Sandboxie Configuration Recommendations

Yes, anything that is executed by a sandboxed program will always inherit the same sandboxed settings too.

 

No need to apologize . Some of the settings are hard to describe and I probably wasn't clear enough. And yes, you are correct about foxit inheriting the sandbox setting unless it runs into restrictions.

 

Yes, it can be very hard to describe in words, just like it can be very hard to make full use of the power Sandboxie provides. I think a lot of people don't quite fully understand how to harness this power haha! Thus, I suspect a lot of these people dismiss Sandboxie (without realising the extent of protection it provides) and miss out on using quite an incredible security application!

 

I'm aware of that because I only have 1 sandbox for Firefox, Foxit Reader, Winamp, ScreamerRadio and Java.exe. All have them setup with start/run access restrictions and I'm working on 'tightening up' the internet access settings for those programs. I guess I could separate ScreamerRadio but I wonder why would I need to?

Why would you combine your chat program with Firefox? And how do you read .pdfs, listen to media, etc. that your browser calls up? I'm confused... I guess you could download them to a 'forced folder' and then look at them with a forced sandboxed program. Sounds like a pain but it could work (I think) but I'm not sure as to if it would open in the needed restricted sandbox (foxit/adobe, winamp, etc.).

By the way, I'm not picking on you. Everybody has their preferences but I'm not sure any are more secure than others. FWIW I delete my sandbox manually because I basically do everything (updates) manually. Automatically deleting the contents is no safer than manually deleting. If anyone is afraid there is malware in the sandbox then right-click the tray icon and click Terminate All Programs. Plus we can look in Sandboxie Control to see if anything is running. I also use Eraser to delete my contents but that is due to a conflict I have with another proggy. If one needs to they can use Eraser or whatever to totally shred the sandbox contents.

Actually, I think most people find it hard to wrap their heads around what Sandboxie does. I think some may be put off because they think they need to configure it. In reality they are much safer running a default configured sandbox than with their old setups.

Sandboxie is much easier to use and the help/faq section is much improved from when I first started using it. When it comes to new users it's best to keep it simple so they know exactly what each setting does. That way when something doesn't work, they know what is causing the problem.

 

I combine my chat messenger program and firefox in the same sandbox because of the following scenario:
1. I only have my chat program running. Firefox is not running.
2. Chat buddy sends me a link to a site
2. I click on the link and firefox opens.

Because my chat program is in the same sandbox as firefox, firefox will open in that same sandbox too. Therefore for Firefox's consistency's sake, I let my chat program and Firefox share the same sandbox. If I used separate sandboxes instead, Firefox would not be consistent and potentially a lot of browser history/bookmarks etc would go missing. By the way, I don't use OpenFilePaths (I think this theoretically increases the chances of a browser exploit being successful) and don't delete firefox/chat program's sandbox contents (for usability and convenience's sake). This is very hard to describe fully, so I hope that made sense to you haha. Anyway, there's always a reason for everything mate. As I said, I've found my "100%" approach with Sandboxie without sacrificing much in the way of usability and convenience.

You are exactly right in saying "people find it hard to wrap their heads around what Sandboxie does." That's why user education (which leads to user knowledge) is actually the greatest security program of them all haha.

EDIT: It is very much worth-while spending time playing with Sandboxie and understand what it can really do for you. Some people simply call it a "virtualisation product", but as you know, that's just scratching the surface of what Sandboxie does - it does far, far more than that.
EDIT2: just to address your question: "...And how do you read .pdfs, listen to media, etc. that your browser calls up?"
Well, I've never come across any problems so far mate. I can read .pdfs fine within the Firefox browser and media streams fine. Maybe you're visiting different web-sites to me. Please feel free to PM me any sites so I can test whether they run fine. As I said, I've never had trouble with streaming youtube etc with my setup.

 

Hi,

I run my browsers (Opera and IE) and download manager (Free Download Manager) sandboxed. I use that default sandbox only for browsing, and these are the only programs that have Internet Access and Start/Run Access.

Shoud i also allow Java to have Internet Access and Start/Run Access? If yes, what´s the name of the file (or files) i should add? "Java", "Javaw", "Javaws", others? I simply dont know

 

Sandboxie will tell you that "process.exe" failed to run due to restrictions. If so, just add that "process.exe" to be allowed to run and/or access the internet. If you don't get any messages, then all is well.

 

Thanks!

 

Would you guys recommend sandboxing utorrent or limewire? i've a habit downloading large files >1gig.. is that compatible for sandboxie to recover? i'm scared that it might cause problems to my downloading

 

I can only speak for myself but I've run Frostwire exclusively sandboxed for a long time and never had any problems.

 

One thing I found and is not readily apparent (at least not to me ) and that is under: Sandbox settings-> Delete-> Command, if you choose Eraserl it will default to the Gutmann erasing level, which will erase with a time-consuming 35 passes! You may want to edit this entry by choosing a method using fewer passes, such as DoD_E which will erase using only 3 passes - maybe less secure but certainly a lot faster.

Some screenshots for illustration. The second screenshot shows the window when opening Eraserl.exe

 

Pete,

Doesn't windows media player need internet access in order to play video or streaming radio? (Or is there another way to set this up?)

Thanks in advance.

 

Thank you, Pete. I'll amend my configuration back to restricting wmp (and apple's quicktime player) from accessing the net.

 

This thread is really helpful.

 

Yes! It is!
This has been needed for awhile.

 

Ok, what I'm confused about is how you run .pdfs, .wav, .avi, etc. in your sandbox when only Firefox and your chat messenger have Start/Run access? Are you relying on plugins or add-ons?

If I don't allow FoxitReader and Winamp start/run access with my browser I can't view these files. An example of sites would be av-comparatives.org to read a .pdf and perhaps a site to view video clips or music. Basically I'm talking about files you download and then play or view. I'm not talking about youtube or a music store that preview tunes in the browser using java or flash.

 

lol, as with everything else that involves a computer, some peeps just like to play. Imagine, a program like SB being used out of the box, with apparent success in most every case, to those much more sophisticated configurations. It speaks well of SB. It both pleases the basic and advanced in terms of how much you can tweak it, and also achieves a level of protection for it's intended purpose at both ends of that spectrum.

I align more with Peter, where I use it but don't want to really know I'm using it.

This is what I do. Registered version please.

Create a group of programs with internet access, like this

Code:

ProcessGroup=<InternetAccess_BROWSERS>,opera.exe,k-meleon.exe,iexplore.exe,firefox.exe,winget.exe

Next, I create 3 boxes. Default, Downloads and Browsers. Idea, my net facing apps start (forced) into the browsers box. So I make it's settings

Code:

First, force a few programs

ForceProcess=iexplore.exe
ForceProcess=firefox.exe
ForceProcess=opera.exe

Next, ensure only programs in the Browsers process group are allowed ip access

ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\RawIp
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Ip*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Afd*

I want to protect a few areas within the sandbox, so I will close some paths and reg keys

ClosedFilePath=C:\AUTOEXEC.BAT
ClosedFilePath=C:\boot.ini
ClosedFilePath=C:\ntldr
ClosedFilePath=C:\NTDETECT.COM
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\

I don't want to bookmark something and have to restore it to keep from losing it, so I open a hole to the REAL bookmarks files. This allows the sandbox browser to make a bookmark and it writes for REAL.

OpenFilePath=k-meleon.exe,c:\Program Files\k-meleon\profiles\*\*\bookmarks.html
OpenFilePath=opera.exe,C:\Program Files\Opera\profile\opera6.adr
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\bookmark*
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places*

And finally, when I download something, I don't want to restore it. I want it to go directly to the REAL directory of my choise. Like this.

OpenFilePath=C:\Documents and Settings\Sully\My Documents\My Downloads

So, my browsers group is the only thing that can access the net from the sandbox, and I have a few holes to ease the restoring of files in the sandbox to the real OS.

I force 3 browsers, but my primary is Kmeleon. I have 2 shortcuts on my desktop. One starts it in the browsers sandbox, the other not. It is still forced if I use SB, so that protection is there, but not always do I want it.

Next we have to consider the downloads folder. What I do is force anything in that folder to start in the downloads sandbox. This sandbox has everything blocked from any net access. So if I start some .exe in that folder, it is contained.

Finally I have a default box left, where I may test something in if I desire.

I also couple this of course with a healthy dose of SRP to a restricted Basic User level. It traps either in SRP or SB. The nice part of this equation, is that if I start an app and SRP demotes it to a user, once it gets inside the sandbox, it no longer acts as a user, but as admin. Because the directory structure of sandbox is not actually c:\windows or c:\program files. So for me it strikes a nice balance of not having to think much about it as well as not having to maintain it for my ordinary uses.

Sul.

 

Yes, I can view av-comparatives.org to read a .pdf file no problem. That's because I do rely on a plugin. I don't see any problems at all with any site that I surf to. Also if you do run into problems, it's no big deal allowing eg. winamp.exe or wmplayer.exe to run in the sandbox.

I now see what you're saying though. You are talking about downloading actual eg. .mp3 files into the sandbox and then playing them with eg. Winamp in the sandbox. In that case, you will need to allow winamp.exe. Usually when I download files, I do it from a trusted site, thus I can recover these files to my real system with no hesitation. Besides, I have Avira AntiVir set on "Scan when writing" and also Comodo Firewall/Defense+ running to pick up any malicious processes.

I actually wrote a short article on the lightest way (and cheapest way) you can achieve near-100% security without sacrificing usability and convenience. It involved Sandboxie, Comodo Firewall/Defense+ and Avira. It obviously doesn't take into account human error: for example, I could download a malicious .exe file and save it on to my real system. From there, I'd execute it and allow to run everything my HIPS (Defense+) warns me about. But then again, there's no way you can protect from this type of human error!

If people want a copy of my short article, please feel free to PM me. I've avoided posting it publically, as I'm sure there will be lots of arguments etc. haha. Anyway, most of the article actually comprises of that previous post on how I configure my Sandboxie.

 

A very nice way of using Sandboxie! Combining it with SRP sounds like an excellent idea! I'm glad you've found your balance between usability and near 100% security (and all at a very low cost too haha).

 

Sully, it looks like you've got things locked down like Fort Knox Thanks for the post!

Did you do all that editing the configuration and is it possible to do all that from within the GUI? I'm a little afraid to go in and edit things manually because it caused me to screw things up pretty badly once, though I was able to bail myself out of it with the backup. Still, I'd prefer to do things from the GUI.

Thanks again!

 

I initially did it from the GUI, just using the default box. Then I would look at the config file and see what the GUI options related to in the config. The GUI works, but I like to also know behind the scenes. It is easier for me to understand things like the process group if I see how they 'term' them. But yes, you can do all that from the GUI I believe.

Don't worry about messing up. Just save your config file somewhere and then play. All you do then is replace your messed up config with the original and you are back in business.

I don't know if it is locked down as well as it could be, but the way I look at it is that the intent of a sandbox is to contrain things to a private area, and that private area can be raked smooth. So I don't get too worried about what happens inside the sandbox. Besides, using SRP on my browsers, even if it did escape the sandbox, it would still be restricted to a user.

Sul.