Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    @ Rasheed187
    Yes I do. A bit less secure but convenient.
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Yeah, I read what you said in the other thread. Me, I like Sandboxie on its own, I kind of believe that SBIE is at its best when nothing interferes with it. Even if programs like HMPA or MBAE worked great on the surface along SBIE, I would not use them. But that's me, Rasheed. I also believe, you thinking of SBIE as an anti exploit is not right, Sandboxie is not that at all. I think the Start Run restrictions can be thought of as sort of an anti executable but that's it.

    I allow direct access to Bookmarks via Applications>Web browsers>Firefox, tick the option. And set my browsing sandbox to delete on closing. You allowing access to your bookmarks or profile folder shouldn't make your CPU usage go high. I don't particularly like the idea of keeping the browsing sandbox or any sandbox for a while, as you are doing. Perhaps, setting your sandbox to delete on closing, can make things better for you.

    Bo
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I feel a bit silly for not thinking about this earlier. After all, SBIE does give you all the options to avoid problems that may arise because of the separation between the real and sandboxed environment.

    Well, I would personally always use tools like HIPS to get even more control on sandboxed apps, but that's a matter of preference. And when I say "anti-exploit", I'm talking about the ability to stop it from infecting the system, but of course SBIE won't stop running of exploits without any extra configuration.

    And I'm not sure what triggered the high CPU usage, but for now I've chosen to run Firefox outside the sandbox with protection from MBAE. What I do like about running browsers "sandboxed", is the ability to shield data with the "file access" feature. This is something that can not easily be done with other software.
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    For me, using not only Firefox but my entire computer feels exactly the same, running sandboxed or unsandboxed, it doesn't make a difference. My CPU usage is always 0 or maybe 1 or 2 percent when in idle. The only time Firefox surges a bit is when I am watching videos. Or maybe when I have many webpages open at the same time. Usually I don't do that. I suggest, if you really want to use SBIE, lower the amount of layers, programs and your CPU usage will come down. Think about this, all security programs that you have on board are scanning files inside the sandbox. That translates into CPU usage, that's how it is.

    Let me give a clear example of how different things are when you run SBIE on its own or along other security programs. All Sandboxie users get sometimes a program locking files in the sandbox issue. That's a normal issue for SBIE users. I used to experience an issue like that about once every three or four months. Ever since I stopped using anything along SBIE (more than 4 years ago), it has never happened. That's no coincidence.

    Bo
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ bo elam

    Well, running SBIE as my only tool is no option for me. And it's kind of weird, it started out of nothing, my only other tool at that time was EXE Radar, I doubt that this caused the high CPU usage problem. It also only happened inside a certain sandbox, if I ran FF inside another one, then the problem was solved.

    So this all got me thinking of moving away from the real-time "browser sandboxing" approach. On the other hand, it does feel kinda safe knowing that your browser is running in its own virtual container, so I still have my doubts. Let's hope that HMPA will work correctly with the latest SBIE, that would be my ideal scenario.
     
    Last edited: Feb 18, 2015
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I think your high CPU was caused by using an undeletable sandbox. But can't be sure. :)

    Bo
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ bo elam

    I'm not sure what you mean, but I personally don't feel like cleaning my sandbox on a regular basis. Of course I do clean my browser cache once in a while. With Opera 12 I haven't got any problems, I still run it sandboxed. But I've read an old topic on the SBIE forum, and sometimes these problems are hard to fix, according to Tzuk it's most likely some other app causing this behavior, but it's too hard to figure out which one.

    BTW, I will now test Firefox and Opera with the HMPA + SBIE combo, to see what happens. But I was thinking, is it normal that HMPA can inject code into sandboxed processes? I'm a bit confused.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I believe you need to allow Full access to "\Device\NamedPipe\hmpalert" for HMPA to work along SBIE. I don't know how HMPA interacts with sandboxed programs, perhaps someone using both programs can tell you.

    Bo
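
Added example, not part of any post in this thread: a short Python audit of a Sandboxie.ini that reports, per sandbox, whether delete-on-close (`AutoDelete`) is set and which resources are given direct or full access (`OpenFilePath`, `OpenPipePath`, `OpenIpcPath`, `OpenKeyPath`), such as the hmpalert pipe named above. The sample file, the box names, the second pipe and the Firefox path are constructed for illustration.

```python
# Added example, not from the thread: report per-sandbox isolation exceptions.
# Sample below is constructed; box names and the Firefox path are illustrative.
SAMPLE_INI = r"""
[GlobalSettings]

[UserSettings_EXAMPLE]

[Browsing]
Enabled=y
AutoDelete=y
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places.sqlite*

[KeepBox]
Enabled=y
OpenPipePath=\Device\NamedPipe\hmpalert
OpenPipePath=\Device\NamedPipe\example_pipe
"""

# Settings that give sandboxed programs direct access to real resources.
OPEN_KEYS = {"openfilepath", "openpipepath", "openipcpath", "openkeypath"}

def parse_ini(text):
    """Return {section: [(key, value), ...]}. Repeated keys are kept;
    configparser would reject or collapse a second OpenPipePath line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment-style line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit(text):
    """Map each sandbox to its delete-on-close state and opened paths."""
    report = {}
    for name, items in parse_ini(text).items():
        if name.lower().startswith(("globalsettings", "usersettings_", "template_")):
            continue  # these sections are not sandboxes
        report[name] = {
            "auto_delete": any(k == "autodelete" and v.lower() == "y" for k, v in items),
            "open_paths": [v for k, v in items if k in OPEN_KEYS],
        }
    return report

if __name__ == "__main__":
    for box, info in audit(SAMPLE_INI).items():
        print(box, info)
```

A box that reports `auto_delete: False` together with a non-empty `open_paths` list is the combination discussed in this thread: contents persist between sessions and part of the real system is reachable from inside the sandbox.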
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    You said:
    "....it stopped after cleaning the sandbox, but then it started again after a while".

    To me, that kind of makes it obvious that something that you are doing on a regular basis, causes your high CPU usage when contents of the sandbox get saved. And since you don't experience high CPU in sandboxes that you delete, using an undeletable sandbox could be the reason for your high CPU.

    Bo
     
  10. 142395

    142395 Guest

    Tho I have no clue about that, does that high consumption occur even when you don't load any page (I mean, only 1 tab is about:home?)?
    Tho I often open many tabs (dozens is not uncommon, rarely more than 100), still Firefox does not consume much CPU and memory. I think this is largely thanks to its single process architecture. But as you know now Fx implemented multi process architecture (currently in Aurora stage, right?), so we have to expect if we open many tabs, it will consume at least much memory.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi Yuki, I think Rasheed said he experiences high CPU only in Firefox sandboxes that are not set to delete, the ones he keeps contents for a while.

    I never have many tabs open at the same time. I usually have maybe 4 or 5 but that's it. I don't know how you guys can handle having 60 or a 100 open all at once. If I had 100 tabs open, probably would take me longer to look for the tab I want than reopening the page. :)

    Bo
     
  12. 142395

    142395 Guest

    Hmmm...still wonder why those undeleted contents cause high CPU, unless he really stores too many things. :confused:

    Well, there're some tab management addons. I rarely exceed 60 tabs, but when I find an interesting page which is still not worth bookmarking, I keep it open to read it later. Of course there will be other options, addons to save page or so, but somehow it's my practice. Tho not my case, there're people who keep more than 1000 tabs. It's not a joke, actually they are the guys who prevented Mozilla from completely abandoning 64 bit Firefox in Nightly build.
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I think it is something that he does regularly. And when the activity gets saved, after a while, it translates into high CPU. The following could also cause high CPU (I think). Yesterday he was talking about HMPA and MBAE. If he installs MBAE, runs Firefox then uninstalls MBAE and installs HMPA. All the activity done by both programs within the sandbox gets saved, even after uninstalling MBAE.

    Bo
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, I don't do anything different, and I normally never clean my sandboxes, I did it this time to troubleshoot. Outside the sandbox Firefox runs just fine.

    Correct, it starts out of nothing (after 1 minute) without any websites running, it's just another weird problem.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes but the "hmpalert.dll" file is injected in every process, even sandboxed ones, regardless of that setting. I thought that SBIE prevented code injection from outside the sandbox, or perhaps I'm misunderstanding.
     
  16. 142395

    142395 Guest

    Well, but he said he once deleted and tho it temporarily solved the issue, it arose again after a while? :confused:
    Sorry I have no clue about high CPU issue, but about what you mentioned above, usually injection can be done regardless of SBIE setting. That setting is to allow communication (IPC) via sandboxed process and HMPA.
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Exactly, after deleting the sandbox, his issue is solved. But then the cycle starts again, that's why after a while, he experiences high CPU one more time. Trying to make sense of what he says, that's what I come up with.

    Bo
     
  18. 142395

    142395 Guest

    Ok, I got it. I hope this helps him to troubleshoot it. Probably what we can help is quite limited.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    Well, maybe an add-on or extension. If he's using an ad-blocker that could be the culprit, I've heard that. He should try uBlock and see what happens.
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Rasheed, please remember, I am totally unfamiliar with programs like HMPA and MBAE. But I can tell you, programs outside the sandbox should be able to do their thing within the sandbox, if they can't, then you have a conflict and that's when settings like the Full access one for HMPA are required to work around the issue.

    Bo
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Nope, happens even with no extensions. I have chosen not to solve the problem, I will now run FF outside the sandbox.

    OK I see, so it doesn't matter if the .dll file is loaded into a sandboxed process, because SBIE will restrict IPC? So malware can't communicate with the sandboxed process I assume? On the other hand, as already said, HMPA does seem to be able to make SBIE malfunction.
     
  22. 142395

    142395 Guest

    Addon causing high CPU is possible, but what you mean is that addon conflicts with SBIE?
     
  23. 142395

    142395 Guest

    It's basically the same situation as malware inside SBIE trying to communicate to a program outside SBIE. SBIE should restrict it.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    Yep. Lots of issue reports at SBIE forums about A/V extensions working alongside FF/Chrome, for example.
    Or maybe another sort of add-on can cause issues in some scenarios where the OS version/architecture, browser and SBIE versions are in the mixture.
    To sort those conflicts out people need trial and error, even support from the other third-party vendors, it's kind of complex.
     
  25. 142395

    142395 Guest

    Ah, all right, I got it. I also know some problem reports about AV plugins. Thanks!
     