Sandboxie: Forced Programs & Folders

Discussion in 'sandboxing & virtualization' started by TheKid7, Aug 29, 2011.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Sandboxie 3.58
    Windows XP Pro SP3 32 bit

    3rd Party Software:

    WMPlayer (Windows Media Player)
    Foxit Reader

    I have multiple sandboxes, two of which are FoxitReader & WMPlayer. I have Internet Access, Start/Run Access & DropRights enabled in both sandboxes. In the Foxit Reader Sandbox only Foxit Reader.exe is allowed Internet Access & Start/Run Access. In the WMPlayer sandbox only WMPlayer.exe is allowed Internet Access & Start/Run Access.

    Questions:

    1. If I run an untrusted 'non-exe' file (i.e., pdf, wmv, wma, mp3, etc.) and the program which, by default, opens that file is a "Forced Program", am I fully protected by that sandbox?

    2. Would it be better (Safer) to have a dedicated folder for each untrusted file type and use a "Forced Folder" for each sandbox?

    Thanks in Advance.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If you have a program such as foxit as the default reader, and it is in a sandbox, then any file that foxit opens becomes sandboxed. So from an "am I still protected" standpoint, yes, you are, and always will be.

    Where you would not be is if you opened a .pdf file with a different reader, maybe like adobe reader, and that program was not sandboxed. Most of the time though you have a file type association for the default program, and you would be aware if adobe suddenly opened the file rather than foxit.

    One nice aspect of SBIE that I appreciate is that once you force a program, any file, anywhere, that uses that program is run in a sandbox. You don't have to have explicit directories for specific activities. You can if you want, but don't need to generically. Doing what you suggest, creating a specific directory for certain file types, in my mind is helpful to you, so that you understand what runs from where, but if it is sandboxed, it should not matter which sandbox it runs in if settings are the same.

    Sul.
     
  3. wat0114

    wat0114 Guest

    Sorry, I don't mean to hijack this thread, but I have a question that is relevant to your statement, Sully:

    is this why after I set up the sandbox for two browsers, Chrome & IE, that I have had several "1308" pop-ups for processes such as rundll32.exe, winword.exe, and notepad.exe that required Start/Run access? I have allowed them as well as a couple others, trusted, known processes of course.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am uncertain about error 1308, but it sounds correct.

    When you set up a sandbox that restricts executions, you see things of this nature IF they are child processes of the parent (the browser). If you were to sandbox kmeleon, you would see no other prompts by default. If you were to sandbox firefox, you would by default most likely see one of these (I cannot recall what it is, plugins container or something like that).

    SBIE is telling you it blocked a different process that tried to start, and most likely it is because of a plugin or extension you use. If you have the adobe reader working within the browser, then you need to make an exception if you expect to view .pdf files in the browser. If you don't use that feature, you might still get the error come up because the browser is trying to open adobe reader to view the .pdf although it is not doing it from the browser but trying to start the adobe reader program separately.

    When you create your sandbox with execution restrictions, it is perhaps a good idea to include not just the browser, but the other items you expect to run in the sandbox along with the browser. I have done this in the past, things like a .pdf reader would be allowed, and for a time I used a download manager with kmeleon that I allowed to run. This gets rid of such prompts, but you do have to trust or understand what you are allowing.

    If you allow foxit reader, maybe you trust that. If you are paranoid about java or flash, maybe you don't allow that. It really depends a lot on individual circumstances, but what you say is correct I believe.

    Sul.
     
  5. wat0114

    wat0114 Guest

    Thanks Sully,

    I think you are right, that these are processes somehow spawned by the main, forced sandboxed programs in question. Upon initial set up of the sandbox, I really had no idea what else would need to be allowed in the Start/Run access setting, but it's very easy to do, especially in this latest 3.58 version, where simply double-clicking the entry in the pop-up box places it in the Start/Run access config :)

    Edit - what I have in this group:

    ProcessGroup=<StartRunAccess>,chrome.exe,iexplore.exe,googleupdate.exe,GoogleCrashHandler.exe,SuRun.exe,rundll32.exe,notepad.exe,WINWORD.EXE,explorer.exe
     
    Last edited by a moderator: Aug 29, 2011
  6. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Thank You.

    Another Question:

    I have saved the Sandboxie configuration file from one PC and want to load it into Sandboxie on another newly set up PC. Both PCs have Windows XP Pro SP3 and will have the same programs sandboxed. The only difference that I can think of is drive letters, but that will be simple to change in Sandboxie.

    For the newly set up PC, how do you properly load the Sandboxie configuration file that was saved from another PC? Is it simply a matter of using the Sandboxie text editor, opening the configuration file and clicking Save?

    Thanks in Advance.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Why would you need to allow explorer.exe in the browser sandbox? :doubt: Is it to save files? If it is, you don't need to add it.

    Damn... I'm intrigued... :D
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I rarely use the GUI to set up my sandboxes, only for quick test settings. I use the .ini all the time.

    Make a copy of your .ini file. Open the copy in notepad. Modify any paths you might need or variables. Usernames and that sort of stuff. Then open SBIE, copy all your custom settings, or the whole thing. Save, and it should be the same as the original machine.

    At least, that is how I have always done it.

    Sul.
     
  9. wat0114

    wat0114 Guest

    You know, I can't remember what triggered the 1308 pop-up for it. It certainly was not malicious, but it did, so I saw no harm in adding it (it does not get Internet access), because it's the usual parent process to others, and of course I don't want things to break. So my reasoning is that with it added it will facilitate future actions similar to what I did that needed it in the first place.

    Now, since you, being a far more experienced SB user than I, advise it's not needed, I will remove it post haste :D and if it triggers a pop-up again I will pay more attention to what caused it in the first place :)
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I just don't ever recall Sandboxie complaining about explorer.exe... :doubt: Could it have been a bug that existed at some point triggering it?

    Other folks may as well say whether or not they ever needed to allow explorer.exe. I never had to, and never experienced issues. But, I like things quite silent, so I disable error messages in some sandboxes. But, if explorer.exe needed access, I believe something would have failed, at some point in time.
     
  11. wat0114

    wat0114 Guest

    It's possible, I suppose. I wish I could remember what triggered it. It was yesterday, maybe something SuRun-related; sometimes I elevate explorer via SuRun's right-click context menu and there could have been a sandboxed folder I did this on?? Hmmm, beats me, but I'll keep it in mind if it happens again and let you know.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I suppose the SuRun thing makes sense. Otherwise, I don't see how explorer.exe would need access in the sandbox.
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    @TheKid7,
    On my Foxit sandbox, only Foxit is allowed start/run, with no access to the Internet. I see you are allowing Foxit to have access to the Internet; maybe you'd like to change that. The only time that I allow Foxit any access to the Internet is when it gets updated, and that's out of the sandbox. I really can't see any reason why to allow Foxit to connect.

    On my WMP sandbox, basically I do the same. Only WMP can run, and Internet is not allowed.

    On both of these sandboxes I disable SBIE messages, as they are the only programs that those boxes are created for.

    I like SBIE messages, and even though I disable them for those boxes, it's better to enable them for most sandboxes, as they will tell you when a program that's not allowed to start/run/connect wants to.

    @wat0114
    You got 1308 when notepad and/or winword wanted to start and run but they could not because you had a restriction. Unless you are opening Word or Notepad files often when browsing, I would not allow them to run in my browser sandbox. Same with explorer.

    Bo
     
  14. wat0114

    wat0114 Guest

    Thanks, bo elam!

    I will remove winword and notepad as well, then.
     
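The thread ends with wat0114 trimming the Start/Run allow-list that was pasted in post 5. The script below is an added example, not code from the thread or from Sandboxie: it reads a Sandboxie.ini-style text (a constructed sample containing that exact ProcessGroup line), reports which sandboxes allow generic process hosts such as rundll32.exe or explorer.exe in <StartRunAccess> (the host list is an assumption, not a Sandboxie setting), and rewrites a box's line without the entries you decide to drop, the way the posters did by hand.

```python
"""Audit and prune the <StartRunAccess> group of each sandbox in a Sandboxie.ini."""
from collections import defaultdict

# Constructed sample in Sandboxie.ini format. The DefaultBox line is the one
# quoted in the thread; the other sections are assumed for illustration.
SAMPLE_INI = """
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[DefaultBox]
ProcessGroup=<StartRunAccess>,chrome.exe,iexplore.exe,googleupdate.exe,GoogleCrashHandler.exe,SuRun.exe,rundll32.exe,notepad.exe,WINWORD.EXE,explorer.exe

[FoxitReader]
ForceProcess=FoxitReader.exe
ProcessGroup=<StartRunAccess>,FoxitReader.exe
"""

# Assumed list of generic hosts: once allowed to start, they run whatever they
# are handed, so they quietly widen a Start/Run restriction.
GENERIC_HOSTS = {"rundll32.exe", "explorer.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def parse_process_groups(ini_text):
    """Return {sandbox: {group: [members]}} from every ProcessGroup= line (duplicates merge)."""
    groups = defaultdict(dict)
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        if section is None or key.strip().lower() != "processgroup":
            continue
        name, _, members = value.partition(",")
        bucket = groups[section].setdefault(name.strip(), [])
        bucket.extend(m.strip() for m in members.split(",") if m.strip())
    return dict(groups)


def audit_start_run(ini_text, hosts=GENERIC_HOSTS):
    """Return {sandbox: sorted generic hosts found in its <StartRunAccess> group}."""
    findings = {}
    for box, groups in parse_process_groups(ini_text).items():
        flagged = sorted({m for m in groups.get("<StartRunAccess>", []) if m.lower() in hosts})
        if flagged:
            findings[box] = flagged
    return findings


def drop_start_run_entries(ini_text, box, drop):
    """Return the ini text with the named programs removed from `box`'s <StartRunAccess> line."""
    drop = {d.lower() for d in drop}
    out, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == box and line.lower().startswith("processgroup=<startrunaccess>"):
            key, _, value = raw.partition("=")
            parts = [p.strip() for p in value.split(",")]
            raw = key + "=" + ",".join([parts[0]] + [p for p in parts[1:] if p and p.lower() not in drop])
        out.append(raw)
    return "\n".join(out)
```

Running `audit_start_run(SAMPLE_INI)` flags DefaultBox for rundll32.exe and explorer.exe; `drop_start_run_entries` then produces the text to paste back into Sandboxie's configuration editor.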