What is your Sandboxie setup?

Discussion in 'sandboxing & virtualization' started by Konata Izumi, Oct 19, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Unfortunately, such won't help against rogue browser extensions/add-ons. Some days ago, it was reported that a Google Chrome extension, which had since been removed from the Google Chrome Web Store and then reintroduced after it was cleaned by the author, was deliberately spying on users' activities.

    You may restrict whatever you want in your sandboxes (the same applies to everything else, such as firewalls, etc.), but if you make use of extensions, and especially in Google Chrome, then you face the danger of letting others spy on you, until somebody notices it and reports it. By then, it's already too late.

    Firefox users are OK in that regard, provided they download extensions only from Mozilla's website, considering they have a decent vetting process. Unlike Google, which has none.

    I suppose Internet Explorer's add-ons are in the same situation as Google Chrome's extensions?

    Extensions will always have network access, because they run within the browser's process.

    Unlike what user Page42 mentioned, regarding Microsoft's article, you don't necessarily need to see those events for your browsing to be hijacked.
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I think using Firefox with only well known extensions (like NoScript/Adblock) and using the restrictions pointed out by Page will keep the browser from being hijacked. I have never seen anything like it since I installed SBIE.

    Bo
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    And to be fair, if you are really concerned about your security, you won't use any extension or add-on at all unless they can be TRULY verified safe.

    I question why I would want to use something, like extensions, if it means I must add extra security layers to do so.

    If I am going to do things like banking online, I am going to have a dedicated browser and sandbox for it, and it will be the default browser, no Flash, no Adobe, no extra anything.

    Sul.
     
  4. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Exactly what I do...
     
  5. wat0114

    wat0114 Guest

    Right, and there may be the possibility of controlling them...
     


  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The sad thing is Sully, not everyone is like you or me; now are they? Nope. The higher percentage of users will be using one instance of the browser only. Most won't even know that with Google Chrome you can even have more than one profile, with extensions disabled, for example.

    So, we can discuss that we could do this or that, but that still wouldn't change the real life situation. And, the real life situation is that unless you've got the skills to study the extension's code (in the case of Google there's no vetting process), you're hoping that the developer is an honest person.

    Also, when people use extensions, they use them for what they promise to do for them; they aren't concerned about security, especially because they aren't even aware they should be concerned about it. That's the major issue, and to believe something like Sandboxie/AppLocker/etc. would help them with that would be a major stupidity. Sorry if I sound rude by saying stupidity, but that's the way I see it.

    I could also say that I handle bank affairs in person and not by Internet. Nothing beats that. But, does this solve the real issue? Nope.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Well, I do agree with all of that, as you probably know.

    However, I assume that while here, in this forum SPECIFICALLY, we answer questions and give our opinions/advice based on the presumption that those looking/asking are already either beyond basic infos or are looking to learn. If this were a forum about how to weave baskets underwater, then my reply, as you suggest, would have little merit at all. But, since this is a security forum, devoted to such topics, I can only assume that I am speaking to people who want to know or do know and need new ideas.

    If a visitor is reading, who doesn't know, well, they are visiting Wilders. If they don't know yet, they soon will, that this is not exactly the most noob-friendly place in terms of what we discuss, but also hopefully they see it is very noob-friendly towards noobs -- that most of us here genuinely want to help them.

    So, yes, I agree, in the real world where users don't understand these aspects, they would be lost. But, as to the topic of this thread, and the original questions, which are very much more advanced, they apply.

    And for what it is worth, I don't think your use of stupidity is in any way out of context, but rather is fully in context. I am stupid when it comes to many things, and I don't take offense to the truth. Besides, if someone calls me stupid about something I most certainly am not, I can either ignore them or shut them up by showing facts... so, yes, using a solution you don't understand, to stop problems you don't understand, and blindly trusting is... stupidity.

    Sul.
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I liked that part about not wanting to be too confrontational on your 4th post in the forum. Better to get confrontational after 10 or more posts, right? :D
    Just joking, of course.

    Regarding it being too late to close one's sandboxes, maybe not.
    If I have enough SBIE restrictions in place, and I am letting KeePass auto-enter my passwords, and KeyScrambler is encrypting keystrokes and protecting the browser, and I have AV/AM in real-time along with reputation filtering and a HIPS firewall, PLUS I start online shopping/banking sessions in sandboxes that are opened new for each session and have forced delete upon closing the sandbox... plus probably a few more things I've forgotten to mention (like anti-phishing/anti-malware DNS services and the added peace of mind of full system backups always waiting on an external drive)... I'm thinking that the likelihood of it being "too late" for a browser hijacker is not real high. Closing browser sandboxes is just a habit I have gotten into increasingly in the time I've been using SBIE. I don't think in terms of it being too late, I think of it in terms of being a smart thing to do at the proper time. But I try not to become complacent, and always welcome inquiries such as yours, for that is how I learn about vulnerabilities. :)
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I agree with that, but what you previously said...

    ... simply isn't very realistic. And, why not? Heck, I myself don't know crap about the JavaScript language; no bloody way I'll be able to make a distinction between a rogue and a good Google Chrome extension, for example.

    I won't be learning JavaScript, as I got no need to learn it, nor intentions of learning it. So, in Google Chrome's example, I would need Google to have a proper vetting process in place to protect me against rogue extensions.

    And, most people, even those coming at Wilders Security Forum, won't be using probably more than 2 browser profiles. (I use way more than that, and that shows the separation I made in what comes to information access.)

    So, what matters if they use one profile to access their bank account, using a browser profile without Java, Flash, etc., if they may access also other important information using the other browser profile, where they will be accessing/exchanging that information?

    I don't know if they do it or not, but I wonder how many Wilders Security Forums users use extensions such as AdBlock Plus to block ads also in Gmail, etc.? It would actually be interesting to know the real % of WSF users who do use such extensions... or extensions similar to NoScript that exist for Google Chrome.

    Or, how many use TrafficLight from BitDefender all times, during their general browser usage, and do it just because it comes from BitDefender? They don't know whether it's safe or not; they just assume because it belongs to BitDefender it's safe to use. (Note to all: I'm not saying it's an evil extension! lol)

    I ask you: Do they know if those Google Chrome extensions they use were TRULY verified safe, as you put it?

    I don't know if they were or are*. I'm not interested in learning JavaScript to find it out either. Therefore, I don't use them. But, that's my approach.

    All I'm saying is, you can restrict whatever you want in your firewall, AppLocker, Sandboxie, SRP, etc., and none of that will matter if you cannot be sure they were TRULY verified safe. And, as you know, extensions run in the browser and the firewall/Sandboxie/other cannot restrict their Internet access.

    If these people are running extensions, I'd imagine it's because they want to use them and they give them some usability they cannot get by using only a naked browser.

    As an example, a relative's bank has Flash content on their website, therefore Flash cannot be disabled. So, as I mentioned, what works for one won't work for the other.

    -edit-

    I'd also imagine most of the folks who come here at Wilders and who use Firefox and its extensions, also need Mozilla to have a proper vetting process in place. Which Mozilla does have.

    -edit 2-

    * I do know that they weren't verified by Google. To the best of my knowledge, Google still has no vetting process in place.
     
    Last edited: Jan 1, 2012
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Also keep in mind that extensions can call plugins, which can hide their code.
     
  11. wat0114

    wat0114 Guest

    You and so many others have enough ability and common sense to determine rather expeditiously whether something is safe or not :)

    How do you mean?
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps you have taken my statement in the wrong light ;)

    I agree, whole-heartedly with you. I have no idea how you go about verifying if an extension/add-on can be trusted. Therefore, unless one has a way of doing so, don't use them. If you could find a way to verify the integrity of one, only then should you include it in your browser for sensitive activities.

    Frankly, I don't really care about extensions that much, never have. Maybe that is why I don't like Firefox, as the only thing they ever seemed to have that was of any value in my mind was their extensions. I have never trusted them. But that doesn't mean I don't use them. In fact I use a couple on my Chrome install, but then again, I don't use that for anything remotely sensitive.

    Sul.
     
  13. BrandiCandi

    BrandiCandi Guest

    Well, forget about being confrontational, I think what I did was completely derail this Sandboxie setup thread and turned it into a browser security discussion. LOL I swear I'm not a troll. :p My point was simply that Sandboxie is really cool, it's extremely useful in Windows. But it's not an all-in-one solution to all things secure. You can run the tightest Sandboxie configuration known to man, but you also need to consider that you have no control over the security of any third party website. Not every web developer out there values writing secure code in the first place. I'm sure most of the folks in this thread know all this, but I still like to see it written down for all to see.
    Exactly the reason I prefer firefox. Say what you will about open source, but it's pretty hard to slip something nasty past all those geeks looking at the code ;)

    And yes, stupidity = not understanding what you've got running but expecting it to be secure.
     
  14. wat0114

    wat0114 Guest

    Of course you're not a troll and I doubt anyone sees you as one :)

    My question to you and others, especially m00nbl00d, Sully, and HM, is: since it seems, to me anyway, you've suggested you can't 100% verify extensions, then why would you use them? Is it because you have enough faith in everything else, Sandboxie and whatever other security restrictions you've put in place, to make up for possible rogue extensions, or do you just relent because, after all, it's an extension you can't do without? I'm curious.

    My approach must seem to some as somewhat careless and reckless, but I contend I must be doing something right, because I've never been burned by this approach.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is commonplace around here. Subtopics within a topic.

    I can't speak for others, but I don't use one application or method for everything. I have examined my habits and try to put them into categories, each category having certain aspects that differ. It's not complicated really, you just have to think it through a little bit...

    For every day browsing, checking forums, going to trusted sites like majorgeeks or msdn, I use a browser/sandbox combo with extensions.

    For browsing when looking to download a new app, or searching for a software solution, to places I have never been, for files to download, I use a different sandbox but same browser, which may use extensions or not.

    For browsing of the more sensitive nature, banking, online transactions, etc, I use a different sandbox/browser combo, without any extensions, indeed with as little as possible aside from the browser itself. If one site needs flash to operate, I may have one sandbox devoted to that site so I can control it better.

    I have no faith whatsoever in any plugin/extension/add-on. None. But just because I have no faith in them doesn't mean I can't use them. It just means, to me, that I need to know what I do that would possibly be affected by a rogue extension. Then I simply compartmentalize things so that for different purposes I have different tools.

    It is Sandboxie that makes this possible. Without Sandboxie, and the options it uses and its strengths, I would have a much different way of doing things. I strive to understand the strengths and weaknesses of what I do, and adjust what I do accordingly rather than try to find some one-size-fits-all solution.

    Sul.
     
  16. wat0114

    wat0114 Guest

    Hi Sully,

    thank you for your feedback :)

    Why not o_O If I felt this way, I would never allow them to run in my setup, even if I knew I could contain them.

    This makes no sense to me; if you have no faith in them, why allow them in the first place, even if you know how to respond to problems with them?

    You don't have any inherent weaknesses in this capacity, but of course you are too humble to admit this ;) Realistically, you don't have to depend on Sandboxie to cover any so called "weaknesses" in your security arsenal, and I'm sure your confidence in your own abilities isn't dependent on Sandboxie or other software to cover these alleged weaknesses you speak of :) Sandboxie is terrific in a capacity where one wants a "set-and-forget" security measure on a machine that is used by those who don't have the knowledge, ability or desire to secure themselves against rogue Internet-borne threats, but it is certainly not an essential arsenal for those who harbor the knowledge and ability to secure themselves against them.
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps lumping them all together is not fair to many plugins etc. that are in fact good to use. However, since many years ago, I was fixing many issues with BHOs or search bars etc., things that got "into" the browser, whether maliciously or whether allowed by the user. I made it a point to stay free of them. I did not have issues like so many did (those I fixed for people). For simplicity's sake, I lump them all together. I don't do Adobe plugins, and used to stay clear of Java and Flash too. That of course is becoming very hard to do these days.

    With the advent of Sandboxie though, it allows me to compartmentalize things. Now I can use flash and certain plugins/extensions that I would not have used before, because of what SBIE does and how I use it.

    I can honestly say, that before Chrome, I have only used 1 extension, and that was wget with Kmeleon. I tried a few other plugins that were download managers though. Anyway, with Chrome I use a few of them. Without Sandboxie I probably would not. But I trust SBIE enough to take care of things, and I trust how I do things to keep it that way.

    I simply don't have issues. Rarely anyway. Is it because I distrust a lot of things? Yes and no. It is due to many things, but certainly my "guilty until proven innocent" outlook towards software hasn't hindered me in any way ;)

    Sul.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. lol You have to forgive me if it seemed I was with my head in the moon. These last days haven't been great to me... party-wise. ;) :D
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, today I came across a Sandboxie behavior, which I'm not sure if that's simply a limitation it has or what.

    I downloaded an application that allows to create jumplists in Windows 7 taskbar. That application's name is Jumplist Launcher. Official site: en. www. ali.dj/jumplist-launcher (Remove the spaces).

    I ran it with standard user rights inside Sandboxie, and then I pinned Jumplist Launcher to the taskbar (all in the sandbox session). The shortcut got pinned to it.

    Then, I closed the sandbox and cleaned it, but the shortcut got to the real system in %UserProfile%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

    I figured it was some junk that got left behind and that once I logged off or rebooted it would be deleted, until I went to the user profile folder and saw the shortcut there. I thought the shortcut was pointing to the Jumplist Launcher executable that was running in the sandbox, pointing to a directory like C:\Sandboxie\sandboxname\blah_blah\executable.exe, and that, considering the sandbox was cleaned, nothing would happen if I clicked the shortcut in the taskbar; but it loaded the executable that I had placed on the desktop, which I had previously allowed to run in the sandbox, since otherwise AppLocker would block it.

    Anyway, should Sandboxie be allowing shortcuts added to the taskbar, which are saved in %UserProfile%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar, not to be sandboxed?
     
  20. Chron Kyrios

    Chron Kyrios Registered Member

    Joined:
    Jan 27, 2012
    Posts:
    5
    Location:
    USA
    Hi.
    I am fairly new at using Sandboxie. I have used the basic functions of it over a year ago, and I really liked what I saw. I haven't used it much since then, but I recently purchased a copy and intend to make heavy use of it in my new Windows 7 installation. I am technically inclined, so I don't have a problem learning the command syntax and settings, but what I intend to do may take quite a bit of work. Let me describe my plan, and see if any of you have, or know of a configuration template I can copy to get a jump-start on my implementation. I liked Sully's configuration, but was saddened to see it had not been set up for x64. Re: https://www.wilderssecurity.com/showpost.php?p=1969028&postcount=25

    I plan to install as many things inside their own separate sandboxes as possible. I understand that most or all of my security software cannot, or should not, be installed this way. But, nearly everything else is a candidate. Correct me if I am wrong on any of this, but if I understand how Sandboxie works, then this will have multiple benefits...

    One. It will keep the registry fresh and new as nearly nothing installed after the security software will actually be put into the registry. Windows will see very few program entries in the registry at boot time. This should decrease boot speed.

    Two. I believe I will be able to make a copy of the entire installation simply by duplicating the sandbox File Structure. (Can I Do This?) That way I can have one copy of a program as it is freshly installed and configured, one for temporary sessions which will wipe the data each time, and one for ongoing use which saves settings and recovers files.

    Three. If I decide to install a program on another machine, this should allow me to copy the entire sandbox over and have it think it's been installed on that machine as well. (Can I do this?) Essentially this approach would turn any program into a portable version without having to accept the sacrifices often found in portable versions.

    Four. This will keep my actual "Program Files" folders clean. I have long been a fan of separating my programs, from what Windows puts on the machine. But, I am also interested in Security, and I read recently that keeping programs in the Program Files folders adds a layer of protection. This way, I can have my own personal Program Files folders which will remain separated from the actual Program Files folders yet still secure.

    Five. I plan on making extensive use of Buster Sandbox Analyzer during the installations of most of my programs. I have not used it yet, but it looks like the program is an on-demand registry and file snapshot utility that works on a per-sandbox basis. This of course allows me to analyze program installations on a deeper level so I can see just how well or sloppily the programs are written. This goes for reviewing new programs as well as re-evaluating the programs I currently use. Another benefit of this is being able to help clean up other people's computers if they have installed something they shouldn't have and the uninstall fails. (I know of a particular defragger which injects over 2000 registry entries. Really?!) I would simply install the offending program on my own machine, and use Buster to generate a list of file and registry entries to eliminate.

    BUNCHA QUESTIONS

    Am I wrong in any of my assumptions above?

    Do you guys have a rule-set available specific to my goals which I can use as a jumping-off point for my endeavors?

    Am I going to have troubles when it comes to process names being identical? How would I handle ForceProcess?

    Another question, Is there a list of programs somewhere that simply do not work well when installed inside a sandbox? Or, is it as simple as InstallsDriver=Can'tInstallInsideSandbox ?

    My plan actually makes 4 locations for Program Files. Two in Programs and Programs(x86), and two more like them in the Sandbox(es). What key areas would I have to cover to update yours to fit my plan?

    Is this all a pipe dream?
     
    Last edited: Jan 28, 2012
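    Sully's per-purpose sandboxes (posts 15 and 17) and Chron Kyrios's questions about identical process names, ForceProcess and an install-only box, sketched as a Sandboxie.ini fragment. This is an added example, not any poster's configuration; it uses the Sandboxie 3.x-era keys as documented, and the box names, folder paths and the Banking profile location are constructed placeholders to adjust.

```ini
; Constructed Sandboxie.ini fragment (added example, not from the thread).
; Verify key names against the Sandboxie.ini documentation for your version.

; Box 1: everyday browsing, forums, trusted sites; extensions allowed.
[Browsing]
Enabled=y
ConfigLevel=7
DropAdminRights=y
; Only this box claims the browser by image name, so a plain double-click on
; Firefox lands here. ForceProcess matches the image name alone, so the same
; name must not be forced into two boxes; the other boxes are started
; explicitly with Start.exe /box:<name>, which takes precedence over forcing.
ForceProcess=firefox.exe
AutoRecover=y
RecoverFolder=%Personal%
RecoverFolder=%USERPROFILE%\Downloads
Template=AutoRecoverIgnore

; Box 2: unfamiliar sites and downloads. Anything launched from the real
; Downloads folder is forced in here (ForceFolder matches by path, not by
; process name), so a fetched installer never runs on the host by accident.
[Downloads]
Enabled=y
ConfigLevel=7
DropAdminRights=y
ForceFolder=%USERPROFILE%\Downloads
AutoRecover=y
RecoverFolder=%USERPROFILE%\Downloads
Template=AutoRecoverIgnore

; Box 3: banking. Emptied on close (so each session starts fresh), only the
; browser may start or reach the network, and the everyday Firefox profile
; (cookies, saved logins) and Documents are invisible from inside the box.
; Shortcut target for this box, on one line (paths are placeholders):
;   "C:\Program Files\Sandboxie\Start.exe" /box:Banking
;     "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
;     -no-remote -profile "C:\Profiles\Banking"
[Banking]
Enabled=y
ConfigLevel=7
DropAdminRights=y
AutoDelete=y
AutoRecover=n
; Start/Run access: only members of the group may start in the box.
ProcessGroup=<StartRunAccess>,firefox.exe
ClosedIpcPath=!<StartRunAccess>,*
; Internet access: only members of the group may open network devices.
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
; Hide the daily profile and personal documents from the banking box.
ClosedFilePath=%AppData%\Mozilla\Firefox\Profiles
ClosedFilePath=%Personal%
BlockNetworkFiles=y

; Box 4: installs only. Installers keep their rights (no DropMyRights here,
; as Chron Kyrios found), and the box is protected from deletion so the
; installed tree can be inspected with Buster Sandbox Analyzer or copied.
[Installs]
Enabled=y
ConfigLevel=7
DropAdminRights=n
AutoDelete=n
NeverDelete=y
AutoRecover=n
```

    A program installed into Installs and then copied into another box's FileRootPath still has to be launched with Start.exe /box:<thatbox> and a full path, since ForceProcess cannot tell two copies of the same executable apart.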
  21. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    @ Chron Kyrios

    No you are not wrong in assuming Sandboxie will keep your registry/and drive free from clutter and junk.

    And quite honestly, Sandboxie is the most functional application for Windows I have EVER used. Big statement, eh. But true.

    You can throw anything at Sandboxie and it will work. And if it doesn't, you just need some investigative skills and time to crack the problem.
     
  22. Chron Kyrios

    Chron Kyrios Registered Member

    Joined:
    Jan 27, 2012
    Posts:
    5
    Location:
    USA
    Thank You, Keyboard Commando, that helps.

    I also read the thread at https://www.wilderssecurity.com/showthread.php?t=253382 regarding Templates, nice work Sully. It looks like that would make things really easy, but, I am still a little unsure about the proper procedure to install inside a sandbox and then run the sandbox-installed program in different sandboxes.

    Is it as simple as installing the program and then copying the sandbox a few times so I can change the settings in each one? I assume I am going to have to launch my sandboxes manually with shortcuts, rather than using force program, because I can't specify path names for different exe's. I guess my main question at this point is: what is a good set of rules for a box that is only going to be used to install a program inside the sandbox, prior to use? At least that way, I can get my programs installed and work on settings for the other stuff as I go.

    I still haven't actually started playing with it... I am still trying to make sure I understand it before diving in. Maybe some of the questions would answer themselves with some hands-on experience.
     
    Last edited: Jan 28, 2012
  23. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,289
    Location:
    Pennsylvania.
    Have dropped rights enabled. ONLY use it for browsing certain >_> sites and have eraser erase the sandbox.
     
  24. Prole

    Prole Registered Member

    Joined:
    Feb 2, 2011
    Posts:
    47
    Location:
    New England, USA
    You could just go on over to the forum at the Sandboxie site - the developer doesn't seem to mind dealing with these kind of questions.
     
  25. Chron Kyrios

    Chron Kyrios Registered Member

    Joined:
    Jan 27, 2012
    Posts:
    5
    Location:
    USA
    This is certainly true. tzuk is always on it in the forums!

    The reason I came here first was because of the large number of posts regarding .ini settings.

    I just found out that there are a lot of .ini related posts on that site that I have not read. (I had to use Google site search) So, I may solve a number of my problems there.

    I figured out that I don't want to use DropMyRights when installing things, lol.

    So, now my requests above are modified to: If you have any handy answers or think this would be an interesting challenge, then by all means, throw in your two cents. If not, I'll keep you posted!

    :thumb: :thumb: :thumb:
    ++Chron Kyrios
     