Sandboxie and/or SRP

Discussion in 'sandboxing & virtualization' started by moontan, May 16, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You mean the option to only elevate signed apps? Open Start menu > Search box, and type secpol.msc, right-click it and execute it with administrator privileges.

    Then, go to Local Policies > Security options > User Account Control: Elevate executables that are signed and validated only, right-click it - Properties - Enabled.

    The wording may be a bit different.

    If you have unsigned apps that you need to run elevated, you can bypass the above restriction by running them via an already elevated application. The best way is using batch files.

    Imagine you got an application named Hasta La Vista Baby under Program Files.

    Create a batch file, containing the following:

    Code:
    @echo off
    rem Change into the program folder; /d also switches drive if needed,
    rem and the path is quoted because it contains spaces.
    cd /d "%PROGRAMFILES%\Hasta La Vista Baby"
    rem The empty "" is the window title, so the exe name is not mistaken for one.
    start "" hastalavistababy.exe
    
    That's just an example. You only need to execute the batch file with admin. rights and the unsigned app will run.
     
  2. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    @m00nbl00d, thank you, i will try it. Hasta La Vista Baby lol

    Yes it is working :D
     
    Last edited: Jun 20, 2011
  3. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Thanks, that's exactly what I want to do, but still not figured how o_O Can someone provide me a simple step by step guide? :D Thanks :thumb:
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :thumb:
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Did you folks actually try to sandbox the Sandbox folder? :-* Just remove start/run permissions from it. :D

    I didn't try it... but you may be willing to try it, perhaps. ;)
     
  6. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Remember, things can still *execute* in the sandbox... meaning a drive by can still run and READ data.

    By running applocker deny rules on the Sandbox, it actually prevents anything new from downloading and running. All the files on your computer still execute, but anything your web browser or PDF reader tries to run will be blocked.

    Just a note, SRP will not work on the Sandbox folder. It runs in user mode, and is fooled by Sandboxie. Applocker, on the other hand, can effectively block the sandboxed files from running.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not necessarily. Allow execution only to a bogus process name. Something like hastalavistababythesequele.exe :D
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is why I have multiple sandboxes. I have a box for browser A, and within that sandbox, only browser A is allowed to execute, and maybe 'helper' programs if needed, like foxit or something. I also set the sandbox so only browser A can have network access.

    I create a different sandbox, with the same basic restrictions, for browser B and browser C. I create one for media players with the same basic restrictions.

    The result is that browser A is executed in the sandbox. If browser A gets a drive-by download, the download cannot execute within the sandbox, and if it did, should have no network access.

    Further, because my downloads all go to one location, and that location is itself forced into a sandbox, if browser A were to get something to execute, whatever executed would start up in the downloads sandbox.

    I employ a lot of different sandboxes with different settings depending on the use. Some sandboxes might allow reading of anywhere, some might have specific locations/files/registrykeys restricted from reading. Some might have wide open rights, some might have direct access. Sometimes browser A might spawn program X into a different sandbox, and program X might desire to spawn browser B, but that too depending on restrictions, might be allowed, but it starts in its very own sandbox.

    It might sound a little crazy and too complicated, but in reality it is very easy to implement and actually makes a lot of sense. In the same way you would use a whitelist approach to say that programX should never be allowed to start, or it should start restricted, so too you can do the same with an individual sandbox. But IMHO, better than what the OS can do with all its tools, the sandbox approach offers much more flexibility.

    Sul.
     
  9. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    True, but then SuRun/UAC will kick in (if activated).

    Not implying that your approach is wrong by sandboxing the download folder, but if not sandboxed, SRP will stop the execution (if activated).

    /C.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Oh, I am not referring to sandboxing being better than SRP/Applocker, or even how to make them work together. I am just comparing how one can use Applocker/SRP and pick and choose what they want to happen with specific apps/dirs, especially parental controls sounds that way... and how I do a very similar approach per app/dir but use SBIE instead, but obviously don't "block" which is the only real option in SRP anymore (or allow depending on the situation).

    I don't know if SRP would stop execution or not. In XP, if you used the "basic user" setting on a directory, it would run inside SBIE without realizing the restriction. Whether that is SBIE creating the process with its own rights prior to the shell creating the process and applying reduced rights, I don't know for sure. Maybe you could test it and see, if you haven't already. Then again, win7 doesn't work like XP in a few regards to SRP, so who knows.

    Sul.

    EDIT: also, not that it matters in this discussion, but I do set the downloads directory to force Low IL as well, so I don't look to "block" execution at all, merely restrict and/or contain ;)
     
  11. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    If you are talking about the start/run restrictions in Sandboxie, they are somewhat useless. It's purely done by extension... and .exe extensions nonetheless. I can't count the number of times I saw malware run as a .tmp file..
     
  12. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    I started to mess with this sort of thing, but then I had some difficulty with certain programs not being allowed internet access. I'd get errors if a program launched in a sandbox and it had an updater. It would throw an error, or then I clicked on a torrent, and I'd get an error.. I'd have to keep making exceptions, and it was just a little tedious.

    I made the conscious decision that I didn't want any *new* processes to run from a sandbox. I could still save a program and run it Sandboxed if I wished, but I'd have to save it to a "real" folder. With the Applocker rules, everything else gets denied. I achieve my personal goal.

    I'm not saying one way is better... I know a lot of people like to just click and run things inside their browser Sandbox, and this obviously prevents that. I'm just saying it's a surefire way to make sure a drive by never executes, and you don't have to worry about other restrictions.

    With my way, you really need one AppLocker rule: Allow everything except the sandbox folder... I throw in a Deny on the Sandbox folder for good measure... but that is because I have more rules, and I want to ensure a Deny. I find it to be a very simple way of achieving the goal of stopping any new software from running..
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I'm talking about start/run restrictions. It doesn't matter how it handles it (extensions).

    With start/run access restrictions you can either allow certain programs to run or allow them all.

    If you allow a bogus file (whatever .exe, .tmp, .dll, etc) to be the only "program" to initiate in the sandbox, then everything else will fail to run inside.

    So, going back to the example I gave.

    Imagine you'd like to prevent Internet Explorer from running, say whenever some other app may open it. You don't want to use SRP/AppLocker/other method, only Sandboxie.

    You can force Internet Explorer to run inside a sandbox of its own, by forcing iexplore.exe, and then in the start/run access only allow a bogus name to run inside the sandbox, hastalavistababythesequele.exe.

    Internet Explorer would now fail to run inside Sandboxie, because you're not allowing iexplore.exe to run in it, only hastalavistababythesequele.exe.
     
  14. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    I had looked on the forums about this... and let's say you allow *.exe. This should disable any executables in the sandbox, but allow executables outside the sandbox to run. Well supposedly, you could still run a .com file or any scripting extension, even from the Sandbox...

    Even if this weren't true, every time a known good process splintered off some other process you may want (adobe reader, bit torrent, etc) you'd have to keep adding those executables. It's sort of labor intensive to do this..
     
  15. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    this doesn't take any longer than surfing to the program folder and selecting the exe.
    and once it's done you don't have to do it again.

    beside the browser, only a PDF printer and reader are allowed to run in my sandbox.
     
  16. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    No word documents, excel sheets, torrents, picture viewers, java, pdf viewer, media player, etc?
     
  17. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    the only ones i need are the PDF viewer and PDF printer.

    i'm the only one using this machine so i don't need to be overly paranoid with this stuff.
    as for java, i simply refuse to install any app that needs it.

    but adding an individual app is, like i said, quick and a 'one time deal'.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What the bloody hell are the two of you talking about? :argh: :argh: :p

    I'm talking about forcing something to run in a restricted sandbox, and then block all execution.

    Now, Sandboxie doesn't allow us to do that in a direct way, but we can force something to run in a sandbox. Then, in the start/run access we can allow a bogus executable to run inside the sandbox, hence making execution impossible, unless some file happens to have the exact name of the executable/file we allowed in start/run access.

    So, in the example I gave, we want to sandbox the Sandbox folder at C:\Sandbox (default location).

    So, we force this folder into a sandbox, and then in the start/run access we only allow a bogus executable/file to run in it. In my example I gave the hastalavistababythesequele.exe. Unless something in C:\Sandbox happens to have that name, nothing will execute inside the sandbox, despite the fact the folder is being forced.
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    lol !
    now that you mention it i'm not so sure. :D
     
  20. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    there are too many moons. I have trouble telling who I received a reply from.
     
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    how does one setup a download folder like this?

    is that in the Blocked Access settings?
    ----------------------------------------

    lol, i'll let the other moon continue. :)
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Normal downloads directory in win7 is c:\users\<user name>\downloads

    In browser, set to not ask where to save every time, and to save to this downloads directory. Now anything that downloads goes there.

    Have your sandbox for your browser, which forces the browser into it. Set box so that only browser is allowed to execute (ie. chrome.exe) and that only that executable is allowed network access.

    Now create another box (mine is called downloads). Within this box, force the directory downloads into it. As options, you can set rules so that there is no outbound network access at all (that is what I do). You could allow any executable, or limit them only to what is in the downloads directory.

    I also use direct access to this downloads folder in my sandboxes, so if any sandbox modified the contents of downloads directory, the change is seen by everyone, no recovery needed. So with direct access, Chromium saves a file to downloads directory, then within chromium I execute the download (whether opening .rar file, opening .pdf or actual binary .exe), and because it is forced into the downloads sandbox, that is where it opens.

    It works for me, and I think that should be the basics to make it work.

    Sul.
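    The layout Sully describes above (a browser box that may only run and network as the browser, plus a forced Downloads box with no network) together with m00nbl00d's earlier trick of forcing C:\Sandbox into a box whose Start/Run access allows only a bogus name, written out as a Sandboxie.ini fragment. This is an added illustration, not either poster's actual configuration: the box names and the `<user name>` path are placeholders, and the key names (`ForceProcess`, `ForceFolder`, `ClosedIpcPath` for Start/Run access, `ClosedFilePath=...InternetAccessDevices` for Internet access, `OpenFilePath` for direct access) are taken from memory of the Sandboxie.ini documentation and should be checked against the version you run.

```ini
# Box 1: the web browser. Only chrome.exe may start inside it, and only
# chrome.exe may reach the network.
[Browser]
Enabled=y
ForceProcess=chrome.exe
# Start/Run access: "!name,*" means everything except name is denied.
ClosedIpcPath=!chrome.exe,*
# Internet access: every program except chrome.exe is cut off from the network.
ClosedFilePath=!chrome.exe,InternetAccessDevices
# Direct access to Downloads so saved files land on the real disk.
OpenFilePath=C:\Users\<user name>\Downloads

# Box 2: anything launched from the Downloads folder is forced in here and
# has no outbound network at all.
[Downloads]
Enabled=y
ForceFolder=C:\Users\<user name>\Downloads
# No "!program" prefix: the network block applies to every process in the box.
ClosedFilePath=InternetAccessDevices
OpenFilePath=C:\Users\<user name>\Downloads

# Box 3: m00nbl00d's "sandbox the Sandbox folder" idea. Anything started
# from C:\Sandbox is forced in, but the only name allowed to start is one
# that does not exist, so nothing in C:\Sandbox actually runs.
[Jail]
Enabled=y
ForceFolder=C:\Sandbox
ClosedIpcPath=!hastalavistababythesequele.exe,*
```

    Note that, as hpmnick points out, the Start/Run check matches on the file name only, which is exactly why the allowed name in [Jail] is one no file will ever carry.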
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sully, but the question still remains: How the heck do you get something from one forced folder (Downloads folder) to execute in its own sandbox, if initiated by another sandboxed application (web browser)?

    By design that doesn't happen. By design, if the user initiates something from within the web browser, then whatever the user opens within the web browser gets opened inside the web browser's sandbox and not in the Downloads sandbox.

    Unless there's some obscure way of achieving what you say happens in your setup, and something that not even Sandboxie's author is aware of, how the heck does it happen that way? :argh: lol
     
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I guess I am not sure. It has done this for a long time, and I assumed because of how I force things with multiple sandboxes, each with a little different config, that it was correct. If I remember right, it did it when I used Kmeleon on XP as well, but that has been some time now so I cannot be sure. Maybe it is due to the OS settings I use? Probably not, it is most likely because I like to implement a lot of restrictions and accesses per sandbox. Just lucky I guess?

    I have been playing with the idea of revamping my configuration anyway. Maybe I will start from scratch again and see what happens. I modified my .ini file quite heavily with a bunch of custom templates and path variables, maybe the reason is in there... I feel the need to revisit that anyway. Oh, and I have never updated my version either. I like the old way just fine, so I still use version 3.442, my personal favorite for speediness.

    Sul.
     
  25. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx for the help Sully! :)

    i'll give it a try and see how it goes.
     