Sandboxie Configurations Learning Thread

Discussion in 'sandboxing & virtualization' started by jrmhng, Jun 16, 2008.

Thread Status:
Not open for further replies.
  1. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Hi All,

    I'd like to start a thread on configuring Sandboxie. It seems like such a flexible program but the official documentation is hard for me to understand. Maybe we can build this up enough that we can create a quality guide.

    I think there are two types of approaches, functional and solutions based. By functional, I mean would users who are already Sandboxie power users go through some of the more powerful and flexible functions, such as ClosedFilePath, explaining the syntax, options and possible uses. By solutions based, I mean ways of putting together a set of functions with an end in mind.

    As I'm not a Sandboxie power user myself, I don't have anything interesting to share here. However I do have a few requests. Would someone be able to explain the following functions:

    ClosedFilePath
    ClosedIpcPath

    Also I'm looking for the following solutions:

    A sandbox that only allows the web browser to run and access the internet.
    A sandbox to test viruses. So this sandbox should only allow 1 executable to run, no direct access to any local resources, no access to the internet.

    Cheers,
    Jeremy
     
    Last edited: Jun 16, 2008
  2. Cloudcroft

    Cloudcroft Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    433
    Location:
    The Hill Country of Texas
    I'll be following this thread with interest!
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Regarding ClosedFilePath.

    It closes the access to the file referenced. The name says it.
    How is this used in SBIE?
    If you block access to a specific folder, let's say "my documents", there will be this entry at the ini:

    ClosedFilePath=%Personal%

    This means that the path to %personal% (my documents), is closed.

    Another use of this is these lines:

    ProcessGroup=<restricted1>,iexplore.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe
    ClosedFilePath=!<restricted1>,*

    Please note the use of "!=". In most programming languages, "!=" means "not equal". So, basically this says that the path for any file outside the "restricted1" group declared before is closed. (I do not know what the * is for)

    I do not know what exactly ClosedIpcPath does. For avoiding execution, it's enough with ClosedFilePath. I do believe that ClosedIpcPath adds itself to the ini when you add ClosedFilePath, since I just saw it in my ini file and I'm 90% certain that I only added ClosedFilePath.
    Can anyone confirm this please?


    I'll be posting my ini file and explain the way I use each sandbox in a future post.



    EDIT: I just realized that I talked about "!=", but in reality the setting is "=!<restricted1>", so the ! is before <restricted1>, not before "=". The idea is the same...
    ! is the logic operator for "NOT". so in this case it would be "close file path for all that is equal to not process group restricted1". It's a slight difference.
     
    Last edited: Jun 16, 2008
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks for the "!=" explanation :).

    The * is a wildcard. http://www.sandboxie.com/index.php?OpenFilePath
    Edit: also regarding the "!". See here for a decent explanation. http://www.sandboxie.com/index.php?ProgramNamePrefix
     
    Last edited: Jun 16, 2008
  5. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, I know it's a wildcard.
    What I don't know is why a wildcard is needed, when IMO the "!=<restricted>" should be enough, as it covers ALL files outside the group.
     
  6. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I get it now. * in this context means all file paths on your computer.

    So the direct translation for

    is

    in natural English it is

    EDIT: I might also add that this means deny all disk access i.e. deny READ and WRITE access
     
    Last edited: Jun 16, 2008
  7. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    But isn't the wildcard redundant?

    EDIT: Never mind, I just got it. "for every program outside the process group, the access to any file path is closed."
     
  8. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Here I post my sandboxie ini and the way I use SBIE. I hope this helps. Also if someone with more knowledge than I (a lot of wilders members :)) finds some redundant entries, please let me know. For example, I believe the "lingering process" entries are not needed, since no other processes can run in some sandboxes.

    SBIE is now my only security app, so I want to have it tuned to perfection, and cover all vectors.

    I have several sandboxes, which have self-explanatory names (but some are in Spanish, so I'll translate)


    [DefaultBox] Sandbox:

    Used for:
    -testing unknown programs
    -for opening every document that comes from the web (docs, ppts, mp3s, etc) when a virustotal scan can't be done ATM (after VT scan, file is considered safe and moved to data partition).
    -Also this sandbox holds anything that runs from usb sticks (partitions F: and G:.. I don't think I'll ever plug more than 2 at the same time)

    Nothing in this sandbox can connect to the internet.
    Nothing can access my data partition (%personal%)
    This sandbox is erased with a 3-pass algorithm.

    Lots of un-needed entries. Will have to clean the ini.


    [IEXPLORER] Sandbox:

    Only IE can run on it. Only IE can connect to the internet. Redundant: if it can't run it can't connect.
    Nothing can access data partition.
    Not erased, only deleted. See below.


    [FIREFOX] Sandbox:

    Only Firefox and PDF-Viewer can run (I do need to look for a lot of PDFs, and I prefer to open them instead of downloading them).
    Only Firefox can connect.
    Access to some personal data is granted (Pictures so I can upload or directly download to folder, My university folder, etc)
    Access to sensitive data restricted (passwords, financial info, messenger logs, etc).
    Not erased, it only deletes the contents in order to save laptop battery life, since it's the most used sandbox (a lot of firefox opening and closing)


    [ArchivosRecibidos] Sandbox -- received files --:

    This sandbox forces anything that runs from the folders "My received files" (MSN Messenger) and "Completed torrent downloads" to run sandboxed.
    Access to data is denied.
    Nothing can connect to the internet.
    Erased with 3-passes.


    [Winamp] Sandbox -- in reality it's my media player sandbox--:

    Forces Winamp and Media Player Classic to run sandboxed. Used to avoid accidental damage by fake mp3's.
    WMP is not included as I hardly ever use it, but will be included next time I reboot without Returnil enabled.
    Nothing can connect to the internet.
    Only Winamp, MediaPlayerClassic and the exe needed for k-lite codec pack can run.
    Access granted for music, movies and completed torrents folder.


    And that's it. Any suggestions to avoid redundancies and close open gaps are welcomed (and needed :D).
    ATM the weak links are: Outlook and MSN messenger. I couldn't make them work in SBIE.
    I workaround this by:
    a) the received files force sandbox.
    b) all mail is converted to plain text.


     
  9. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Jeremy, I've been a user of Sandboxie for only about a month or so now. Love what I have seen thus far, so although I'm currently using the free version, I plan on buying the registered version. I'm not a computer power-user, so whether I make custom ClosedFilePath entries remains to be seen. But, for those reading this post who are less technically savvy, what I have been able to do using the more "standard" features of Sandboxie are (a) make Internet Explorer the only program that can access the internet when sandboxed, (b) make Sandboxie notify me if I carelessly open an unsandboxed version of IE, (c) block access to certain files/folders while sandboxed (Example, I block access to My documents in the event I pick up a keylogger while sandboxed. The keylogger will, of course, be removed when I delete the contents of that sandbox.), (d) create sandboxed web link icons directly on my desktop so I can click on them and go directly to those websites...sandboxed of course, and (e) automatically delete contents of the sandbox.

    Regarding (a) and (b), you can find information here: http://www.sandboxie.com/index.php?ProgramSettings
    Regarding (c), you can find information here:
    http://www.sandboxie.com/index.php?ResourceAccess (scroll down to File Access > Blocked Access)
    Regarding (d), if you want the web site to open in the default sandbox, then right click on desktop > new > shortcut > enter "C:\Program Files\Sandboxie\Start.exe" (the URL goes here without the parentheses)
    If you want the web site to open in a custom sandbox that you've already created, then follow the same steps, but add "/box: name of the custom sandbox" (without the quotation marks) immediately after "C:\Program Files\Sandboxie\Start.exe"
    Regarding (e), you can find information here: http://www.sandboxie.com/index.php?GettingStartedPartFive

    I found a web site with some guidance to follow about this. I've got it bookmarked on another computer and will try to post a follow-up later today.
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Would the below settings achieve most of what you want to do?

    Under - [GlobalSettings]
    ProcessGroup=<InternetAccess_DefaultBox>,iexplore.exe,firefox.exe
    ProcessGroup=<restricted>,iexplore.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe,firefox.exe,PDFXCview.exe,DivXsm.exe,mplayerc.exe,winamp.exe

    Under - [DefaultBox]
    ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Ip*
    ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Tcp*
    ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Afd*
    ClosedIpcPath=!<restricted>,*

    I think the above settings will allow IE and FF to run and connect to the net and the restricted setting allows all apps in that line to run sandboxed but not connect out unless they are in the Internet access line.
     
    Last edited by a moderator: Jun 16, 2008
  11. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes could be.
    But keep in mind that there are different folder access privileges for each sandbox.
    But it's a great suggestion, I'll try working on it to simplify things.

    Thanks a lot!
     
  12. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    It's quite hard to build more effective rules than those are. Of course if you don't need something then don't allow it.
     
  13. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Maybe it's possible to have one sandbox with different restricted groups.
    This way I can set different folder access rights to each group in the sandbox.
    Will try it out later.
     
  14. TVH

    TVH Registered Member

    Joined:
    Aug 9, 2007
    Posts:
    227
    My current Sandboxie settings are very similar to those Franklin posted and you really cannot get tighter rules than that.

    I currently have 2 sandboxes: 1 for online banking/shopping etc. in which only IE7 can run and has internet access and all other file/folder access is also blocked. The DefaultBox is configured to give only IE7 internet access and only certain apps have permission to run sandboxed (i.e. Foxit PDF reader, WMP etc). This DefaultBox is used for general browsing and only certain folders have access rights.
     
  15. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    What does the .ini file look like?
     
    Last edited by a moderator: Jun 16, 2008
  16. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks for all the replies guys. I've got a couple of questions on some of the functions.

    What is the difference between ClosedFilePath and ClosedIpcPath?

    Also, in what order does Sandboxie read the ini file? I'm trying to draw an analogy to Linux firewall config files where, if you want to set up a web server for example, you would do something like
    Block all in
    allow 80 in

    So then you can set your sandbox to allow nothing by default and allow selectively.

    Also what do the \Device\ paths represent?
     
  17. osip

    osip Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    610
    Well, can anybody tell how to configure AI Roboform with a default sandbox where Firefox and other browsers are in forced programs... I tried everything and the only working procedure I found is to right click and run sandboxed from the start menu roboformtaskicon.exe... Must be a way to have it automated...
    -----------
    added: seems as if I solved it... had to download roboform-firefox 3.0.xpi. After this OK....
     
    Last edited: Jun 18, 2008
  18. PlanB

    PlanB Registered Member

    Joined:
    May 3, 2008
    Posts:
    4
    Hurst,

    for Outlook I use the following:

    ForceProcess=outlook.exe
    OpenFilePath=outlook.exe,%Local Settings%\Application Data\Microsoft\Outlook\
    OpenFilePath=outlook.exe,%AppData%\Microsoft\Outlook\
    OpenProtectedStorage=y


    Works fine for me.

    However, I have not figured out how to run an anti virus outlook plugin - If anyone has, let me know...
     
  19. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    What if we changed it to

    ClosedFilePath=*,*
    ClosedIpcPath=*,*
    ForceProcess=outlook.exe
    OpenFilePath=outlook.exe,%Local Settings%\Application Data\Microsoft\Outlook\
    OpenFilePath=outlook.exe,%AppData%\Microsoft\Outlook\
    OpenProtectedStorage=y

    Will that lock the sandbox down to only allow outlook to function?
     
  20. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Under - [GlobalSettings]
    ProcessGroup=<restricted>,outlook.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe

    Under - [DefaultBox]
    ClosedIpcPath=!<restricted>,*

    Those lines should allow Outlook as the only app able to run in the sandbox.
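    As an added illustration (not code from this thread or from Sandboxie itself), the following Python model resolves rules written in the syntax used in Franklin's posts and in jrmhng's "ClosedFilePath=*,*" question: a "!<group>" prefix selects every program NOT in the group, "*" as the path matches every path, and a plain path is treated as closing that folder and everything under it. The prefix-recognition rule and the prefix matching of paths are assumptions of this model rather than a description of Sandboxie's internals, and OpenFilePath is not modelled; the \Device\Tcp, \Device\Ip, \Device\RawIp and \Device\Afd names are the NT device objects Winsock networking goes through, which is why closing them to a program cuts its network access.

```python
import re

SAMPLE_INI = r"""; constructed sample, rule syntax as in Franklin's posts
[GlobalSettings]
ProcessGroup=<InternetAccess_DefaultBox>,iexplore.exe,firefox.exe
ProcessGroup=<restricted>,iexplore.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe,firefox.exe,PDFXCview.exe,DivXsm.exe,mplayerc.exe,winamp.exe
[DefaultBox]
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIp
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Ip*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Afd*
ClosedIpcPath=!<restricted>,*
"""

def parse_ini(text):
    # groups: "<name>" -> set of program names; rules: box -> [(setting, program_spec, path)]
    groups, rules, box = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        key, _, value = line.partition("=")
        if line.startswith("["):
            box = line.strip("[]")
        elif key == "ProcessGroup":
            name, _, members = value.partition(",")
            groups[name] = {m.strip().lower() for m in members.split(",") if m.strip()}
        elif key in ("ClosedFilePath", "ClosedIpcPath"):
            prog, sep, path = value.partition(",")
            if not sep or not re.fullmatch(r"!?(\*|<[^>]+>|.+\.exe)", prog, re.I):  # assumed prefix forms
                prog, path = "*", value          # no program prefix: the rule applies to every program
            rules.setdefault(box, []).append((key, prog, path))
    return groups, rules

def program_matches(spec, program, groups):
    negate, spec, program = spec.startswith("!"), spec.lstrip("!"), program.lower()
    if spec.startswith("<"):
        hit = program in groups.get(spec, set())   # group membership
    else:
        hit = spec == "*" or program == spec.lower()
    return hit != negate   # "!" selects every program NOT matching the spec

def path_matches(pattern, path):
    pat, p = pattern.lower(), path.lower()
    if "*" not in pat:     # assumption: a plain path closes itself and everything below it
        return p == pat or p.startswith(pat.rstrip("\\") + "\\")
    regex = ".*".join(re.escape(part) for part in pat.split("*"))
    return re.match(regex, p) is not None   # "*" matches any run of characters

def is_closed(cfg, box, setting, program, path):
    groups, rules = cfg
    return any(program_matches(spec, program, groups) and path_matches(pat, path)
               for key, spec, pat in rules.get(box, []) if key == setting)
```

With Franklin's rules, is_closed() reports \Device\Tcp closed for winamp.exe but open for firefox.exe, and every IPC path closed for a program outside <restricted>, which is what stops it from running; a box with ClosedFilePath=*,* closes every file path for every program, outlook.exe included.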
     
  21. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    The problem is that outlook sometimes likes to call winword.exe or msn messenger.
     
  22. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    With Outlook Express you can stop MSN Messenger being auto started through Tools - Options - General tab and unticking Auto login to messenger.

    Might be the same for Outlook?

    Don't know about winword.
     
  23. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Hey guys,

    I'm still in the dark on the difference between ClosedIpcPath and ClosedFilePath. What is the difference?

    Also what are the \Device\ items used with ClosedFilePath?

    Also has anyone found a way to get outlook to work in a way that it just writes to the pst files automatically but is otherwise fully isolated?

    If we can get enough information together, we can create a guide out of this, which what I aim to do.

    Thanks for all the help.
     
  24. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    The SBIE forums are a better place to solve your question, many knowledgeable people over there. ;)
     
  25. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    How active are the forums?
     