Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

  1. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,519
    Location:
    Nicaragua
    Forcing programs is auto sandbox. Sandboxie is not a system wide sandbox but an application sandbox.

    Bo
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    Yes, but I often have to give Sandboxie direct/full access to certain folders for convenience. If noobs or less experienced users download malware to these folder locations, it's game over. I could make them download stuff inside the sandbox, but that will not help to protect against ransomware running inside the sandbox.
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,410
    Location:
    USA
    Why would it not? Shouldn't anything it touches also be copied into the sandbox?
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,311
    Problem is a lot of things downloaded can't be installed in a Sandbox, so the program has to be taken out of the sandbox to install. Yes anything that runs in the sandbox is protected.
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,519
    Location:
    Nicaragua
Direct access is fine, malware can't take advantage of it, but if you allow Full access (like Rasheed), you are opening a big hole in Sandboxie that can be taken advantage of by programs you download, install, drive-bys, anything running in the sandbox would have access to. So, if you are browsing using a sandbox that has Full access to some folders, you are opening a Grand Canyon type of hole, malware can get in.

    Bo
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,410
    Location:
    USA
    Ok, thanks for the clarification. I was confused by this:
    "I could make them download stuff inside the sandbox, but that will not help to protect against ransomware running inside the sandbox."
    as it said "stuff inside the sandbox".
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    From what I understood, if ransomware runs in the sandbox itself, then all files in the sandbox are encrypted. But it won't be able to touch files outside the sandbox.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,519
    Location:
    Nicaragua
    The problem can happen when you allow Full access, read the description for Full access.

You said you allow Full access for convenience. You shouldn't. Perhaps it is OK using the setting for testing a well-known program, but using the setting left and right is an absolutely bad idea.

[attachment: Sin título.jpg]

    Bo
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    This is absolutely necessary because if you don't, it will confuse noobs. So the solution is to auto-sandbox all that is downloaded into certain folders on the real machine. If noobs want to install some app non-sandboxed, they should perhaps have an option to run software outside the sandbox via context-menu.
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,410
    Location:
    USA
    That was the point I was trying to get at but was unclear on whether or not full access to unsandboxed folders was allowed. I do not allow it access to anything that is not in the defaults.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,519
    Location:
    Nicaragua
Direct file access is safe: When you allow Direct access, only programs that are installed in your real system can have this access. Malware that gets in the sandbox can't take advantage. Programs you install in the sandbox can't take advantage.

    The problem can happen if you allow Full access.

    Bo
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,100
    If you are using Forced Folders for your Downloads directory and want to launch a program unsandboxed, you can press "Ctrl+Shift" while you click on "Run Sandboxed". Now the program is running unsandboxed.
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,731
    Location:
    .
    When EXE Radar Pro had an Online Help File. Full Access was, as I recall, instructed. I've always had Full Access *\mailslot\NVTInj\* in my sandboxes.
     
    Last edited: Dec 9, 2017
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    I think I'm starting to get confused. Basically, I give full access to some folder on the desktop. This means that noobs can save all files to this folder. If they execute ransomware, it can encrypt the whole system, no matter if you use direct or full access, correct?

    Of course, like Mood said, you can use the "forced folder" feature. This means that ransomware can't encrypt files outside the sandbox, but all files inside are encrypted. Also, if the noob-user saves it to another non-forced folder, it can still encrypt the whole system. The solution would be to auto-sandbox all executables except for certain folders. Does this make sense?
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,519
    Location:
    Nicaragua
Have you tried giving Direct file access to the folder on the desktop instead of Full access? Rasheed, you should be able to do so. You don't need to allow Full access to bypass sandboxing for downloading by a browser.
    I am no malware expert or even a 1000 miles close, Rasheed. But I am not sure Forced folders is gonna help if your files get encrypted by way of you allowing sandboxed programs Full access to a folder. Remember, Forced folders kicks in when you run a file placed in a Forced folder. So, if the ransomware can encrypt files in that folder without having to get out of the browser sandbox, just by having access, it can encrypt. But if the ransomware has to drop a file in the folder, and run from there to encrypt files in the system, then Forced folders would protect.

    Bo
     
    Last edited: Dec 9, 2017
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,883
    Location:
    The Netherlands
    The question is if it even matters in the scenario that I described. If malware is downloaded into the folder and runs, it can encrypt files no matter if it has only direct access, is this correct? If not, then direct access should indeed do the trick.

    Actually, I have always chosen direct access and NOT full access, luckily. So what would this mean, would ransomware not be able to encrypt files both in the sandbox and real system? EDIT: I just saw you already answered it.

Perhaps it's also an idea to run a tool like 360 Document Protector inside the sandboxed folder, to make sure that even if ransomware manages to encrypt files, you still have a backup. But I'm not sure how trustworthy this tool exactly is.

    https://blog.360totalsecurity.com/en/360-document-protector/
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,519
    Location:
    Nicaragua
    If you use Direct access, the ransomware can not have access to your Download folder.

    If the ransomware runs in your browser sandbox, it can encrypt within the sandbox but all is gone when you delete the sandbox.

    If you download the malware, and it runs out of a Forced folder, the infection is sandboxed, brother. It can not hurt you.

    Bo
     
  18. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,206
    Location:
    USA
    Quick question...Is it more secure to add the entire folder of a program rather than just the .exe for example TeamViewer.exe? I've always wondered this but never thought to ask.
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,519
    Location:
    Nicaragua
    The right way to force programs is to add the exe.

    Bo
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,100
    Forced Programs:
    If you add TeamViewer.exe, no matter where the file is, it will be run sandboxed.
    Forced Folders:
    Any program in this folder will be run sandboxed.

Directory names can change sometimes (after installing a new version), and if you forget to add the new folder to Forced Folders, it will be run unsandboxed.
    By adding TeamViewer.exe to Forced Programs you can make sure that it will be run sandboxed.
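An added example, not from this thread or from Sandboxie's own tooling: a small Python audit that parses a constructed Sandboxie.ini and reports, per sandbox, the Forced Programs and Forced Folders mood describes above, and flags the Full access entries on file system folders that bo elam warns about in posts 5 and 11, suggesting Direct access instead. The ini keys (ForceProcess, ForceFolder, OpenFilePath for Direct access, OpenPipePath for Full access) are real Sandboxie settings; the user name, paths and sandbox names are made up, and the "Program Files" folder heuristic is this example's own.

```python
"""Audit a Sandboxie.ini for the settings discussed in this thread (added example).

Sandboxie Control labels and the Sandboxie.ini keys behind them (real settings):
  Forced Programs -> ForceProcess=<exe>
  Forced Folders  -> ForceFolder=<path>
  Direct access   -> OpenFilePath=[<exe>,]<path>  (refused to programs whose exe lives in the sandbox)
  Full access     -> OpenPipePath=[<exe>,]<path>  (granted to everything in the sandbox, malware included)
"""
from collections import defaultdict

# Constructed sample configuration: user name, paths and sandbox names are made up.
SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%

[DefaultBox]
Enabled=y
ForceProcess=firefox.exe
ForceFolder=C:\Users\alice\Downloads
OpenFilePath=C:\Users\alice\Downloads
OpenPipePath=C:\Users\alice\Desktop\Shared
OpenPipePath=*\mailslot\NVTInj\*

[TeamViewerBox]
Enabled=y
ForceProcess=TeamViewer.exe
ForceFolder=C:\Program Files\TeamViewer
"""


def parse_sandboxie_ini(text):
    """Return {section: [(key, value), ...]}; duplicate keys are kept, in order.

    (Python's configparser would collapse the repeated OpenPipePath lines.)
    When reading the real file, open it with encoding="utf-16": Sandboxie stores it as Unicode.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def split_program_prefix(value):
    """Settings may be scoped to one program: 'firefox.exe,C:\\x' -> ('firefox.exe', 'C:\\x')."""
    head, sep, tail = value.partition(",")
    if sep and head.lower().endswith(".exe"):
        return head, tail.strip()
    return None, value


def is_file_system_path(path):
    """Named pipes and mailslots (e.g. the NVTInj mailslot in post 13) are not file folders."""
    low = path.lower()
    return not ("\\pipe\\" in low or "\\mailslot\\" in low or low.startswith("\\device\\"))


def audit_sandbox(entries):
    """Summarise one [Sandbox] section and list the risky settings."""
    forced_programs = [v for k, v in entries if k.lower() == "forceprocess"]
    forced_folders = [v for k, v in entries if k.lower() == "forcefolder"]
    findings = []
    for key, value in entries:
        if key.lower() != "openpipepath":
            continue
        program, path = split_program_prefix(value)
        if is_file_system_path(path):
            scope = f"for {program}" if program else "for every program in the sandbox"
            findings.append(
                f"Full access on folder {path} {scope}: anything running sandboxed, "
                f"including dropped ransomware, can write it. Use OpenFilePath={value} instead."
            )
    # Heuristic specific to this example: forcing an install directory instead of the exe
    # breaks silently when the directory name changes with a new version (post 20).
    for folder in forced_folders:
        if "program files" in folder.lower():
            findings.append(
                f"Forced folder {folder} looks like an install directory; "
                "add the program's exe to ForceProcess so a renamed folder does not unsandbox it."
            )
    return {"forced_programs": forced_programs, "forced_folders": forced_folders, "findings": findings}


def audit_ini(text):
    """Audit every sandbox section, skipping Sandboxie's global/user sections."""
    parsed = parse_sandboxie_ini(text)
    return {
        name: audit_sandbox(entries)
        for name, entries in parsed.items()
        if not name.lower().startswith(("globalsettings", "usersettings"))
    }


if __name__ == "__main__":
    for box, report in audit_ini(SAMPLE_INI).items():
        print(f"[{box}] forced programs={report['forced_programs']} forced folders={report['forced_folders']}")
        for finding in report["findings"]:
            print("  !", finding)
```

Run as-is it audits the embedded sample; to audit a real installation, read `Sandboxie.ini` from the Windows directory with `encoding="utf-16"` and pass the text to `audit_ini`. The mailslot entry is deliberately left alone, since Full access on a pipe or mailslot (as in post 13) is not the folder hole the thread is about.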
     
  21. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,206
    Location:
    USA
    Thanks guys I was just curious :)
     
  22. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    1,113
    Location:
    Da mean streets of Brooklyn
Can someone please confirm the process of automatically opening applications sandboxed from the docker? I'm using the Default Box as ObjectDock itself is an excluded program. What I did was add the apps' exes to Forced Folders but sandboxing upon initial run of, say, Firefox is inconsistent. Thanks!

[attachment: Screenshot (22).png]
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,519
    Location:
    Nicaragua
Hi plat1098, I am unfamiliar with docker or how it works, but to force programs, you should use Forced programs. Forced folders is supposed to be for folders like your Downloads folders, USB drives, folders where you save files, and you want those files to run sandboxed automatically when they get executed.

    So, try adding the apps' exes as forced programs. I would also create a new sandbox for these programs; for the new sandbox, don't copy settings from existing sandboxes.

    Bo
     
  24. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    1,113
    Location:
    Da mean streets of Brooklyn
Ah, OK. Looking at Sbie's configuration notes, it says that Forced Folders take precedence over Forced Programs, that's why I configured it that way. Yes, I had created a new sandbox for Firefox and it was recognized already, but it seems I'll need to set up another one for some others in the docker. I'm pretty confident you set this straight, so thank you in advance @bo elam. :)
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,519
    Location:
    Nicaragua
That's even better. The more you isolate programs from each other by using separate sandboxes for different programs, the better you are (more secure, less chance of compatibility issues).

    Bo