Sandboxie-Recommended Settings

Discussion in 'sandboxing & virtualization' started by TheKid7, Jun 8, 2008.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I have been trying the latest version of Sandboxie for about one week now (unregistered). The only setting that I have changed is to delete the contents of the default browser sandbox on program closure. What I plan to do is to use Sandboxie for general web surfing. If I need to download something from a reputable website I will use an unsandboxed browser. What other Sandboxie recommended settings changes should be made for "user friendly" safe web surfing?

    Thank you.
     
  2. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Give Internet Access only to your default browser. This can be found in Sandbox Settings -> Resource Access -> Internet Access.

    If you download a trojan in the sandbox and it tries to connect, Sandboxie will not allow it... I guess.

    Of course a firewall would probably stop it, but since the setting is there, go for it.
     
  3. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I guess there is a need for more restrictions in case of possible browser hijack.
     
    Last edited: Jun 9, 2008
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Why do that? You can remove files from the Sandbox if you download and want to keep them. But if the "trusted" site is compromised you are still protected.
     
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    To protect against keyloggers (courtesy of Blackcat)...

    What you can do is use ProcessGroups in conjunction with special closed paths, and it will block anything other than the files you've specified from running sandboxed.

    For example, assume that you are using firefox as your browser. The lines to add are these:

    1- In Sandbox Control, click...

    Configure > Edit Configuration

    2- Under Global settings, add:

    ProcessGroup=<restricted>,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,firefox.exe

    3- Then under DefaultBox (or any of your other boxes) add:

    ClosedFilePath=!<restricted>,*
    ClosedIpcPath=!<restricted>,*

    That will block everything other than the processes in the "restricted" process group from running. Thus, if the browser downloaded a keylogger to the sandbox and tried to execute it, it would just fail since the process is not listed in the process group above.

    BUT make sure that you add your own processes to the processgroup listed above -- as I did with firefox.exe in the above example.
     
  6. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    You don't need both of those.
     
  7. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    It's a kind of redundancy to add both. Wraithdu, who came up with these lines, initially added only ClosedFilePath=!<restricted>,*, which should be enough.
    Also look at the long thread over at Sandboxie forums.
     
  8. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Yeah I know that. That's why I made that post. I'm using ClosedIpcPath=!<restricted>,* :D
     
  9. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    In addition to the above, I also use Sandbox Settings > Resource Access > File Access > Blocked Access to keep any sandboxed malware (e.g. keyloggers) from accessing my personal files.
     
  10. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Bell, where do I add this in the notepad settings? o_O Do I add it anywhere or in a certain spot? o_O
     
  11. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Here are my settings, which enable firefox.exe to run in the sandbox, as well as sandboxie itself, and NOTHING else.

    For purposes of illustration, I have used a larger print for the added settings, so as to distinguish them from the other settings.

     
  12. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    I'm still new at this. Isn't another way of protecting against keyloggers by (1) opening Sandboxie Control, (2) click View and then Programs, (3) select the applicable sandbox (if more than one appears), (4) right-click the program...e.g. Internet Explorer or Firefox, (5) select Program Settings, and (6) click "This program is the only program in this sandbox that can access the internet"?
     
  13. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, that's a way, but with these settings you also make sure that the keylogger (or any other executable) can't even run in the sandbox.
    Better than having a keylogger that is unable to send data is not allowing it to run at all.
     
  14. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Mr bellgamin explained just that: why this setting is vulnerable. ;)
     
  15. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Thanks for the clarification. I'm still learning.

    So if I make a sandbox to use when I conduct online banking and want to make it more robust than the default sandbox, it sounds like the way to go is to add the settings indicated in bellgamin's post. If I screw something up with the settings during that process, am I correct in assuming I can simply delete that sandbox altogether, the messed up settings associated with that sandbox will be deleted as well, and I can try again?
     
  16. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    If there's no DefaultBox anymore, its config is gone. The global settings stay, but they have no effect on other boxes because there are no added closed paths in the config file.
     
  17. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Huupi, bear with me. Not too sure I completely understand your response.

    Let's say I have two sandboxes...one is my default box and the other is my online banking sandbox. Let's also assume I'm happy with the default box settings and haven't changed them, but I have added bellgamin's anti-keylogger settings to the online banking sandbox. Finally, let's assume I've screwed something up in the process of adding bellgamin's settings to the online banking sandbox (because I'm not a programmer or that computer-savvy). Are you saying it's no big deal because deleting altogether the online banking sandbox will also remove those messed up settings...and the default sandbox and its settings remain untouched?
     
  18. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Yes, all other boxes remain untouched; only in the config .ini file you will see that the online sandbox settings are gone if you delete this sandbox.
     
  19. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Appreciate it. Thank you.
     
  20. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I got this to run well in Firefox and Opera, but not in IE. I assume it works in IE and is good to have there too, right? If so, has anyone got this to work and wouldn't mind sharing their config?

    dja2k
     
  21. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    If you talk about those "hard" settings, then IE requires that SandboxieCrypto.exe is also added to the ProcessGroup.
     
  22. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    What about adding these lines to the ini? What do these do? o_O


    ClosedFilePath=!<restricted>,\Device\RawIp
    ClosedFilePath=!<restricted>,\Device\Ip*
    ClosedFilePath=!<restricted>,\Device\Tcp*
    ClosedFilePath=!<restricted>,\Device\Afd*
     
  23. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    They forbid anything outside the "restricted" group from connecting to the internet.
     
  24. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Aren't these redundant while using the other two ClosedFilePath=!<restricted>,* and ClosedIpcPath=!<restricted>,*?

    dja2k
     
  25. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, I think they are redundant.

    Personally, in my sandbox for firefox, I have the "execution prevention" enabled so that only firefox and pdf x-change viewer can run, because I do open and download a lot of PDFs for university. But only firefox can connect to the internet.

    If you want to allow internet access to the same group that is allowed to run, it's redundant... if it can't run, it can't connect :)
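The thread above describes the lockdown recipe (post 5), the extra helper IE needs (post 21) and the \Device\ lines that become redundant once the wildcard line is present (posts 22 to 25), but it never shows how to check an existing Sandboxie.ini against those rules. The script below is an added example, not code from this thread or from the Sandboxie project: it parses a constructed Sandboxie.ini and reports, per sandbox, ClosedFilePath/ClosedIpcPath lines that reference an undefined ProcessGroup, a group that lacks the Sandboxie helper processes named in the thread, a group that contains iexplore.exe without SandboxieCrypto.exe, and \Device\ lines that are redundant with a `!<group>,*` line. The section and key names come from the thread; the sample ini content, the `audit` function and its messages are my own.

```python
import re

# Helper processes the thread (post 5) lists as required members of the
# restricted group, plus the extra one post 21 says IE needs.
REQUIRED_HELPERS = {"Start.exe", "SandboxieDcomLaunch.exe", "SandboxieRpcSs.exe"}
IE_HELPER = "SandboxieCrypto.exe"
IE_BROWSER = "iexplore.exe"

# Constructed Sandboxie.ini for the demo (not a real user's config):
# DefaultBox follows post 5 but also carries the redundant \Device\ lines,
# IEBox is missing two helpers, TypoBox references a mistyped group name.
SAMPLE_INI = r"""
[GlobalSettings]
ProcessGroup=<restricted>,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,firefox.exe
ProcessGroup=<ie>,Start.exe,SandboxieRpcSs.exe,iexplore.exe

[DefaultBox]
ClosedFilePath=!<restricted>,*
ClosedIpcPath=!<restricted>,*
ClosedFilePath=!<restricted>,\Device\RawIp
ClosedFilePath=!<restricted>,\Device\Ip*
ClosedFilePath=!<restricted>,\Device\Tcp*
ClosedFilePath=!<restricted>,\Device\Afd*

[IEBox]
ClosedFilePath=!<ie>,*

[TypoBox]
ClosedFilePath=!<restriced>,*
"""

# Matches the value side of ClosedFilePath=!<group>,<path>
CLOSED_RE = re.compile(r"^!(<[^>]+>),(.*)$")


def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys
    (Sandboxie.ini repeats the same key for every ClosedFilePath line)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def process_groups(sections):
    """Map each ProcessGroup name under [GlobalSettings] to its member set."""
    groups = {}
    for key, value in sections.get("GlobalSettings", []):
        if key == "ProcessGroup":
            name, _, members = value.partition(",")
            groups[name.strip()] = {m.strip() for m in members.split(",") if m.strip()}
    return groups


def check_box(name, entries, groups):
    """Audit one sandbox section; returns a list of human-readable findings."""
    findings = []
    wildcard_groups = set()   # groups that already have a "!<group>,*" line
    device_lines = []         # (group, path) for the narrower \Device\ lines
    for key, value in entries:
        if key not in ("ClosedFilePath", "ClosedIpcPath"):
            continue
        match = CLOSED_RE.match(value)
        if not match:
            continue
        group, path = match.groups()
        if group not in groups:
            findings.append(f"{name}: {key} references undefined group {group}")
        elif path == "*":
            wildcard_groups.add(group)
            missing = REQUIRED_HELPERS - groups[group]
            if missing:
                findings.append(f"{name}: group {group} lacks helper(s) {', '.join(sorted(missing))}")
            if IE_BROWSER in groups[group] and IE_HELPER not in groups[group]:
                findings.append(f"{name}: group {group} allows {IE_BROWSER} but lacks {IE_HELPER}")
        elif path.startswith("\\Device\\"):
            device_lines.append((key, group, path))
    # A \Device\ line adds nothing if the same group is already blocked with "*".
    for key, group, path in device_lines:
        if group in wildcard_groups:
            findings.append(f"{name}: {key}=!{group},{path} is redundant with the wildcard line")
    return findings


def audit(text):
    """Audit every sandbox section of a Sandboxie.ini; returns all findings."""
    sections = parse_ini(text)
    groups = process_groups(sections)
    findings = []
    for section, entries in sections.items():
        if section != "GlobalSettings":
            findings.extend(check_box(section, entries, groups))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```

To run it against a real configuration, replace `SAMPLE_INI` with the contents of your Sandboxie.ini. The checker only reads the file; it reports redundant lines rather than deleting them, since (as posts 6 to 8 show) some people keep the extra lines on purpose.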
     