Sandboxie security question

Discussion in 'sandboxing & virtualization' started by exus69, Aug 11, 2011.

Thread Status:
Not open for further replies.
  1. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Hello everyone,

    Assuming a normal computer use of word, excel, pdf, audio/video, internet do you think its safe
    to save the email attachment in a folder and then open it from there or clicking the "open with"
    option when asked to download for easier convenience?

    In case of the former method, there'll be two sandboxes: 1)Firefox consisting of only firefox.exe
    in Start/Run Access and Internet Access and 2)Office consisting of word, excel, pdf in Start/Run
    Access and no Internet Access. This method will be cumbersome as each attachment will have
    to be saved in a folder first and then opened up.

    In case of the latter method, there'll be only one Sandbox: 1)Defaultbox consisting of firefox,
    word,excel,pdf in Start/Run Access and only firefox in Internet Access. This method of opening
    attachments is VERY convenient.

    Do you think the latter method is weaker from security standpoint than the former method?
    If yes then how?

    Thanks in advance:)
     
  2. siberianwolf

    siberianwolf Registered Member

    Joined:
    Feb 15, 2009
    Posts:
    516
    i don't think there's any practical difference between the two.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Isolation of programs is better when you use more than one sandbox
    but either method is safe. I think the difference from a security
    standpoint is very little and because of the convenience, you should
    go for method#2.
    Finding a perfect balance between security and convenience is one
    of the keys for enjoying using SBIE. For me, finding it was easy and
    I think you found yours, for your browsing sandbox.

    Bo
     
  4. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Thank you both for your replies :) Would like to know what others think as well.
     
  5. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    +1 :thumb: for Method 2
     
  6. Terarus

    Terarus Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    12
    I have my sandbox using the latter method you outlined.
    Even if you catch malware from pdfs or documents, it is still contained within the sandbox and if you have it only as a start/run thing rather than with internet access; the malware should become redundant.
     
  7. wat0114

    wat0114 Guest

    Second method - hands down. I don't know why people create multitudes of sandboxes just to cover every conceivable scenario of their daily computer routines.
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    One quick response to this would be because we are interested in creating sandboxes that fit a particular need... and nothing else.
    The need might be broad... I might want a browser sandbox that also allows my email client and pdf reader and media player to start and have internet access. No problem. But I might also want to work with a narrower range of applications, like just my pdf reader and not the others, so it makes sense to me to decrease the number of things allowed to start/run and access internet in that sandbox. No sense in giving permissions to email and media and browser if I'm just using pdf. The right sandbox for the desired task. That simple. :)
     
  9. wat0114

    wat0114 Guest

    You mean, for example, if the pdf file is an exploit that uses the browser for malicious comms?... then I see your point.

    In my situation, I've got Sandboxie running on a couple machines the kids and wife use, so there's no way there can be more than one sandbox for them to choose from, depending on a given situation, is going to work for them, so I keep it necessarily simple with one configured to limit 'net access, force start/run, and restrict the ones that can run sandboxed for certain applications.
     
    Last edited by a moderator: Aug 12, 2011
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    The first few months that I used SBIE, I only had 2 sandboxes. As time
    goes by, I create more and more. Now ,I use 14 and I am sure, soon it
    will be 15. Maximizing isolation is the reason.

    Bo
     
  11. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    The biggest problem with Sandboxie isolation is user inconvenience.
    For eg. My browser and pdf reader are in different Sanboxes. There's
    a link in the pdf reader which I want to see. Now I cant click on that
    link straightaway and open the browser coz of SB isolation. Hence I
    need to copy the link, open the browser(which opens in another
    Sandbox) and then paste it there.

    Sure it gives me very good security coz if a pdf exploit gets executed
    as well it gets contained in its sandbox and due to internet restrictions
    cannot communicate outside. I only need to open my pdf reader
    unsandboxed when I've to update it.

    So weighing the pros and cons of both do you think method 1 is right
    from security standpoint?
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Method#2 is perfect for you, for your "browsing sandbox" but you should
    also have a PDF reader sandbox, for PDF files that you have on the hard
    drive. On my Foxit sandbox, only Foxit can run and nothing is allowed to
    connect. Thats maximizing isolation.

    I have 2 FF sandboxes, on one only FF starts/runs and connects and on
    the other one, Foxit and Flash can also run but only FF connects. If I
    need something else for Firefox, then I use a "All" sandbox, where all
    is allowed.

    Bo
     
  13. wat0114

    wat0114 Guest

    This is odd to me. Why not just one sandbox that allows FF to run and connect, and allows Foxit and Flash to run but not connect? Isn't this perfectly secure because Foxit and Flash are both sandboxed while restricted from the Internet?
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    My guess would be that he wants to surf without having to worry about flash at all, and that the sandbox with flash allowed is used for specific sites. He probably finds it the easiest way to know what is going to happen within a given sandbox at a given website.

    I use FlashBlock on Chromium to do this rather than create a secondary sandbox. I could see why he chooses to do this though. I agree that you could do just as you suggest, but the option of more fine grain control is very alluring for me, and for bo too it seems ;)

    Sul.
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    As you describe is how I have one of my FF sandboxes but allowing as
    little as possible is something that I always do. Flash, I rarely use,
    elsewhere other than Youtube. So if I go to Youtube, I just open the
    Flash FF sandbox. I do it naturally, no thinking.
    If I was getting SBIE messages all the time, doing it this way would
    be inconvenient but I rarely ever see a SBIE message. That tells me
    that I found a balance between convenience and security on all of
    the sandboxes that I use.

    For the machines that your family use, restricting the sandbox as I do
    certainly wont work. You created a balanced sandbox for your family,
    that's the perfect sandbox for them.

    Bo
     
  16. wat0114

    wat0114 Guest

    Okay I see what you're doing. Obviously I don't do too much in the way of creating additional, fine-tuned sandboxes geared toward specific uses, and as you suggested, it certainly would make things confusing for family members who aren't interested in this sort of thing :)

    I tried that plug-in but I depend on flash so much I ditched it and just use Ad Block instead. Lots of options to suit the unique requirements of different folks :)
     
Loading...
Thread Status:
Not open for further replies.