*.lnk
    ClosedFilePath=*\Users\Default
    ClosedFilePath=*\Users\*\Desktop\*.*
    ClosedFilePath=*\VMware\
    ClosedFilePath=*\Windows*uwf*
    ClosedFilePath=*\Windows*.mof
    ClosedFilePath=*\Windows\System\
    ClosedFilePath=*\Windows\Sandboxie.ini
    ClosedFilePath=*\Windows\ServiceProfiles
    ClosedFilePath=*\Windows\Web
    ClosedFilePath=*\Windows\*\Config
    ClosedFilePath=*\Windows\*\drivers
    ClosedFilePath=*\Windows\*\DriverStore
    ClosedFilePath=*\Windows\*\GroupPolicy
    ClosedFilePath=*\Windows\*\WindowsPowerShell
    ClosedFilePath=*\Windows\*\slmgr
    ClosedFilePath=*\Windows\*\spp
    ClosedFilePath=*\Windows\*\wbem
    ClosedFilePath=*\Windows\*\winevt
    ClosedFilePath=*\Windows\*Tasks
    ClosedFilePath=*\Windows\*\aspnet_*.exe
    ClosedFilePath=*\Windows\*\at.exe
    ClosedFilePath=*\Windows\*\attrib.exe
    ClosedFilePath=*\Windows\*\auditpol.exe
    ClosedFilePath=*\Windows\*\auto*.exe
    ClosedFilePath=*\Windows\*\bash.exe
    ClosedFilePath=*\Windows\*\bcd*.exe
    ClosedFilePath=*\Windows\*\bginfo.exe
    ClosedFilePath=*\Windows\*\bitsadmin.exe
    ClosedFilePath=*\Windows\*\boot*.exe
    ClosedFilePath=*\Windows\*\byte*.exe
    ClosedFilePath=*\Windows\*\cdb.exe
    ClosedFilePath=*\Windows\*\cert*.exe
    ClosedFilePath=*\Windows\*\cmd.exe
    ClosedFilePath=*\Windows\*\consent.exe
    ClosedFilePath=*\Windows\*\csc.exe
    ClosedFilePath=*\Windows\*\csi.exe
    ClosedFilePath=*\Windows\*\dbg*.exe
    ClosedFilePath=*\Windows\*\debug*.exe
    ClosedFilePath=*\Windows\*\device*.exe
    ClosedFilePath=*\Windows\*\dfsvc*.exe
    ClosedFilePath=*\Windows\*\disk*.exe
    ClosedFilePath=*\Windows\*\dism.exe
    ClosedFilePath=*\Windows\*\dnx.exe
    ClosedFilePath=*\Windows\*\eventvwr.exe
    ClosedFilePath=*\Windows\*\fsi*.exe
    ClosedFilePath=*\Windows\*\fsutil.exe
    ClosedFilePath=*\Windows\*\gp*.exe
    ClosedFilePath=*\Windows\*\ieexec.exe
    ClosedFilePath=*\Windows\*\iexplore.exe
    ClosedFilePath=*\Windows\*\inf*.exe
    ClosedFilePath=*\Windows\*\ipconfig.exe
    ClosedFilePath=*\Windows\*\journal.exe
    ClosedFilePath=*\Windows\*\jsc.exe
    ClosedFilePath=*\Windows\*\kd.exe
    ClosedFilePath=*\Windows\*\mmc.exe
    ClosedFilePath=*\Windows\*\mrsa.exe
    ClosedFilePath=*\Windows\*\msbuild.exe
    ClosedFilePath=*\Windows\*\msinfo32.exe
    ClosedFilePath=*\Windows\*\net*.exe
    ClosedFilePath=*\Windows\*\nslookup.exe
    ClosedFilePath=*\Windows\*\ntkd.exe
    ClosedFilePath=*\Windows\*\ntsd.exe
    ClosedFilePath=*\Windows\*\odbcconf.exe
    ClosedFilePath=*\Windows\*\pkgmgr.exe
    ClosedFilePath=*\Windows\*\quser.exe
    ClosedFilePath=*\Windows\*\rcsi.exe
    ClosedFilePath=*\Windows\*\runas.exe
    ClosedFilePath=*\Windows\*\runonce.exe
    ClosedFilePath=*\Windows\*\sc.exe
    ClosedFilePath=*\Windows\*\services.exe
    ClosedFilePath=*\Windows\*\setx.exe
    ClosedFilePath=*\Windows\*\stash.exe
    ClosedFilePath=*\Windows\*\syskey.exe
    ClosedFilePath=*\Windows\*\systeminfo.exe
    ClosedFilePath=*\Windows\*\systemreset.exe
    ClosedFilePath=*\Windows\*\take*.exe
    ClosedFilePath=*\Windows\*\vbc.exe
    ClosedFilePath=*\Windows\*\vss*.exe
    ClosedFilePath=*\Windows\*\arp.exe
    ClosedFilePath=*\Windows\*\wbadmin.exe
    ClosedFilePath=*\Windows\*\WFServicesReg.exe
    ClosedFilePath=*\Windows\*\whoami.exe
    ClosedFilePath=*\Windows\*\windbg.exe
    ClosedFilePath=*\Windows\*\winrs*.exe
    ClosedFilePath=*\Windows\*\wmic.exe
    ClosedFilePath=*\Windows\*\*.msc*
    ClosedFilePath=*\Windows\*\*asm.exe
    ClosedFilePath=*\Windows\*\*cacls.exe
    ClosedFilePath=*\Windows\*\*iexpress.exe
    ClosedFilePath=*\Windows\*\*legacy*.exe
    ClosedFilePath=*\Windows\*\*install*.exe
    ClosedFilePath=*\Windows\*\*script.exe
    ClosedFilePath=*\Windows\*\*settings.exe
    ClosedFilePath=*\Windows\*\*task*.exe
    ClosedFilePath=*\Windows\*reg*.exe
    ClosedFilePath=*\Windows\*runscript*.exe
    ClosedFilePath=*\Windows\*cscapi.dll
    ClosedFilePath=*\Windows\*keymgr.dll
    ClosedFilePath=*\Windows\*linkinfo.dll
    ClosedFilePath=*\Windows\*lxssmanager.dll
    ClosedFilePath=*\Windows\*mstasks.dll
    ClosedFilePath=*\Windows\*scrobj.dll
    ClosedFilePath=*\Windows\*system.management.automation.dll
    ClosedFilePath=*\Windows\*tscfgwmi.dll
    ClosedFilePath=*\Windows\*virtdisk.dll
    ClosedFilePath=*\Windows\*wininet.dll
    ClosedFilePath=*\Windows\*netjoin.dll
    ClosedFilePath=*\Windows\System32\Microsoft
    ClosedFilePath=*\Users\Public
    ClosedFilePath=*\zEngine
    ClosedFilePath=*$Recycle.Bin
    ClosedFilePath=*PowerShell\*
    ClosedFilePath=*.scf
    ClosedFilePath=*.sys
    ClosedFilePath=*:\boot*
    ClosedFilePath=!<ExcludeMisc>,*:\Misc
    ClosedFilePath=*:\Y
    ClosedFilePath=\Harddisk*\DR*
    ClosedFilePath=\Device\*Ip6
    ClosedFilePath=\Device\000000
    ClosedFilePath=\Device\AppID
    ClosedFilePath=\Device\COM
    ClosedFilePath=\Device\FsWrap
    ClosedFilePath=\Device\*HarddiskVolume1
    ClosedFilePath=\Device\HarddiskVolume5
    ClosedFilePath=\Device\HarddiskVolume7
    ClosedFilePath=\Device\HarddiskVolume8
    ClosedFilePath=\Device\HarddiskVolume10
    ClosedFilePath=\Device\HarddiskVolume12
    ClosedFilePath=\Device\HarddiskVolume14
    ClosedFilePath=\Device\HarddiskVolume15
    ClosedFilePath=\Device\HarddiskVolume16
    ClosedFilePath=\Device\HarddiskVolume17
    ClosedFilePath=\Device\HarddiskVolume18
    ClosedFilePath=\Device\HarddiskVolume19
    ClosedFilePath=\Device\HarddiskVolume20
    ClosedFilePath=\Device\HarddiskVolume21
    ClosedFilePath=\Device\HarddiskVolume22
    ClosedFilePath=\Device\HarddiskVolume23
    ClosedFilePath=\Device\HarddiskVolume24
    ClosedFilePath=\Device\HarddiskVolume25
    ClosedFilePath=\Device\HarddiskVolume26
    ClosedFilePath=\Device\HarddiskVolume27
    ClosedFilePath=\Device\HarddiskVolume28
    ClosedFilePath=\Device\HarddiskVolume29
    ClosedFilePath=\Device\HarddiskVolume30
    ClosedFilePath=\Device\HarddiskVolume31
    ClosedFilePath=\Device\HarddiskVolume32
    ClosedFilePath=\Device\HarddiskVolume33
    ClosedFilePath=\Device\HarddiskVolume34
    ClosedFilePath=\Device\HarddiskVolume35
    ClosedFilePath=\Device\HarddiskVolume36
    ClosedFilePath=\Device\HarddiskVolume37
    ClosedFilePath=\Device\HarddiskVolume38
    ClosedFilePath=\Device\HarddiskVolume39
    ClosedFilePath=\Device\HarddiskVolume40
    ClosedFilePath=\Device\HarddiskVolume41
    ClosedFilePath=\Device\HarddiskVolume42
    ClosedFilePath=\Device\HarddiskVolume43
    ClosedFilePath=\Device\HarddiskVolume44
    ClosedFilePath=\Device\HarddiskVolume45
    ClosedFilePath=\Device\HarddiskVolume46
    ClosedFilePath=\Device\HarddiskVolume47
    ClosedFilePath=\Device\HarddiskVolume48
    ClosedFilePath=\Device\HarddiskVolume49
    ClosedFilePath=\Device\HarddiskVolume90
    ClosedFilePath=\Device\HarddiskVolume91
    ClosedFilePath=\Device\HarddiskVolume92
    ClosedFilePath=\Device\HarddiskVolume93
    ClosedFilePath=\Device\HarddiskVolume94
    ClosedFilePath=\Device\HarddiskVolume95
    ClosedFilePath=\Device\HarddiskVolume96
    ClosedFilePath=\Device\HarddiskVolume97
    ClosedFilePath=\Device\HarddiskVolume98
    ClosedFilePath=\Device\HarddiskVolume99
    ClosedFilePath=\Device\HarddiskVolume110
    ClosedFilePath=\Device\hc
    ClosedFilePath=\Device\*IPSEC*
    ClosedFilePath=\Device\MountPointManager
    ClosedFilePath=\Device\Mup\
    ClosedFilePath=\Device\NamedPipe\srvsvc
    ClosedFilePath=\Device\NamedPipe\wkssvc
    ClosedFilePath=\Device\NDMP
    ClosedFilePath=\Device\NetBT
    ClosedFilePath=\Device\NTPNP
    ClosedFilePath=\Device\PROCEXP
    ClosedFilePath=\Device\RaidPort
    ClosedFilePath=\Device\sam
    ClosedFilePath=\Device\SPDevice
    ClosedFilePath=\Device\USB
    ClosedFilePath=\Device\Video
    ClosedFilePath=\Device\Partmgr
    ClosedFilePath=\Device\VM
    ClosedFilePath=\Device\Volmgr
    ClosedFilePath=\Device\vstor
    ClosedFilePath=\Device\WFP
    ClosedFilePath=\Device\WMI
    ClosedFilePath=A:\
    ClosedFilePath=B:\
    ClosedFilePath=C:\*\zMulti*
    ClosedFilePath=D:\
    ClosedFilePath=E:\
    ClosedFilePath=F:\
    ClosedFilePath=G:\
    ClosedFilePath=H:\
    ClosedFilePath=I:\
    ClosedFilePath=J:\
    ClosedFilePath=K:\
    ClosedFilePath=L:\
    ClosedFilePath=M:\
    ClosedFilePath=N:\
    ClosedFilePath=O:\
    ClosedFilePath=P:\
    ClosedFilePath=Q:\
    ClosedFilePath=R:\
    ClosedFilePath=T:\
    ClosedFilePath=U:\
    ClosedFilePath=V:\zMisc
    ClosedFilePath=V:\VM
    ClosedFilePath=Y:\
    ClosedFilePath=Z:\
    ClosedIpcPath=!<ExcludeLogon>,\RPC Control\SECLOGON
    ClosedIpcPath=*\BaseNamedObjects\*Explorer:*cache*
    ClosedKeyPath=*\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso
    ClosedKeyPath=*\Software\Classes*\UltraISO*
    ClosedKeyPath=*\SOFTWARE\Classes\.iso
    ClosedKeyPath=*7-Zip*
    ClosedKeyPath=*Actual Tools*
    ClosedKeyPath=*b5eedee0-c06e-11cf-8c56-444553540000*
    ClosedKeyPath=*F9717507-6651-4EDB-BFF7-AE615179BCCF*
    ClosedKeyPath=*C39EE728-D419-4BD4-A3EF-EDA059DBD935*
    ClosedKeyPath=*EasyBoot Systems*
    ClosedKeyPath=*ImgBurn*
    ClosedKeyPath=*ue64ctmn.dll*
    ClosedKeyPath=*uedit64*
    ClosedKeyPath=*UltraEdit*
    ClosedKeyPath=*VMWare*
    ClosedKeyPath=*WinInet*
    ClosedKeyPath=HKEY_LOCAL_MACHINE\BCD00000000
    ClosedKeyPath=HKEY_LOCAL_MACHINE\HARDWARE
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\diskpt
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\mountmgr
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\PROC*
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\Ras*
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\RTL*
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\Term*
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\uwf*
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\vhd*
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\VM*
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\vol*
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\*\services\vstor2*
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SYSTEM\WPA
    ClosedKeyPath=HKEY_USERS\z
    ConfigLevel=7
    DropAdminRights=y
    LingerProcess=dllhost.exe
    LingerProcess=rundll32.exe
    NeverDelete=n
    NotifyStartRunAccessDenied=n
    NotifyInternetAccessDenied=n
    OpenProtectedStorage=n
    ProcessGroup=<Downloads>,<Adobe>,<Browsers>,<Office>
    ProcessGroup=<ExcludeCodec>,<TeamViewer>
    ProcessGroup=<ExcludeLogon>,<NothingYet>
    ProcessGroup=<ExcludeVDrive>,<SBIE>,<Downloads>,<NetFlix>,<Office>,<Origin>,<Steam>
    ProcessGroup=<ExcludeWDrive>,<Media>
    ProcessGroup=<ExcludeXDrive>,<Media>
    ProcessGroup=<ExcludePipe>,<MC>,<Origin>,<Steam>
    ProcessGroup=<SBIE>,SandboxieCrypto.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,Start.exe
    ProcessGroup=<StartRunAccess>,dllhost.exe,rundll32.exe
    ReadFilePath=!<ExcludeWindows>,C:\Windows
    ReadFilePath=*\Microsoft\Windows\Explorer
    ReadFilePath=C:\Program Files*\zSecurity
    TemplateReject=WindowsFontCache
    Tmpl.Class=Security
    Tmpl.Title=Generic Restrictions
    WriteKeyPath=*\Control Panel\International*
    WriteKeyPath=*\SOFTWARE\*CurrentVersion\Uninstall*
    WriteKeyPath=*\SOFTWARE\*Policies*

    [Template_IP6]

    ClosedFilePath=*\Windows\*\dhcpcsvc6.dll
    ClosedFilePath=*\Windows\*\ras*.dll
    ClosedFilePath=*\Windows\*\wlan*.dll
    ClosedFilePath=*\Windows\*\wship6.dll
    ClosedIpcPath=\RPC Control\dhcpcsvc6
    Tmpl.Class=Security
    Tmpl.Title=IP6, RAS and WLan

    [Template_WindowsMedia]

    ClosedFilePath=!<ExcludeCodec>,*\Windows\*\WindowsCodec*.dll
    ClosedFilePath=!<ExcludeCodec>,*\Windows\*\WMA*.dll
    ClosedFilePath=!<ExcludeCodec>,*\Windows\*\WMC*.dll
    ClosedFilePath=!<ExcludeCodec>,*\Windows\*\WMD*.dll
    ClosedFilePath=!<ExcludeCodec>,*\Windows\*\WMP*.dll
    ClosedFilePath=!<ExcludeCodec>,*\Windows\*\WMS*.dll
    ClosedFilePath=!<ExcludeCodec>,*\Windows\*\WMV*.dll
    Tmpl.Class=Security

    [UserSettings_Portable]

    SbieCtrl_ActiveView=40021
    SbieCtrl_AddContextMenu=y
    SbieCtrl_AddDesktopIcon=n
    SbieCtrl_AddQuickLaunchIcon=n
    SbieCtrl_AddSendToMenu=n
    SbieCtrl_AlwayOnTop=n
    SbieCtrl_AutoApplySettings=y
    SbieCtrl_AutoRunSoftCompat=n
    SbieCtrl_EditConfNotify=n
    SbieCtrl_EnableAutoStart=y
    SbieCtrl_EnableLogonStart=n
    SbieCtrl_HideWindowNotify=n
    SbieCtrl_NextUpdateCheck=1511831252
    SbieCtrl_ProcessViewColumnWidths=184,70,154
    SbieCtrl_ReloadConfNotify=n
    SbieCtrl_SettingChangeNotify=n
    SbieCtrl_ShouldDeleteNotify=n
    SbieCtrl_ShowWelcome=n
    SbieCtrl_TerminateNotify=n
    SbieCtrl_TerminateWarn=n
    SbieCtrl_UpdateCheckNotify=n
    SbieCtrl_UserName=Portable
    SbieCtrl_WindowCoords=1157,93,442,775
    SbieCtrl_HideMessage=2314,gldriverquery.exe
    SbieCtrl_HideMessage=2314,7zFM.exe
    SbieCtrl_HideMessage=2314,adobe_licutil.exe
    SbieCtrl_BoxExpandedView=,

    [Adobe]

    AutoDelete=n
    BlockPort=*
    ClosedFilePath=InternetAccessDevices
    ClosedIpcPath=!<StartRunAccess>,*
    Enabled=y
    ForceFolder=S:\Appz\Adobe\Photoshop
    ForceProcess=Photoshop.exe
    LeaderProcess=Photoshop.exe
    NeverDelete=y
    OpenFilePath=Photoshop.exe,V:\Downloads
    ProcessGroup=<Adobe>,adobe_licutil.exe,PDapp.exe,Photoshop.exe,sniffer_gpu.exe
    ProcessGroup=<StartRunAccess>,<Adobe>
    Template=BPA

    [Browser]

    BlockPort=*,80,443,8443
    BorderColor=#00FFFF,ttl
    ClosedFilePath=!<InternetAccess>,InternetAccessDevices
    ClosedIpcPath=!<StartRunAccess>,*
    ClosedIpcPath=*\KnownDlls\*wininet.dll
    Enabled=y
    LeaderProcess=firefox.exe
    ForceFolder=S:\Appz\zNet\MyBrowser
    ForceProcess=firefox.exe
    OpenFilePath=firefox.exe,V:\Downloads
    OpenFilePath=firefox.exe,S:\Data\Browser\Profile
    ProcessGroup=<Browsers>,firefox.exe
    ProcessGroup=<InternetAccess>,firefox.exe
    ProcessGroup=<StartRunAccess>,<Browsers>
    Template=AKL
    Template=BPA
    Template=IP6

    [Gamez]

    AutoDelete=n
    BlockPort=*
    ClosedFilePath=!<InternetAccess>,InternetAccessDevices
    Enabled=y
    ForceFolder=W:\Ent\zGames
    NeverDelete=y
    OpenPipePath=!<Fix2205>,W:\Ent\zGames
    ProcessGroup=<ExcludeCodec>,*
    ProcessGroup=<Gamez>,*
    ProcessGroup=<ExcludePipe>,*
    ProcessGroup=<ExcludeWDrive>,*
    ProcessGroup=<ExcludeWindows>,Riven.exe
    ProcessGroup=<Fix2205>,hl2.exe
    ProcessGroup=<InternetAccess>,FEAR.exe,hl2.exe
    ProcessGroup=<Steam>,BorderlandsPreSequel.exe
    Template=BPA

    [MediaPlayer]

    BlockPort=*
    BoxNameTitle=n
    ClosedFilePath=InternetAccessDevices
    ClosedFilePath=*:\Person*
    ClosedIpcPath=!<StartRunAccess>,*
    ClosedIpcPath=X:\Y
    Enabled=y
    LeaderProcess=mpc-hc64.exe
    OpenFilePath=<Media>,X:\Ent\zMusic\zPlaylists\*.mpcpl
    ProcessGroup=<Media>,mpc-hc64.exe,explorer.exe
    ProcessGroup=<MPC>,<Media>
    ProcessGroup=<StartRunAccess>,<Media>
    Template=IP6

    [Office]

    BlockPort=*
    ClosedFilePath=InternetAccessDevices
    ClosedIpcPath=!<StartRunAccess>,*
    Enabled=y
    ForceFolder=S:\Appz\FoxitPhantom
    ForceProcess=<Office>
    OpenFilePath=<Office>,V:\Downloads
    ProcessGroup=<Office>,hh.exe,Foxit PhantomPDF.exe
    ProcessGroup=<StartRunAccess>,<Office>
    Template=IP6
    Template=BPA

    [Origin]

    AutoDelete=n
    BlockPort=*,80,443,1900,3216,3659,5222,9999,10051,10073,17400-17600,42230
    ClosedFilePath=!<InternetAccess>,InternetAccessDevices
    ClosedFilePath=S:\Appz
    ClosedFilePath=*\Origin\SelfUpdate
    ClosedFilePath=W:\
    ClosedIpcPath=!<StartRunAccess>,*
    Enabled=y
    ForceFolder=V:\Origin
    ForceProcess=<Origin>
    LeaderProcess=Origin.exe
    NeverDelete=y
    OpenFilePath=<Origin>,V:\Origin
    ProcessGroup=<Origin>,ActivationUI.exe,DragonAgeInquisition.exe,GetGameToken32.exe,GetGameToken64.exe,igoproxy.exe,igoproxy64.exe,Origin.exe,OriginThinSetupInternal.exe,OriginWebHelperService.exe,QtWebEngineProcess.exe,UpdateTool.exe
    ProcessGroup=<InternetAccess>,<Origin>
    ProcessGroup=<StartRunAccess>,<Origin>
    Template=AKL
    Template=BPAmSI

    [Steam]

    AutoDelete=n
    BlockPort=*,80,443,3478,4379,4380,27000-27030
    Enabled=y
    ForceFolder=G:\Steam
    ForceProcess=Steam.exe
    ClosedFilePath=!<InternetAccess>,InternetAccessDevices
    ClosedFilePath=S:\Appz
    ClosedIpcPath=!<StartRunAccess>,*
    LeaderProcess=Steam.exe
    NeverDelete=y
    OpenFilePath=<Steam>,V:\Steam
    ProcessGroup=<InternetAccess>,<Steam>
    ProcessGroup=<StartRunAccess>,<Steam>
    ProcessGroup=<Steam>,GameOverlayUI.exe,Forced.exe,Grim Dawn.exe,Launcher.exe,portal2.exe,SaintsRowIV.exe,ShadowOfMordor.exe,Steam.exe,steamwebhelper.exe
    Template=AKL
    Template=BPA

    [TeamViewer]

    AutoDelete=n
    BlockPort=*,443,5353,5938
    ClosedFilePath=!<InternetAccess>,InternetAccessDevices
    ClosedIpcPath=!<StartRunAccess>,*
    Enabled=y
    ForceFolder=S:\Appz\zNet\TeamViewer
    ForceProcess=TeamViewer.exe
    NeverDelete=y
    ProcessGroup=<InternetAccess>,TeamViewer.exe
    ProcessGroup=<StartRunAccess>,<TeamViewer>
    ProcessGroup=<TeamViewer>,TeamViewer.exe,TeamViewer_Desktop.exe,TeamViewer_Note.exe,TeamViewer_Service.exe,tv_w32.exe,tv_x64.exe
    Template=BPA

    Granted, trying to pull that off with just the user interface would be laughable if not near impossible...but, SBIE can handle it even if the GUI can't...
     
    Last edited: Dec 29, 2019