Sandboxie and Java

Discussion in 'sandboxing & virtualization' started by Page42, Jun 17, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I also allow direct access to my downloads folder. I just don't force the folder into a sandbox.

    Or, are you referring to the fact you also allow direct access to the downloads folder in the media player sandbox?
     
  2. chris1341

    chris1341 Guest

    I've just tried opening direct access to my forced media player and pdf reader to the forced downloads directory and the folder still takes precedence when opening pdf and media files.

    Anyway sorry for dalliance way OT. It works well regardless as it is. Just would have been nice if it worked as Sully's.

    Cheers
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks for testing it. Indeed, I wonder how that happens to Sully's setup as well...
     
  4. chris1341

    chris1341 Guest

    No probs. Maybe we'll find out!

    One of the many advantages of this great little app is that the configuration variations are almost limitless. I'm fairly conservative in my tweaking in comparison to guys like Sully so there are likely to be many differences in how we set-up. Mine is working well for me though whether files open in the folder or application boxes as long as they are sandboxed I know I'm never more than a click or two away from dumping any stray nasties I might come across and they are tightly restricted for the short time they will survive.

    Cheers
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Forcing my downloads folder to always open sandboxed is one of my favorite
    uses for Sandboxie. The last 5 lines from your post describe exactly how
    I feel about using one folder for all my downloads.
    Since I can remember, I always used one folder for downloads, Sandboxie
    just made everything safer.

    Bo
     
  6. chris1341

    chris1341 Guest

    OK, I can now get this to happen by forcing the folder in the same box as the application. I had been forcing the folder in a separate box only. If I also add it to the application specific boxes I can get the application based box, and resultant rules, to trigger from the forced folder.

    Only issue is if I force the folder in multiple application boxes it seems to use the first one it comes to in the ini file, so for example tries to open a pdf file in the media box because it forced there first. So in actual fact it is still the folder rule taking precedence but........

    Anyway, it at least shows me how it would seem that an application specific box could launch from a forced folder in another box. That will do for me, back to forced folder in its own box only!

    Cheers
     
    Last edited by a moderator: Jun 18, 2011
  7. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Yes sandboxie is extremely flexible

    My suggestion for browsing with java :
    Use portable internet browser or make one yourself using cameyo.
    Make sure flash and java is included in the portable browser.
    Run it on separate sandbox, with this set up, u can delete sandbox without any need to reinstall anything ;)

    Use that separate sandbox only if u need them :D

    The goals are :
    1. Avoid installing java to real os
    2. Ability to delete sandbox to add a safety measure
     
    Last edited: Jun 18, 2011
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't think that forcing a downloads folder to all those sandboxes would be the approach, though.

    Not the one Sully took either, I believe. He forces his downloads folder to its own sandbox only, I think. Which makes me wonder how the heck he managed to do what he mentioned. :doubt:
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    But, it would require anyone needing Java to have to rebuild a new portable browser every time a new Flash version comes out, or when a new Java version comes out... or when a new browser version comes out... I wonder which way would be faster. :argh:
     
  10. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763

    Sully's way is much faster in that perspective.

    But like Sully said, we don't need newest java/flash, since sandboxie will maintain it clean and safe, especially if you delete sandbox on every exit. ;)

    The point is to use that special sandbox only if you need them, and use it wisely
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I guess the reasons would be more of a question like: Sandboxie allows me to do it... so... should I do it? :D

    "Joke" aside, it all comes down to whether or not you consider that you'd have, say, some folder, which you may consider to contain info you wouldn't like programs running in the sandboxes to read it.

    In my own setup, I do find a space for this approach. I don't widely use it, but I just restrict a bit.

    I don't know, imagine you have documents in your Documents folder, and you wouldn't like for your web browser to read that folder. Why not forbid the browser's sandbox processes from reading it, for example?
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    Good explanation.
    The possibilities become endless, do they not, m00nbl00d? :)
     
  13. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    This is an interesting discussion, and I feel a little puzzled here. If we do give java internet privileges, and everything is run in the java virtual machine, we still leave the hole for programs to read out our data.

    I have no concerns about a java app breaking out of Sandboxie... but reading data has been a hole I've tried to plug. I have stopped new executables from running in my Sandbox with applocker rules... but something like java needs to be allowed to run, and java code is run from within the confines of the java.exe, javaw.exe and javaws.exe.

    I'm thinking that with Java you'd have to make a sandbox where it simply could not read out of your user profile..
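
Added example, not part of any post in this thread: a small Python audit of a Sandboxie.ini that lists folders forced into more than one box (the situation chris1341 describes, where the first box in the ini file wins) and boxes that carry no ClosedFilePath rule, the kind of read block discussed above for the Documents folder and the user profile. The box names, paths and sample configuration are constructed; ForceFolder, ForceProcess and ClosedFilePath are Sandboxie settings.

```python
from collections import defaultdict

# Constructed sample configuration (box names and paths are made up).
SAMPLE_INI = r"""
[GlobalSettings]

[MediaBox]
Enabled=y
ForceProcess=vlc.exe
ForceFolder=C:\Users\me\Downloads
ClosedFilePath=C:\Users\me\Documents

[PdfBox]
Enabled=y
ForceProcess=AcroRd32.exe
ForceFolder=c:\users\me\downloads\

[JavaBox]
Enabled=y
ForceProcess=java.exe
ForceProcess=javaw.exe
"""

def parse_boxes(text):
    """Return {box: {setting: [values]}} in file order; a setting may repeat."""
    boxes, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            # Non-sandbox sections are skipped.
            skip = name == "GlobalSettings" or name.startswith(("UserSettings_", "Template_"))
            current = None if skip else boxes.setdefault(name, defaultdict(list))
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()].append(value.strip())
    return boxes

def forced_folder_conflicts(boxes):
    """Folders forced into several boxes, mapped to those boxes in file order."""
    seen = defaultdict(list)
    for box, settings in boxes.items():
        for folder in settings.get("ForceFolder", []):
            seen[folder.rstrip("\\").lower()].append(box)
    return {folder: names for folder, names in seen.items() if len(names) > 1}

def boxes_without_read_block(boxes):
    """Boxes with no ClosedFilePath rule at all (coarse check, paths not evaluated)."""
    return [box for box, settings in boxes.items() if not settings.get("ClosedFilePath")]

if __name__ == "__main__":
    boxes = parse_boxes(SAMPLE_INI)
    for folder, names in forced_folder_conflicts(boxes).items():
        print(f"{folder}: forced in {names}; first listed is {names[0]}")
    print("no ClosedFilePath rule:", boxes_without_read_block(boxes))
```
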
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Quite right.

    Sul.
     
  15. chris1341

    chris1341 Guest

    I agree and I'm equally sure it would not have been Sully's approach. It's clunky and inelegant but as far as my limited knowledge takes me I'm afraid. I've tried a few other things but folder precedence always wins out but as I say I always thought that was the case so have set-up accordingly and therefore lose nothing from being unable to get it to work.

    Cheers
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, I don't think Sandboxie allows us to(/does it by default) forbid one sandbox from reading another sandbox?

    I actually think someone suggested this before at Sandboxie's forum. I just didn't find the specific thread as of yet.
     
  17. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Sorry Sully, I did not see that post of yours.. In my defense, it's been a long thread..
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I've come across an interesting Sandboxie thread over Sandboxie forum - http://www.sandboxie.com/phpbb/viewtopic.php?t=6672

    I also came across an interesting behavior with Adobe Reader X.

    First of all, my downloads folder is not forced to run in any sandbox.

    That being said, I did force Adobe Reader X to run into its own sandbox. I monitored it with Process Explorer. Adobe Reader AcroRd32.exe medium and low integrity level processes do not open within Sandboxie processes SandboxieRpcSs.exe and SandboxieDcomLaunch.exe. They open as outsiders.

    Sandboxie does show Adobe Reader X as being sandboxed, though. My suspicions started when Sandboxie would not automatically clean Adobe Reader X sandbox, when closing the PDF file.

    Not only that happens, both Adobe Reader X medium and low integrity level processes are initiated with a medium integrity level. That is, there's no sandbox (Protected Mode/low integrity level).

    So, those forcing Adobe Reader X inside Sandboxie would be at great risk, because not only isn't it being sandboxed, it is now running outside the Protected Mode.

    The alternative is to run a sandboxed Windows Explorer and open the PDF files from there. Which not only runs them sandboxed, as Adobe Reader X sandbox (Protected Mode) remains intact... apparently.

    Or... if you don't want to have the hassle of doing that, just use Adobe Reader X alone.

    :argh: Always finding new things... :ouch:
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    I tried it again, and now Protected Mode remains intact. It seems it won't always happen. Nonetheless, it may happen at some point. The issue seems Windows itself and not Sandboxie.

    -edit-

    This time, Adobe Reader X processes do open within Sandboxie processes, but AcroRd32.exe only has a medium integrity level and no low integrity level. In other words, there's no Protected Mode. Apparently, anyway. Going to Process Explorer Security tab for that medium process reveals it's a low integrity level.

    Same situation as in Google Chrome. :D
     
    Last edited: Jun 25, 2011
  20. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    I would trust Sandboxie's sandbox over Adobe Reader's. It has already been shown to be vulnerable (before the latest patch).
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    hpmnick, can I get a source for recent vulnerabilities? I don't doubt you, I just am curious since I know their sandboxing was a really big step forward.
     
  22. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    there were a bunch for each iteration of reader X, but a quick google search first turned up this one..
    http://www.adobe.com/support/security/bulletins/apsb11-16.html

    Even with its protected mode, I'd say that Adobe software is prone to security vulnerabilities, so I wouldn't put too much faith in Adobe's security alone. Their effort to make the software more secure is great, but I merely think the nature of Sandboxie's protection will always be far superior. It works at a completely different level, and would probably require a sandboxie specific exploit to perform a true bypass.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Interesting. I was mostly just curious because I'd read about the sandboxing a while ago -- a lot of different companies (Google and Microsoft for example) chipped into their security to try to beef it up.
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I don't use Adobe Reader but if I was, without hesitation, I would choose to
    use SBIE to sandbox anything that uses that program. Sandboxie is a proven
    program and Adobe's sandbox is too new to be reliable.

    Bo
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree bo elam. I don't use it because I have no need but if I did I'd definitely use Comodo to sandbox it further.

    edit: And naturally it would get EMET.
     