Sandboxie Question

Discussion in 'sandboxing & virtualization' started by n8chavez, Mar 16, 2008.

Thread Status:
Not open for further replies.
  1. n8chavez, Registered Member (Joined: Jul 19, 2003; Posts: 2,305; Location: Location Unknown)

    Is it possible to set up a sandbox so that only a certain list of apps can access the internet? I know it is possible to make things so that only one app can access the internet, but that would make it impossible to use any other app that was spawned off that process; I'm thinking specifically of Amazon's mp3 downloader, which gets its instructions from Opera.
     
  2. MikeNAS, Registered Member (Joined: Sep 28, 2006; Posts: 697; Location: FiNLAND)

    With the newest version you can add more than one program with the GUI (just repeat add by name/file), but here is the code if you'd like to paste it into the ini file.


    [GlobalSettings]

    ProcessGroup=<internet>,firefox.exe,opera.exe etc.

    Then add this to sandboxie rules:

    ClosedFilePath=!<internet>,\Device\RawIp
    ClosedFilePath=!<internet>,\Device\Ip*
    ClosedFilePath=!<internet>,\Device\Tcp*
    ClosedFilePath=!<internet>,\Device\Afd*

    You can build as many ProcessGroups as you like and use any name.
     
  3. n8chavez, Registered Member (Joined: Jul 19, 2003; Posts: 2,305; Location: Location Unknown)

    Thanks very much! That was just what I needed. BTW, I guess I should have looked at the sandboxie forum first, where I would have found this thread.
     
  4. n8chavez, Registered Member (Joined: Jul 19, 2003; Posts: 2,305; Location: Location Unknown)

    Here's another one that I posted at the Sandboxie forums which has yet to receive a response.

     
  5. muf, Registered Member (Joined: Dec 30, 2003; Posts: 926; Location: Manchester, England)

    Yes, it's surely handy this feature. I've now got a sandbox specifically for Outlook Express where only OE and IE have internet access. This way I can click a link in an OE e-mail and it opens up IE and goes to the relevant page. Previously, with the option to have one application (in this case OE) as the only application with permission to access the net, all I got was the good old "The page cannot be displayed". I was having to copy the link from OE and paste it into my sandboxed browser.

    muf
     
  6. EASTER, Registered Member (Joined: Jul 28, 2007; Posts: 5,634; Location: U.S.A. (South))

    So what exactly is the purpose of adding the asterisks after those lines?

    Please specify.

    Thanks
     
  7. MikeNAS, Registered Member (Joined: Sep 28, 2006; Posts: 697; Location: FiNLAND)

    [DefaultBox]
    OpenFilePath=C:\Downloads\
    OpenFilePath=*.eml
    OpenFilePath=iexplore.exe,%Favorites%
    OpenFilePath=msimn.exe,*.eml

    When reviewing these examples, keep in mind that Sandboxie places a wildcard star at the end of the value, unless a star already appears anywhere in the value. So for example, C:\Downloads\ becomes C:\Downloads\*, while *.eml remains unchanged.

    Wildcard stars are used to specify patterns with variable, unknown parts. For example, a.eml matches only that one file, whereas *.eml matches a.eml, test.eml, important message.eml and so on. But note that neither form matches a.txt.

    The first example setting specifies that any files (or folders) created in the folder C:\Downloads (and in any folder below it) will not be sandboxed. Note that the final backslash character is important, because a star will be placed at the end of the string.

    The second example shows how wildcards can be used to exempt *.eml files from sandboxing, regardless of where they are created. .eml files are typically created by Outlook and Outlook Express, when a message is explicitly saved to disk.

    The third example setting specifies that the Favorites folder of the active user account should be exempted. This means that new Favorite shortcuts will be added outside the sandbox. In this example, a ProgramNamePrefix is used, so the setting only applies to the Internet Explorer program, iexplore.exe.

    The fourth example combines the previous two examples, by showing a path containing a wildcard, applied only to a specific program.

    Note: For security reasons, this setting does not apply when the program executable file resides within the sandbox. This means that (potentially malicious) software downloaded into your computer and executed, cannot take advantage of this setting.

    EDIT: More information http://sandboxie.com/phpbb/viewtopic.php?t=2756&highlight=device
     
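The wildcard rule quoted in post 7 and the ProcessGroup/ClosedFilePath settings from post 2 can be modeled together. This is an added example, not part of the thread and not Sandboxie's own code. It assumes `*` is the only wildcard, that matching ignores case, and that the text before the first comma is the program prefix; `downloader.exe` is a made-up name.

```python
import re

def normalize(pattern):
    # Documented behaviour: a star is appended unless one already appears anywhere.
    return pattern if "*" in pattern else pattern + "*"

def path_matches(pattern, path):
    # Assumption: '*' is the only wildcard and matching ignores case.
    regex = ".*".join(re.escape(p) for p in normalize(pattern).split("*"))
    return re.fullmatch(regex, path, re.IGNORECASE) is not None

def parse_process_group(value):
    # "<internet>,firefox.exe,opera.exe" -> ("<internet>", {"firefox.exe", "opera.exe"})
    name, *members = [item.strip().lower() for item in value.split(",")]
    return name, set(members)

def rule_applies(value, groups, program, path):
    # Assumption: the text before the first comma is the program name prefix.
    prefix, sep, pattern = value.partition(",")
    if not sep:
        return path_matches(value, path)       # no prefix: rule covers every program
    negated = prefix.startswith("!")           # "!" means "every program except"
    name = prefix.lstrip("!").lower()
    members = groups.get(name, {name})         # a group name or a single executable
    in_scope = (program.lower() in members) != negated
    return in_scope and path_matches(pattern, path)

# Constructed configuration mirroring the rules posted in this thread.
GROUPS = dict([parse_process_group("<internet>,firefox.exe,opera.exe")])
CLOSED = [
    r"!<internet>,\Device\RawIp",
    r"!<internet>,\Device\Ip*",
    r"!<internet>,\Device\Tcp*",
    r"!<internet>,\Device\Afd*",
]

def is_blocked(program, device_path):
    return any(rule_applies(r, GROUPS, program, device_path) for r in CLOSED)

if __name__ == "__main__":
    for exe in ("opera.exe", "downloader.exe"):   # downloader.exe is a made-up name
        for dev in (r"\Device\Tcp", r"\Device\Afd\Endpoint", r"\Device\RawIp6"):
            print(f"{exe:15} {dev:22} blocked={is_blocked(exe, dev)}")
```

In this model a helper spawned by a browser stays blocked until its executable name is added to the `<internet>` group, which is the situation the opening question describes.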
  8. EASTER, Registered Member (Joined: Jul 28, 2007; Posts: 5,634; Location: U.S.A. (South))

    Thanks MikeNAS

    It's a fact that thanks to some of your own findings and sharing them in discussion, I've been able to finally wrap my head around Sandboxie settings much more effectively.

    The registry additions have been a great boost!
     
  9. Huupi, Registered Member (Joined: Sep 2, 2006; Posts: 2,024)

    Hey Easter, I thought you were raised within good old DOS !?! :eek:
     
  10. MikeNAS, Registered Member (Joined: Sep 28, 2006; Posts: 697; Location: FiNLAND)

    You're welcome!
     