Confirming Drop Rights Settings

I just installed Sandboxie Plus, and I'm loving it (life-long Sandboxie user here from the old days). I just wanted to verify something.

I noticed "Drop Rights" wasn't checked by default, but was recommended. So I checked that. Is that better, worse or the same as far as functionality? My biggest thing is not having any issues pop up or compatibility settings go wrong.

Also, does that follow I should also check the "Make applications THINK they are running elevated" for extra functionality?

 

I had no luck when I checked the drop rights option. Lots of errors and basic things did not work.

A sandbox already drops the rights of most things so the drop rights only seems to affect things already isolated in the sandbox.

I have had much better luck with restrictions, only allowing a very few programs to run in any given sandbox.

 

"Drop Rights" is default in the more secure sandboxes so yes it should definitely be used. I use it not only for securing my browser but also to containerise a lot of other software and I've never had a problem.
It appears (from the note in the Elevation restrictions section) that if you're running Windows with an admin account then it's more important to be running with Drop rights, but I could be wrong about that.

I only enable this if I'm installing an application into a sandbox and it fails because it needs admin rights, but I'm not aware of any risk in opening this up by default.

 

Hi johnny. For everyday regular use of Sandboxie, the functionality doing activities like browsing, reading webmail or watching videos, is the same whether you are using Drop rights or not. What you get out of using Drop rights is more security in the sandbox as Drop rights will not allow malware to install sandboxed.

At the same time, as Drop rights don't allow malware or malicious programs to install in the sandboxed environment, it would also not allow good programs to install sandboxed. So, just remember when you want to install a program sandboxed, run the installation in a sandbox were Drop rights in not enabled since the installation will fail otherwise.

Bo

 

About the application wont install, sone will with the fake admin privileges option:



So its worth a try to enable this before disabling drop rights.

For classic users use notepad and add
DropAdminRights=y
FakeAdminRights=y
to the appropriate Sandboxie.ini section

 

Thanks for chiming in. As this also speaks to another question I had relating to installs. I often like to run unknown program installers in my sandbox first, just to see if I really want to keep them (and not let it gum up my system if it's something I really don't want). Will having both "Drop Rights" and the "Make apps think" option allow these to work better in the sandbox, while also keeping them contained from the rest of my system (and not ACTUALLY allowing them to install)?

Also, would buying a token for one of the other dev boxes be a better option for this kind of thing?

 

Well the less isolation the better the compatibility, usually.
So the expectation is that a green "Compartment Type" box will have the best chances of successfully running an installer.
followed by a normal yellow box without drop admin rights and with special MSI Installer exceptions (if you are using a MSI based installer)
followed by a normal yellow box without drop admin rights
and least compatible would be a box with without drop admin rights and fake admin rights.
In a box without real of faked admin rights most installers will not run (except those that install to a user folder and don't need services or alike)

So yes for testing software that is not out right suspected of containing sophisticated malware a green box is the best choice.

 

Thanks for all that info! Everything working great now!