My friend wants to learn how to use sandboxie.

Discussion in 'sandboxing & virtualization' started by cheater87, Aug 11, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Let us not forget that if you use some of the presets that come with SBIE, they are designed to keep some settings in the real system, such as bookmarks, etc. Depending on the configuration, simply deleting the sandbox does not delete everything that happened when it was sandboxed.

    Normally these settings only affect the user profile for something like Firefox, not the program data. But, if you have changed an option for updating or something while in the sandbox, and you have it set to apply those changes to the real profile, then deleting the sandbox does not change what was saved in the profile. It all depends on the settings.

    Just something to think about.

    Sul.
     
  2. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    Thanks for fleshing that out, Sully. I was trying to gauge the depth of context for sooflymami's question and didn't give a comprehensive answer - not sure I could have as well as you, anyways.
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Has anyone had any real issues with experimental protection mode? I've just installed SBIE but haven't enabled that feature yet.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    In my brief time trying out the latest Sandboxie I had no issues with it. And if you ever do you can just go into Safe Mode and disable it.
     
  5. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    I haven't looked into Sandboxie's innards for a while. But I had the impression that the preset was to keep everything inside the sandbox, with the facility of overriding and allowing direct read/write access as set by the user.

    In other words, my understanding was that even changes to things like bookmarks, for example, would be restricted, by default (= preset?), to the bookmarks file(s) within the sandbox and not the one outside. Of course, the user could set up things to write to the outside version.

    This should be easy to confirm, but I thought I'd add to my post count first :D
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I was under the impression that the presets opened a hole into certain files or directories, so that when you save a bookmark, it actually saves to the real bookmarks file. If you were to then delete the sandbox, these bookmarks would be kept because they are in the real location.

    I am almost positive about that, but I rewrote my .ini file with many customizations, and never use the ones that are built-in. At least, for the last few years that has been the case.

    Sul.
     
  7. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    :D I was almost positive the other way. Looks like it's time to roll up the sleeves. My preference is that programs running in the sandbox don't write anything outside. So if that's not how things are, I'll have to fix it ASAP.

    Serves me right for not monitoring the Sandboxie forum.
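What the two readings of the preset come down to in Sandboxie.ini terms, as an added illustration (not something posted in this thread and not a template shipped with Sandboxie): a box with no OpenFilePath line keeps every write, bookmarks included, in the sandbox copy of the profile, while an OpenFilePath line for the browser sends writes to that path straight to the real file. The box names, the firefox.exe program filter and the path pattern below are my own choices; the shipped Firefox application template does the same job through Sandbox Settings > Applications > Web Browser, and the exact path it uses may differ from what I show.

```ini
; Constructed Sandboxie.ini excerpt (added example, not a shipped template).

; Box A: nothing is opened to the real system. A bookmark saved by the
; sandboxed Firefox goes to the sandbox copy of the profile and vanishes
; when the box is deleted.
[BrowsingClosed]
Enabled=y
; no OpenFilePath lines at all

; Box B: the same box, but the profile's bookmark/history database is
; opened for firefox.exe. Writes to this path bypass the sandbox copy and
; land in the real profile, so deleting the box does not undo them.
[BrowsingDirectBookmarks]
Enabled=y
; The path pattern is an assumption modelled on the Firefox profile layout;
; check the line your own Sandboxie version writes when you tick the
; bookmark/history option under Sandbox Settings > Applications > Web Browser.
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places.sqlite*
```

To see which way a given box is set, save a bookmark inside it and then look for a modified copy of the profile under the box's file store, which for a box on the default container path lives below C:\Sandbox\<user>\<box>\user\current\AppData\Roaming\Mozilla. If the copy is there and the real profile is untouched, the write stayed in the box; if only the real profile changed, the box has a direct-access line for that path.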
     
  8. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    It's pretty sad. I just started using the program and I don't even remember how it came default. I've made so many changes.

    It was easier to learn than I thought. I was afraid at first, but probably the best $43 I've ever spent on my computer. I don't really use forced folders or programs. There are times I don't want to run sandboxed, for updates or to tweak settings. I've always been a right-click/open guy anyway, not a double clicker. So I just choose when I want to run sandboxed. I'd rather just do this than the method to set a timer to run outside when it's forced.

    But having multiple sandboxes run at once is great. I've already made a bunch of them, unique in their own ways, custom tailored for various programs. I think I'm obsessed. Have 2 running right now as I type.

    Don't know why it took me this long to discover this program.
     
  9. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Ok thanks.

    Seems I'm having my first issue. All indications are my Google browser is running sandboxed (yellow triangle with red dots in taskbar) but the main window of SBIE Control is empty, other than the Sandbox DefaultBox entry.

    When I first downloaded it and set Google to be sandboxed it did show in the main window along with the SBIE entries, but now that is not the case.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    To confirm if it is sandboxed...
    [attached screenshots: SBIE control dialog.jpg, SBIE control dialog II.jpg]
     
  11. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    I think it has to be pointed out that if only Firefox is allowed to run in the browser and nothing else, then only Firefox will run in there, but that setting will NOT PROTECT AGAINST KEYLOGGERS. People might misunderstand that having that set will protect against keyloggers.

    I mean, it's true if one downloads a keylogger by mistake during the sandboxed browsing session (drive-by download). However, if your system is already infected with a keylogger and the keylogger resides in the real system, then it will still log all keys regardless of whether Firefox is in the sandbox or not.

    Just trying to point that out for the new users who might misunderstand what running "Just Firefox in sandbox" does.
     
  12. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,289
    Location:
    Pennsylvania.
    Yes, BUT. If Sandboxie is configured properly and the user knows what to allow and NOT allow out of the sandbox, keyloggers that have been downloaded would not be much of a worry. With proper restrictions on the sandbox settings the keylogger wouldn't be able to run or send data back, or even both.
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Did you figure out what the default settings are? If not, just create a new sandbox; it will be created with default settings.

    Bo
     
  14. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    It really doesn't matter to me. I just made that comment because the people above me were debating about how a certain setting came "out of the box"... ironically. I figured I'd just point out my lack of short term memory for all our amusement.

    And please... do NOT tempt me to make more sandboxes! I've already made 8 of them. Pretty soon I'll have every single program, file & folder on my computer sandboxed.

    I had as many as 4 of them running simultaneously already: Firefox, uTorrent, VLC & Sumatra PDF. That's why I paid for the program. I don't use the "forced" feature.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You might want to add something like Sumatra as an allowed application to your browser sandboxes. I personally use Foxit, but I usually add it to my browser boxes. If it were adobe, I might not, but with Foxit or Sumatra, I don't really think allowing them to run along with the browser in the same sandbox is much of a fear.

    I also lumped all my media players into one sandbox as well. I like having multiple sandboxes, but I also like to group things that I feel are not going to pose an issue, such as media players.

    Maybe you have already given these consideration, but if not...

    Sul.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Unless it hijacks the browser's own process. One needs to allow the browser's process to run and access the Internet, don't we? :D

    Now, I'm not saying that something like this is likely to happen. There are easier ways to steal credentials and $ from average users. But, the same is not to say that keyloggers wouldn't be able to run and access the Internet. If the application's process is hijacked, not even Sandboxie will be of any good.

    And, the user doesn't even need to execute anything. An exploit works fine (if there's a security flaw allowing such).
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What's the problem in allowing Adobe Reader in the browser's sandbox?

    Sure, one shouldn't sandbox it with a browser's sandbox, if the browser's sandbox is also used for other sensitive info, at the same time. Indeed, it's a popular PDF reader.

    But, if one has a sandbox just for general browsing, then what's the issue?

    Sensitive tasks should be performed in a different sandbox, anyway... with "special" settings. So, I see no issues with running Adobe Reader in the general browsing sandbox.

    Are you considering something else?
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It isn't whether it is safe in a sandbox or not, but rather if I used adobe, I consider it to be more targeted, thus more prone to exploits. If it were my .pdf viewer, I would put it into its own sandbox and then open all .pdf files in a sandbox, which is probably what LucidDream is doing.

    Right now I don't bother sandboxing Foxit at all for normal .pdf files. It is only sandboxed if a browser downloads and opens a .pdf file or I open a .pdf in my downloads directory.

    So you see, I do want to have some .pdf files sandboxed, but not all, unless I don't trust my .pdf viewer, which in the case of adobe I would not trust it just on principle that it is an adobe product ;)

    Sul.

    EDIT: oh, there is nothing wrong at all with using adobe in a browser sandbox, or any sandbox. I am thinking that if it is the default .pdf viewer for the system, I would make it have its own sandbox rather than put it in a browser sandbox.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I also force it (pdf reader) to its own sandbox. I actually do not open pdf files from within the web browser anymore.

    I just dislike one thing, though. If I choose to run the web browser unsandboxed, by explicitly telling Sandboxie I'd like to run it outside its sandbox, then if I open a PDF file from within the web browser, it (the PDF reader) will also open outside of its own sandbox.

    Some time ago I suggested that, in such a case, when the user tells Sandboxie he/she wants to run, say, the browser unsandboxed, then (as an example) Sandboxie should detect if the PDF reader has its own sandbox, and if so, force it to run there.

    I think this should be a default behavior. If a process is being forced to run in its own sandbox, then it should be forced to run in that sandbox, even if initiated by another sandboxed process.

    Another example is an e-mail client. If I click a link in an e-mail, then Sandboxie should force the browser to open in its sandbox, and not inside the e-mail client's sandbox.

    Maybe I'm dreaming too high... :D :blink:
     
  20. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,289
    Location:
    Pennsylvania.

    So how would one protect themselves from that? Soofly doesn't have HIPS or anything like that so is there a setting in sandboxie you can do to fix that?
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Using EMET and using a secure browser.
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    What about SBIE's DropRights?
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    My solution is to have one sandbox and one browser for sensitive activity, such as online transactions. Use another for normal stuff.

    When I implemented this, I chose to use an obscure browser, QTWeb. Security by obscurity may not be true security, but it beats using the most targeted for me.

    Anyway, I installed my image to make sure the system was known clean. I installed QTWeb. I disabled the network adapter. I started QTWeb and set all of my settings the way I wanted them. Then I created a sandbox for it, with restrictions to make sure QTWeb was the only thing able to run and access the internet. I also told this sandbox to delete contents on program ending, and a few other tidbits.

    After this was set up, I enabled the network adapter. The result is that the browser had never been online, and my system was in a known clean state to start with. When it runs, it is run in a clean sandbox, ensured by deleting its contents every time it ends. Since all of my other browsers, and in general all online activity, are in different sandboxes, I don't worry that anything will mess with the QTWeb files. In fact, because it is obscure it only helps in that regard. I also don't have any exceptions for this sandbox. It does not keep bookmarks or have direct access to anything.

    I think it is safe to say that one never knows whether a website is compromised. Services designed to help you know this are fine, but none of them are 100% fool-proof. I therefore limit my use with this browser to only sites I trust to be secure. I could use a service to tell me, but I don't. Others might find that gives them a better feeling though, but I don't think for my limited use and the places I traverse it would be of any use anyway.

    This is how I decided to do it. It might work for others, or at least give some ideas for you to create your own setup.

    Sul.
     
  24. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,289
    Location:
    Pennsylvania.
    Good question.
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Unless I am mistaken, DropRights will only be of service if a keylogger etc were to want to install to %programfiles% or some other activity that required root. If the keylogger etc is designed to run in user space, it is allowed to because.. that is allowed.

    The combination of restricting what runs in a sandbox and DropRights is probably the best method to really tighten things up. What m00nbl00d is saying though is true. Providing you visit someplace that exploits in the right way, there is nothing in sandboxie that alerts you to this. Your only protection is your system stays safe, and if you restrict what runs, only the browser (for example) that is being sandboxed can cause mischief.

    I don't know if EMET works in Sandboxie or not. With a lot of OS things, they don't apply within the sandbox, but would if the process ever broke out of the sandbox. I have never thought to look to see how EMET applies to it.

    Sul.
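The single-purpose box Sully describes in post 23 (only one browser may start, only it may touch the network, contents deleted on exit, no direct access to anything), combined with the DropRights setting raised in posts 22 and 25 and the "restrict what can run" answer to the keylogger question in post 12, written out as one Sandboxie.ini section. This is an added example, not Sully's actual .ini and not anything from Sandboxie's shipped templates. The box name and the executable name are my assumptions, and the restriction keys are the ones I recall Sandboxie Control writing for the corresponding Restrictions dialogs, so compare them against what your own version writes after you set the same options in the GUI.

```ini
; Constructed Sandboxie.ini section (added example, not from the thread).
; "QtWeb.exe" is a placeholder for the browser binary you actually use.
[SensitiveBrowser]
Enabled=y

; Start/Run Access: nothing but the browser may start in this box. A
; dropped keylogger or downloaded installer never gets to execute here.
; (Key as I recall Sandbox Settings > Restrictions > Start/Run Access
; writing it; verify against your version.)
ClosedIpcPath=!QtWeb.exe,*

; Internet Access: only the browser may open the network devices, so even
; a process that somehow ran here could not phone home.
ClosedFilePath=!QtWeb.exe,InternetAccessDevices

; Drop Rights: everything in the box runs without Administrators and
; Power Users group rights, so a payload cannot, for example, install into
; %ProgramFiles%. As post 25 notes, this does nothing against code that is
; content to run in user space.
DropAdminRights=y

; Delete Invocation: wipe the box each time the last program in it exits,
; so every session starts from the known-clean state Sully built.
AutoDelete=y

; Deliberately absent: no OpenFilePath, OpenKeyPath or RecoverFolder
; lines and no Firefox/Chrome application templates, so nothing written in
; this box reaches the real profile and the box keeps no bookmarks.
```

The order of the three restrictions matters for the threat model in post 16: Start/Run Access and Internet Access only constrain *other* processes, so an exploit that runs inside the browser's own process inherits everything the browser is allowed to do, and DropAdminRights together with AutoDelete is what limits how much it can keep.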
     