Sandboxie Pro questions

I'm now using Sandboxie Pro but Digsby won't seem to work with it. I get an error that it can't access digsby-app.exe.log.

I've tried giving direct, read-only, and even full access to the entire C:\program files\ digsby folder but nothing.

I may also have other questions >_>

 

What? You're using the paid version? WTG!

Okay, your question... does this help?

Or this?

 

Haha, yes, paid.

Unfortunately that person is having a separate issue =\

EDIT: Ah, reading teh edit.

EDIT2: Just as a test I gave "full access" to the C drive. That solved it - but obviously it's not a great solution. I tried full access to the Digsby folders but it didn't work.

More experimenting to do.

EDIT3: Direct access to C\ works too. Not Read-Only. I guess that means it's writing something.

EDOT4: narrowing it down...

 

Solved I needed to add both the program files folder AND the virtualroot folder created by Comodo, which is also sandboxing digsby.

 

Why would you double sandbox Digsby? I don't get it?

 

I had it sandboxed already by Comodo. Now I have it sandboxed twice I guess o_o

I'm still deciding whether or not to remove Comodo or if I should simply use both at the same time.

I made another topic about this =p

https://www.wilderssecurity.com/showthread.php?t=306775

 

I personally think its unnecessary but its your choice.

 

It seems that if I run Java in a Sandboxed Chrome I need to allow Java to run in that sandbox and can't use a separate sandbox for it.

By sandboxing further with Comodo I keep Java isolated. Or at least that's how it seems.

 

Although an older thread, there are many informative posts in it on how to configure Sandboxie securely. Even if you just read the posts by ssj100 and an excellent one by Sully here who gives a nice example explaining the config file entries for his configuration, you will gain valuable insight on the product.

 

Thank you.

 

You're welcome and I hope it helps.

BTW, I don't use Sandboxie any more, as you know but I checked my saved config file and I don't have java in it anywhere, even though I have chrome.exe sandboxed via FQP (fully qualified path). Clearly I'm no expert on the product, so I can't offer any explanation as to why.

Code:

[Web_Browser_Sandbox]
ConfigLevel=7
AutoRecover=y
Template=Chrome_Preferences_DirectAccess
Template=Chrome_History_DirectAccess
Template=Chrome_Bookmarks_DirectAccess
Template=Chrome_Force
Template=IExplore_Favorites_RecoverFolder
Template=IExplore_Favorites_DirectAccess
Template=IExplore_Force
Template=AutoRecoverIgnore
Template=Firefox_Phishing_DirectAccess
Template=LingerPrograms
Template=BlockPorts
RecoverFolder=L:\user_name\Downloads
RecoverFolder=C:\Users\user_name\Downloads
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
BorderColor=#00FFFF,off
Enabled=y
BoxNameTitle=y
ForceFolder=C:\Users\user_name\AppData\Local\Google\Chrome\Application\chrome.exe
ForceFolder=C:\Program Files (x86)\Internet Explorer
NotifyInternetAccessDenied=y
ProcessGroup=<StartRunAccess>,chrome.exe,iexplore.exe,googleupdate.exe,GoogleCrashHandler.exe,SuRun.exe,rundll32.exe
ProcessGroup=<InternetAccess>,chrome.exe,iexplore.exe,GoogleUpdate.exe
NotifyStartRunAccessDenied=y
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedIpcPath=!<StartRunAccess>,*

 

Did you ever run Java?

EDIT: I'm currently trying to sandbox other programs - specifically ones that ever need admin or ones that touch the internet.

 

You know, I can't remember if I did or not the few days I used SB with Chrome sandboxed?? For kicks I will fire up the vm and try it out.

 

Haha, alright. Let me know if you manage to separate the two. I don't think it's possible but I've managed to sandbox java alone with Comodo.

 

Confirmed, I had to allow java.exe both start/run access and Internet access, and jp2launcher.exe only start/run access.

*Edit" tried separating the two but it won't work just as you encountered. It seems java entries have to be included in the chrome sandbox.

 

Yeah, I figured. That's why I like using Comodo too.

 

If someone sends me a link in Digsby can I make it open in the Chroem sandbox?

 

One option you might choose to employ is to create a sandbox for a browser(s), and anticipate it will not be deleted very often. You can then install java or flash, or whatever, into that sandbox. Now you have easily kept java/flash usable but segregated. When/if you delete this box, you would have to install java/flash again, but that is not too extensive really.

I have been installing java on my system because I have been using some web interfaces to different products like routers and NAS, which require java for some specific features. However, only certain sandboxes (really that means certain browsers for me) are allowed to use it. Until there is a true breakout of sandboxie by something, I don't know that dual sandboxing is really going to benefit you.

Right now I have been using Integrity Levels on my browsers, along with sandboxie. As an admin with UAC off, it is problem free, and from everything I have ever tested it against, it poses no security risk as long as you understand what is going on within the sandbox (like keyloggers etc). My sandbox rules prevent this anyway, just noting that you still have to be aware of what happens within the sandbox if you use default settings.

There are so many ways to utilize 3rd party tools in conjunction with what is available in the OS. I try to get along without 3rd party tools, especially noisy ones that ask a lot of questions or need many answers or that are really resource intensive. Some like geswall or other tools, which do things differently than sandboxie. But for me, sandboxie, configured to my desired specifications, is currently offering everything I need in security with the only thing left for me to deal with being executing a downloaded file in the real system.

Hungry Man, you might take a look at Busters Sandbox Analyzer.

After you get your feet wet, you may well decide to keep sandboxie. I would recommend you dig a little deeper into the .ini file and syntax. You can do more in there than in the GUI, IMHO.

Sul.

 

I'll look into it Sully, thank you.

Definitely still configuring and tweaking. I'm sure I'll move onto more than just the GUI soon.

 

I know that you run tools to inform/protect your, most of which would monitor things globally. I did not want such things running, but did want to maintain system integrity, so I changed how I do things and compartmentalized how I use sandboxie. I use many sandboxes, each for a specific program and purpose. I really like knowing how things are going to interact, or rather not interact, both in sandboxes and in the real system.

I would encourage anyone playing with sandboxie paid to try different sandboxes for different purposes/programs, and see what they can come up with. Using one or many sandboxes is neither good nor bad, rather using what you need is best.

Sul.

 

I don't like the idea of switching sandboxies, that's the main issue. I'd much prefer a single dedicated sandbox for each program. I want to forget I have Sandboxie installed in a sense - or at least have the ability to.

 

That is pretty much how I feel. Using SBIE for just about everything, can
be done with very little thinking required. In a way, it becomes automatic.

Bo

 

Yeah, I want my sandboxes to be set up with ease of use in mind but as long as each one has its own configured settings I think the security benefits will be very great.

 

Just take your time. You don't need to create or configure all your sandboxes
in one day. Do it along the way.

Bo

 

Oh, for sure. I think I've got it set up as well as I need it to be.

Just still learning =p