Sandboxie Configurations Learning Thread

just like Wilders.

 

Since SBIE seems to be the main resident security application used by many of us, it is important to have it be as secure as possible. That being said, would any more knowledgeable than me please take a look at my config and let me know hoe tight and secure it is? If you notice anythign that could be improved please say so.

 

This is from Blocked File Access (ClosedFilePath) window:
"If a file or folder matches any other File Access setting, but also matches any Blocked Access setting, the Blocked Access setting will take precedence."

Doesn't this complicate things a little?

ClosedFilePath=C:\Program Files\*
would block access to all programs in this path.

But if I want to open a path only for e.g. Firefox, I can't use
OpenFilePath=C:\Program Files\Mozilla Firefox\*
because the previous ClosedFilePath settings overrules this one.

So to allow access to Firefox folder, I have to deny every single folder in Program Files

Or is this just a lack of understanding

Cheers

 

No your reasoning is oke,but in OP's place i would follow the setup config. explained many times here,centered around the restricted rules by Wraithdu.

 

Oh, I see, it's a searching thread, not a learning thread.

However, does this mean if I have this two lines:
ProcessGroup=<restricted>,Start.exe,...
and
ClosedFilePath=!<restricted>,*
there is no need to add any other ClosedFilePath locations?
Because no program which is not in the ProcessGroup 'restricted' is allowed to access files from 'the real system'.

Cheers

 

For Wraithdu's rules, which section does the ClosedFilePath relate to in the sandbox settings? File, Registry, what? Forgive my idiocy but between the forums here and at SandboxIE, all these configuration suggestions are spread out all over Gods creation, and just when you think you've gotten something down, a couple pages later in a thread or in a completely different thread that may be a few pages back, somebody corrects the suggestion with something else. It's a pain in the ass to put it bluntly.

All I want to do is set up 5 sandboxes.

(Default box). IE7 that is able to update bookmarks and open PDF files instead of having to save them, and also to play embedded videos/music (I use WMP solely). I do not want anything else to have internet or any other access to data, or be able to run in this box unless it is needed to perform the functions I wish of this box.


2. Firefox that is able to update bookmarks and extensions, and open PDF files instead of having to save them, and also to play embedded videos/music (I use WMP solely). I do not want anything else to have internet or any other access to data, or be able to run in this box unless it is needed to perform the functions I wish of this box.

3. UTorrent that does nothing but run and upload/download to and from my specified download folder. No other internet access, no access to any other data/files.

4. Media that does nothing but play files already downloaded, specifically using WMP 11. Nothing else runs in it, nothing gets internet/data access (possible exception being giving WMP internet access so it can retrieve information about files playing. But if that's too risky, then no internet access).

5. Test box strictly for testing installs of smaller programs/games, accessing only what it needs.

If anyone will kindly just give an example setup to achieve this I would greatly appreciate it. I just need a good balance of functionality with security since this will likely be my only real-time security app coupled with Returnil Free. (slight possibility of adding Threatfire, but these 3 will be it).

 

Long time since there has been a discussion about sandboxie, This is my config;
Default box, Firefox, thunderbird, IE (I only use IE for updates).
Can anyone see where I can tighten the grip?

 

The Firefox box is short on the Internet Access Settings and has quite a few unneeded lines.

[FIREFOX]

Enabled=y
ConfigLevel=4
AutoRecover=y
AutoRecoverIgnore=.jc!
AutoRecoverIgnore=.part
AutoDelete=y
NeverDelete=n
ForceProcess=firefox.exe
ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\RawIp6
ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Udp6
ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Tcp6
ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Ip6
ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\RawIp
ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Udp
ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Tcp
ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Ip
ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Afd*
ClosedIpcPath=!<restricted2>,*
ClosedFilePath=%Personal%\
RecoverFolder=%Desktop%
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places*
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\bookmark*

Not Needed or canceled out by other settings:

ClosedFilePath=!<restricted2>,*
RecoverFolder=%Personal%
OpenFilePath=seamonkey.exe,%AppData%\Mozilla\Profiles\*\places*
OpenFilePath=seamonkey.exe,%AppData%\Mozilla\Profiles\*\bookmark*
LingerProcess=trustedinstaller.exe
LingerProcess=wuauclt.exe
LingerProcess=devldr32.exe
LingerProcess=syncor.exe
LingerProcess=jusched.exe
LingerProcess=acrord32.exe
OpenKeyPath=iexplore.exe,HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
OpenProtectedStorage=y

 

[ThunderBird]

Enabled=y
ConfigLevel=4
AutoRecover=y
AutoRecoverIgnore=.jc!
AutoRecoverIgnore=.part
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
LingerProcess=trustedinstaller.exe
LingerProcess=wuauclt.exe
LingerProcess=devldr32.exe
LingerProcess=syncor.exe
LingerProcess=jusched.exe
LingerProcess=acrord32.exe
OpenFilePath=%AppData%\Thunderbird\*
OpenFilePath=thunderbird.exe,%Local AppData%\Thunderbird
OpenFilePath=thunderbird.exe,%AppData%\Thunderbird
OpenKeyPath=thunderbird.exe,HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla Thunderbird
OpenKeyPath=thunderbird.exe,HKEY_LOCAL_MACHINE\Software\Mozilla Thunderbird
OpenKeyPath=thunderbird.exe,HKEY_CURRENT_USER\Software\Mozilla Thunderbird
ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\RawIp6
ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Udp6
ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Tcp6
ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Ip6
ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\RawIp
ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Udp
ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Tcp
ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Ip
ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Afd*
BoxNameTitle=y

Not needed:

RecoverFolder=%Favorites%
OpenFilePath=seamonkey.exe,%Local AppData%\Mozilla\Profiles\*\Mail*
OpenFilePath=seamonkey.exe,%AppData%\Mozilla\Profiles\*\Mail*
OpenKeyPath=seamonkey.exe,HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\SeaMonkey*
OpenKeyPath=seamonkey.exe,HKEY_LOCAL_MACHINE\Software\Mozilla\SeaMonkey*
OpenKeyPath=seamonkey.exe,HKEY_CURRENT_USER\Software\Mozilla*\SeaMonkey*

 

[IEXPLORER]

Enabled=y
ConfigLevel=4
AutoRecover=y
AutoRecoverIgnore=.jc!
AutoRecoverIgnore=.part
AutoDelete=y
NeverDelete=n
ForceProcess=iexplore.exe
ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\RawIp6
ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Udp6
ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Tcp6
ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Ip6
ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\RawIp
ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Udp
ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Tcp
ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Ip
ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Afd*
ClosedIpcPath=!<restricted1>,*
ClosedFilePath=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
OpenProtectedStorage=y
OpenKeyPath=iexplore.exe,HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms

Not Needed:

ClosedFilePath=!<restricted1>,*
RecoverFolder=%Personal%
LingerProcess=trustedinstaller.exe
LingerProcess=wuauclt.exe
LingerProcess=devldr32.exe
LingerProcess=syncor.exe
LingerProcess=jusched.exe
LingerProcess=acrord32.exe

 

DefaultBox lists fact.exe as the only program that can access the internet, yet there are settings in the box for Firefox, IE, and Thunderbird. So I cant see what you want there, so I didn't edit it.

This line in Global is not used anywhere so you can delete it, unless you have a reason for it.
ProcessGroup=<restricted3>,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe

Thunderbird box has no ForceProcess but that may be the way you want it - up to you.

 

Thank you mitch,

 

Please forgive my ignorance for asking this question. If I open FireFox sandboxied ,surf the net, then delete the contents of the sandbox ,is my system protected? With the as downloaded config.

 

what ever you delete from the sandbox is secure delete,no history,cookies or coffee

 

Yes. Default settings are very secure. As long as you don't recover anything malicious, you are protected. But you could save some time configuring SBIE to automatically delete the sandbox.

 

I have it set to empty when FF is closed. Thank you all for the replies.

 

With Sandboxie really the problem is not confinement of the Sandbox but more how you save and what you save.Also IMO editing the config ini file is tricky,You have to know very well what SBIE intentions are before closing or opening any path.

 

But couldn't some keyloggers steal your data before you close your browser?

Thanks

 

in theory, yes... sandboxes don't necessarily stop bad things from running within the sandbox, they stop it from being able to affect the system outside the sandbox... if a compromise happens within the sandbox and you enter sensitive data into an app running in that sandbox then that sensitive data can still be stolen... that's one of the reasons why sandboxing alone isn't complete protection...

 

Show me a website that automatically installs and executes a key logger?

 

Doesn't it help mitigate the keylogger issue by using Sandboxie's GUI to designate your browser as being the only sandboxed program that can access the internet?
http://www.sandboxie.com/index.php?ResourceAccess#internet

 

why is it that every time i say something is possible in theory people ask for links to examples? and why do people think it's ok to hand out links to live malware to strangers?

let's take another approach - we know there is such a thing as drive-by downloads, and we know from that that it is possible for a web page to cause the download and execution of arbitrary code on a suitably vulnerable system... since keyloggers are just code there's no reason they can't be downloaded and executed by visiting a web page...

it helps mitigate it to some degree (maybe even a large degree) if you have sandboxie setup that way, but consider this - there is such a thing as a keylogger implemented in javascript that runs inside your browser... sandboxie's execution/connection whitelisting capability won't do anything to help you there...

and besides which, there's also things like phishing pages and social engineering to get your sensitive data which sandboxing, again, does not help you with... sandboxes contain intrusions, they don't (and in some cases can't) necessarily do much about extrusions...

 

Exactly. However, with SandboxIE you can, or rather, you should empty the sandbox in between sensible/normal browsing.
Or use different sandboxes for different purposes.

I believe Peter does this as a method, and i think it's the best way to use it.

 

mira pedro si escierto,but what about if you are the type of person that likes to save alot of stuff?ofcourse it will be save in your regular os,then what?
probably is better run sandboxie with a good antivirus,maybe.que piensas?

 

If its a java based keylogger won't noscript protect against it