Proper way to use sandboxie? What is Sandboxie (+Restrictions)?

Discussion in 'sandboxing & virtualization' started by GrammatonCleric, Aug 20, 2011.

Thread Status:
Not open for further replies.
  1. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Define Restrictions please? Or a guide to properly configure sandboxie for risky browsing on Win7 64bit.
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Sandboxie control >sandbox default=under sandbox settings,program start-forced folders and forced program example IE forced sandboxie or forced programs will be forced to start sandboxed but you must add them manually.Under restrictions internet access as an example by placing IE restricted it will be the only thing allowed to internet access while sandboxed. Start run by placing programs will be the only things that are allowed to run in sandboxie.Drop rights same as Dropmyrights for administraters and power users.under resource acces you can block file and registry access where the files or registy will not be accesible at all will running sandboxie.

    Others can chime in with more but there so much to it but with the settings I mention above = extremley tight security but just keep in mind it also come with a price of restricting the user as well. Testing and running software for example in the sandboxie is not happening under these settngs.For internet facing this is great but for running or testing is out.I Hope this helps some. cheers
     
    Last edited: Aug 20, 2011
  3. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    "under resource acces you can block file and registry access where the files or registy will not be accesible at all will running sandboxie."
    -----how do you do this?
    also if i block registry access..will my registry cleaner work?
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Maybe this will help.www.sandboxie.com/index.php?ResourceAccesssettingsUps sorry the link dont seem to open where I wanted but help topics,sandboxie control,sandboxie settings,scroll down to resources thanks.Um one thing I should have mentioned,that many of these feature are not available in the free edition.
     
    Last edited: Aug 20, 2011
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
  6. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Risky browsing? The way I see it, all browsing is risky and that makes it
    a good reason to always run the browser under Sandboxies supervision.

    In a few words, restricting the sandbox, basically has to do with what
    you allow to run and connect in a sandbox and what those programs
    can do in the sandbox.
    Read this, it might help you.
    http://www.sandboxie.com/index.php?RestrictionsSettings

    I always allow as little as possible without losing usability. That what I
    try to achieve in all my sandboxes and get it done.

    Bo
     
  8. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    You have an application inside a sandbox, but the application is inside a sandbox replicating a non restrictive OS - it can allow allow malware to work as designed - if you don't put some stoppers on the sandbox behaviour. Your protection is rebooting and the malware affected changes are gone.

    Restrictions give you real-time protection.

    1) Under Resource Access/Registry Access/Read-Only Access I add C:\

    2) And Dropped Rights

    These two I use as a minimum in every sandbox. I also think adding automatic delete invocation to every sandbox is as important.

    I also add file restrictions on sandboxes, like blocking access to Documents/Photos/Music/Other drives ... but you have to be careful with these ... you can prevent the functionality of the sandboxed program.

    When you're adding to a sandbox file/internet/start up restrictions, you might have to do a bit of detective work, figuring out the bare minimum that an application needs to fully function. Paying attention to Sandboxie warnings is the key - which file attempted to run/access internet, etc - you can use this to get a functional restricted sandbox.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    This is the same process I take when restricting a sandbox.

    Bo
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Indeed, Bo! And I always think it is worth noting that SBIE's default condition (with nothing added in the restrictions) allows everything to have start/run and internet access. The moment a user adds even one item, it becomes the only process allowed... along with each subsequent addition, if any.
    :thumb:
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Right on bro. This is also the time to put some attention to SBIE messages
    that tells us what else we need to allow internet or start/run, in order to
    achieve a perfectly working restricted sandbox.

    Bo
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    verclsid.exe for XP users comes immediately to mind. :)
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The proper way to use it is of course the way the you need to use it. At its default level, it is proper for some, for others, not so much.

    When you think about restrictions, you need to think about how much restriction you really need. Many times you might only need to restrict a sandbox to only allowing one program to run in it. It would not matter if the file system or registry were read only or not, as you have a very specific purpose.

    This is how I approach it anyway. My favorite feature of SBIE is that I can create a separate sandbox for a specific program or a group of programs, and each sandbox can be configured differently.

    For example, you could have a sandbox for a browser which has a few different restrictions put in place (like those mentioned), which is very locked down. And then you might have another sandbox for a different program that you believe to be benign and only apply one or two restrictions.

    The only important part to remember is that, as already mentioned, a sandbox environment can get a malware just like the real environment can. While it contains this malware and can delete it easily, it can still run within the sandbox. This means something like a keylogger could exist within the sandbox environment, and could send data "home". That is why the restrictions are used, to make the sandbox environment more secure, even though the sandbox itself is secured in respects to the system.

    Sul.
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hi Sul
    Tell me if you agree with this...
    Keylogger.exe can start/run and access internet inside SBIE in a default sandbox.
    Keylogger.exe cannot start/run and access internet inside a sandbox that has restrictions applied, and none of them are named keylogger.exe.
    :)
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I would agree to that on these conditions.

    The sandbox allows ONLY firefox.exe to run.
    The keylogger is NOT named firefox.exe.

    It would be wise to use an FQP in the restrictions. That is "Fully Qualified Path". That means you use c:\program files\mozilla\firefox\firefox.exe rather than just firefox.exe. This way the only thing that can run is firefox.exe at that very specific location. And further, once you start firefox, you cannot create another file of that name in the same place while it is running.

    In those conditions, yes I would completely agree.

    Sul.

    EDIT: forgot to mention, you have to go about this manually to use an FQP. Not something a beginner can do most likely. That should be a feature request I suppose. I used to do that using templates.
     
  16. wat0114

    wat0114 Guest

    My restrictions allow, amongst several programs, Firefox.exe and Chrome.exe to run and access the Internet.

    Question: what happens if, for example, I'm running Firefox, and a keylogger I inadvertently allows named "Chrome.exe" attempts to run and access the Internet?

    *EDIT* looks like Sully has already answered this above :)
     
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Isn't SBIE effectively using a FQP when a user browses to the program to be added to the restrictions (by using the Open/Select File feature in SBIE)?
    SBIE Open-Select File.jpg
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Oh, and I neglected to ask... are you stating the above because a keylogger with an identical name as any other permitted executable could run?
    (Hope I worded that right)
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Installing the wrong addon, a infected, malicious addon can get a
    keylogger in our browser and infect us even with the restrictions.

    @page, I believe that's what Sully meant.

    Bo
     
    Last edited: Aug 21, 2011
  20. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    Thanks keyboard,but if i do this,will my registry cleaner,uninstaller program [removing keys in regedit] work ok?
    -also i store my backup images in another partition,how can i block access to that partition and only allow my backup image program
     
  21. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Hi, Sandboxie is a replicated registry itself, but functions for only whatever you're running sandboxed. Your real OS registry and Sandboxie are two seperate entities. The only times you might leave your system open to sandboxed application actions are when, for instance, you allow a browser bookmark adding rights ... or allowing Firefox real-time access to it's own phishing database. You then leave a small opening to your real registry which anything inside the sandbox could permanently manipulate. I take the risk - these are helpful and make Sandboxie functional to me. It's a slight gap in the armour, still.

    To add other drives go to Resource Access/File Access/Blocked Access click Add Program ... then click Open|Select File (as in Page42's pic above) and just link to each drive you want to block access to.

    BTW, Sandboxie has never flagged me to say something sandboxed has just tried to manipulate the real registry, it's just a peace of mind thing. Adding C:\ to blocked real-time registry access in theory shouldn't be needed. I know some people have added startup locations to this setting, as well. This is why automatic deleting sandboxes is a needed, IMO, it ensures anything dangerously lingering won't be booting back up in the sandbox.
     
  22. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    Thanks Keyborad,great explanation.
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Well, I don't think it is using a FQP. It puts this info in the .ini file, and you can see what it writes there, which is just a name, not a path. I don't think it creates a data file anywhere that would store the actual path to the item.

    In truth, I cannot say it is or is not an FQP. All I can go with is that my .ini file works if I make it manually, thus I take it for granted that what you see in the .ini is what you get. And since the GUI makes no path in the .ini, I think it is not fully qualified.

    I am most certain we will have some more info on this within the next day, as there are a few members here who love it enough to ask the developer himself ;)

    Sul.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I understand what you're saying about the info stored in the .ini file, but it just doesn't seem right that there would not be a FQP. Without one, any identically named executable could be starting up, Sul, and that would include non-malicious files like older versions of a software that might still be on the HD (old media players, old pdf readers, etc). Since that is not happening, that tells me that there has to be some form of qualification. However, you are far more knowledgeable about Sandboxie than I am, Sul. I just follow you around and try to pick up bits and pieces of info here and there. I am really happy when you bring stuff like this to everyone's attention. ;)
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    There is no FQP that I can see you can make with the GUI.

    This applies to forced execution. This applies to restrictions. The test is simple, try it yourself.

    Make the rules/restrictions using the GUI:

    Force firefox to run in a sandbox. Now pick any other executable and rename it to firefox.exe. It will be forced, no matter where it lives.

    In a given sandbox, whether forcing or not, create a start/run restriction to only allow firefox.exe. Now rename another executable as firefox.exe, and run it. It is allowed. Other file names are not.

    You cannot just put an FQP into the .ini spots either. I cannot remember now whether I was working with program names or paths to different areas, but I did a bunch of work using templates in the .ini file a few years back. I know you can do a lot if you desire, but I don't recall now what my findings were.

    Sul.
     
Loading...
Thread Status:
Not open for further replies.