How much safer is red box instead of orange box?

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by Glitzersternchen, Apr 10, 2023.

  1. Glitzersternchen

    Glitzersternchen Registered Member

    Joined:
    Sep 5, 2021
    Posts:
    46
    Location:
    Germany
    Since Edge and Firefox sometimes cause problems in the red box, I would like to know how much greater the safety gain is with the red box instead of the orange box. When it comes to preventing malware from surfing or mailing into the sandbox or outside the sandbox, is the orange box sufficient, or is it safer to take the red box and then open some path functions?

    Greetings Sabine
    Win11, SB 1.84
     
  2. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    I think data protection should be enabled in a sandbox with no Internet/Start restriction set, otherwise any program running in the sandbox can easily access any user data in the system and send it to remote servers.
     
  3. Glitzersternchen

    Glitzersternchen Registered Member

    Joined:
    Sep 5, 2021
    Posts:
    46
    Location:
    Germany
    @busy, thank you very much for the clarification, so it is always better, if possible, to select the red box.
    I had also read that downloaded malware in a box tried to start batch files or scripts via cmd.exe.
    Would the following line in a box help to prevent this?

    Closedfilepath = C:\Windows\System32\cmd.exe
     
  4. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    208
    Location:
    Tampa, FL
    I've always wanted to get the red box (Hardened Sandbox with Data Protection) working but I always seem to mess everything up. Too bad there isn't a guide on how to set this up. So you're saying that if I choose the red box and set Start Restrictions to 'Allow all programs to start in the sandbox' also set Network Options-Process Restrictions to 'Allow Access' then everything will work and I'll have better security? If it's way more complicated than that, then I'll stick with the orange box. I try to keep with the settings within Sandboxie and stay away from changing/adding anything to the ini file. The programs I sandbox are Edge, Firefox and Thunderbird.
     
    Last edited: Apr 10, 2023
  5. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Yes a red box is preferable due to the mentioned data protection.

    You don't need to block cmd.exe; any batch files or scripts it starts will be contained within the red sandbox anyway.
     
  6. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    The simplest way to get red/blue boxes working is to run the program one wants to use in an orange/yellow box first and then switch to red/blue for all subsequent runs. Of course, if one uses auto delete, then making a snapshot after the first run, before enabling auto delete, is in order.
     
  7. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,936
    Location:
    UK
    Are you saying to get my red and blue boxes to work in Edge I have to run a yellow box on Edge first and turn off auto delete before making a snapshot and use the snapshot to run Edge in blue or red?

    In Vivaldi I have autodelete turned on for all boxes and the blue and red boxes work perfectly.
     
  8. Glitzersternchen

    Glitzersternchen Registered Member

    Joined:
    Sep 5, 2021
    Posts:
    46
    Location:
    Germany
    @DjKilla: I think @busy meant that if you have a box without restrictions, it is safer to use the red box.
    So not: if a red box is used, all restrictions should be lifted.
     
  9. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    That's what I meant to say, thank you. :)

    @DjKilla

    1. For applications located outside of Program Files, you will need to create a resource access rule accordingly. [MANDATORY]

      If you install Firefox to "X:\MyProgram\Firefox\" then you need to allow that location.
      Code:
      NormalFilePath=X:\MyProgram\Firefox\
      
    2. If you want programs to access user data on the host, you will need to create a resource access rule accordingly. [OPTIONAL]

      If you want to access Firefox Profiles on the host then you need to allow those locations.
      Code:
      Simple:
      NormalFilePath=%AppData%\Mozilla\Firefox\
      
      OR
      
      OpenFilePath=%AppData%\Mozilla\Firefox\
      
      Detailed:
      NormalFilePath=|%AppData%\Mozilla\Firefox\profiles.ini
      NormalFilePath=%AppData%\Mozilla\Firefox\Profiles\MyProfile\
      
      OR
      
      NormalFilePath=%AppData%\Mozilla\Firefox\profiles.ini
      OpenFilePath=%AppData%\Mozilla\Firefox\Profiles\MyProfile\
      
    3. If you want use desktop shortcuts (LNK files) on the host you will need to create a resource access rule accordingly. [USEABILITY]

      Code:
      Simple:
      NormalFilePath=|*.lnk
      
      Detailed:
      NormalFilePath=|%Public%\Desktop\*.lnk
      NormalFilePath=|%UserProfile%\Desktop\*.lnk
      
      ***
      ***
      ***

      NormalFilePath: This allows files to be read, but copies them to the sandbox when a change is made to them and continues to use the files from there unless the sandbox content is deleted. (Yellow/Standard box behavior)

      OpenFilePath: This lets sandboxed programs have direct access to update files and folders outside the sandbox. (Changes will be permanent even if the sandbox content is deleted.)
     
  10. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    For me a red box works for msedge without any special steps, but if one has issues with missing paths, allowing a first run with access and then closing it off is a viable approach.
     
  11. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,936
    Location:
    UK
    I have had a small improvement :)

    I put NormalFilePath=%Local AppData%\Microsoft\Edge\* in Global Settings in the .ini.

    Also, as I have Win 10 Pro, I used gpedit and went to Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge and enabled "Prevent the First Run webpage from opening on Microsoft Edge".

    Red and Blue are opening on Edge 90% of the time now (although Blue seems to struggle to delete itself)
     
  12. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    208
    Location:
    Tampa, FL
    @busy - Well so far so good! So I set the following in Resource Access-Files tab:

    Firefox:
    NormalFilePath=X:\Program Files\Mozilla Firefox\
    OpenFilePath=%AppData%\Roaming\Mozilla\ (Firefox path)

    Thunderbird:
    NormalFilePath=X:\Program Files\Mozilla Thunderbird\
    OpenFilePath=%AppData%\Roaming\Thunderbird\

    How would I add Microsoft Edge? I have a Bitwarden extension that's not showing up, so there's a path to the profile that probably needs to be added. I'm guessing OpenFilePath=%AppData%\Local\Microsoft\Edge\ and maybe NormalFilePath=X:\Program Files (x86)\Microsoft\?

    This is on a Windows 10 system. Many thanks for the help! You explained exactly what I was looking for by posting the file paths to add to the Resource Access section. In the future, is there a way to easily find the paths a program will need to be added?

    @DavidXanatos - I do use Auto delete so thanks for letting me know how to set this up using SnapShot. I'm guessing after taking a SnapShot, I then set the Auto Delete to on and when I close out of the programs after use, the Auto Delete resets the Sandbox to the SnapShot?
     
  13. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    You don't need to create additional rules for programs located in "C:\Program Files\" and "C:\Program Files (x86)\"; they are already open by default in data-protected boxes.

    OpenFilePath=%AppData%\Local\Microsoft\Edge\

    Note: MS Edge sync feature does not work when sandboxed.

    Currently it has to be added manually, maybe adding a new application will be easier if DavidXanatos expands the section on adding programs with the wizard in the future.
     
  14. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    63
    Location:
    United Kingdom
    Can anyone tell me what the pipe means when used with the 'NormalFilePath=' configuration, as I haven't seen that before?
     
  15. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    Pipe: If the setting value begins with a pipe character, no wildcards are added as a suffix. Also, if there is a wildcard already in the pattern, it is not added as a suffix.

    No pipe:

    Code:
    "%AppData%\Mozilla\Firefox\profiles.ini"
    will be
    "%AppData%\Mozilla\Firefox\profiles.ini*"
    and will match
    profiles.ini
    profiles.ini.tmp
    profiles.ini.tmp.etc
    \profiles.ini\profiles.ini.tmp.etc
    Pipe:

    Code:
    "|%AppData%\Mozilla\Firefox\profiles.ini"
    will stay the same
    "%AppData%\Mozilla\Firefox\profiles.ini"
    and will only match
    profiles.ini
     
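    The suffix rule busy described above (and used in the '|*.lnk' and '|...\profiles.ini' rules earlier in the thread) can be checked offline with a small model. This is an added example, not Sandboxie's own code; the real matching lives in the driver source linked above and may differ in details. It assumes a constructed environment-variable table and, following busy's examples, treats '*' as matching any run of characters including backslashes.

```python
import re

# Constructed environment table for offline demonstration only; a real
# Sandboxie install expands these from the sandboxed process's environment.
ENV = {
    "AppData": "C:\\Users\\XXXX\\AppData\\Roaming",
    "UserProfile": "C:\\Users\\XXXX",
    "Public": "C:\\Users\\Public",
}


def expand_env(pattern: str) -> str:
    """Replace %Name% references using ENV (names compared case-insensitively)."""
    def repl(m: re.Match) -> str:
        wanted = m.group(1).lower()
        for name, value in ENV.items():
            if name.lower() == wanted:
                return value
        raise KeyError(f"unknown variable %{m.group(1)}%")
    return re.sub(r"%([^%]+)%", repl, pattern)


def effective_pattern(value: str) -> str:
    """Apply the rule from the thread: a leading '|' suppresses the implicit
    trailing '*' (and the pipe itself is dropped); a wildcard already present
    in the pattern also suppresses it; otherwise '*' is appended."""
    if value.startswith("|"):
        return value[1:]
    if "*" in value:
        return value
    return value + "*"


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Sandboxie-style pattern into an anchored, case-insensitive
    regex. '*' becomes '.*', so it spans path separators as busy's
    '\\profiles.ini\\profiles.ini.tmp.etc' example shows."""
    literal_parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def matches(ini_value: str, path: str) -> bool:
    """Does the ini value (as written after 'NormalFilePath=' etc.) cover path?"""
    regex = pattern_to_regex(expand_env(effective_pattern(ini_value)))
    return regex.match(path) is not None


def classify(ini_value: str, paths: list) -> dict:
    """Map each candidate path to whether the rule would match it."""
    return {p: matches(ini_value, p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths illustrating busy's two cases.
    firefox = "C:\\Users\\XXXX\\AppData\\Roaming\\Mozilla\\Firefox\\"
    samples = [
        firefox + "profiles.ini",
        firefox + "profiles.ini.tmp",
        firefox + "profiles.ini\\profiles.ini.tmp.etc",
    ]
    for rule in ("%AppData%\\Mozilla\\Firefox\\profiles.ini",
                 "|%AppData%\\Mozilla\\Firefox\\profiles.ini"):
        print(rule, "->", effective_pattern(rule))
        for path, hit in classify(rule, samples).items():
            print("   ", "match  " if hit else "no-match", path)
```

Running the script prints the effective pattern for both spellings of the profiles.ini rule and shows that only the piped form is restricted to the single file; the same functions can be used to sanity-check a rule such as '|%Public%\Desktop\*.lnk' before putting it in the ini.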
  16. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    63
    Location:
    United Kingdom
    I did not know that!
    Is this included in documentation somewhere?

    Thanks
     
  17. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    Source code:

    Code:
    https://github.com/sandboxie-plus/Sandboxie/blob/401d5d892b298a02b97a7150c7fa0d5385355d4c/Sandboxie/core/drv/process.h#L275-L276
    
    https://github.com/sandboxie-plus/Sandboxie/blob/401d5d892b298a02b97a7150c7fa0d5385355d4c/Sandboxie/core/drv/process_util.c#L648-L649
    
     
  18. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Good question, I hadn't noticed it, but it is as busy wrote.
    That said, the SandMan UI will display the effective pattern in the access list, so it will show it with the appended * when appropriate and will hide the pipe character from the display; of course, when you double-click the entry it will show the actual value from the ini.
     
  19. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    63
    Location:
    United Kingdom
    That's quite a useful find although I'm getting unexpected results.

    Here's a simple example to replicate the behaviour I'm seeing:
    • Create a 'Hardened Sandbox with Data Protection' accepting the defaults.
    • If I open notepad in the sandbox, then choose 'File > Open' in the resulting window I see the error message "C:\Users\XXXX\Desktop is unavailable...." because it doesn't have access to the Desktop folder. I assume it uses this location by default as it doesn't have access to registry keys that contain the last used folder?
    • So if I add:
      • NormalFilePath=|%USERPROFILE%\Desktop
      • then open Notepad in the sandbox again and 'File > Open' I see the contents of my actual Desktop in the initial browse window, but if I browse to 'C:\Users\XXX\Desktop' I see nothing (as I should).
    • If I close notepad then repeat the process again, the initial Desktop display is now different, I assume because a skeleton profile has been created in the sandbox.
    Is there a reason I'm initially able to see the contents of my real Desktop?
     
    Last edited: May 4, 2023
  20. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    NormalFilePath means it should be readable.
    Why you see nothing when browsing to 'C:\Users\XXX\Desktop' is the actual question, as the desktop being a NormalFilePath should allow listing.
     
  21. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    63
    Location:
    United Kingdom
    Oh, I was hoping it was a feature of using the PIPE (no wildcards are added as a suffix).

    With the extra slash on the end (|%USERPROFILE%\Desktop\) I can see everything in the root of the directory but can't actually read anything (including descending into directories).

    Without the final slash I can browse to the folder but can't see anything in it, which is actually really nice as it offers greater data protection. If I wanted to, I could then add 'WriteFilePath=%USERPROFILE%\Desktop\' so it can write to the Desktop. Is there another way of achieving all that?
     
  22. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    Warning: If you have personal information in the sandbox, don't forget to take a backup first!

    1. Take a snapshot using Sandboxie Snapshots Manager. (Right click on the box)
    2. Enter the snapshot-x folder created inside the sandbox. (using unsandboxed file manager)
    3. Create the folders (or files) you want.
    4. You can delete other files or folders in snapshot-x other than the ones you created yourself.
     
  23. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    63
    Location:
    United Kingdom
    I'd prefer to have all the requirements fulfilled by the sandbox configuration really, rather than require additional processing steps. Maybe we could have a configuration option for that, alternatively, is there any way to use the 'On Box Init' triggers to create the necessary folders in the sandbox e.g. 'C:\Users\XXXX\Desktop'?
     
  24. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    Have you tried using NormalFilePath and WriteFilePath together?

    Code:
    NormalFilePath=C:\Users\XXXX\Desktop\
    WriteFilePath=C:\Users\XXXX\Desktop\
     
  25. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    How are you able to get Vivaldi to run in red/blue boxes without giving access to the entire profile? Doing that kind of defeats the purpose of using sandboxie.
     