Sandboxie Configurations Learning Thread

Discussion in 'sandboxing & virtualization' started by jrmhng, Jun 16, 2008.

Thread Status:
Not open for further replies.
  1. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    just like Wilders.
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    Since SBIE seems to be the main resident security application used by many of us, it is important to have it be as secure as possible. That being said, would any more knowledgeable than me please take a look at my config and let me know hoe tight and secure it is? If you notice anythign that could be improved please say so.

     
    Last edited: Jul 20, 2008
  3. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    This is from Blocked File Access (ClosedFilePath) window:
    "If a file or folder matches any other File Access setting, but also matches any Blocked Access setting, the Blocked Access setting will take precedence."

    Doesn't this complicate things a little?

    ClosedFilePath=C:\Program Files\*
    would block access to all programs in this path.

    But if I want to open a path only for e.g. Firefox, I can't use
    OpenFilePath=C:\Program Files\Mozilla Firefox\*
    because the previous ClosedFilePath settings overrules this one.

    So to allow access to Firefox folder, I have to deny every single folder in Program Files o_O

    Or is this just a lack of understanding :doubt:

    Cheers
     
  4. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    No your reasoning is oke,but in OP's place i would follow the setup config. explained many times here,centered around the restricted rules by Wraithdu.
     
  5. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Oh, I see, it's a searching thread, not a learning thread. :rolleyes:

    However, does this mean if I have this two lines:
    ProcessGroup=<restricted>,Start.exe,...
    and
    ClosedFilePath=!<restricted>,*
    there is no need to add any other ClosedFilePath locations?
    Because no program which is not in the ProcessGroup 'restricted' is allowed to access files from 'the real system'.

    Cheers
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    For Wraithdu's rules, which section does the ClosedFilePath relate to in the sandbox settings? File, Registry, what? Forgive my idiocy but between the forums here and at SandboxIE, all these configuration suggestions are spread out all over Gods creation, and just when you think you've gotten something down, a couple pages later in a thread or in a completely different thread that may be a few pages back, somebody corrects the suggestion with something else. It's a pain in the ass to put it bluntly.

    All I want to do is set up 5 sandboxes.

    (Default box). IE7 that is able to update bookmarks and open PDF files instead of having to save them, and also to play embedded videos/music (I use WMP solely). I do not want anything else to have internet or any other access to data, or be able to run in this box unless it is needed to perform the functions I wish of this box.


    2. Firefox that is able to update bookmarks and extensions, and open PDF files instead of having to save them, and also to play embedded videos/music (I use WMP solely). I do not want anything else to have internet or any other access to data, or be able to run in this box unless it is needed to perform the functions I wish of this box.

    3. UTorrent that does nothing but run and upload/download to and from my specified download folder. No other internet access, no access to any other data/files.

    4. Media that does nothing but play files already downloaded, specifically using WMP 11. Nothing else runs in it, nothing gets internet/data access (possible exception being giving WMP internet access so it can retrieve information about files playing. But if that's too risky, then no internet access).

    5. Test box strictly for testing installs of smaller programs/games, accessing only what it needs.

    If anyone will kindly just give an example setup to achieve this I would greatly appreciate it. I just need a good balance of functionality with security since this will likely be my only real-time security app coupled with Returnil Free. (slight possibility of adding Threatfire, but these 3 will be it).
     
  7. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    Long time since there has been a discussion about sandboxie, This is my config;
    Default box, Firefox, thunderbird, IE (I only use IE for updates).
    Can anyone see where I can tighten the grip?

     
  8. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    The Firefox box is short on the Internet Access Settings and has quite a few unneeded lines.

    [FIREFOX]

    Enabled=y
    ConfigLevel=4
    AutoRecover=y
    AutoRecoverIgnore=.jc!
    AutoRecoverIgnore=.part
    AutoDelete=y
    NeverDelete=n
    ForceProcess=firefox.exe
    ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\RawIp6
    ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Udp6
    ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Tcp6
    ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Ip6
    ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Udp
    ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Ip
    ClosedFilePath=!<InternetAccess_FIREFOX>,\Device\Afd*
    ClosedIpcPath=!<restricted2>,*
    ClosedFilePath=%Personal%\
    RecoverFolder=%Desktop%
    OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places*
    OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\bookmark*

    Not Needed or canceled out by other settings:

    ClosedFilePath=!<restricted2>,*
    RecoverFolder=%Personal%
    OpenFilePath=seamonkey.exe,%AppData%\Mozilla\Profiles\*\places*
    OpenFilePath=seamonkey.exe,%AppData%\Mozilla\Profiles\*\bookmark*
    LingerProcess=trustedinstaller.exe
    LingerProcess=wuauclt.exe
    LingerProcess=devldr32.exe
    LingerProcess=syncor.exe
    LingerProcess=jusched.exe
    LingerProcess=acrord32.exe
    OpenKeyPath=iexplore.exe,HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
    OpenProtectedStorage=y
     
  9. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    [ThunderBird]

    Enabled=y
    ConfigLevel=4
    AutoRecover=y
    AutoRecoverIgnore=.jc!
    AutoRecoverIgnore=.part
    RecoverFolder=%Personal%
    RecoverFolder=%Desktop%
    LingerProcess=trustedinstaller.exe
    LingerProcess=wuauclt.exe
    LingerProcess=devldr32.exe
    LingerProcess=syncor.exe
    LingerProcess=jusched.exe
    LingerProcess=acrord32.exe
    OpenFilePath=%AppData%\Thunderbird\*
    OpenFilePath=thunderbird.exe,%Local AppData%\Thunderbird
    OpenFilePath=thunderbird.exe,%AppData%\Thunderbird
    OpenKeyPath=thunderbird.exe,HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla Thunderbird
    OpenKeyPath=thunderbird.exe,HKEY_LOCAL_MACHINE\Software\Mozilla Thunderbird
    OpenKeyPath=thunderbird.exe,HKEY_CURRENT_USER\Software\Mozilla Thunderbird
    ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\RawIp6
    ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Udp6
    ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Tcp6
    ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Ip6
    ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Udp
    ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Ip
    ClosedFilePath=!<InternetAccess_ThunderBird>,\Device\Afd*
    BoxNameTitle=y

    Not needed:

    RecoverFolder=%Favorites%
    OpenFilePath=seamonkey.exe,%Local AppData%\Mozilla\Profiles\*\Mail*
    OpenFilePath=seamonkey.exe,%AppData%\Mozilla\Profiles\*\Mail*
    OpenKeyPath=seamonkey.exe,HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\SeaMonkey*
    OpenKeyPath=seamonkey.exe,HKEY_LOCAL_MACHINE\Software\Mozilla\SeaMonkey*
    OpenKeyPath=seamonkey.exe,HKEY_CURRENT_USER\Software\Mozilla*\SeaMonkey*
     
  10. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    [IEXPLORER]

    Enabled=y
    ConfigLevel=4
    AutoRecover=y
    AutoRecoverIgnore=.jc!
    AutoRecoverIgnore=.part
    AutoDelete=y
    NeverDelete=n
    ForceProcess=iexplore.exe
    ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\RawIp6
    ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Udp6
    ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Tcp6
    ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Ip6
    ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Udp
    ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Ip
    ClosedFilePath=!<InternetAccess_IEXPLORER>,\Device\Afd*
    ClosedIpcPath=!<restricted1>,*
    ClosedFilePath=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    OpenProtectedStorage=y
    OpenKeyPath=iexplore.exe,HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms

    Not Needed:

    ClosedFilePath=!<restricted1>,*
    RecoverFolder=%Personal%
    LingerProcess=trustedinstaller.exe
    LingerProcess=wuauclt.exe
    LingerProcess=devldr32.exe
    LingerProcess=syncor.exe
    LingerProcess=jusched.exe
    LingerProcess=acrord32.exe
     
  11. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    DefaultBox lists fact.exe as the only program that can access the internet, yet there are settings in the box for Firefox, IE, and Thunderbird. So I cant see what you want there, so I didn't edit it.

    This line in Global is not used anywhere so you can delete it, unless you have a reason for it.
    ProcessGroup=<restricted3>,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe

    Thunderbird box has no ForceProcess but that may be the way you want it - up to you.
     
  12. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    Thank you mitch,
     
  13. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Please forgive my ignorance for asking this question. If I open FireFox sandboxied ,surf the net, then delete the contents of the sandbox ,is my system protected? With the as downloaded config.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    what ever you delete from the sandbox is secure delete,no history,cookies or coffee:D
     
  15. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes. Default settings are very secure. As long as you don't recover anything malicious, you are protected. But you could save some time configuring SBIE to automatically delete the sandbox.
     
  16. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I have it set to empty when FF is closed. Thank you all for the replies.
     
  17. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    With Sandboxie really the problem is not confinement of the Sandbox but more how you save and what you save.Also IMO editing the config ini file is tricky,You have to know very well what SBIE intentions are before closing or opening any path.
     
  18. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    But couldn't some keyloggers steal your data before you close your browser?

    Thanks
     
  19. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    in theory, yes... sandboxes don't necessarily stop bad things from running within the sandbox, they stop it from being able to affect the system outside the sandbox... if a compromise happens within the sandbox and you enter sensitive data into an app running in that sandbox then that sensitive data can still be stolen... that's one of the reasons why sandboxing alone isn't complete protection...
     
  20. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Show me a website that automatically installs and executes a key logger?
     
  21. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    224
    Doesn't it help mitigate the keylogger issue by using Sandboxie's GUI to designate your browser as being the only sandboxed program that can access the internet?
    http://www.sandboxie.com/index.php?ResourceAccess#internet
     
  22. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    why is it that every time i say something is possible in theory people ask for links to examples? and why do people think it's ok to hand out links to live malware to strangers?

    let's take another approach - we know there is such a thing as drive-by downloads, and we know from that that it is possible for a web page to cause the download and execution of arbitrary code on a suitably vulnerable system... since keyloggers are just code there's no reason they can't be downloaded and executed by visiting a web page...

    it helps mitigate it to some degree (maybe even a large degree) if you have sandboxie setup that way, but consider this - there is such a thing as a keylogger implemented in javascript that runs inside your browser... sandboxie's execution/connection whitelisting capability won't do anything to help you there...

    and besides which, there's also things like phishing pages and social engineering to get your sensitive data which sandboxing, again, does not help you with... sandboxes contain intrusions, they don't (and in some cases can't) necessarily do much about extrusions...
     
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Exactly. However, with SandboxIE you can, or rather, you should empty the sandbox in between sensible/normal browsing.
    Or use different sandboxes for different purposes.

    I believe Peter does this as a method, and i think it's the best way to use it.
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    mira pedro si escierto,but what about if you are the type of person that likes to save alot of stuff?ofcourse it will be save in your regular os,then what?
    probably is better run sandboxie with a good antivirus,maybe.que piensas?
     
  25. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,255
    Location:
    Pennsylvania.
    If its a java based keylogger won't noscript protect against ito_O
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.