sandboxie question

Discussion in 'sandboxing & virtualization' started by stephenjg_2001, Jan 30, 2011.

Thread Status:
Not open for further replies.
  1. John Bull (Registered Member; joined Nov 22, 2009; posts: 904; location: London UK)

    @ albsat

    Take note of bo elam (post 50); he is one of the Forum's SBxie experts.
    In harmony with a few others here, the advice he gives is far better than you would ever get from the SBxie Forum. I know, I have been there.

    John
     
  2. trjam (Registered Member; joined Aug 18, 2006; posts: 9,102; location: North Carolina USA)

    Sandboxie is very configurable, but Sandboxie doesn't have to be very configurable to be secure.
     
  3. bo elam (Registered Member; joined Jun 15, 2010; posts: 6,147; location: Nicaragua)

    SBIE on default settings is very strong. None of my friends that are using SBIE get infected anymore, even though all of them are using SBIE with default settings. None have a hardened sandbox. They don't even know that the sandbox can be hardened, but hardening/configuring the sandbox makes it a lot harder to get infected. I run as an administrator and just by ticking the Drop my rights setting, in my case, my security is hugely increased, and that's only one change.

    A hardened sandbox allows us to run with a signature like yours and still be safe.

    Bo
     
  4. Sully (Registered Member; joined Dec 23, 2005; posts: 3,719)

    If I may ask, what do you feel the "drop rights" setting gives you in way of extra security within the sandboxed environment?

    Further, if one were to "harden" the sandbox, let's say at a "medium aggression level", what then would drop rights give you?

    I understand exactly what it does, and how it does it, and why it is there. I am wondering though, in your opinion, what do you feel it does for you?

    Sul.
     
  5. bo elam (Registered Member; joined Jun 15, 2010; posts: 6,147; location: Nicaragua)

    I believe that enabling Drop my rights makes it harder for malware in the sandbox to run; otherwise it would do its thing within the sandbox.

    I guess what you are saying is that restricting the sandbox is not needed if Drop my rights is enabled. Probably you are right, I don't know, but having the restrictions on top of Drop my rights might make it a little harder for malware to escape the sandbox. It could make the difference; if not, then why are they available?

    Bo
     
  6. Sully (Registered Member; joined Dec 23, 2005; posts: 3,719)

    Oh yes, I don't dispute any of those facts. I am most certainly not hinting that one should or should not use that feature. I was just curious why YOU would use it, as you understand it pretty well.

    While I do restrict my sandbox with a "few" customizations, I don't personally do much in a sandbox that I have to lose or get stolen. If I want to do things of a secure nature, I use a sandbox and a browser that are both devoted to that one purpose, and then delete the contents of the sandbox. I can understand if one uses a sandbox every day, doing normal activities, but was curious if that is what you do, or you just use the drop rights in general because you can :)

    Sul.
     
  7. Sully (Registered Member; joined Dec 23, 2005; posts: 3,719)

    Only the author understands why he made it that way, what purpose he had in mind at design time. But we can give our own "usage opinions", can't we ;)

    As we know, the purpose of DropRights is to strip the admin portions out of an admin token, leaving only user credentials. This only affects the processes within the sandbox, of course. The idea is that you restrict what happens inside the sandbox as if you were a user, so certain areas within the sandbox are read only or off limits, and if a malware process were started, only the areas normally available to a user would be accessible inside the sandbox environment. It is mimicking a user environment.

    While this is all good, if one looks at the simple option to DropRights within the sandbox, they might think that is enough, to have the sandbox environment behaving exactly as a real LUA environment would. But the extra features, the other config options, why would they need to exist?

    I like Sandboxie quite a bit (as you might know ;) ), and I love the fact that it is so configurable. If one uses Drop Rights, there are still, within the sandbox environment, areas that might be 'vulnerable', even to a user. For example, the auto-start registry locations and even the 'startup' directory. While DropRights would stop HKLM registry modifications, the autostart locations in HKCU would still be available for modifications because a user has rights there. Yes, this is a virtual registry hive within the sandbox, but you can, through the extra settings in Sandboxie, easily apply read only or deny to things like HKCU autostart locations, as well as about anything else you like. All of this without modifying the rights and permissions like you would do in the real OS. I love that part, just love it. So easy.

    If one stands back, from a good distance, and really examines Sandboxie, and how it really works at different levels and from different angles, it is quite an amazing product. So powerful, yet also so easy to use by so many. It is icing on the cake IMHO that it allows some serious tweaking to allow even hardcore geeks like many of us here to really take advantage of it to the fullest.

    Sul.
     
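    The combination Sully describes (Drop my rights plus read-only HKCU autostart locations and the Startup folder) can be written directly into Sandboxie.ini. This is an added example, not a configuration from the thread or from the Sandboxie project; the box name "Hardened" and the exact Startup folder path are assumptions, while DropAdminRights, ReadKeyPath, ReadFilePath and AutoDelete are Sandboxie's documented setting names.

```ini
; Added example (not from the thread): hardening one box beyond Drop my rights.
; Box name "Hardened" is an assumption; rename to suit.
[Hardened]
Enabled=y

; "Drop my rights": strip the admin portions from the token of every
; process started in this box, so sandboxed code runs with user rights only.
DropAdminRights=y

; Per-user autostart keys stay readable but not writable inside the box,
; so a sandboxed process cannot register itself to run at the next logon.
; (DropAdminRights alone does not block these, because a user owns HKCU.)
ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

; Same treatment for the per-user Startup folder.
; Path is an assumption for Vista/7-style profiles; adjust for your OS.
ReadFilePath=%AppData%\Microsoft\Windows\Start Menu\Programs\Startup

; Discard the box contents when the last sandboxed program closes.
AutoDelete=y
```

    Restricting only the autostart locations, rather than whole registry branches, keeps programs runnable inside the box, which matters given the later report that making the main branches read-only stops everything from running.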
  8. albsat (Registered Member; joined Feb 10, 2011; posts: 51)

    Thanks Bo for the confirmation. This is exactly what I have been doing. I use Sandboxie free for Firefox and Windows Explorer. I know that Sandboxie free has some limitations.

    Final doubts. Sandboxie free does not allow multiple sandboxes. I was thinking whether this limitation could be "bypassed" by using different settings for the default sandbox via command lines. For example, you could start Internet Explorer sandboxed for online banking and have the setting delete content in this sandbox. After closing it you could start Firefox sandboxed for browsing with the option do not delete content. I can set Sandboxie to not delete the content by default.

    For example for Internet explorer:

    "C:\Program Files\Sandboxie\Start.exe" iexplorer.exe delete_sandbox_phase1

    then for firefox just starting by using this command:

    "C:\Program Files\Sandboxie\Start.exe" firefox.exe

    My question is: After closing Firefox, is the Sandbox folder still isolated while there is no sandboxed program running?
     
  9. sindbad (Registered Member; joined Jan 8, 2011; posts: 17)

    Without un-checking "drop my rights" in an x64 environment, Sandboxie doesn't work. However, one could say to stick only to an x32 environment, but that is saying don't adapt to the future.

    The x128 environments shouldn't be far from now. It is around the corner.

    Best regards,

    KOR!
     
  10. PJC (Very Frequent Poster; joined Feb 17, 2010; posts: 2,959; location: Internet)

    Indeed, SB is a 'Set & Forget' Security solution aimed at users who lack knowledge and expertise.
    As far as the ones who like experimentation/configuration, SB offers countless options.
     
  11. John Bull (Registered Member; joined Nov 22, 2009; posts: 904; location: London UK)

    I don't know what all that means, but SBxie is the best security device you can get. With SBxie you are as secure as you can possibly be. All the other security programs are insignificant. Even so-called independent assessors hate SBxie because it is practically infallible and upsets their little security assessment games in measuring security program deficiencies. They just cannot bust it.
     
  12. moontan (Registered Member; joined Sep 11, 2010; posts: 3,931; location: Québec)

    I don't know about your financial situation, but if you have some spare cash the lifetime license is one hell of a bargain and a very good way to support the developer.
     
  13. albsat (Registered Member; joined Feb 10, 2011; posts: 51)

    You are right. This should be the correct approach. I am strongly thinking about it. However, 29 euros is really expensive where I live. That is why I am trying to squeeze the maximum from the free version.
     
  14. moontan (Registered Member; joined Sep 11, 2010; posts: 3,931; location: Québec)

    You could always try to contact Tzuk and ask for a discount, explaining your situation.
    You never know...
     
  15. Acadia (Registered Member; joined Sep 8, 2002; posts: 4,332; location: US)

    I've said this before so please forgive me for repeating: If someone held a gun to my head and said "You have to remove all of your security programs from your PC except for just one that you will be allowed to keep", the one that I would keep would be SandboxIE. I would feel truly naked surfing without it. ;)

    Acadia
     
  16. moontan (Registered Member; joined Sep 11, 2010; posts: 3,931; location: Québec)

    You're right m8! :)
    Look at my sig, Sandboxie is the only real-time app I use.

    I don't feel like I really need anything else.
    I scan downloads with an AV and run a full system scan once every month or 2.
     
  17. bo elam (Registered Member; joined Jun 15, 2010; posts: 6,147; location: Nicaragua)

    I will check out your suggestion for Read only in the registry locations you mention. I know I read about that a couple of times but never applied it. Sully, I know that if you think that is important, it is important.
    Thanks

    Bo
     
  18. Serapis (Registered Member; joined Nov 15, 2009; posts: 241)

    Hmm, interesting. I tried to apply all the main branches of the registry under read-only once, but nothing would even run in the sandbox at all.

    This brings me to another question: Does applying read-only to C:\ take care of the registry indirectly since it is a type of file?

    This could probably be tested by making some custom type of registry file and placing it outside the sandbox. Then you could proceed to click it from inside a read-only sandboxed windows explorer and observe if any changes are done.

    I would be very interested to know the result. Could anyone please test?
     
  19. Sully (Registered Member; joined Dec 23, 2005; posts: 3,719)

    Good question: does making C: read only affect the modification of the registry? I would think so, but who can say without testing. As you have noted, making the main reg branches read only causes nothing to run, so it is going to be a question of just how SBIE deals with this.

    @ bo elam

    I do have my auto-start registry keys set to read only in all my more tightly configured sandboxes (along with certain other files/directories, etc.). I took them directly from what KAFU does. A fellow who used to roam this neck of the woods named Hurst had some really neat configs a few years ago that I found here and other places. He is the one who inspired me to move beyond default use and really think about what might be done.

    Now I am not saying it is "important" to do these types of things. I am only raising the question. I hope that (as always) others might share their thoughts/views and that can lead to new directions in my own thoughts. It is fascinating what you can do with this tool, and the longer I use it, and the more posts are made here and other places, the more ideas can come forth.

    Sul.
     
  20. PJC (Very Frequent Poster; joined Feb 17, 2010; posts: 2,959; location: Internet)

    That's the psychological aspect (or side-effect... :D) of SB.
    Once you get used to SB, you feel naked (i.e. threatened) when running browsers without it.
     
  21. albsat (Registered Member; joined Feb 10, 2011; posts: 51)

    Please can someone confirm for me whether the Sandbox folder in C:/ is still isolated while there is no sandboxed program running (Sandboxie free version)?
     
  22. bo elam (Registered Member; joined Jun 15, 2010; posts: 6,147; location: Nicaragua)

    Your C:/Sandbox does not get isolated. When you have something running inside one of your sandboxes, what's inside that sandbox is isolated, but not the C:/Sandbox folder.

    Bo
     
  23. albsat (Registered Member; joined Feb 10, 2011; posts: 51)

    Thanks Bo elam. Now it is clear to me.
     