Sandbox type questions

Discussion in 'other firewalls' started by cancelx, Apr 1, 2010.

Thread Status:
Not open for further replies.
  1. cancelx

    cancelx Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    19
    i should have simply started my posts with this--

    GesWall, Sandboxie, VirtualBox etc...

    Questions:

    1. I understand the Firefox will run Inside the box, so to speak, but, can I use the rest of the computer as normal... that is can I work on a WORD article (editing and saving) and also have Firefox running and searching the internet?
    --if so, do i have to go and give permissions every time I edit my Word file, or save it?
    --or, is it simply like running two programs on any computer, just the net is sandboxed? THATS MY BIGGEST CONFUSION.

    2. Any of the programs, I understand if you download a program from within, you can save it to your desktop (or restore from within sandbox)... BUT. Does any of these programs have a SCANNER to actually check the program you are downloading?
    --most videos show people restoring or giving permission to save, and then running the program, but what says if there is a virus on the program you downloaded and/or restored?

    3. If I use an Antivirus with one of these programs, mostly to Scan Downloads I an allowing onto the desktop, will the AV scan WHILE downloading, just like when you aren't using a sandbox type protection?


    Ok, that should get my head around it, sorry for previous topics, should have had a grip on this first...................
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Speaking for Sandboxie

    1 Yes. Neat thing is if you download and open a word file with your sandboxed browser, you can open the document sandboxed, and check it out. If okay, then move it out of the sandbox

    2 Sandboxie doesn't have any av or as type of scannenrs.

    3. Not sure. I don't have any real time scanners on my system. Don't need them. I do run Online Armor ++ which has a scanner, and occasionally I will check something I've removed from the sandbox.

    Also if you've removed, say a jpg file from the sandbox, and aren't sure about it, you can open it in the sandbox if you chose to do so.

    This is just the tip of the iceberg in terms of what you can do with sandboxie.

    Pete
     
  3. cancelx

    cancelx Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    19
    Thanks Peter,

    Peter... regarding #1- I understand about downloads can be removed from sandbox, "but" are programs like Office etc... left out of it, and can you have Office running and editing/saving unbothered by sandbox, WHILE also having the internet running and browsing ?

    And about #3... you have Online Armor Firewall "with a scanner"? so, do you ever notice when downloading from net while within the sandbox, does the scanner ever scan the download first?

    MANY THANKS !

    I see where my security is going !
     
  4. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    Using SandboxIE, your AV should at the very least flag any malware it detects as it is being saved / written to HD. Subsequently "pulling it out" of the sandbox and putting it in quarantine.
    Easy enough to test. DL the eicar.com file while in your sandbox and observe what happens.
     
  5. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
    Hi cancelx. I've been using Sandboxie a couple of years now on my XP machine. Love the program.

    Regarding #1. Yes. If you have Microsoft Office (or any other program for that matter) installed on your real system, you can run that program unsandboxed while, at the same time, running a sandboxed browser. I often will do some banking online in a sandboxed version of IE or Firefox while, at the same time, having an unsandboxed version of Excel open to make related entries in my financial spreadsheets. Othertimes I may have my unsandboxed Windows Media Player running while browsing sandboxed.

    Regarding #2 and #3, as Peter2150 and Bob D point out, Sandboxie does not have any built-in in AV. However, if you have a resident AV installed on your system, it will scan the contents of your sandboxed files just like it scans all your other files and will alert you to any malware. On several occasions my AV (Nod32) has grabbed some bad stuff out of a sandbox as it was being downloaded in the sandbox and quarantined it (although that malware would have been flushed anyway when the contents of the sandbox are deleted).
     
  6. cancelx

    cancelx Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    19
    Thanks very much !

    Basically, I'm down to either GesWall or Sandboxie

    GW looks like it does more, and a little more set and leave it. But Sandboxie looks more tried and true.

    Do either of these Run From Ram, or put the browser into Ra to run isolated?

    I mean, I don't understand how you are SAFE even if you download nasties or visit the site.

    If these run on the hard drive, then even when you reboot... how are they securely getting removed?

    Know what I mean?
     
  7. ChineseChicken

    ChineseChicken Registered Member

    Joined:
    Mar 30, 2010
    Posts:
    8
    Hi cancelx

    I have been useing sandboxie for some time now i it dose take a bit of time to get to know but it worth it .. saved my neck more than once.

    securely getting removed once u set up sandboxie in Sandboxie Control u set it to delete when u exit the Web Browser anything in sandbox is gone .
    I don't understand how you are SAFE even if you download nasties
    Think of it like this If download a virus in a zip file most of the time the virus cant infect the computer till u open the zip file. if u download some nasties in a sandboxed Web Browser it give your av a chance to detect the nasties and deal with them. if it can remove the nasties exit Web Browser anything in sandbox is toast.........
     

    Attached Files:

  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Sandboxie is one of my all-time favorite programs. It is so easy really to understand, it is simply amazing how Tzuk does it.

    When you speak of a sandbox, you think of an area that is played in, building sand castles etc, that is contained so that the sand in the box does not "leak" into the yard. After you are done building your "castle", you rake it flat again to start over, or leave it (weather permitting ;) ) and continue building it later.

    Sandboxies version of this is to create a directory called c:\Sandbox. This is the walls of the sandbox. The driver (presumeably) understands that when anything in this directory is started, it belongs to a sandbox. As well, it monitors for forced applications that live elsewhere, that should be started in a sandbox.

    The nice part is that as you use your sandbox, things you save/download/modify/create are stored in the appropriate spot in c:\sandbox, mimicing the real directories. So for example if you open notepad in Sandboxie, and write some text, then go to save it, and you want to save it in a directory that does not exist, say as c:\test\test.txt. The directory will be created in the sandbox, and the file will be saved too, in the sandbox (c:\sandbox\box\etc\etc\test\test.txt).

    This is a real, physical file and location. A virus could be saved there. The AV will see this, because c:\sandbox is a real location, and the AV will be (usually) watching read/writes. It is not really in memory (the sandbox that is), it is just kept separated from the rest of the OS via the driver.

    If you were to use Windows Explorer to examine c:\sandbox, you will see everything there, in logical order. You can copy out of it. But if you execute something, SBIE is smart enough to know you are in a sandbox directory, and it should start it sandboxed. Many times I find that if I MOVE an item from a sandboxed directory, and then execute it, it starts in SBIE. It is a very smart tool. I usually COPY something if I want to execute it right away without SBIE taking control.

    When you "recover" something out of a sandbox, you are doing the very same thing. It copies or moves it from c:\sandbox to the appropriate directory.

    I use a lot of direct access for things like bookmarks etc, whereby SBIE does not put these into c:\sandbox, but to the real directory. Obviously you need to be judicious about what you allow direct access to.

    I also like to force things like browsers into a sandbox. I then limit what is allowed network access or even allowed to run in these boxes. I have one for each browser, each program I want to use. This ensures that when I start Opera, only Opera can run (no keylogger.exe for example) and also that if keylogger.exe were to start (doubtful) it has no network access.

    This is probably not foolproof, but pretty close for my needs.

    Oh, and the #1 feature I absolutely LOVE about SBIE. When you have rights restrictions in place, they normally don't apply to SBIE. The reason is simple. If I am a user, and my rights say that I cannot modify anything in c:\Program Files, it means I cannot install the brand new "Pong Extreme" game without admin rights. But, if I start the "Pong Extreme" installer in SBIE (presuming I have a sandbox setup correctly), I am not technically writing to c:\Program Files when installing the game, but truly to c:\Sandbox\box\etc\blah blah\Drive\Program Files. So, my User level restrictions do not apply. The option in SBIE to enforce user rights (I forget the title now) is used so that if your normal account outside SBIE is a User and you are restricted in c:\Program Files, that when you run sandboxed items, they act the same way in sense that you are User in sandboxie as well.

    I love this program. HTH.

    Sul.
     
  9. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Great post Sully.
    Sandboxie is without doubt one of the best pieces of code I've ever used.:thumb:
     
  10. cancelx

    cancelx Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    19
    Best Explanation yet !

    Thanks.

    Sadly, meanwhile I went GesWall instead.

    Simple to understand with Firefox, it simply wipes all on exit, but if you see my new post... I can't get aMSN isolated.

    I may consider trying Sandboxie (have to be the free one) if I can run aMSN from in there.

    ps- sandboxie, can you chose to start Firefox isolated or normal per use in the free version, like you can with GesWall ?

    Thanks
     
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    With the free version you have a desktop shortcut to start your default browser sandboxed,only in the paid version can you set multiple programs to always start sandboxed.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hey, nothing to regret. You likely gained valuable experience.

    In a normal default sandbox, if you start aMSN, and there are no restricitons otherwise, anything that aMSN calls to start will start in the sandbox as well.

    It is when you start customizing what is allowed or denied that you need to take into consideration what to add/remove in the sandbox rules.

    Sul.
     
  13. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I have a quick question for you sandboxie guru's. I tried running sandboxie but I noticed that when I ran firefox some of the bookmarks I had weren't showing up when run in the sandbox. I even had erased all the cache and started a new sandbox. Any Ideas?
     
  14. cancelx

    cancelx Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    19
    Sully

    you are talking about Sandboxie right?

    because there's nothing showing it isolated in geswall, no matter what i do. when you start a program with geswall it's not necessarily in isolation, unless it's an app in the list.... er..

    with sandboxie, doesn't it have to be told to run from the sandbox? do you actually install the programs you want to run in sandbox onto the /sandbox section?
     
  15. cancelx

    cancelx Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    19
    Does sandboxie have all the prevention shield stuff GesWall does?

    SB sounds like a more secure type of sandbox, but GesWall sound like built in shields more?

    I know Sandboxie actually makes a playground, so to speak, on the drive, then things run in there, but I'm not sure about GesWall. You can right click any programs and run isolated if you want. I don't know if it catches every aspect of the program or just the main app., and if it's in a designated "protected drive" kinda thing like Sandboxie

    (sorry for my overly technical terms, haa)
     
  16. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Any item that you run as isolated, it's offspring are isolated too. For instances I had downloaded something online. It was an installer for a program (Opera I think). It asked me if I wanted to run it isolated. I did and it proceeded to install. Once it was done, opera.exe and a few other exe were all isolated w/ the geswall Big G. Even when I unzip or extract something geswall asks me if I want that isolated as well. Once you trust or run the program un-isolated, thats it. What I normally do is download it isolated and then run it through MBAM or Asquared. If I'm really paranoid I run it through Jotti.
     
  17. cancelx

    cancelx Registered Member

    Joined:
    Apr 1, 2010
    Posts:
    19
    @KJ

    That's great ! Thanks mate.

    I was surprised, I thought when i closed down an isolated session of Firefox, that history and bookmarks etc... would be gone on restart, but they are all there?

    I guess the point is it runs the program as normal, bookmarking etc... safely AWAY from the rest of the drive incase you do something wrong/ let in something bad, it can't do anything, you just delete from wherever Geswall caches everything?

    Pretty cool. Can't completely understand it, but it's cool !

    And it's lighter on resources and faster than my last setup !

    I even kept all my scanners/wares
    GesWall
    Avast
    Online Armor
    Superantispyware
    Spybot
    Malawarebyes
    Spywareblaster

    ok, i got a little paranoid.............
     
  18. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
  19. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    Master Sully, can you help me setup my sandboxie?
    I find it confusing :(

    My cousins are using my computer and they can't see their downloads from a sandboxed browser.
    If the files are recovered, yes they can see it... but I'm afraid that the recovered files may be run un-sandboxed.

    I don't want to chat with sandboxie but I want it there. :D
    I don't mind reading and applying many configurations... please give me instructions :D
     
    Last edited: Apr 2, 2010
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Well, the sandboxie configuration has been hashed over many times. Here is a good thread on it
    https://www.wilderssecurity.com/showthread.php?t=240008&page=2
    and here is one part where I share some of my config (what I was using then)
    https://www.wilderssecurity.com/showpost.php?p=1478429&postcount=45

    But I will go over some of the basics that you should probably understand here as well.

    Let me state that you might want to go into the GUI portion and find the correlation between what it presented there, and how it is actually written in the config file. It is easier IMO to change the config file, but some might like the GUI better.

    Lets start with the settings that apply to Sandboxie in general and not any specific sandbox. Here is a snippet
    Code:
    [UserSettings_0574015E]
    
    SbieCtrl_UserName=Sul
    SbieCtrl_ShowWelcome=N
    SbieCtrl_NextUpdateCheck=1555555555
    SbieCtrl_UpdateCheckNotify=Y
    These are the basic options you give SBIE. Autoupdate or not, last position, desktop icons, etc. Just your typical stuff. If you don't see it in the GUI, look here as they are fairly self explanatory.

    Next you will have some global settings. As you probably understand, these values are referenced in any sandbox, or all of them. I use a lot of templates in mine, but most sandboxes will use only this one part
    Code:
    ProcessGroup=<InternetAccess_Opera>,foxit.exe,opera.exe
    This global value is of the TYPE ProcessGroup, with the NAME InternetAccess_Opera and the VALUE foxit.exe and opera.exe. So when we refer to that NAME, those executables will be the values to provide.

    Ok, now this part I probably should not show you, but I want you to get an idea of how you configure SBIE, and this sort of makes it modular. Like I said, I use a lot of templates, but usually a particular sandbox would have most of these grouped within the sandbox.

    First, I want to lock down some root files in XP. I don't want anything in the sanbox really touching them. I don't mind if it reads them, but only that, so I use what is called a ReadFilePath. Here I am just telling SBIE "these things are to be read only".
    Code:
    [Template_Local_Lock_Root_Files]
    
    Tmpl.Title=Lock_Root_Files
    Tmpl.Class=Local
    ReadFilePath=C:\AUTOEXEC.BAT
    ReadFilePath=C:\bootmgr
    ReadFilePath=C:\Config.sys
    ReadFilePath=C:\IO.sys
    ReadFilePath=C:\MSDOS.sys
    Next are the default locations that SBIE will monitor for what is called AutoRecovery. This simply means that whatever directory is listed here, SBIE will prompt you (typically) as soon as you save something there IN THE SANDBOX that it can RECOVER them for you to the REAL DIRECTORY right now. When you manually use the option to recover files, it is these locations that SBIE checks to determine if you have anything that can be recovered. If you save something to c:\foo while sandboxed, it saves it to c:\sandbox\box\blah blah blah\drive\foo. If you wanted SBIE to be able to AutoRecover, you would place a value below, to point to c:\foo, then SBIE would check it and say "you have things in foo that can be put to the REAL foo directory, and I can do that for you now"
    Code:
    [Template_Local_Recover_Folders]
    
    Tmpl.Title=Recover_Folders
    Tmpl.Class=Local
    AutoRecover=y
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    Now here is an example of a directory that I downloaded things to. I did not want to include it in the auto recovery. Without auto recovery, I would have to go explore the c:\sandbox directory and copy out what I wanted. That is a waste of time IMO. So, I download everything to one place (which is mydocs\my downloads). But, the trick is to give SBIE direct access to that directory, so that when it goes to save things there, it bypasses the c:\sandbox directory and puts things in the REAL LIVE directory. That is what OpenFilePath does. It tells SBIE that it can read and write DIRECTLY to that spot. Think of it as un-sandboxed.

    NOTE: I have another SBIE sandbox that forces anything in this downloads directory into SBIE. I don't want to download a nasty and then run it. I also use SRP to restrict that same directory. It is the one place I place downloads, and therefore I want to be careful until it is confirmed to be clean. If I am in doubt, I will submit the file(s) to an online scanner.
    Code:
    [Template_Local_Allow_Direct_Access]
    
    Tmpl.Title=Allow_Direct_Access
    Tmpl.Class=Local
    OpenFilePath=%Tmpl.UserDownloads%
    Now this template contains some Opera specific values. I have a template that lays out which files/directories Opera uses for bookmarks, so that this sandbox has direct access to them. I want my bookmarks I make in a sandbox to go to the real opera bookmarks so I don't lose them.

    The ClosedFilePath is saying anything NOT in that global value InternetAccess_Opera will be denied internet access. The value to notify me if something tries to go online but is denied by SBIE is enabled.
    Code:
    [Template_Local_Opera]
    
    Tmpl.Title=Opera
    Tmpl.Class=Local
    Template=Opera_Bookmarks_DirectAccess
    ClosedFilePath=!<InternetAccess_Opera>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_Opera>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_Opera>,\Device\Ip
    ClosedFilePath=!<InternetAccess_Opera>,\Device\Afd*
    NotifyInternetAccessDenied=y
    Finally, I have the actual Opera sandbox parameters. Notice that I just refer to each template I will use with Opera. The templates are categorized to describe what to do. Allowed programs are in one template, locked files in another. On the bottom you see the ForceProcess value. This is what forces Opera into this sandbox, no matter where it lives.

    Code:
    [Opera_box]
    
    Enabled=yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=Local_Lock_Autorun_Registry
    Template=Local_Lock_Autorun_Directory
    Template=Local_Lock_Root_Files
    Template=Local_Allow_Direct_Access
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    Template=Local_Opera
    ForceProcess=Opera.exe
    Like I said, I probably should not have shown you templates because you will not normally see a sandboxie.ini file like that. But I like it because I can sort out what each aspect of each sandbox will do. For example, rather than every sandbox include 16 values that restrict some registry values I want locked, I just create a template with those 16 values listed, and then in each sandbox I reference that template on only one line. It makes it easier for me to read and manage.

    The key here is to understand that SBIE will keep everthing in the c:\sandbox directory somewhere, unless you recover it or manually copy/move it. SBIE will let anything run and access the network, unless you tell it to restrict. SBIE can be told to have direct access to many items if you need it to.

    I would suggest the best way to train yourself with SBIE is to install and look at the default sandboxie.ini file. Open it and try to get a feeling for what is described. Then open the GUI for that sandbox and see how Tzuk has make those text values turn into a nice interface. Most of the values you see will be obvious, ForceProcess will have a logical place in the GUI.

    Once you start getting a feeling for how the .ini relates to the GUI, use the GUI to make your values. But only do a few. Then open the .ini file and see what was modified. SBIE is not incredibly complicated. Each of the templates above has a fairly well named title as to what it does. Find those parameters in your sandbox, and understand how you can limit access to specific programs. Understand how you can give more access to items.

    Develop your own plan. What locations do you need to have available to SBIE. Which locations do you feel need to be restricted. Are there some registry values that you need to let SBIE access, or maybe to deny. If you can struggle through the initial stages, it begins to make sense. While at first it looks like there are a lot of options, you will most likely only use a few:

    Deny execution
    Deny network access
    Make read only
    Allow direct access
    Additional AutoRecover areas

    I probably did not explain this simplistic enough. I apologize. Hopefully you can glean some insight from it.

    Sul.
     
  21. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    I noticed you are using Opera.. can you create me configurations for Chrome? I have bookmarks too.

    Umm.. how do I tell Sandboxie to run sandboxed all recoved files from this config.

    [Template_Local_Recover_Folders]

    Tmpl.Title=Recover_Folders
    Tmpl.Class=Local
    AutoRecover=y
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%



    sorry for asking to be spoonfed, but hopefully this would be the last time :p
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    No, it won't be the last time ;) and that is ok.

    Tell you what, I will make a default sandbox tonight that will encompass many different needs, as a sort of example. I will comment it. I should not have put up those templates because they are only going to confuse you. LOL, but I don't have a regular one anymore.

    Sul.
     
  23. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    Thanks Master Sul.

    Looks like I understand some of the configurations you've shared above.
    I used the gui to implement some of them.


    Is this for XP,VISTA or Win7?
    I cannot see them in Windows XP Pro SP3

    EDIT: oops I think its hidden :)
     
    Last edited: Apr 3, 2010
  24. Mr Wonderful

    Mr Wonderful Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    23
    Guys just make sure when setting up SandboxIE not to forget to check the box "drop my rights"!
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That is good advice, but not always what you might want to do. The lack of the "drop my rights" feature when in LUA can make SBIE become more productive than with it on. It all depends on if you are locking the front gate completely, or just shutting the door ;)

    Sul.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.