Sandboxie configuration for an old adult. Suggestions pls...

Discussion in 'sandboxing & virtualization' started by albsat, Feb 17, 2011.

Thread Status:
Not open for further replies.
  1. albsat

    albsat Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    40
    Hello,

    I am going to install win7 to a laptop of my neighbor, who is not much in computers. He just uses Word, sends email and navigates in internet.

    I want to use only Sandboxie as a method of protection and remove any programs that might need updates (in order to remove interaction between the computer and this guy; it means peace of mind for me).

    The only problem I see is that he might download files and he might want to install some software in the future. I was thinking to sandbox the browser and Flash plugin and set up a download folder (sandboxed). All of the sandbox's contents will be erased after each session.

    My problem is: how do I configure the download folder in such a way that he can still find the downloaded files and install one of them later, while remaining safe from malware at the same time? I also don't want Sandboxie's recover option to appear every time he downloads something. Any ideas, guys?

    Thank you in advance
     
  2. chris1341

    chris1341 Guest

    You can set up the download folder in a special directory, preferably not a standard one that malware may be set to write to (My Docs etc), and make a shortcut to it on the desktop so he can find it. As long as you force that download folder/directory to run anything launched from it sandboxed, then any malicious programme is easily terminated and its payload dumped by simply closing the sandbox. Remember, forcing the contents of a sandboxed folder to run sandboxed will not delete the original files in that folder, just the changes spawned from launching them, so malware executables may remain, but you are protected; in addition, legitimate files can be downloaded and retained.

    As long as you are forcing the download folder to run sandboxed, you can even allow direct access to it, preventing the quick recovery pop-ups, as SBIE will allow the file out of the sandbox to write directly to the real system. I would prevent internet access in that scenario using SBIE restrictions.

    You might also think of using a Software Restriction Policy (SRP) to set the download folder as 'limited' (reduced rights) or 'deny' (files using already installed applications such as Office/PDF/Media Player etc can run but new executables cannot run) rather than sandboxing it but I'm unsure of what version of Windows 7 you are on or really even how SRP works on 7 tbh.

    Your issue is whether this guy can recognise good from bad in what is in that download folder. If he wants to install something onto the real system in either of those scenarios he is going to have to let it out to prevent auto sandboxing or to escape the SRP. If he can't reasonably be expected to tell if the file he lets out is good or bad then some form of blacklister (AV/AS) is going to be required unfortunately. Would he use on-demand scanners or upload tools for Virus-Total or Jotti as an alternative?

    Hope that helps or someone has a cleaner solution for you.

    Cheers
     
    Last edited by a moderator: Feb 17, 2011
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Immediate recovery is the default option that prompts every time something gets downloaded; you can change it to quick recovery in order to be able to recover files at the end of the browsing session or when you want to do so. Alternatively, you can set downloads to bypass the Sandboxie recovery function by setting direct access, as chris pointed out.


    Bo
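
The setup chris1341 and bo elam describe above, written out as a Sandboxie.ini fragment. This is an added example, not part of either post; the box names, the folder C:\Inbox and firefox.exe as the browser are assumptions.

```ini
# Added example with constructed values (box names, C:\Inbox, firefox.exe).

[Browser]
Enabled=y
# The browser always starts inside this box.
ForceProcess=firefox.exe
# Erase the box contents when the last sandboxed program exits.
AutoDelete=y
# Direct access: the browser writes downloads straight to the real
# C:\Inbox, so no recovery prompt appears for them.
OpenFilePath=firefox.exe,C:\Inbox\
# Only the browser may reach the network from this box.
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
# Alternative to direct access (bo elam's first option): drop the
# OpenFilePath line above and use quick recovery without the prompt.
# AutoRecover=n
# RecoverFolder=C:\Inbox

[Downloads]
Enabled=y
# Anything launched from the download folder is forced into this box.
ForceFolder=C:\Inbox
# Changes made by a launched file are discarded when the box closes;
# the downloaded file itself stays in C:\Inbox.
AutoDelete=y
# No program in this box gets internet access.
ClosedFilePath=InternetAccessDevices
```

A file that has to be installed on the real system must be run from outside C:\Inbox, which is the point where the user's judgment about the file comes in, as chris1341 notes.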
     
  4. albsat

    albsat Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    40
    @Chris and bo

    Thank you very much for the valuable tips... I will be working on this scenario and see what works best.
     