Inserting a USB stick sandboxed?

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by camelia, Dec 23, 2022.

  1. camelia

    camelia Registered Member

    Joined:
    Nov 4, 2011
    Posts:
    455
    Location:
    Mexico City
    Help!

    I want to insert a USB stick and immediately and automatically sandbox all of its contents,
    but I do not know how to.

    Thanks in advance for any help
    Camelia

    Sandboxie PLUS 1.6.2
    Firefox v108.0.1
    Windows 10 22H2 (OS Build 19045.2364)
     
  2. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,137
    I believe this is it, someone else can confirm or correct. This is what I had when using Sandboxie.

    Code:
    [USB]
    
    Enabled=y
    ConfigLevel=7
    AutoRecover=y
    Template=WindowsFontCache
    Template=BlockPorts
    Template=LingerPrograms
    Template=Chrome_Phishing_DirectAccess
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore
    RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    BorderColor=#00FF00,ttl
    BoxNameTitle=n
    AutoDelete=y
    NeverDelete=n
    ForceFolder=D:\
    DropAdminRights=y
     
  3. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    219
    I like to add a couple more to the Sandboxie.ini file, like this (not C:\ because I have Windows installed on the C drive). You can put this under the sandbox name of your choice (e.g. [DefaultBox]):
    Code:
    ForceFolder=A:\
    ForceFolder=B:\
    ForceFolder=D:\
    ForceFolder=E:\
    ForceFolder=F:\
    ForceFolder=G:\
    ForceFolder=H:\
    ForceFolder=I:\
    This way my optical drive and external HDDs and USBs are all forced to run sandboxed.
     
  4. camelia

    camelia Registered Member

    Joined:
    Nov 4, 2011
    Posts:
    455
    Location:
    Mexico City
    Thank you, but I have no idea where to add those lines. Maybe SBIE.ini? :'(

    Camelia

     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    You can set up forcing your USB Drive 2 different ways:

    1. Go to Forced folders in Sandbox settings of your USB Sandbox and click Add folder. Select the USB Drive from the Window that opens up to add it to Forced folders.

    Important: For the drive to appear in the Window where you select it, you have to have a USB stick plugged into the computer.

    [Attached image: Sin título.png]

    2. Another way for you to force your USB drive is to write the setting under USB settings in the configuration file. All you need to know is the Drive letter the USB drive uses. In my case it is E. So, I would write ForceFolder=E:\ under my USB settings and I am done.

    If you do it correctly it would look like this, look at the bottom:

    [USB]
    Enabled=y
    ConfigLevel=9
    BlockNetworkFiles=y
    Template=AutoRecoverIgnore
    Template=LingerPrograms
    Template=BlockPorts
    Template=FileCopy
    Template=SkipHook
    RecoverFolder=%Desktop%
    BorderColor=#00FFFF,off,6
    BoxNameTitle=n
    ClosedFilePath=InternetAccessDevices
    ClosedFilePath=C:\Users\Bo\BoDocumentos\
    ClosedFilePath=%Desktop%\F\
    ClosedFilePath=%Desktop%\Otros.txt
    AutoDelete=y
    NeverDelete=n
    NotifyInternetAccessDenied=y
    ForceFolder=E:\

    Doing it one way or the other, that is how it would look in the Configuration file.

    Bo
     
  6. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk
    You can't necessarily guarantee the drive letter of a USB drive, so the above does not give an automatic solution.
     
  7. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,076
    Location:
    UK
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    You can always go to Option 2 and write the setting for every letter. IMO, having to do this is no big deal. But yes, if you are lazy then you will not do it and blame SBIE or something else.

    Bo
     
  9. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk
    That then sandboxes any external drive which may not be what is wanted. I can't think of a decent solution.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Then make a drive letter fixed with the help of a service.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Another solution, which is even more secure than forcing the drive, is to reach the USB Drive by navigating to it using a sandboxed File Explorer. It is not automatic, as it cannot be set up to be done automatically, but it is many times safer than forcing the folder.

    Bo
     
  12. camelia

    camelia Registered Member

    Joined:
    Nov 4, 2011
    Posts:
    455
    Location:
    Mexico City
    Is it OK?

    [Attached image: 01USB.jpg]
    Why does the SBIE icon have something red in USB?
    [Attached image: 02USB.jpg]

    This is my SBIE .ini
    Code:
    [USB]
    
    Enabled=y
    ConfigLevel=9
    AutoRecover=y
    BlockNetworkFiles=y
    Template=BlockPorts
    Template=FileCopy
    Template=SkipHook
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    RecoverFolder=%Desktop%
    BorderColor=#00FFFF,off,6
    BoxNameTitle=n
    ClosedFilePath=InternetAccessDevices
    ClosedFilePath=C:\Users\c4m3lia\Documents\
    ClosedFilePath=%Desktop%\F\
    NeverDelete=n
    NotifyInternetAccessDenied=y
    ForceFolder=A:\
    ForceFolder=B:\
    ForceFolder=D:\
    ForceFolder=E:\
    ForceFolder=F:\
    ForceFolder=G:\
    ForceFolder=H:\
    ForceFolder=I:\
    DropAdminRights=y
    Thanks
    Camelia
     
  13. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    219
    I don't know about the red mark on the USB sandbox icon, it must be a Sandboxie Plus feature (I'm using Sandboxie Classic).

    You entered the drives the way I have them set to be forced in the Sandboxie.ini file. You can now test it to see for yourself if it works, by inserting a USB flash drive or external HDD or an optical medium or a floppy disk - I haven't seen those in a while. :)

    When you insert a drive and try to open a file on it, the USB sandbox will indicate that there's something running sandboxed in the USB sandbox. This means that it works as it should and you're protected from malware on the external media (also malware that auto-runs upon drive insertion, without you manually running/opening a file).

    I use my external drives to copy data on and off from them (to and from my internal HDD - C:\). If I ever need to open/run something NOT-SANDBOXED on the external drive, I use the right click and "Run outside of the sandbox".

    I sometimes connect 2 external HDDs and 1 USB flash drive at the same time + a DVD-ROM and all 4 are covered by the forced letters in the ini file. So yes, I think you are good! But if you want, you can add even more drives, up until ForceFolder=Z:\.
     
  14. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,076
    Location:
    UK
    I believe that the red mark on the icon means it has been set to auto-delete.
     
  15. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    I like the idea of having some protection against USB sticks. In build 0.8.0 I even added a feature to improve on this:
    - added "UseVolumeSerialNumbers=y" that allows drive letters to be suffixed with the volume SN in the \drive\ sandbox location
    This way, when you attach a USB stick and change its content, the changes will only show when you plug in the exact same USB stick again and will not be wrongfully shown on another USB stick.
    Technically this applies to all volumes, so don't set this option on a non-empty sandbox, to avoid things getting screwed up.
    And since then I have had on my ToDo list:
    - Force all removable drives

    The main reason I haven't added this yet is that I'm not sure how to ideally handle it.
    The straightforward approach would be to check the drive properties and apply force folders for all partitions on a removable disk, but this would fail for external HDDs, or in fact sticks which identify themselves as HDDs. Which is not good, as those pose the same risks as sticks.
    The elaborate approach would be to discriminate the drives based on how they are connected, so detect if a volume is located on a device connected to the PC's USB bus, but this is quite a lot of additional complexity for a medium advantage over just adding D: to Z: to the force folder list manually.
    A cheating approach would be to enumerate all partitions on SandMan startup and then just force all volumes that appear once SandMan is running, but this would fail for RAM disks, encrypted volumes and any other sort of volumes the user may attach later.

    So there really is only one good solution, which is not simple. Are there enough users interested in this feature?
    If so, I could add it the elaborate way.

    The other things to think about, which would need to be added, are:
    1. In which sandbox to run the sticks. It should be a global option where you can enable or disable it and pick a box for all sticks.
    2. This option would need an exclusion list based on the volume serial number, so as to allow trusted sticks to not be sandboxed.
    3. We would also need an option to make attached sticks an Open Path automatically, such that the programs running on the stick can modify it but nothing else.
    4. Perhaps we should also have a feature to allow forcing individual sticks, by volume serial number, into specified sandboxes.


    What do you think?
     
  16. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    @DavidXanatos
    While deciding to implement (or not) a comprehensive way,
    could you please help with the following:
    I would like to create a "local template" [ForceUSB] for e.g. drives A,B, D-Q, R-Z.
    What is the code for this and where to place it in the sandboxie.ini file?

    You may even want to implement something similar in the box-creation wizard
    in 1.7.x where you can ask for "excluded drive letters" instead (e.g. C,D,R).
     
    Last edited: Dec 26, 2022
  17. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
    @camelia's example is good; you need
    ForceFolder=A:\
    ForceFolder=B:\
    ForceFolder=D:\
    ....
    ForceFolder=Q:\
    ForceFolder=R:\
    ....
    ForceFolder=Z:\

    in the sandbox you want to use to put the drives in
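
The one-`ForceFolder`-line-per-letter setup discussed above, combined with the "excluded drive letters" idea from the previous post, as an added example that is not part of the thread or of Sandboxie itself. The function name and the sample configuration are assumptions; the code works on the configuration text only and leaves reading and writing the real Sandboxie.ini to the caller.

```python
import string

def force_drive_letters(ini_text, box, excluded=("C",)):
    # configparser is avoided on purpose: Sandboxie sections repeat keys
    # (Template=, ForceFolder=), which configparser rejects or collapses.
    skip = {e.upper().rstrip(":\\") for e in excluded}
    wanted = [f"{c}:\\" for c in string.ascii_uppercase if c not in skip]

    lines = ini_text.splitlines()
    header = f"[{box}]".lower()
    start = next((i for i, l in enumerate(lines) if l.strip().lower() == header), None)
    if start is None:
        raise KeyError(f"section [{box}] not found")
    # The section runs until the next [header] or the end of the file.
    end = next((i for i in range(start + 1, len(lines))
                if lines[i].strip().startswith("[")), len(lines))

    present = set()
    for line in lines[start + 1:end]:
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "forcefolder":
            # Normalise "d:", "D:\" and "d:\" to "D:\" before comparing.
            present.add(value.strip().upper().rstrip("\\") + "\\")
    missing = [f"ForceFolder={p}" for p in wanted if p not in present]

    # Append inside the section, ahead of any blank lines that trail it.
    at = end
    while at > start + 1 and not lines[at - 1].strip():
        at -= 1
    return "\n".join(lines[:at] + missing + lines[at:]) + "\n"

# Constructed sample input, modelled on the [USB] boxes posted in the thread.
SAMPLE = "\n".join([
    "[USB]", "Enabled=y", "Template=BlockPorts", "Template=LingerPrograms",
    "ForceFolder=E:\\", "DropAdminRights=y", "",
    "[DefaultBox]", "Enabled=y", "ConfigLevel=9",
]) + "\n"

if __name__ == "__main__":
    print(force_drive_letters(SAMPLE, "USB", excluded=("C",)), end="")
```

Running it twice gives the same text, so it can be re-applied after other edits to the box without piling up duplicate entries.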
     
  18. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    I was thinking more along the lines of
    Code:
    [Template_Local_ForceUSB]
    Tmpl.Title=ForceUSB
    Tmpl.Class=Local
    ForceFolder=A:\
    ForceFolder=B:\
    ForceFolder=D:\
    ....
    ForceFolder=Y:\
    ForceFolder=Z:\
    
    Is this possible? If so, where to place this code in sandboxie.ini?
    There are sections labeled [Global Settings],[UserSettings_XXXXXXXX],[DefaultBox] etc
    Is there a separate label or section like "[Templates]" ??

    And what is the syntax to call it in global settings or in a box:
    "Template=ForceUSB" or "Template_Local=ForceUSB" ??
     
  19. camelia

    camelia Registered Member

    Joined:
    Nov 4, 2011
    Posts:
    455
    Location:
    Mexico City
    Where in the USB lines have I set it to auto-delete?

    I am interested :thumb:

    I can not find "Run outside of the sandbox" in SBIE+ :'(
    [Attached image: SBIE.jpg]
     
  20. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena

    That is a good question. On my system the USB box shows without the recycle icon; perhaps you have enabled auto delete in the global section?
    Or the icon wasn't updated, in which case disconnecting and reconnecting to the driver should fix the glitch.

    [Attached image: upload_2022-12-26_20-41-14.png]

    Run outside sandbox is in the run dialog.
     
  21. camelia

    camelia Registered Member

    Joined:
    Nov 4, 2011
    Posts:
    455
    Location:
    Mexico City
    I can not find the option above (run outside sandbox in the run dialog) :'(
    If I click 'Run' these are the options I have:
    [Attached image: 03SBIE.jpg]
    The USB box does not show the recycle icon now :thumb:
    [Attached image: 01SBIE.jpg]

    Thanks
    Camelia
     
  22. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    419
    It's on the Windows right-click menu. (Right click on a file/folder > Run Sandboxed > Run Outside the Sandbox)
     
  23. camelia

    camelia Registered Member

    Joined:
    Nov 4, 2011
    Posts:
    455
    Location:
    Mexico City
    Thank you
    Camelia
     
  24. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Viena
  25. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk