Sandboxie security question

Hello everyone,

Assuming a normal computer use of word, excel, pdf, audio/video, internet do you think its safe
to save the email attachment in a folder and then open it from there or clicking the "open with"
option when asked to download for easier convenience?

In case of the former method, there'll be two sandboxes: 1)Firefox consisting of only firefox.exe
in Start/Run Access and Internet Access and 2)Office consisting of word, excel, pdf in Start/Run
Access and no Internet Access. This method will be cumbersome as each attachment will have
to be saved in a folder first and then opened up.

In case of the latter method, there'll be only one Sandbox: 1)Defaultbox consisting of firefox,
word,excel,pdf in Start/Run Access and only firefox in Internet Access. This method of opening
attachments is VERY convenient.

Do you think the latter method is weaker from security standpoint than the former method?
If yes then how?

Thanks in advance

 

Isolation of programs is better when you use more than one sandbox
but either method is safe. I think the difference from a security
standpoint is very little and because of the convenience, you should
go for method#2.
Finding a perfect balance between security and convenience is one
of the keys for enjoying using SBIE. For me, finding it was easy and
I think you found yours, for your browsing sandbox.

Bo

 

Thank you both for your replies Would like to know what others think as well.

 

+1 for Method 2

 

I have my sandbox using the latter method you outlined.
Even if you catch malware from pdfs or documents, it is still contained within the sandbox and if you have it only as a start/run thing rather than with internet access; the malware should become redundant.

 

Second method - hands down. I don't know why people create multitudes of sandboxes just to cover every conceivable scenario of their daily computer routines.

 

One quick response to this would be because we are interested in creating sandboxes that fit a particular need... and nothing else.
The need might be broad... I might want a browser sandbox that also allows my email client and pdf reader and media player to start and have internet access. No problem. But I might also want to work with a narrower range of applications, like just my pdf reader and not the others, so it makes sense to me to decrease the number of things allowed to start/run and access internet in that sandbox. No sense in giving permissions to email and media and browser if I'm just using pdf. The right sandbox for the desired task. That simple.

 

You mean, for example, if the pdf file is an exploit that uses the browser for malicious comms?... then I see your point.

In my situation, I've got Sandboxie running on a couple machines the kids and wife use, so there's no way there can be more than one sandbox for them to choose from, depending on a given situation, is going to work for them, so I keep it necessarily simple with one configured to limit 'net access, force start/run, and restrict the ones that can run sandboxed for certain applications.

 

The first few months that I used SBIE, I only had 2 sandboxes. As time
goes by, I create more and more. Now ,I use 14 and I am sure, soon it
will be 15. Maximizing isolation is the reason.

Bo

 

The biggest problem with Sandboxie isolation is user inconvenience.
For eg. My browser and pdf reader are in different Sanboxes. There's
a link in the pdf reader which I want to see. Now I cant click on that
link straightaway and open the browser coz of SB isolation. Hence I
need to copy the link, open the browser(which opens in another
Sandbox) and then paste it there.

Sure it gives me very good security coz if a pdf exploit gets executed
as well it gets contained in its sandbox and due to internet restrictions
cannot communicate outside. I only need to open my pdf reader
unsandboxed when I've to update it.

So weighing the pros and cons of both do you think method 1 is right
from security standpoint?

 

Method#2 is perfect for you, for your "browsing sandbox" but you should
also have a PDF reader sandbox, for PDF files that you have on the hard
drive. On my Foxit sandbox, only Foxit can run and nothing is allowed to
connect. Thats maximizing isolation.

I have 2 FF sandboxes, on one only FF starts/runs and connects and on
the other one, Foxit and Flash can also run but only FF connects. If I
need something else for Firefox, then I use a "All" sandbox, where all
is allowed.

Bo

 

This is odd to me. Why not just one sandbox that allows FF to run and connect, and allows Foxit and Flash to run but not connect? Isn't this perfectly secure because Foxit and Flash are both sandboxed while restricted from the Internet?

 

My guess would be that he wants to surf without having to worry about flash at all, and that the sandbox with flash allowed is used for specific sites. He probably finds it the easiest way to know what is going to happen within a given sandbox at a given website.

I use FlashBlock on Chromium to do this rather than create a secondary sandbox. I could see why he chooses to do this though. I agree that you could do just as you suggest, but the option of more fine grain control is very alluring for me, and for bo too it seems

Sul.

 

As you describe is how I have one of my FF sandboxes but allowing as
little as possible is something that I always do. Flash, I rarely use,
elsewhere other than Youtube. So if I go to Youtube, I just open the
Flash FF sandbox. I do it naturally, no thinking.
If I was getting SBIE messages all the time, doing it this way would
be inconvenient but I rarely ever see a SBIE message. That tells me
that I found a balance between convenience and security on all of
the sandboxes that I use.

For the machines that your family use, restricting the sandbox as I do
certainly wont work. You created a balanced sandbox for your family,
that's the perfect sandbox for them.

Bo

 

Okay I see what you're doing. Obviously I don't do too much in the way of creating additional, fine-tuned sandboxes geared toward specific uses, and as you suggested, it certainly would make things confusing for family members who aren't interested in this sort of thing

I tried that plug-in but I depend on flash so much I ditched it and just use Ad Block instead. Lots of options to suit the unique requirements of different folks