Sandboxie: Forced Programs & Folders

Sandboxie 3.58
Windows XP Pro SP3 32 bit

3rd Party Software:

WMPlayer (Windows Media Player)
Foxit Reader

I have multiple sandboxes, two of which are FoxitReader & WMPlayer. I have Internet Access, Start/Run Access & DropRights enabled in both sandboxes. In the Foxit Reader Sandbox only Foxit Reader.exe is allowed Internet Access & Start/Run Access. In the WMPlayer sandbox only WMPlayer.exe is allowed Internet Access & Start/Run Access.

Questions:

1. If I run an untrusted 'non-exe' file (i.e., pdf, wmv, wma, mp3, etc.) and the program which, by default, opens that file is a "Forced Program", am I fully protected by that sandbox?

2. Would it be better (Safer) to have a dedicated folder for each untrusted file type and use a "Forced Folder" for each sandbox?

Thanks in Advance.

 

If you have a program such as foxit as the default reader, and it is in a sandbox, then any file that foxit opens becomes sandboxed. So from a "am I still protected" standpoint, yes, you are, and always will be.

Where you would not be is if you opened a .pdf file with a different reader, maybe like adobe reader, and that program was not sandboxed. Most of the time though you have a file type association for the default program, and you would be aware if adobe suddenly opened the file rather than foxit.

One nice aspect of SBIE that I appreciate is that once you force a program, any file, anywhere, that uses that program is run in a sandbox. You don't have to have explicit directories for specific activities. You can if you want, but don't need to generically. Doing what you suggest, creating a specific directory for certain file types, in my mind is helpful to you, so that you understand what runs from where, but if it is sandboxed, it should not matter which sandbox it runs in if settings are the same.

Sul.

 

Sorry, I don't mean to hijack this thread, but I have a question that is relevant to your statement, Sully;

is this why after I set up the sandbox for two browsers, Chrome & IE, that I have had several "1308" pop-ups for processes such as rundll32.exe, winword.exe, and notepad.exe that required Start/Run access? I have allowed them as well as a couple others, trusted, known processes of course.

 

I am uncertain about error 1308, but it sounds correct.

When you set up a sandbox that restricts executions, you see things of this nature IF they are child processes of the parent (the browser). If you were to sandbox kmeleon, you would see no other prompts by default. If you were to sandbox firefox, you would by default most likely see one of these (I cannot recall what it is, plugins container or something like that).

SBIE is telling you it blocked a different process that tried to start, and most likely it is because of a plugin or extension you use. If you have the adobe reader working within the browser, then you need to make an exception if you expect to view .pdf files in the browser. If you don't use that feature, you might still get the error come up because the browser is trying to open adobe reader to view the .pdf although it is not doing it from the browser but trying to start the adobe reader program separately.

When you create your sandbox with execution restrictions, it is perhaps a good idea to include not just the browser, but the other items you expect to run in the sandbox along with the browser. I have done this in the past, things like a .pdf reader would be allowed, and for a time I used a download manager with kmeleon that I allowed to run. This gets rid of such prompts, but you do have to trust or understand what you are allowing.

If you allow foxit reader, maybe you trust that. If you are paranoid about java or flash, maybe you don't allow that. It really depends a lot on individual circumstances, but what you say is correct I believe.

Sul.

 

Thanks Sully,

I think you are right, that these are processes somehow spawned by the main, forced sandboxed programs in question. Upon initial set up of the sandbox, I really had no idea what else would need to be allowed in the Start/Run access setting, but it's very easy to do, especially in this latest 3,58 version, where simply double-clicking the entry in the pop-up box places it in the Start/Run access config

Edit - what I have in this group:

ProcessGroup=<StartRunAccess>,chrome.exe,iexplore.exe,googleupdate.exe,GoogleCrashHandler.exe,SuRun.exe,rundll32.exe,notepad.exe,WINWORD.EXE,explorer.exe

 

Thank You.

Another Question:

I have saved the Sandboxie configuration file from one PC and want to load it into Sandboxie on another newly setup PC. Both PC's have Windows XP Pro SP3 and will have the same programs sandboxed. The only difference that I can think of are drive letters, but that will be simple to change in Sandboxie.

For the newly setup PC, how do you properly load the Sandboxie configuration file that was saved from another PC? Is it simply use the Sandboxie text editor, open the configuration file and click Save?

Thanks in Advance.

 

Why would you need to allow explorer.exe in the browser sandbox? Is it to save files? If it is, you don't need to add it.

Damn... I'm intrigued...

 

I rarely use the GUI to setup my sandboxes, only for quick test settings. I use the .ini all the time.

Make a copy of your .ini file. Open the copy in notepad. Modify any paths you might need or variables. Usernames and that sort of stuff. Then open SBIE, copy all your custom settings, or the whole thing. Save, and it should be the same as the original machine.

At least, that is how I have always done it.

Sul.

 

You know, I can't remember what triggered the 1308 pop-up for it, it certainly was not malicious, but it did so I saw no harm in adding it (it does not get Internet access) because it's the usual parent process to others, and of course I don't want things to break so my reasoning is that with it added it will facilitate future actions similar to what I did that needed it in the first place.

Now, since you, being a far more experienced SB user than I advises it's not needed, I will remove it post hate and if it triggers a pop-up again I will pay more attention to what caused it in the first place

 

I just don't ever recall Sandboxie complaining about explorer.exe... Could it have been a bug that existed at some point triggering it?

Other folks may as well say whether or not they ever needed to allow explorer.exe. I never had to, and never experienced issues. But, I like things quite silent, so I disable error messages in some sandboxes. But, if explorer.exe needed access, I believe something would have failed, at some point in time.

 

It's possible, I suppose. I wish I could remember what triggered it. It was yesterday, maybe something Surun-related; sometimes I elevate explorer via SuRun's right-click context menu and there could have been a sandboxed folder I did this on?? Hmmm, beats me, but I'll keep it in mind if it happens again and let you know.

 

I suppose the SuRun thing makes sense. Otherwise, I don't see how explorer.exe would need access in the sandbox.

 

@The Kid7,
On my Foxit sandbox, only Foxit is allowed start/run with no access
to the internet. I see you are allowing Foxit to have access to the
internet, maybe you like to change that. The only time that I allow
Foxit any access to the Internet is when it gets updated and thats
out of the sandbox. I really cant see any reason why to allow Foxit
to connect.

On my WMP sandbox, basically I do the same. Only WMP can run
and internet is not allowed.

On both of this sandboxes I disable SBIE messages as they are the
only programs that those boxes are created for.

I like SBIE messages and even though I disable them for those boxes,
its better to enable them for most sandboxes as they will tell you
when a program that's not allowed start/run/connect, wants to.

@wat0114
You got 1308 when notepad and/or winword wanted to start and run
but they could not because you had a restriction. Unless you are
opening word, notepad files often, when browsing, I would not allow
them to run on my browser sandbox. Same with explorer.

Bo

 

Thanks, bo elam!

I will remove winword and notepad as well, then.