Sandboxie - Templates_Local -- great!

Discussion in 'sandboxing & virtualization' started by Sully, Sep 14, 2009.

  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Playing with Sandboxie, v338 has a Templates.ini file in the program directory. Examining this the other day, it is a nice feature. You have preprogrammed templates, and this tells how to make Local templates in your Sandboxie.ini file. It can provide some nice shortcut features.

    I decided to play with this to see if I could force all executables on all drives but c: into a sandbox. The NOT character is !. I knew that but it was not working. Here is what I was trying to do: logically say to forcefolder every drive EXCEPT c:\, with this structure ForceFolder=!c:\. This does not work, as the ! is currently limited to processes. However, it did lead to learning a little about the templates.

    To make one, create an .ini section in your Sandboxie.ini file. The suggested guideline is to use [Template_Local_Name]. It appears that Template_ is removed, so you reference the template as Local_Name. Some monikers to use for example would be
    Tmpl.Title
    Tmpl.Class
    There are many procedures to use as well. Just examine the templates.ini file in the program files directory of Sandboxie.

    Anyway, I add this to my Sandboxie.ini file
    Code:
    [Template_Local_LockDrives]
    Tmpl.Title=LockDrives
    Tmpl.Class=Misc
    ForceFolder=e:\
    ForceFolder=f:\
    ForceFolder=g:\ 
    Then, in my chosen sandbox section, I add this
    Code:
    Template=Local_LockDrives
    Now, when an executable in e, f or g is created, it is forced into the associated sandbox. You could prepopulate one template with your local hdds for one sandbox, and another template for all remaining drive letters for a different sandbox, thereby separating hdds and removable media to different sandboxes.

    I have not tried this with autorun stuff yet though. But I can see templates becoming very handy, as well as good to share what you come up with because it is so easy to apply.

    Cheers.

    Sul.
     
  2. Sully

    Here is some more information on templates. I labeled much of it for those who don't use the .ini method much. I have been revamping my approach with sandboxie, and quickly tired of copying and pasting things around, so I made use of the templates feature quite heavily.

    So first there are some variables that you can use which are quite convenient. They can vary on machines though, but these are pretty much standard
    # these are typical variables used in Windows XP, they may differ per machine/OS
    # you may use these variables by enclosing in % signs
    # for example, %desktop%\notepad.exe refers to the notepad.exe application located on your desktop

    ##### Section of Friendly Shell Folders #####
    # AppData = user \application data
    # Cache = user \local settings\temporary internet files
    # Cookies = user \cookies
    # Desktop = user \desktop
    # Favorites = user \Favorites
    # History = user \Local Settings\History
    # Local AppData = user \Local Settings\Application Data
    # Local Settings = user \Local Settings
    # My Music = user \My Music
    # My Pictures = user \My Pictures
    # Personal = user \My Documents
    # Programs = user \Start Menu\Programs
    # Start Menu = user \Start Menu
    # Startup = user \Start Menu\Programs\Startup

    ##### Section of All Users Shell Folders #####
    # Common AppData = all users\application data
    # Common Desktop = all users\desktop
    # Common Documents = all users\documents
    # Common Favorites = all users\favorites
    # Common Programs = all users\start menu\programs
    # Common Start Menu = all users\start menu
    # Common Startup = all users\start menu\programs\startup
    # CommonMusic = all users\my music
    # CommonPictures = all users\my pictures
    # CommonVideo = all users\my videos

    ##### Section of Sandboxie Explicit Variables #####
    # SystemDrive = first two characters of system drive (ie. c: )
    # User or UserName = the user
    # Sandbox = name of sandbox



    Now an example of a .ini file utilizing some templates.

    [GlobalSettings]
    # # this is a typical global statement made by Sandboxie
    FileRootPath=C:\Sandbox\%SANDBOX%

    # # create a group of processes that are to be allowed internet access for the K-Meleon template and sandbox
    ProcessGroup=<InternetAccess_Kmeleon>,foxit.exe,acrord32.exe,winget.exe,k-meleon.exe

    # # create a group of processes that are to be allowed to start/run for the K-Meleon template and sandbox
    ProcessGroup=<StartRunAccess_Kmeleon>,foxit.exe,acrord32.exe,winget.exe,k-meleon.exe

    [Template_Local_LockDrives]
    Tmpl.Title=LockDrives
    Tmpl.Class=Local

    # # create a list of drive letters that will be forced to open in a Sandbox
    ForceFolder=e:\
    ForceFolder=f:\
    ForceFolder=g:\

    [Template_Local_Lock_Autorun_Registry]
    Tmpl.Title=Lock_Autorun_Registry
    Tmpl.Class=Local

    # # create a list of registry keys to be restricted to Read Only within the Sandbox
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    ReadKeyPath=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
    ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\

    [Template_Local_Lock_Autorun_Directory]
    Tmpl.Title=Lock_Autorun_Directory
    Tmpl.Class=Local

    # # create a list of directories to be restricted to Read Only within the Sandbox
    ReadFilePath=%Startup%
    ReadFilePath=%Common Startup%

    [Template_Local_Lock_Root_Files]
    Tmpl.Title=Lock_Root_Files
    Tmpl.Class=Local

    # # create a list of files to be restricted to Read Only within the Sandbox
    ReadFilePath=C:\AUTOEXEC.BAT
    ReadFilePath=C:\boot.ini
    ReadFilePath=C:\Config.sys
    ReadFilePath=C:\IO.sys
    ReadFilePath=C:\MSDOS.sys
    ReadFilePath=C:\ntldr
    ReadFilePath=C:\NTDETECT.COM

    [Template_Local_Recover_Folders]
    Tmpl.Title=Recover_Folders
    Tmpl.Class=Local

    # # set the AutoRecovery feature to ON
    AutoRecover=y

    # # create a list of directories to monitor for Quick Recovery
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%

    [Template_Local_Deny_All_Network_Access]
    Tmpl.Title=Deny_All_Network_Access
    Tmpl.Class=Local

    # # create a list that closes all network access within a Sandbox
    ClosedFilePath=\Device\RawIp6
    ClosedFilePath=\Device\Udp6
    ClosedFilePath=\Device\Tcp6
    ClosedFilePath=\Device\Ip6
    ClosedFilePath=\Device\RawIp
    ClosedFilePath=\Device\Udp
    ClosedFilePath=\Device\Tcp
    ClosedFilePath=\Device\Ip
    ClosedFilePath=\Device\Afd*

    [Template_Local_Allow_Direct_Access]
    Tmpl.Title=Allow_Direct_Access
    Tmpl.Class=Local

    # # create a list of directories or files that the Sandbox will have direct access to
    # # saving or deleting from this path affects the real path. Quick Recovery is not needed on these objects.
    OpenFilePath=%Personal%\My Downloads\

    [Template_Local_Kmeleon]
    # # create a template for use with K-Meleon browser, which SBIE has no defaults for
    # # some prerequisite formalities
    Tmpl.Title=Kmeleon
    Tmpl.Class=Local

    # # force the K-meleon.exe into this Sandbox
    ForceProcess=K-Meleon.exe

    # # enforce only specific programs have internet access in this Sandbox
    # # use a GLOBALLY identified <group process name>
    ClosedFilePath=!<InternetAccess_Kmeleon>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_Kmeleon>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_Kmeleon>,\Device\Ip
    ClosedFilePath=!<InternetAccess_Kmeleon>,\Device\Afd*

    # # option to show a message when a program tries to access the network without permission
    NotifyInternetAccessDenied=y

    # # enforce only specific programs may start/run in this Sandbox
    # # use a GLOBALLY identified <group process name>
    ClosedIpcPath=!<StartRunAccess_Kmeleon>,*

    # # option to show a message when a program tries to start/run without permission
    NotifyStartRunAccessDenied=y

    # # AutoRecovery for a folder that K-Meleon (specifically) might use
    RecoverFolder=%Personal%\My Torrents

    # # give direct access to K-Meleons cookie file
    OpenFilePath=k-meleon.exe,%AppData%\k-meleon\*\cookies.txt
    # # give direct access to K-Meleons bookmarks file
    OpenFilePath=k-meleon.exe,%AppData%\k-meleon\*\bookmarks.html
    # # give direct access to K-Meleons opera hotlist file
    OpenFilePath=k-meleon.exe,%AppData%\k-meleon\*\opera.adr

    The differences between not using Local Templates and using Local Templates

    ## this is the default box made by Sandboxie
    [DefaultBox]
    # # is this box enabled and active ?
    Enabled=Yes
    # # sandboxie assigned value
    ConfigLevel=6
    # # is Auto Recovery enabled in this Sandbox ?
    AutoRecover=y
    # # list of directories to monitor for Auto Recovery
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    # # List of lingering processes to monitor for
    LingerProcess=trustedinstaller.exe
    LingerProcess=wuauclt.exe
    LingerProcess=devldr32.exe
    # # list of templates pre-defined by Sandboxie to load with this Sandbox
    Template=LingerPrograms
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore

    # # the Default Box settings modified by using custom made Local Templates
    [DefaultBox_Custom1]
    Enabled=Yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=LingerPrograms
    Template=AutoRecoverIgnore

    # # a Sandbox using the Default options plus some other custom Local Template options
    [DefaultBox_Custom2]
    Enabled=Yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=LingerPrograms
    Template=AutoRecoverIgnore

    # # we could deny all access of any program to the network using this
    Template=Local_Deny_All_Network_Access

    # # we could allow direct access to a custom list of directories using this
    Template=Local_Allow_Direct_Access

    # # we could force a list of drives to start in this Sandbox using this
    Template=Local_LockDrives

    # # we could restrict certain registry values using this
    Template=Local_Lock_Autorun_Registry

    # # we could restrict certain directories and files using these
    Template=Local_Lock_Autorun_Directory
    Template=Local_Lock_Root_Files

    # # ----------------------------------------------------------------------------------------------------------------------

    # # an example of a Sandbox made by using Sandboxie
    # # this box restricts access to the network to only Firefox.exe
    # # NOTE, it uses these two GLOBAL process groups which would be in the top [GlobalSettings] area
    [GlobalSettings]
    ProcessGroup=<StartRunAccess_FFox_box>,firefox.exe
    ProcessGroup=<InternetAccess_FFox_box>,firefox.exe

    [FFox_box]
    Enabled=y
    ConfigLevel=6
    AutoRecover=y
    Template=Firefox_Cookies_DirectAccess
    Template=Firefox_Bookmarks_DirectAccess
    Template=Firefox_Force
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    RecoverFolder=%Personal%
    RecoverFolder=%Desktop%
    NotifyInternetAccessDenied=y
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\RawIp6
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Udp6
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Tcp6
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Ip6
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Udp
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Ip
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Afd*
    NotifyStartRunAccessDenied=y
    ClosedIpcPath=!<StartRunAccess_FFox_box>,*

    # # see how some of the values in this box refer to existing templates ?
    # # for example, Template=Firefox_Cookies_DirectAccess
    # # this is predefined in the file Templates.ini, which is in the Sandboxie Program Files folder

    # # here are the entries for Firefox from the Templates.ini file
    # # notice that these templates use a structure that is not used in your own custom templates

    # # first a path is set for where firefox places its files in this section
    [TemplateSettings]
    Tmpl.Version=1
    Tmpl.Firefox=%AppData%\Mozilla\Firefox\Profiles\*

    # # next firefox is broken down into different features, as below
    [Template_Firefox_Force]
    Tmpl.Title=#4323,Firefox
    Tmpl.Class=WebBrowser
    ForceProcess=firefox.exe

    [Template_Firefox_Bookmarks_DirectAccess]
    Tmpl.Title=#4336,Firefox
    Tmpl.Class=WebBrowser
    OpenFilePath=firefox.exe,%Tmpl.Firefox%\bookmark*
    OpenFilePath=firefox.exe,%Tmpl.Firefox%\places*

    [Template_Firefox_Cookies_DirectAccess]
    Tmpl.Title=#4328,Firefox
    Tmpl.Class=WebBrowser
    OpenFilePath=firefox.exe,%Tmpl.Firefox%\cookies*

    # # now we can make our own Firefox Local Template if desired
    # # the advantage is not to create our own Firefox template, but to show how to make a template
    # # and how it can be streamlined to our needs
    [Template_Local_Firefox_box]
    Tmpl.Title=Firefox_box
    Tmpl.Class=Local
    # # force Firefox.exe to run in this Sandbox
    ForceProcess=Firefox.exe
    # # give direct access to these files used by Firefox so we don't have to recover them
    OpenFilePath=Firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\bookmark*
    OpenFilePath=Firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places*
    OpenFilePath=Firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\cookies*
    # # ensure only Firefox has internet access, using the GLOBAL process group
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Udp
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Ip
    ClosedFilePath=!<InternetAccess_FFox_box>,\Device\Afd*
    # # set the option to alert if other programs try to access the network
    NotifyInternetAccessDenied=y
    # # ensure only Firefox.exe is allowed to start/run
    ClosedIpcPath=!<StartRunAccess_FFox_box>,*
    # # set the option to alert if programs other than Firefox try to start/run
    NotifyStartRunAccessDenied=y

    # # now we could create our own Firefox Sandbox
    [Firefox_box_Custom]
    Enabled=y
    ConfigLevel=6
    # # put in some generic values
    Template=Local_Recover_Folders
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    # # and now our custom Firefox template
    Template=Local_Firefox_box

    # # the end result is the same, but you can create templates that are customized
    # # to be used in any Sandbox, or specifically for one Sandbox

    Sul.
     
  3. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
    Thank you. I have bookmarked this excellent post.
    The templates feature is very handy not only for
    one's own use but also for sharing with others. :thumb:
     
  4. Sully

    Stay tuned. I have more intensive testing involved right now, seeing some deviances from what I would have expected, but so far manageable. I will post up a new .ini, and some other settings added to it.

    Sul.
     
  5. Sully

    After some more intensive testing, there are a few things I found out. First and probably foremost is that using a variable found in the registry, such as %CommonVideos%, which is present and should point to all users\shared documents\shared video, does not function properly across different machines. It is not an environment variable, which probably is why, but SBIE documentation only states that if it exists in the registry it can be used. There is also no working of things like %Common Startup%, likely due to the space in the name, as SBIE appears to want variables and assignments without spaces. Even enclosing in quotes did not make it work. So, borrowing a little template technique from the Template.ini file, I made some global values to use as variables.

    The advantage of variables is that you can build a Sandboxie.ini with variables and then share them with your friends and family, knowing that in most cases with default installs, your Sandboxie.ini should work on their machine. Usually.

    I have been specifically looking to overcome some problems associated with ShadowDefender. When running in shadowed mode 24/7, certain things fail to work properly, primarily due to the registry. For example, LiveMail works, but because there are no exceptions in ShadowDefender for registry keys, LiveMail cannot write to the registry and when you reboot and run it, it is semi-corrupted. I had thought that perhaps Sandboxie might help me out.

    Also after using Sandboxie off and on for perhaps two years now, I have decided that it would be more convenient just to segregate out each browser/program into its own box. Not as simplistic as I usually like, but I think much more robust. However, the creation process is slow from the GUI, and from the .ini required copy/pasting, which can also become quite tiresome. So, templates to the rescue as I found out.

    What I found though was while creating a template for locked registry keys was nice, when I made a template for each browser, it occurred to me that using the ForceProcess within it precluded using that process anywhere else. For example, if I ForceProcess=Firefox.exe in the Template for Firefox, then no other box can really use it. Not what I want. I therefore force the process per sandbox, this way I can still create one generic Browser_box that I can selectively start a browser in, and can still apply the browser template if need be because there is separation.

    It is of note that registry keys do not behave as one might think. For example, you would think that ReadKeyPath would be a sort of read only state. But it behaves a little differently than I first thought. Apparently, the lack of a reg key value means SBIE will recreate a key needed in the virtual registry. And also it is allowed modification. Using the ReadRegKey value does allow reading but not writing to the virtual registry. OpenKeyPath is basically giving SBIE direct access to the real registry key. CloseFilePath is not even allowing reading. I came upon a situation where I wanted to protect the HKCU\..\..\Users Shell Folders key from changing within the sandbox. A logical key to protect, along with others. However, when then creating a Firefox box, firefox would fail to run. The reason is that it needs, for some reason, to have access to this Users Shell Folders key. I had thought allowing it to read would be enough, but it must need to write or at least have permissions to write. Closing the key had the same effect. Of course using OpenKeyPath on it is not what I wanted. I ended up omitting that key from the locked registry keys, so that firefox could read and write it in the virtual registry. Not particularly a security risk really, since it is virtualized, but surprising to me nonetheless.

    So here is a config that seems to be working. LiveMail works, although wlcomm.exe (I think) I have not allowed, as I have no need for it to go online. At least I have opened the direct access to the program file directory, so that if I delete my sandbox, the mails sent and received remain the same.


    # ##### Section of Sandboxie Explicit Variables #####
    # # SystemDrive = first two characters of system drive (ie. c: )
    # # User or UserName = the user
    # # Sandbox = name of sandbox

    [GlobalSettings]
    FileRootPath=C:\Sandbox\%SANDBOX%
    ProcessGroup=<InternetAccess_Kmeleon>,foxit.exe,winget.exe,k-meleon.exe
    ProcessGroup=<InternetAccess_Firefox>,foxit.exe,firefox.exe
    ProcessGroup=<InternetAccess_IE>,foxit.exe,iexplore.exe
    ProcessGroup=<InternetAccess_Opera>,foxit.exe,opera.exe
    ProcessGroup=<InternetAccess_Browsers>,foxit.exe,iexplore.exe,firefox.exe,k-meleon.exe,opera.exe
    ProcessGroup=<InternetAccess_LiveMail>,k-meleon.exe,opera.exe,wlmail.exe
    ProcessGroup=<InternetAccess_MediaPlayers>,vlc.exe,mplayer2.exe,wmplayer.exe

    ## # user supplied variables for Current Users containers
    Tmpl.UserAppData=c:\documents and settings\%user%\application data
    Tmpl.UserCache=c:\documents and settings\%user%\local settings\temporary internet files
    Tmpl.UserCookies=c:\documents and settings\%user%\cookies
    Tmpl.UserDesktop=c:\documents and settings\%user%\desktop
    Tmpl.UserFavorites=c:\documents and settings\%user%\favorites
    Tmpl.UserHistory=c:\documents and settings\%user%\local settings\history
    Tmpl.UserLocalAppData=c:\documents and settings\%user%\local settings\application data
    Tmpl.UserLocalSettings=c:\documents and settings\%user%\local settings
    Tmpl.UserMyDocuments=c:\documents and settings\%user%\my documents
    Tmpl.UserMyMusic=c:\documents and settings\%user%\My Documents\My Music
    Tmpl.UserMyPictures=c:\documents and settings\%user%\my documents\my pictures
    Tmpl.UserPrograms=c:\documents and settings\%user%\start menu\programs
    Tmpl.UserStartMenu=c:\documents and settings\%user%\start menu
    Tmpl.UserStartup=c:\documents and settings\%user%\start menu\programs\startup

    # # user supplied variables for All Users containers
    Tmpl.CommonAppData=c:\documents and settings\all users\application data
    Tmpl.CommonDesktop=c:\documents and settings\all users\desktop
    Tmpl.CommonDocuments=c:\documents and settings\all users\shared documents
    Tmpl.CommonFavorites=c:\documents and settings\all users\favorites
    Tmpl.CommonPrograms=c:\documents and settings\all users\start menu\programs
    Tmpl.CommonStartMenu=c:\documents and settings\all users\start menu
    Tmpl.CommonStartup=c:\documents and settings\all users\start menu\programs\startup
    Tmpl.CommonMusic=c:\documents and settings\all users\shared documents\shared music
    Tmpl.CommonPictures=c:\documents and settings\all users\shared documents\shared pictures
    Tmpl.CommonVideo=c:\documents and settings\all users\shared documents\shared video

    [Template_Local_LockDrives]
    Tmpl.Title=LockDrives
    Tmpl.Class=Local
    # #ForceFolder=e:\

    [Template_Local_Lock_Autorun_Registry]
    Tmpl.Title=Lock_Autorun_Registry
    Tmpl.Class=Local
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    # #~ ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ReadKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    ReadKeyPath=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
    ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ReadKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\

    [Template_Local_Lock_Autorun_Directory]
    Tmpl.Title=Lock_Autorun_Directory
    Tmpl.Class=Local
    ReadFilePath=%Tmpl.UserStartup%
    ReadFilePath=%Tmpl.CommonStartup%

    [Template_Local_Lock_Root_Files]
    Tmpl.Title=Lock_Root_Files
    Tmpl.Class=Local
    ReadFilePath=C:\AUTOEXEC.BAT
    ReadFilePath=C:\boot.ini
    ReadFilePath=C:\Config.sys
    ReadFilePath=C:\IO.sys
    ReadFilePath=C:\MSDOS.sys
    ReadFilePath=C:\ntldr
    ReadFilePath=C:\NTDETECT.COM

    [Template_Local_Recover_Folders]
    Tmpl.Title=Recover_Folders
    Tmpl.Class=Local
    AutoRecover=y
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%

    [Template_Local_Deny_All_Network_Access]
    Tmpl.Title=Deny_All_Network_Access
    Tmpl.Class=Local
    ClosedFilePath=\Device\RawIp6
    ClosedFilePath=\Device\Udp6
    ClosedFilePath=\Device\Tcp6
    ClosedFilePath=\Device\Ip6
    ClosedFilePath=\Device\RawIp
    ClosedFilePath=\Device\Udp
    ClosedFilePath=\Device\Tcp
    ClosedFilePath=\Device\Ip
    ClosedFilePath=\Device\Afd*

    [Template_Local_Allow_Direct_Access]
    Tmpl.Title=Allow_Direct_Access
    Tmpl.Class=Local
    OpenFilePath=%Personal%\My Downloads\


    [Template_Local_IE]
    Tmpl.Title=IE
    Tmpl.Class=Local
    # # use templates found in Templates.ini file first
    # #Template=IExplore_Force
    Template=IExplore_Favorites_DirectAccess
    Template=IExplore_Favorites_RecoverFolder
    Template=IExplore_Cookies_DirectAccess
    Template=IExplore_Feeds_DirectAccess
    Template=IExplore_ProtectedStorage
    Template=IExplore_Credentials
    # # custom template values for IExplore
    ClosedFilePath=!<InternetAccess_IE>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_IE>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_IE>,\Device\Ip
    ClosedFilePath=!<InternetAccess_IE>,\Device\Afd*
    NotifyInternetAccessDenied=y

    [Template_Local_Firefox]
    Tmpl.Title=Firefox
    Tmpl.Class=Local
    # # use templates found in Templates.ini file first
    # #Template=Firefox_Force
    Template=Firefox_Bookmarks_DirectAccess
    Template=Firefox_Cookies_DirectAccess
    Template=Firefox_Phishing_DirectAccess
    # # custom template values for Firefox
    ClosedFilePath=!<InternetAccess_Firefox>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_Firefox>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_Firefox>,\Device\Ip
    ClosedFilePath=!<InternetAccess_Firefox>,\Device\Afd*
    NotifyInternetAccessDenied=y

    [Template_Local_Kmeleon]
    Tmpl.Title=Kmeleon
    Tmpl.Class=Local
    # #ForceProcess=K-Meleon.exe
    ClosedFilePath=!<InternetAccess_Kmeleon>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_Kmeleon>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_Kmeleon>,\Device\Ip
    ClosedFilePath=!<InternetAccess_Kmeleon>,\Device\Afd*
    NotifyInternetAccessDenied=y
    # #ClosedIpcPath=!<StartRunAccess_Kmeleon>,*
    # #NotifyStartRunAccessDenied=y
    # #RecoverFolder=%Personal%\My Torrents
    OpenFilePath=k-meleon.exe,%AppData%\k-meleon\*\cookies.txt
    OpenFilePath=k-meleon.exe,%AppData%\k-meleon\*\bookmarks.html
    OpenFilePath=k-meleon.exe,%AppData%\k-meleon\*\opera.adr

    [Template_Local_Opera]
    Tmpl.Title=Opera
    Tmpl.Class=Local
    # # use templates found in Templates.ini file first
    Template=Opera_Force
    Template=Opera_Bookmarks_DirectAccess
    Template=Opera_Profile_DirectAccess
    # # custom template values for Opera
    ClosedFilePath=!<InternetAccess_Opera>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_Opera>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_Opera>,\Device\Ip
    ClosedFilePath=!<InternetAccess_Opera>,\Device\Afd*
    NotifyInternetAccessDenied=y


    [Kmeleon_box]
    # # default values for most boxes
    Enabled=yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=Local_Lock_Autorun_Registry
    Template=Local_Lock_Autorun_Directory
    Template=Local_Lock_Root_Files
    Template=Local_Allow_Direct_Access
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    # # box specific values
    Template=Local_Kmeleon
    # # specifically state to force K-meleon.exe
    ForceProcess=K-meleon.exe

    [Firefox_box]
    # # default values for most boxes
    Enabled=yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=Local_Lock_Autorun_Registry
    Template=Local_Lock_Autorun_Directory
    Template=Local_Lock_Root_Files
    Template=Local_Allow_Direct_Access
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    # # box specific values
    Template=Local_Firefox
    # # specifically state to force Firefox.exe
    ForceProcess=Firefox.exe

    [Opera_box]
    # # default values for most boxes
    Enabled=yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=Local_Lock_Autorun_Registry
    Template=Local_Lock_Autorun_Directory
    Template=Local_Lock_Root_Files
    Template=Local_Allow_Direct_Access
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    # # box specific values
    Template=Local_Opera
    # # specifically state to force Opera.exe
    ForceProcess=Opera.exe

    [IE_box]
    # # default values for most boxes
    Enabled=yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=Local_Lock_Autorun_Registry
    Template=Local_Lock_Autorun_Directory
    Template=Local_Lock_Root_Files
    Template=Local_Allow_Direct_Access
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    # # box specific values
    Template=Local_IE
    # # specifically state to force IExplore.exe
    ForceProcess=IExplore.exe

    [Downloads_box]
    # # allow no outbound network access
    # # default values for most boxes
    Enabled=yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=Local_Lock_Autorun_Registry
    Template=Local_Lock_Autorun_Directory
    Template=Local_Lock_Root_Files
    Template=Local_Allow_Direct_Access
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    # # box specific values
    ForceFolder=%Personal%\My Downloads
    Template=Local_Deny_All_Network_Access

    [Browsers_box]
    # # default values for most boxes
    Enabled=yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=Local_Lock_Autorun_Registry
    Template=Local_Lock_Autorun_Directory
    Template=Local_Lock_Root_Files
    Template=Local_Allow_Direct_Access
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    # # box specific values
    ClosedFilePath=!<InternetAccess_Browsers>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_Browsers>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_Browsers>,\Device\Ip
    ClosedFilePath=!<InternetAccess_Browsers>,\Device\Afd*
    NotifyInternetAccessDenied=y

    [LiveMail_box]
    Enabled=yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=Local_Lock_Autorun_Registry
    Template=Local_Lock_Autorun_Directory
    Template=Local_Lock_Root_Files
    Template=Local_Allow_Direct_Access
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    # # box specific values
    OpenFilePath=wlmail.exe,%Tmpl.Windows_Live_Mail%
    OpenFilePath=wlmail.exe,%AppData%\Microsoft\Windows Live Mail
    OpenFilePath=wlmail.exe,%Local AppData%\Microsoft\Windows Live Mail
    # #OpenFilePath=wlmail.exe,*.eml
    # #OpenKeyPath=wlmail.exe,HKEY_CURRENT_USER\Software\Microsoft\Windows Live
    # #OpenKeyPath=wlmail.exe,HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
    ForceProcess=wlmail.exe
    ClosedFilePath=!<InternetAccess_LiveMail>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_LiveMail>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_LiveMail>,\Device\Ip
    ClosedFilePath=!<InternetAccess_LiveMail>,\Device\Afd*
    # #~ NotifyInternetAccessDenied=y

    [MediaPlayer_box]
    Enabled=yes
    ConfigLevel=6
    Template=Local_Recover_Folders
    Template=Local_Lock_Autorun_Registry
    Template=Local_Lock_Autorun_Directory
    Template=Local_Lock_Root_Files
    Template=Local_Allow_Direct_Access
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    # # box specific values
    ForceProcess=vlc.exe
    ForceProcess=wmplayer.exe
    ForceProcess=mplayer2.exe
    ClosedFilePath=!<InternetAccess_MediaPlayers>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_MediaPlayers>,\Device\Tcp
    ClosedFilePath=!<InternetAccess_MediaPlayers>,\Device\Ip
    ClosedFilePath=!<InternetAccess_MediaPlayers>,\Device\Afd*
    NotifyInternetAccessDenied=y


    Sul.
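The template mechanism described in this post, as an added example (not part of the original post and not Sandboxie's own code): a Python audit that inlines each box's `Template=Local_...` references and reports whether the four network devices end up closed. The sample ini is constructed; the body of `Local_Deny_All_Network_Access` and the whole `Scratch_box` are assumptions. A hand-written parser is used because Python's `configparser` rejects or collapses the repeated `Template=` and `ClosedFilePath=` keys.

```python
from collections import defaultdict

NET_DEVICES = {r"\device\rawip", r"\device\tcp", r"\device\ip", r"\device\afd*"}
NON_BOX = ("globalsettings", "usersettings_", "template_")
# Constructed sample modelled on the boxes in the post. The template body and
# Scratch_box (with its misspelled template name) are assumptions.
SAMPLE_INI = r"""
[Template_Local_Deny_All_Network_Access]
Tmpl.Title=Deny all network access
ClosedFilePath=\Device\RawIp
ClosedFilePath=\Device\Tcp
ClosedFilePath=\Device\Ip
ClosedFilePath=\Device\Afd*

[Downloads_box]
Template=LingerPrograms
Template=Local_Deny_All_Network_Access

[Browsers_box]
ClosedFilePath=!<InternetAccess_Browsers>,\Device\RawIp
ClosedFilePath=!<InternetAccess_Browsers>,\Device\Tcp
ClosedFilePath=!<InternetAccess_Browsers>,\Device\Ip
ClosedFilePath=!<InternetAccess_Browsers>,\Device\Afd*

[Scratch_box]
Template=Local_Deny_All_Netwrok_Access
"""

def parse_ini(text):
    """Return {section: [(key, value), ...]}; repeated keys are kept in order."""
    sections, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current]  # touch so that empty sections are listed too
        elif current and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return dict(sections)

def expand(sections, box):
    """Inline the box's Template= references; collect names with no section here."""
    effective, unresolved = [], []
    for key, value in sections[box]:
        if key.lower() != "template":
            effective.append((key, value))
        elif "Template_" + value in sections:  # exact-case match: an assumption
            body = sections["Template_" + value]
            effective.extend(kv for kv in body if not kv[0].startswith("Tmpl."))
        else:
            unresolved.append(value)
    return effective, unresolved

def audit(text):
    """Per box: are the network devices closed, who is exempt, what is unresolved."""
    sections, report = parse_ini(text), {}
    for box in sections:
        if box.lower().startswith(NON_BOX):
            continue
        effective, unresolved = expand(sections, box)
        closed = {}  # device -> exempt process or group ("" means nobody)
        for key, value in effective:
            if key.lower() == "closedfilepath":
                who, path = value.split(",", 1) if "," in value else ("", value)
                # "prog,path" closes the path for one program only: not box-wide
                if path.lower() in NET_DEVICES and (not who or who.startswith("!")):
                    closed[path.lower()] = who[1:]
        missing = sorted(NET_DEVICES - set(closed))
        report[box] = {
            "network": "restricted" if not missing else "partial" if closed else "open",
            "exempt": sorted(set(closed.values()) - {""}),
            "unresolved_local": [t for t in unresolved if t.startswith("Local_")],
            "external_templates": [t for t in unresolved if not t.startswith("Local_")],
        }
    return report

if __name__ == "__main__":
    for box, findings in audit(SAMPLE_INI).items():
        print(box, findings)
```

Names listed under `external_templates` have no `[Template_...]` section in the audited text, as is the case for templates defined in Templates.ini; a name under `unresolved_local` is a `Local_` reference with no section behind it, so the box gets none of the settings it was meant to pull in.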
     
  6. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
    Much appreciated sully.
    I'm really impressed and like this approach. And it is a neat way of compartmentalizing different needs.
    Btw, I have been a long time k-meleon user (still on 1.1.3) and a long time sandboxie user (still prefer to
    use the sandboxie.ini file rather than gui to fiddle) and your experimentation with the templates will help
    keep my sandboxie.ini uncluttered.
    Thanks again.
     
  7. ssj100

    ssj100 Guest

    Sully, looks like good work.

    However, I just want to remind potential Sandboxie users that it is much easier to use the GUI to configure your sandboxes. This way, you eliminate any potential user error.

    I think I've posted how I setup my Sandboxie more than enough haha. It's important to have a goal in mind - my goal was to contain/block all malware threat-gates and attack vectors. Because of this goal, I suspect Sully's setup will end up being fairly similar to mine, except I simply used the GUI to configure my own setup - it didn't take very long at all, and it's now "set and forget".

    Sully, I've got a question about blocking or configuring registry keys to be "read-only". Am I right to say that this is purely a privacy issue that you're concerned about? As you said, every change takes place in a virtualised environment anyway. If it's a privacy issue, what information are you exactly worried about leaking out, and why would this matter?

    For me, every sandbox I have has resource protection for "My Documents" - nothing in the sandboxes is allowed to access "My Documents" (not even read). To be honest, I don't actually have anything of worth to hide in "My Documents", but it's just nice to know that it's protected from the malware threat-gates anyway.

    Anyway, good luck in configuring Sandboxie to suit your needs. My own Sandboxie setup has pretty much stayed the same in the last few months. The most recent change is that I've added a sandbox called something like "Downloads" - I use this sandbox on-demand only when I'm wanting to look at newly introduced files from unknown/untrusted sources with a sandboxed explorer.exe. Since I almost always recover these files on to my desktop, I've made this simple for myself by having a shortcut (in my Quick Launch bar) which opens a sandboxed explorer.exe (inside the "Downloads" sandbox) of my desktop. This "Downloads" sandbox is configured so that anything can start/run, but nothing can access the internet. Further, and like all my other sandboxes, I have blocked access to "My Documents" and configured Read-only access to C:\Windows.

    Anyway, thanks for sharing Sully, and I'd appreciate your thoughts on my questions above. Cheers.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, it is information for those who wish to tweak SBIE to your likings.

    My goal is not quite as security conscious as yours I suppose. I like how SBIE compartmentalizes things, but I don't use it as an all-encompassing solution as you do.

    It is most definitely not about privacy, but two-fold. Primary reason is to stop the items within SBIE from creating startup or autorun instances as well as to keep some root files left alone. I think it wise to treat items within the sandbox with due respect, as even though it is virtualized, what you do in that virtual environment is no less at risk than what you do out of it. Secondary was to solve some issues where when using Shadow Defender some registry keys needed to be modified, i.e. LiveMail. When SD is in shadow mode, it has no recourse for committing registry values, so SBIE cures the problem because the registry is virtual, plus you can also dictate very specifically if desired what to do with registry keys.

    For my use, I am already using SRP on browsers and other applications from Admin. I use SBIE to contain my main threats, being browsers, email clients and media players. Testing new software is nice too, but I really only wish to mitigate my most pertinent threats. I include network access restrictions more than worrying about program execution. In one setup I had much more strict settings for a banking type use.

    I tend to download everything to one directory any more. I have that directory under SRP as well as force everything in there to start in a Downloads box with no internet access. I find it myself easier to know that one directory is the one I place things into and is for the most part safe to execute in. The goal of using Shadow Defender in Shadow Mode 100% of the time only enhances that, and SBIE is a treat to use with Shadow Defender because of its virtual file system.

    The objective of this post is only to introduce the templates to people who might not know it exists, and to give some working examples. It is not any easier really, but much more customized for those who dig that stuff.

    Sul.
     
  9. ssj100

    ssj100 Guest

    While I understand the point you're making, Sandboxie by its nature cannot be used as an "all-encompassing solution", since it doesn't provide system-wide protection. However, in theory, Sandboxie is able to contain/block all malware "threat-gates" and "attack vectors", and therefore system-wide protection is not needed. However, I like the idea of LUA + SRP to provide me with another layer of protection (in conjunction with the "threat-gates" and "attack vectors" that Sandboxie protects), as well as providing system-wide protection.

    I still don't quite understand what this has to do with enhancing "security" when everything is done virtualised and private documents (eg. files in "My Documents") are protected from the sandbox environment.

    Sounds good. As stated above, I also use LUA + SRP as another layer of defense - in my case, it mainly provides the system-wide protection that Sandboxie lacks.

    Yes, I also tend to download to one directory only - my desktop. Funnily enough, I also have that directory under SRP (in fact, everything is under SRP except for C:\Windows and C:\Program files and one or two other folders, all of which do not have write access in my LUA).

    There are problems with relying on a sandboxed folder to ensure everything executes sandboxed:
    1. If "Windows Picture and Fax Viewer" is your default picture viewer, it will NOT open the picture sandboxed (even though it's being run from a forced sandboxed folder).
    2. If "Windows Media Player" is your default video player, it will NOT open some video types sandboxed (even though it's being run from a forced sandboxed folder).

    The solution is to open your "downloads" folder with a sandboxed explorer.exe (which is very easily and conveniently performed with a shortcut as I described in my previous post).

    It is not any easier really? I think for 99% of people who use Sandboxie, they would find it harder haha. But anyway, good of you to share.
     
  10. wat0114

    wat0114 Guest

    Well, I don't know about that? Seems to me with basic configuration nothing in the sandbox is going to escape and infiltrate the real system this way, although I suppose it could happen but if you're running limited with SRP or some form of HIPS, I see this danger as so extremely remote it's not even worth worrying about.

    Also, I agree those templates are fine for very technically inclined folks like yourself Sully, but for average users the gui is far easier to use.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, all-encompassing would be to even open the 'legendary' starcraft lol. Yes I was referring to only using SBIE for download directory or average programs like browsers, email clients etc. But you get what I mean.

    See the reply below for this answer...

    Hmm, I was not aware of this aspect. I don't normally download pictures. It is simply a calling parent issue. I would imagine a reg tweak or environment tweak could fix that easily enough, maybe I will play with that sometime.

    I am not sure how you took that, but I am saying that yes, 99% of the people would probably think it is harder, for sure.

    Sul.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Really? Are you sure? Have you ever thought about what your virtual environment in SBIE is? It is truly, a virtual environment where you can install a program, located only in that environment. Meaning, if you install a program, that just happens to have a keylogger or wants to harvest some kind of information, or create autorun keys, it can affect what happens within that virtual environment. Yes, it may not really 'affect' the real file system, but unless you make strict rules for your sandbox, doesn't SBIE have access to your real OS to read, even if it cannot modify? Using some internet access restrictions or program start restrictions, and others can certainly nullify some if not all of this. But I prefer, if I am going to rely on SBIE for certain programs, to treat it like a real environment. You would not want programs making startup entries in your real system, so why would you in sandboxie. You would not want programs modifying shell folders keys in your real system, so why in sandboxie? It is really just a principle that to me says to treat it like the real OS when possible. Maybe not mandatory, but certainly can't hurt.

    Oh yes, I agree, the gui is easier for a great many lol. But that is not nearly as fun as making something your own, IMHO.

    Sul.
     
  13. ssj100

    ssj100 Guest

    Realistically, in terms of adding "security", I still can't see the point of blocking access of registry keys. That's the strength of Sandboxie compared to other sandboxing software - everything is done in a virtualised environment.

    With regards to keyloggers, the start/run and internet access restrictions (which should be applied to all sandboxes blocking/containing malware "threat-gates") will eliminate 99.999999% of all keylogger concerns. In fact, it's probably more likely for a banking web-site to be intrinsically compromised (and you can't do anything about this) than to get infected by an active keylogger while running Sandboxie properly. If you're still paranoid, you can use my method of always starting with a "freshly installed" IE 8 for sensitive browsing (like banking). This is easily achieved by always emptying out IE 8's sandbox on exit. Then when you want to do sensitive browsing, simply shut down all open sandboxes (thus eliminating all open malware "threat-gates") and open IE 8. For other non-sensitive browsing, I personally use Firefox.

    Anyway, I do see your point, and blocking access to registry keys etc certainly can't hurt (in most cases).
     
  14. ssj100

    ssj100 Guest

    Yes, I was disappointed when I found this out. I don't think it's possible to solve either...well, Tzuk himself and several other knowledgeable folk couldn't help me solve this issue.

    Thankfully, I've found a very simple and convenient way to deal with it!

    EDIT: interestingly, this same issue applies to other products like DefenseWall and GeSWall. For example, even though a .jpg file is "untrusted" by DefenseWall, it will open it as "trusted" if Windows Picture and Fax Viewer is your default picture viewer.
     
    Last edited by a moderator: Oct 13, 2009
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, the shell is actually opening the picture using a namespace/clsid. I tried the COM clsid entry for what I found related (an option in SBIE) but no luck. I read that namespaces like that are 'supposed' to interface via COM, but don't know enough yet to determine.

    I was able to create a batch file that properly opened a picture using rundll32. I was also able to make a registry open/command value that works the same way as the batch file. However, even if you unregister shimgvw.dll, the action is still in preview mode. I am not sure you can stuff explorer into SBIE in that manner.

    The technical reason it works for you is that when you load an instance of explorer.exe in SBIE, when you double click a picture (one associated with the viewer) it calls shimgvw.dll,ImageView_Fullscreen %path to file%. Since explorer is already in SBIE at this point, it is simply a child process and works fine.

    I wonder if I were to examine how the execution of say XnView or IrfanView works when they are associated with for instance a .jpg. My bet is that they are using a dll as well. If I were really concerned I suppose it might be hacked into submission with enough determination and a healthy portion of google. But, maybe later.

    Sul.
     
  16. ssj100

    ssj100 Guest

    Exactly. It's so simple and convenient too. Just create a shortcut to your "downloads" folder. For example:
    "C:\Program Files\Sandboxie\Start.exe" /box:Downloads "C:\WINDOWS\explorer.exe" /e,"C:\Documents and Settings\USERNAME\Desktop"

    I've placed that shortcut on my Quick Launch bar for easy access too.
     
  17. wat0114

    wat0114 Guest

    Actually, not really, at least not on a technical level; I trust the program enough to offer the requisite security for my needs and those of my family's.

    I have found some programs don't install properly in Sandboxie, thus I use the VM for this purpose.

    Given the measures I have in place such as lua, srp and vm, and a nice backup approach, should this concern me? I won't be holding my breath worrying about it. I'm not about to let paranoia consume me.

    How does this happen in Sandboxie, and how do they remain after the sandbox is closed? Sorry, I don't get it o_O

    It's my principle to treat it like a security application only.

    Agreed if one knows what they're doing as you clearly do, some others as well, but for most it's too complicated.
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't think there is a reason not to trust SBIE for most cases either.

    Yep, same here.

    No, I don't think there is a paranoia concerning this. And as you mention, having a backup plan should mitigate so many different issues that one could almost state that is all they need.

    I realize you have your restrictions in place with lua and srp. But, lua does not affect sandboxes. The reason? Very simple actually. The restrictions of lua are based upon objects and containers as well as registry hives/keys. Translated to rights and permissions on directories and files and registry keys/values. The default security being used with LUA is defined already by MS. Files and directories are already declared for the users group. You have access here, but not there. However, when a new directory is created, it may or may not inherit rights and privileges.

    For example, Program Files is set to propagate its permissions to children. Meaning when you create a new folder after installing some new program, the folder gets protected under the umbrella of the Program Files folder. It is inheriting rights. But, when you create a new folder, such as c:\Sandbox, the root drive has limitations on specific files and directories dictated by the security template. It does not include c:\sandbox because it is a new user created directory. Since c:\sandbox is not included in MS suggested rights, it basically gets a 'user can do anything to their own folders' type of attitude.

    The result? When you are in LUA, you cannot install to c:\Program Files because users are restricted. But, when you start a program setup in the sandbox, even though you are setting up the program like normal, it is not actually writing to c:\program files, but to c:\sandbox\xyz box\drive\program files. Since this is in a directory that is OK for a user to modify, you install what you like without being admin. So, your LUA and other protections such as these really mean nothing. Now if something were to ever escape SBIE, then your LUA would kick in and do its thing. This is one part of SBIE that I really like. Users can still go about life 'as if' they were admins inside the sandbox.

    If you do not set your sandbox to delete things on exit, then anything that was created in it stays. If you put a virus in there, it stays. If you don't lock down what applications can run or what applications can go online, then the virus you put in the sandbox, the next time you start it, is free to execute inside the sandbox environment, and free to send information home. If you don't protect the 'windows' directory that is IN the sandbox from being modified, you can install a virus that can modify a system file IN the sandbox. What can happen then? If the virus has modified some DLL in the windows directory (in the sandbox that is), and then it executes the virus and calls the modified DLL to gather the windows activation key, which can be read from the real registry by the sandbox, and then the virus can make an outgoing connection, it can send 'home' the information it gathered.

    Now, I am NOT saying this is going to happen, or has happened or even could happen. This is simply thinking through what the sandbox really is, how it operates, and what might be possible based on what facts I know. Playing with how sandboxie works in different situations leads to better understanding of how robust sandboxie can be used in differing environments.

    I have to say, SBIE is really one of the best programs for so many different purposes. There are many great tools available, but I think SBIE is probably the most versatile.

    And that is how it should be. I am not trying to convince you otherwise. Actually I am not really trying to convince you of anything other than some things are possible even if you don't know it. And that there are methods to control any possible weak spots. I simply like to explore and dig around and in general look at every view point possible. I apologize if it comes across as 'you better protect yourself better or you are screwed'. That is certainly not the intention ;)

    No, you are correct, most have better things to do. LOL, I spend a lot of time doing things like this, just to see how they work and what can be modified. Many times I play with it, but may not really use much of it. Sort of like taking something apart to see how it works, and once you put it back together, it is no longer interesting.

    Later man.

    Sul.
     
  19. wat0114

    wat0114 Guest

    Sully, very nicely explained and thank you for shedding light on the inner workings of Sandboxie :) I will safekeep your explanation as a document with my other important info. I think I will look to re-configure my settings to bolster those directories you mention, although I do have it to auto-delete on the kid's computers, so maybe they are fine. Thanks again!
     
  20. ssj100

    ssj100 Guest

    Haha, I guess there was a "reason" for demoneye to suggest step 5 then!:
    https://www.wilderssecurity.com/showpost.php?p=1545178&postcount=108

    Given the start/run and internet access restrictions are in place, I don't think it's necessary at all, but as Sully said, it won't hurt. Also, it's nice to "show off" Sandboxie's versatility and power.
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Tzuk has included so many options if you wish to employ them to overcome most potential problematic areas.

    There is the option to, as mentioned, limit network access to specified programs, limit what executables are allowed to start/run, limit access to files/directories, registry keys among other things. The ability to force programs and directories, the ability to have direct access to many areas. The ability to autodelete, to have leading programs, to kill lingering processes. I mean, really this is a very versatile tool once you begin to understand what the whole virtual environment it creates is about.

    I was always wondering why Tzuk put the DropRights option in. I know what it does, but one of the most common ways I employ SBIE on novice users computers is to put them in LUA and have them use SBIE as much as possible because it does not 'feel' like a restricted environment. But one day I realized, if you are using LUA properly, you should maybe also run in SBIE in the same manner, so as not to develop bad habits when you are in the real OS.

    Suffice to say that delving into SBIE is always enlightening and because of the .ini, understandable. I really wish there was a hierarchical approach to the groupprocesses and their usage throughout. In this manner you could customize the .ini to have a few basic templates, then mix and match them throughout, rather than the more explicit nature it has now.

    Sul.
     
  22. wat0114

    wat0114 Guest

    I agree, it's a fantastic and versatile little security utility. I wouldn't mind seeing an option to restrict Internet access to remote ports and perhaps protocols as well, but then this is getting into adding a firewall component - something not everyone will like.
     
  23. ssj100

    ssj100 Guest

    Yes, I think Tzuk will probably keep it as simple as possible. Sandboxie in my opinion is already perfect (in terms of the security it provides) on Windows XP. There are just a few minor graphical/visual issues that I'm waiting on Tzuk to look at.
     
  24. ssj100

    ssj100 Guest

    Yes, and it's actually good that you've created a thread like this. There needs to be more education about what Sandboxie actually does for you. I've said it many times before - Sandboxie is by far the most amazing security application I've ever come across.

    Many people think that Sandboxie is just another type of "virtualisation" product or just another type of "sandbox". As I've said before, it's much more than that, and when you get to understand how Sandboxie works and protects you, you'll never look back haha.

    I think the key protective features of Sandboxie are the following:
    1. Virtualisation
    2. Anti-executable
    3. Internet access control
    4. Resource access control

    Add to that the seamless way the virtualised sandboxes integrate with the REAL system - it's very easy and convenient to recover files out of the sandbox and on to the REAL system. Furthermore, there's no need to go through the inconvenience of restarting your computer to "flush out the toilet".

    I really can't think of any other product like Sandboxie, and it's a wonder how Tzuk managed to conjure this most powerful program up by himself.
     