Help me get the most out of Sandboxie

Discussion in 'sandboxing & virtualization' started by n8chavez, Dec 22, 2016.

  1. n8chavez

    n8chavez Registered Member

    As the title says, I'm looking to get the most out of Sandboxie. I'm pairing it with a light HIPS, SpyShelter Firewall. I understand the intent of SBIE is to create isolation between those apps sandboxed and the real disk, and that the best approach is to create sandboxes where internet-enabled applications are virtualized. So far I have SBIE boxes for Cyberfox, Skype, Miranda IM, and Outlook. I have seen it suggested that download directories also need isolation. I'm not sure how that can be done and yet still have that directory function. What else do you suggest I look into in order to strengthen my SBIE settings?
     
  2. bo elam

    bo elam Registered Member

    To sandbox your Downloads folder you force the folder via Forced folders.

    Sandbox settings>Program start>Forced folders, Click Add folder, navigate to the folder, select it.

    The way it works when you force a folder: Files that are located inside the folder will run sandboxed automatically when executed. So, downloads like a PDF or a movie or an Office file will run sandboxed when they run out of that folder.

    The directory is not changed by Sandboxie in any way. You want to use this feature (Forced folders) for forcing download folders, folders where you keep personal files or get from someone else. It can also be used for forcing your USB drives. And you don't want to use it for forcing system folders or Windows Explorer.

    Congratulations (for wanting to get the most out of Sandboxie), n8chavez :cool:. I call it get all the juice out of Sandboxie. I'll be back later and write some more.

    Bo
     
  3. n8chavez

    n8chavez Registered Member

    Thanks Bo Elam! It was actually your posts at the SBIE forum that piqued my interest in sandboxing more than just internet-access apps. I will try what you suggest.

    I intend to create boxes for any app I use daily that might be exploitable. So far, from reading other threads, I have come up with Foxit PhantomPDF, MS Office, 7zip, POPeeper, Viscosity, Sketchup, and ProgeCAD. None of these apps are listed in the "apps" SBIE section. If anyone has any suitable configs I'd appreciate looking at the code.

    Thanks,

    n8
     
    Last edited: Dec 23, 2016
  4. bo elam

    bo elam Registered Member

    Regarding settings, when I create new sandboxes and I am setting them up, I try to achieve a good balance between security and usability. But usability comes first. So, I restrict them as much as I can without giving up usability. The result is a sandbox that is comfortable to use and very secure.

    When you create a new sandbox, by default settings, all programs in the sandbox are allowed to start and run and have access to the internet. What I do in each sandbox is allow only the programs that I know I might use when I am using the Leader program of a sandbox. For example, in an email client sandbox, if I only read and send mails and do not open any attachments while using the mail client, I could restrict the programs that are allowed to run and have access to the internet to only the exes of the email client.

    But (for convenience and usability) if I like to run attachments like PDF or Word files while using the client as well as opening web links that might come in some mails with Firefox, then I'll also allow the exes for Firefox, Word and the PDF reader to run. And give internet access to Firefox. :)

    Bo
     
  5. bo elam

    bo elam Registered Member

    That's the idea, n8chavez.

    Pretty much the only time I find myself not using Sandboxie when the computer is running is when I am updating something or the computer is idle.

    Bo
     
  6. Rasheed187

    Rasheed187 Registered Member

    I personally only run a couple of apps sandboxed, I think it's overkill to run every exploitable app inside the sandbox, a tool like MBAE is more suitable for that. I would suggest protecting your most important data from read and/or write access.
     
  7. n8chavez

    n8chavez Registered Member

    Since I am also running a light HIPS, I don't want to add too many security apps. I also have licenses for Shadow Defender and Hitmanpro.Alert. What combination would you use, Bo Elam and/or Rasheed187? The way I think of it, SBIE is not just about virtualization but also limiting apps' network and process access. (Double-layering this aspect of SBIE with SpyShelter firewall adds double protection.) Both can be achieved with SBIE. If virtualization was paramount I'd use Shadow Defender, but it cannot limit network access. Thoughts? Am I looking at this wrong?
     
  8. bo elam

    bo elam Registered Member

    Good idea. The lesser the amount of security programs you run along Sandboxie, the better. That's because you'll eliminate conflicts, you get fewer messages, sandboxed programs open up faster, sandboxes delete quicker, in short, better security and smoother operation of Sandboxie when you limit the amount of security programs that Sandboxie has to work along with.
    Myself, I use nothing along Sandboxie. But I think a good companion for Sandboxie is a simple antivirus. The lesser amount of addons that come with the AV, the better. This type of addons can cause problems.

    If the HIPS you are using now works nice with SBIE and you like it, I say "keep it". If you want to add something else, I recommend Windows Defender/MSE or something simple like it. MSE has not conflicted with SBIE since MSE1.

    You mentioned SpyShelter. As far as I know, it's getting along well with Sandboxie. It's been like that for at least a couple of years.

    Bo
     
  9. Rasheed187

    Rasheed187 Registered Member

    Yes, this is always a good idea. At the moment I have also combined SSFW with Sandboxie. In addition, I run EXE Radar to block exploits/malware from running inside the sandbox. It's possible to block network access and process execution with SBIE, but SS and ERP already take care of that, no need to make it more complex.
     
  10. wat0114

    wat0114 Registered Member

    @n8,

    this post seems to recommend an overall solid sandboxie setup. Step 5, however, may not be necessary. The thread containing it is here, containing plenty of good recommendations throughout it. I do want to add @bo elam's suggestions are on an "expert" level to be sure :thumb:
     
  11. Socio

    Socio Registered Member

    I came across this on a real good site about hardening Windows 10 and set mine up this way;

    http://www.hardenwindows10forsecurity.com/

     
    Last edited: Jan 19, 2017
  12. paulderdash

    paulderdash Registered Member

    Thanks.
    @bo elam Would you recommend all of these settings too, or would some create usability issues?
    I have the first setting in place, but am wondering about the others.
     
    Last edited: Jan 20, 2017
  13. bo elam

    bo elam Registered Member

    Deleting the sandbox is an important feature. Most of my sandboxes are set to delete on closing of sandboxed programs. The ones that are not is because of something special (like when installing a program in a sandbox and keeping the sandboxed installation for a few hours or days). I normally don't keep sandboxes where I run browsers, I usually delete contents of these sandboxes immediately after closing the browsers. It is safer.

    There are users that like saving browsing sandboxes and use them time and time again. That's OK to do but users who do this shouldn't use these sandboxes with old contents for sensitive browsing. We don't want to mix sessions of regular browsing with sensitive browsing. With Sandboxie, when doing sensitive browsing, you want to do it in a fresh browsing session in a sandbox that had no contents, do your banking, mail, and when you finish, you close the browser and delete the sandbox. And then you can go back to regular browsing. What I wrote sort of goes along with what he said and I am quoting below.
    He mentions Program stop>Leader program. The time to use this setting is when programs remain lingering in the sandbox after closing the main program that you run. This can happen to some users sometimes in some systems. So, for example, in your Firefox sandbox the Leader program is Firefox, if after you close Firefox you notice that the sandbox doesn't delete and it's because programs are lingering still running, then to try solving this you make Firefox the Leader program, which means, when Firefox closes and it's terminated, all other programs get terminated automatically and the sandbox gets deleted. It's rare to have to use this setting. I don't use it in any sandbox in W7 but did use it in 1 sandbox in my XP.

    He also mentions the restrictions, Drop rights. What I personally try to do is achieve the perfect balance between security and usability when I set up a sandbox. I try to set them up as restricted as possible but without giving up any usability. The result is that all my sandboxes are secure and comfortable to use. Work on that but don't get frustrated when you find some sandboxes being easier to restrict than others. For example, setting up Firefox in a highly restricted sandbox is easy, that's usually the case but it might be the opposite when you try to do the same for Chrome.

    Bo
     
  14. Dii

    Dii Registered Member

    How do you download an executable file in the sandbox, make a folder there and install it, set the sandboxed folder to remain even if I close Sandboxie, and when I want to run it again I only open Sandboxie and go to the folder where I installed it?
     
  15. EASTER

    EASTER Registered Member

    Thank You @bo elam. I'm fresh back on the trail of using Sandboxie again myself and I want to keep things simple as possible.
     
  16. bo elam

    bo elam Registered Member

    Hi Dii. Do it this way:

    There are different ways you can go to install a program in a sandbox, and keep it for as long as you want. Here is one way, it's not exactly the way you describe what you want but is close. Your first step is to create a new sandbox, you can name it as you wish, so you could use the name of the program you are gonna install sandboxed for the name. To create the new sandbox, go here (look below), as you go creating the sandbox, you'll be given the chance to name it. Don't copy settings from existing sandboxes. You should dedicate this sandbox solely for the program you'll install in it.

    Sandboxie control>Sandbox>Create new sandbox

    Now that you have the new sandbox, leave settings on default. Do this for two reasons. One, installing programs sandboxed works better in a sandbox with default settings. If you restrict the sandbox, the program won't install. And two, on default settings, sandbox contents are not set to be deleted on closing of the sandboxed program.

    After getting your dedicated sandbox ready, download the installer to the desktop, right click it, and choose the option, Run sandboxed. Let the installation go thru. Be aware that some programs don't install sandboxed.

    Programs that are installed sandboxed can be opened different ways. I'll give you one way here. You can create a shortcut for it. Go here:

    Sandbox settings>Configure>Windows shell integration, click Add shortcut icons. In the Menu that opens up, choose the sandbox where you installed the program, that opens up the Sandboxie start menu, look for the executable or shortcut for the sandboxed program in the menus, and click it. After the click, you'll have your sandboxed shortcut in the desktop.

    Or, go to the sandbox folder, look for the executable for the program that you just installed in the installation folder, create a shortcut. And move the shortcut to the desktop or wherever. You can also right click the executable and pin it to the Start menu, and then run the sandboxed program from there.

    Bo
     
  17. bo elam

    bo elam Registered Member

    Oh yes, the keep it simple principle applies to Sandboxie.

    Bo
     
  18. Dii

    Dii Registered Member

    Thanks Bo.
    1. Can I set up the new sandbox to have network and internet access disabled?
    2. How do I create a folder that has files stored at all times in a sandboxed folder, even when Sandboxie is closed? Then to access the files I can do it only by opening Sandboxie.
    3. Do you use the latest version of Sandboxie that has appeared since it was open sourced, meaning Sandboxie-Plus-x64-v0.8.2.exe?
     
  19. bo elam

    bo elam Registered Member

    1. You can restrict sandboxed programs from connecting to the internet here:

    Sandbox settings>Restrictions>Internet access, Click Block all programs

    If an installer doesn't have to connect to the internet for the installation to be successful, you can set up the restriction before doing the install. Or, you can set it up after installing the program in a sandbox.

    2. Sandboxie has something that's close to what you describe on 2, it's called Forced folders. When you set this up in a folder, files that are inside the folder will run sandboxed automatically when executed. You can set a folder as Forced here:

    Sandbox settings>Program start>Forced folders, Click Add folder

    This feature works perfectly for your downloads folder, your USB drives, or for folders as the one in your description. After the forced folder is set up, you navigate to the folder, click on a file and the file runs sandboxed.

    For forcing folders it is also recommended to use a separate sandbox for the folder. So, go here to create the new sandbox, you can name it Downloads or as you wish:

    Sandboxie control>Sandbox>Create new sandbox

    Force the folder in Sandbox settings for this sandbox.

    Bo
     
  20. Dii

    Dii Registered Member

    "2. Sandboxie has something that's close to what you describe on 2, its called Forced folders"
    But are those forced folders for sure sandboxed even while Sandboxie is closed? Is there any guarantee?
    You did not answer my 3rd question.
    Thanks so much for taking the time to actually post settings pathways in your posts.
     
  21. bo elam

    bo elam Registered Member

    Dii, Forced folders is not perfect, that's why in my opinion to get the most out of Sandboxie, you combine using Forced programs with Forced folders. By doing so, you'll get most files and programs that run in the computer to run sandboxed automatically when they are executed. The only question being in which sandbox they will run. And this will depend on the location of the files.

    I don't know if you know but Metro apps, Store Apps, this type of applications are not compatible with SBIE. You can not run them under Sandboxie. So, if an app is your default program for a type of files (like videos or pictures for example), then this type of file would not run sandboxed out of a Forced folder. And you can not set them up as forced programs either. Fortunately, for someone like myself who doesn't use the store at all, you solve this easily as all you have to do is switch to a program that can be set up as a Forced program. You can do this with most programs.

    Also, out of a forced folder, Windows programs that are tightly related to Windows would not run sandboxed via Forced folder. These specific programs are WMP and WPV. In the past, years ago, there were a couple of other programs that would not run sandboxed via a Forced folder. One was 7Zip, but that was fixed a long time ago. As of right now, I don't know of any program (other than WMP and WPV) that would not run sandboxed automatically out of a Forced folder. In the case of WMP, if you use it as your default program, it can be set as a Forced program. So, remember, combine both features, and you will not have to think much about getting files and programs running sandboxed automatically. When I click on a file, the file runs sandboxed, the only question is, in which sandbox it is gonna run, and that depends where the file is located. You can set yourself up this way also.

    Once you know about what I just talked about and know how to deal with it, you do it. I recommend you do some testing. Put a video, a jpg, a PDF file, a RAR file, an installer, etc. in a Forced folder and see the behavior, see if these files run sandboxed in the sandbox you set up for the Forced folder, or if they run in the sandbox you set up for a Forced program, or if they run out of the sandbox (other than the exceptions I mentioned, anything else should run sandboxed).

    Regarding question 3. I am using 5.33.6. Please don't ask why as talking about it can turn a nice conversation like this one into an ugly debate.

    Bo
     
    Last edited: Jun 24, 2021
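
Added example, not part of any post in this thread and not Sandboxie project code: a small auditor that reads Sandboxie.ini text and reports, per sandbox, the options discussed above (Forced folders, Forced programs, Leader program, delete on close, Drop rights, Block all programs). It assumes those GUI options are stored under the ini keys ForceFolder, ForceProcess, LeaderProcess, AutoDelete, DropAdminRights and ClosedFilePath; the sample file, box names and paths are constructed.

```python
from collections import defaultdict

# Constructed sample in Sandboxie.ini syntax; box names and paths are made up.
SAMPLE_INI = r"""
[GlobalSettings]
ForceDisableSeconds=10

[Downloads]
Enabled=y
AutoDelete=y
DropAdminRights=y
ForceFolder=C:\Users\example\Downloads
ForceFolder=E:\Incoming
ClosedFilePath=InternetAccessDevices

[Firefox]
Enabled=y
AutoDelete=y
ForceProcess=firefox.exe
LeaderProcess=firefox.exe
"""

def parse_boxes(text):
    """Return {box: {key: [values]}}. Keys such as ForceFolder repeat."""
    boxes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            low = line[1:-1].lower()
            # GlobalSettings, UserSettings_* and Template_* are not sandboxes.
            skip = low == "globalsettings" or low.startswith(("usersettings_", "template_"))
            current = None if skip else boxes.setdefault(line[1:-1], defaultdict(list))
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip().lower()].append(value.strip())
    return boxes

def audit(text):
    """Summarise, per sandbox, the settings the thread talks about."""
    report = {}
    for box, cfg in parse_boxes(text).items():
        def on(key):
            return any(v.lower() == "y" for v in cfg.get(key, []))
        report[box] = {
            "forced_folders": cfg.get("forcefolder", []),
            "forced_programs": cfg.get("forceprocess", []),
            "leader_programs": cfg.get("leaderprocess", []),
            "auto_delete": on("autodelete"),
            "drop_rights": on("dropadminrights"),
            # "Block all programs" is assumed to be stored as
            # ClosedFilePath=InternetAccessDevices (other builds may differ).
            "internet_blocked": any(v.lower() == "internetaccessdevices"
                                    for v in cfg.get("closedfilepath", [])),
        }
    return report

if __name__ == "__main__":
    for box, row in audit(SAMPLE_INI).items():
        print(box, row)
```

On a real system the ini file is usually stored as UTF-16, so read it with that encoding before passing the text to `audit`.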
  22. DavidXanatos

    DavidXanatos Developer

    Regarding certain applications not running from a forced folder, you can try to use
    ForceRestart=program.exe to mitigate this issue, available since sbie version 5.50.0
     
  23. Dii

    Dii Registered Member

    Hi David, can you please give any confirmation that those forced folders for sure are sandboxed even while Sandboxie is closed? Is there any guarantee?
     
  24. DavidXanatos

    DavidXanatos Developer

    Forced folders and programs are forced when the Sandboxie driver is loaded;
    if you are not using the portable mode, this should normally always be the case.
     
  25. Dii

    Dii Registered Member

    I don't really understand what you mean. I just want to know if those files contained in forced folders can not access the rest of the Windows OS or the internet after I completely close Sandboxie. The only way I want to have access to those files is by opening Sandboxie again.
     