Sandboxie Basics - the sandboxed file system

Discussion in 'sandboxing & virtualization' started by Sully, Sep 26, 2012.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Sandboxie need not be complicated to understand. In fact, it really only requires a fundamental understanding of objects and containers, the technical names for files (objects) and folders/directories (containers).

    The sandboxie application resides in c:\program files\sandboxie, just as any other application normally does when it is installed (not to mention x64, just speaking generically). This is the program itself.

    Sandboxie is a type of light virtualization. Its purpose is to keep what happens in the sandbox from affecting the real system. To do this, it creates a special directory -
    Code:
    c:\Sandbox
    Within this special directory are sub-directories, one for each sandbox you have created. If for example you create a sandbox for browsing, called Browsers, then you would see this -
    Code:
    c:\Sandbox\Browsers
    At first, this sub-directory may not hold much. But once you start an application in that sandbox, files and folders may be created. The key here is to understand "may be created".

    When you start an application in a sandbox, the application is, by default, allowed to READ any file it needs to run. These may be dependency files, like a dynamic link library (dll) or a config file or even a registry key(s). If the application only reads these files, but does not attempt to MODIFY or WRITE anything, then there is nothing to protect.

    However, if the app does attempt to MODIFY or WRITE, anything at all, a COPY is created of what WOULD HAVE CHANGED. This copy is created in the corresponding sandbox directory. For example, if you opened notepad.exe, and then tried to modify c:\boot.cfg, notepad is allowed to READ and OPEN the real c:\boot.cfg file. BUT, once it goes to MODIFY that file, a COPY is made.

    Understanding the structure of the c:\Sandbox directory now becomes helpful. Suppose we have a sandbox named TEST which we used to modify boot.cfg in. We would expect to see -
    Code:
    c:\Sandbox\TEST
    Once we attempt to MODIFY the boot.cfg file, Sandboxie sort of "recreates" the directory and file structure, within the sandbox, to mimic the real system location(s). It does this by chopping the file system into 2 parts - Drive and User. It would look like this -
    Code:
    c:\Sandbox\TEST\Drive
    c:\Sandbox\TEST\User
    Now there is some logic to follow within the sandbox. If the boot.cfg file was located in the c: drive, then the COPY that Sandboxie made (which was modified from the original) would be located like this -
    Code:
    c:\Sandbox\TEST\Drive\C\boot.cfg
    If the boot.cfg file was on a different drive, maybe a different hdd, like the e: drive, it would appear like this -
    Code:
    c:\Sandbox\TEST\Drive\E\boot.cfg
    If the boot.cfg was on the desktop, it would appear like this -
    Code:
    c:\Sandbox\TEST\User\Current\Desktop\boot.cfg
    One can then go "searching" for their files, within the c:\Sandbox directory, if they know where the original file was to begin with. If a directory/file was never MODIFIED within the sandbox, then it won't appear there.

    So one can see that Sandboxie allows sandboxed apps to access the real system, but when things happen that could potentially modify the real system, they are instead contained within the c:\Sandbox directory.

    It is common to "lose" things when using Sandboxie. They aren't really lost so much as they are not in a place that Sandboxie monitors.

    For simplicity, Sandboxie assumes most people will save things to their "User Profile" area. This would be the desktop or the traditional "My Documents" area. Vista and win7 now use a bit different structure, but the idea is the same.

    What Sandboxie does is to monitor these areas. If it finds a file was CREATED or MODIFIED, in the sandbox, in any of these areas, it offers a convenient way to RECOVER these files. When you recover a file, a hole is poked in the sandbox, which allows these CREATED or MODIFIED files to be written/changed to the REAL LIVE LOCATIONS. One can imagine that if they downloaded or modified a document, they probably want to keep the changes, FOR REAL, so Sandboxie attempts to help you recover them from the segregated sandbox to the live system.

    Behind the scenes, nothing has changed. Any files or folders that are CREATED or MODIFIED by a sandboxed app get written to c:\Sandbox somewhere. A nifty helper tool like recovery makes it easier for the user is all.

    While recovering files and folders from monitored areas like the User Profile is easy, many times people "lose" things that are not in those areas. Again, nothing has changed, Sandboxie dutifully CREATES or makes a COPY of things in the appropriate c:\Sandbox directory. But, if the item(s) are not in the User Profile area, Sandboxie offers no easy help.

    Here you have some options. If you know where the file/folder is that you want to keep (that is, put on the real system) you can open windows explorer, navigate to the correct c:\Sandbox sub-directory, and copy/cut and then paste it to where you really want it to be. Another option is to go into the Sandbox Settings and add a monitored directory.

    As an example, suppose that you create the directory
    Code:
    c:\my_videos
    and you house all the home movies from your family there that you download from the internet. You don't suspect these videos are malicious, because your brother/sister uploads them for you to see, not some internet cracker.

    But, you are using Sandboxie, and you always run your browser in a sandbox. When you download these videos, Sandboxie dutifully keeps CREATED or MODIFIED items out of the real system and in the sandbox. But, since this is a custom directory, Sandboxie does not monitor it. You could use windows explorer and navigate to
    Code:
    c:\sandbox\browser\drive\c\my_videos
    and copy/paste them to the real c:\my_videos location.

    Or, you could add c:\my_videos to the "Quick Recovery" area of the sandbox settings. Now whenever a CREATED or MODIFIED file is found in the sandbox, in that directory, Sandboxie will prompt you to recover it, making it more convenient.

    Many people worry about their bookmarks and things when they are using their browser sandboxed. They don't want "unwanted" things to come into their real system from their browser, but they do want to make bookmarks/favorites that will stay. In the sandbox settings area there are some "application settings" that will allow this to happen. It is called giving "direct access". In effect, you are "opening a hole" in the security of Sandboxie that allows "direct access" to the bookmarks file. When the sandboxed browser creates a bookmark, it is NOT created in the c:\Sandbox directory, but rather DIRECTLY to the real live location. There is nothing to recover because it never happened in the c:\Sandbox directory in the first place.

    Direct Access is an advanced setting of Sandboxie. You can create direct access to just about anywhere or anything. However, it does negate any protection that Sandboxie provides.

    As well, you can Restrict Access. I mentioned early on that when a sandboxed app starts, Sandboxie allows it to READ or ACCESS about anything, but anything MODIFIED will stay in the sandbox. You can restrict a sandbox from accessing things as well. In our example of a sandboxed notepad.exe accessing c:\boot.cfg, one could restrict that file from being accessed at all. Now the sandboxed notepad.exe cannot open that file at all.

    By now your eyes are crossing from this wall of text. Don't worry though, if you did not understand where your files went, or you want to make Sandboxie easier to use, these basic outlines hold much power. If you can understand these principles, you are well on your way to using Sandboxie to its fullest potential.

    Sul.
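As an added illustration (this is not code from the post, nor anything shipped with Sandboxie), here is a small Python model of the Drive/User layout described above: one function predicts where the COPY of a modified file lands under c:\Sandbox, its inverse works out where a copy found in the sandbox belongs on the live system, and a third classifies each copy as something Quick Recovery would offer (destination inside a monitored folder) or something you would have to copy out manually with Explorer. The c:\Sandbox root, the Drive\<letter> and User\Current areas, and the Desktop and "My Documents" monitored folders come from the post; the profile path C:\Users\Sully, the "Documents" folder name, and the sample copies are constructed for the example. Other profile areas (other users, public) are not modelled.

```python
# Added example: a model of the Sandboxie copy-on-write layout described in the post.
# Nothing here talks to Sandboxie; it only reasons about path names.
from pathlib import PureWindowsPath

SANDBOX_ROOT = PureWindowsPath(r"C:\Sandbox")      # the special directory from the post
USER_PROFILE = PureWindowsPath(r"C:\Users\Sully")  # constructed sample profile path


def _is_under(path, folder):
    """True if `path` is `folder` or lies beneath it (Windows paths compare case-insensitively)."""
    try:
        PureWindowsPath(path).relative_to(folder)
        return True
    except ValueError:
        return False


def default_monitored(user_profile=USER_PROFILE):
    """Folders the post says recovery watches out of the box: the desktop and My Documents.
    The 'Documents' folder name under the profile is an assumption for Vista/7 layouts."""
    profile = PureWindowsPath(user_profile)
    return (profile / "Desktop", profile / "Documents")


def sandbox_path(box, real_path, user_profile=USER_PROFILE):
    """Where the sandbox named `box` keeps the COPY of `real_path` once an app modifies it."""
    real = PureWindowsPath(real_path)
    box_root = SANDBOX_ROOT / box
    if _is_under(real, user_profile):
        # Files in the user's own profile go under User\Current\<path relative to the profile>
        return box_root / "User" / "Current" / real.relative_to(user_profile)
    # Everything else goes under Drive\<letter>\<path relative to the drive root>
    letter = real.drive.rstrip(":").upper()          # "e:" -> "E"
    return box_root / "Drive" / letter / real.relative_to(real.anchor)


def real_location(sandbox_copy, user_profile=USER_PROFILE):
    """Inverse mapping: the live location a copy found under the Sandbox directory belongs to.

    Raises ValueError for anything that is not a sandbox copy path, so a caller can
    never 'recover' a file to a made-up destination.
    """
    parts = PureWindowsPath(sandbox_copy).parts
    root = SANDBOX_ROOT.parts
    n = len(root)
    if len(parts) < n + 3 or [p.lower() for p in parts[:n]] != [p.lower() for p in root]:
        raise ValueError(f"not a Sandboxie copy path: {sandbox_copy}")
    # parts[n] is the sandbox name; then the area kind, the area name, and the remainder
    kind, area, rest = parts[n + 1], parts[n + 2], parts[n + 3:]
    if kind.lower() == "drive":
        return PureWindowsPath(f"{area.upper()}:\\").joinpath(*rest)
    if kind.lower() == "user" and area.lower() == "current":
        return PureWindowsPath(user_profile).joinpath(*rest)
    raise ValueError(f"unrecognised sandbox area {kind}/{area} in {sandbox_copy}")


def recovery_plan(copies, extra_monitored=(), user_profile=USER_PROFILE):
    """For each copy found in a sandbox, return (copy, live destination, 'quick' | 'manual').

    'quick' means the destination is inside a monitored folder, so Quick Recovery would
    prompt for it; 'manual' means you would copy it out with Explorer yourself, or add
    the folder to the Quick Recovery list (pass it via `extra_monitored`).
    """
    monitored = default_monitored(user_profile) + tuple(PureWindowsPath(m) for m in extra_monitored)
    plan = []
    for copy in copies:
        dest = real_location(copy, user_profile)
        method = "quick" if any(_is_under(dest, m) for m in monitored) else "manual"
        plan.append((str(copy), str(dest), method))
    return plan


# Constructed sample: copies left behind in the "Browsers" sandbox after a browsing session
SAMPLE_COPIES = [
    r"C:\Sandbox\Browsers\User\Current\Desktop\invoice.pdf",
    r"C:\Sandbox\Browsers\Drive\C\my_videos\family.mp4",
    r"C:\Sandbox\Browsers\Drive\C\Windows\Temp\update_cache.tmp",
]

if __name__ == "__main__":
    print("copy of c:\\boot.cfg in TEST ->", sandbox_path("TEST", r"c:\boot.cfg"))
    print("\nDefault monitored folders:")
    for copy, dest, how in recovery_plan(SAMPLE_COPIES):
        print(f"  {how:6} {copy} -> {dest}")
    print("\nAfter adding C:\\my_videos to Quick Recovery:")
    for copy, dest, how in recovery_plan(SAMPLE_COPIES, extra_monitored=[r"C:\my_videos"]):
        print(f"  {how:6} {copy} -> {dest}")
```

Running it prints the Drive\C location of the boot.cfg copy, then shows the my_videos download flipping from "manual" to "quick" once that folder is on the Quick Recovery list. The Windows\Temp entry stays "manual" in both runs, which is the useful reminder: everything a sandboxed program wrote outside the profile is sitting in c:\Sandbox too, and nothing obliges you to bring it back.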
     
  2. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Well written Sul. Cheers..
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Hi Sully :cool:, top to bottom, very nice.

    Bo
     
  4. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    What a great explanation - that's going to help a lot of people!
     
  5. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Great job sully :) It is very helpful for my understanding...
     
  6. The GLoW

    The GLoW Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    22
    Location:
    USA
    How timely! After much research and trepidation, I am finally installing SBIE for the first time on my pc's today. Your explanations will surely help guide me in the process. Appreciating your efforts, Sully!
     
  7. huntnyc

    huntnyc Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    976
    Location:
    Brooklyn, USA
    Wonderfully organized and written and as always accurate and understandable even to those of us who simply use our computers without having much technical background. Thank you Sully.

    Gary
     
  8. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Just re-installed Sandboxie. It's not offering quick Recovery on download completion. I have to go into SB & manually release the file.

    1. Remind what to tick plz to initiate quick Recovery.
    2. Where do I put my old ini file & will that automatically restore all my old settings.

    How quick one forgets.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    1) Sandbox settings>Recovery>Quick recovery>add folders where you want quick recovery.

    2) You can replace the ini file located in Windows.

    Bo
     
  10. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Well done, Sul! :thumb:
     
  11. tomazyk

    tomazyk Guest

    Very well written, Sully :thumb:

    This should be sticky or recommended thread for all new users seeking help with Sandboxie.
     
  12. clubhouse

    clubhouse Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    180
    Excellent 'how to' for sandboxIE, thank you, helped clear up a few things I didn't fully understand.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Would there be interest in other "Sandboxie Basics" threads? There are still a number of other topics that seem to be misunderstood and might benefit from a "layman's" description.

    Sul.
     
  14. tomazyk

    tomazyk Guest

    Yes definitely! I would certainly read it and see if I learn something new.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Not sure it would qualify as "Sandboxie Basics" but maybe a layman's thread that covers additional hardening and security settings for Sandboxie.
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I created this thread in hopes of there being one place to answer this common question.

    It seems quite a few found it helpful. Hardening and other more advanced topics could be done, but are much more specific in nature.

    It's a good idea and one I have contemplated before. I will think about how I could write such an article in a general sense, if that is possible.

    Sul.
     
  17. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,215
    Sully thank you! Your contributions are always excellent reading. And yes, if you wish to continue on this path, there are so many users of Sandboxie, beginners and not that will make it definitely worthwhile.
     
  18. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    After briefly playing with SBE in the past I'm on verge of changing my whole security approach.
    This post along with https://www.wilderssecurity.com/showthread.php?t=333443 have played no small part.
    Just wanted to say thanks :thumb: for a couple of great postings... MORE !!! :)
    Also think this should be sticky, most of the reasons why someone may visit a SBE sub-forum are within these two posts IMO an ideal first point of call
    Thanks again
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Nice post Sully, you've explained things so well :) You've also played no small part in rekindling my interest in Sandboxie, so I've re-installed it and will use it primarily for testing purposes.
     
  20. skokospa

    skokospa Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    177
    Location:
    Srbija
    great explanation .... can go to the help file Sandboxie.

    graces Sully
     
  21. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    As always a superbly written piece there Sully, most useful for those new to sandboxing.:thumb: :thumb:
     
  22. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    Thanks for the great post Sully! I'm thinking of giving SBIE another try.
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,206
    Hopefully you will inform us here on Wilder Security about your test results with tightly configured Sandboxie?
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    To set Firefox bookmarks to be saved while running sandboxed, you need to allow direct access to bookmarks: Sandbox settings>Applications>Web browser>Firefox, and tick "Allow Direct access to Firefox bookmarks and history database".

    Bo
     
  25. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Excellent thread. Don't know how I missed it earlier.

    Best regards my dear friend Sully,

    Mohamed
     