Sandboxie users, where do you allow access?

Question for Sandboxie users, where is it that you allow access to most often?

Is there a folder you usually let programs read or write to? Is it completely per-application with no method? Usually in /user/*? Usually in program files? etc

Very curious.

 

No access. Not even browsers for bookmarks. I am using a 3rd party bookmark application now so.

That used to be the only hole I let open.

 

How many programs are you running in sandboxie? Which, if you don't mind?

Have you run into any compatibility issues? Are they installed to the sandbox or just running in it?

 

I have been using Sandboxie since early 2005'ish (off and on back then, but now permanent). I can probably count on one hand the amount of programs that I've had to allow direct access to folders/files because of a conflict. These have mostly been chat clients, and for their voice servers, and, mainly to do with Yahoo Messenger. Everything else has been practically faultless. And that is pretty remarkable, because, sometimes I have 3 or 4 different applications running all at the same time with Sandboxie (can be a resource hog). Apart from a few bluescreens and lock ups when I first started using Sandboxie ... I have had amazing reliability with it.

I run everything that connects to the internet inside a sandbox - Windows Live Mail, Yahoo Messenger, Skype, all browsers. For instance, I have Live Mail set up with defaults, so I do wonder which access rights have been given under this default setting (for deleting emails, and changing settings, etc) these settings are not displayed in the folder access rights. This is my only slight niggle that I am going to look into.

So, the default settings that are enabled automatically for the known applications to function, these I am not so clear about. My only slight worry with Sandboxie, atm.

And no, I never keep anything lingering in any of the sandboxes, though, I have the default sandbox set up to not delete, should I want to try something there. I am running Sandboxie in a ramdrive that carries the image over at reboot - just incase I want anything saved.

Confessions of a fanboy

 

Thanks for the info.

 

I only allow access to bookmarks and favorites for Firefox and IE in addition for whats necessary to get OE working sandboxed. I prefer to allow direct access as little as possible to avoid opening holes.

Everything that I use often, runs sandboxed and in their own sandbox if they are programs like Foxit, Browsers, Outlook Express, WMP. Programs like Excell, Word and Power point share the same sandbox. USB, CD and DVD drives are forced to the same sandbox. WinRar and 7Zip as well share the same sandbox. I think Notepad and KMPlayer are the only program that I use all the time that I don't run sandboxed in their own sandbox.

All my programs are installed on my real system. Normally, I don't use SBIE for trying programs as I prefer to use something else for that but whenever I have installed something in a sandbox, it has worked perfectly.
Compatibility issues? Don't have any but I have noticed that some antiviruses do cause a delay deleting the sandbox. Thats one of the reasons why I prefer to run no antivirus along Sandboxie.

Bo

 

Gotcha. Thanks for the info.

 

Sorry for the off-topic.
May I ask what bookmark application you are running?

 

Bookmark Buddy http://www.bookmarkbuddy.net/index.php

$30 for a lifetime licence, or a borked (after 30 days) limited functions free version.

I can't remember the working differences between the free and payed, but the application is, along with Sandboxie, my most used and worthwhile. Definitely recommended.

 

I use a separate sandbox for each browser, and a sandbox for media players. Applications are forced.

I force my downloads directory.

Each browser is set to not ask where to download, but rather to save to the downloads directory.

I use foxit, never adobe or anything built into the browser. Therefore if I want to view a .pdf file, it is first downloaded into my downloads directory, then foxit opens in the sandbox to display it. Same goes for anything else executed in the downloads directory, it is in a forced sandbox.

I give each sandbox direct access to this downloads directory, so there is no recovery, ever. Browser A can download something, and browser B has access to it. Opening explorer lets me go directly to the downloads without needing to recover. To execute something outside of the sandbox, I copy it to the desktop then execute it. Normally moving it to the desktop doesn't work, as SBIE recognizes this and starts it sandboxed, so copying is how I do it. At least for simple things I trust and want to execute.

I give certain sandboxes access to bookmarks, but not all.

Sul.

 

Bookmarks being in their /user/appdata/program_name folder, correct?

Thanks.

I'm trying to see what areas are and aren't necessary for the majority of applications.

 

yes, appdata directory. There isn't much I have had to allow (disregarding bookmarks, which is only an option anyway). I really can't recall much, unless you start including flash or java, things like that that are installed in the real system in a locked down sandbox.

Sul.

 

How do you manage your plugins/ browser? All in one sandbox? Multiple sandboxes?

 

Each browser forced to its own sandbox makes isolation work better. By using multiple sandboxes for your browsers, programs, you can restrict each sandbox according to the program or purpose that you created the sandbox.

Plugins. I use Firefox and only use one plugin, Flash, so I also allow plugin container start/run but no internet. If I go to a site that needs plugin container to connect and if I want to use that site then I open another sandbox where I allow plugin container to connect.

Since I don't use other plugins or activeX in IE, that's all I do for plugins. I have never installed Chrome and only played with Chromium and Iron for a little bit but for Flash you don't need to allow anything like I do using Firefox.
If your PDF Reader opens within the browser, nothing needs to be allowed but if you open your Reader out of the browser like I do, then you need to allow the Reader start/run if you want to be able to view the PDF while browsing. If you use Java, you ll need to allow it start/run and internet access. I got rid of Java and all other plugins but if I ever need to use a plugin like Java or WMP, I install it on a sandbox and after using it, I get rid of it by deleting that sandbox.

Allow as little as possible but allow whats needed for you to feel comfortable using that sandbox. A restricted sandbox is great but Sandboxie on default settings its fine. IMO.

Bo

 

For the flash container, is it possible to run it in a separate sandbox? Does it have to be run within that sandbox?

 

I think you already tried that. As far as I know it can not be done but I never tried it or thought about doing something like that.

Bo

 

I tried with Java. Running Chrome and Java in separate sandboxes breaks both.

 

Myself, I go one of two ways. I either choose to install flash into specific sandboxes and not on the real system, or I install it on the real system and don't worry about if it is used in the sandbox or not.

It depends on if I am using chrome or chromium. For chrome, I generally don't do anything. For chromium, I will put flash in sandbox only and not delete it very often. If I have other browsers that need flash, and I am using chromium, then I might install flash to system.

I restore images a lot, messing with things, and my image has no browser on it, so sometimes I try chrome, sometimes chromium, or other browsers if the mood hits.

I don't worry about flash I guess because I trust that SBIE will keep it contained. When it no longer does this, then I will change things.

Sul.

 

When you install Flash to a sandbox are you also installing Chromium/whichever to that sandbox as well? Or to another sandbox? Do you have to allow access to the two?

Can anyone think of programs that they've *had* to allow access to an area to get to work? What about programs that load up drivers like CoreTemp or something similar?

 

I use a separate sandbox for each browser, and if I don't want flash on my system, then I install it to a specific sandbox. It stays within that box obviously until I delete the box. The browser itself (except chrome because it already has flash) would be installed to the real system, and only flash would be installed to the box. This way, the possible ill effects of flash are truly contained to the box.

With using SBIE I don't really worry about flash that much. Perhaps part of it stems from the fact that in typical usage I am going to places that I trust, so my chances of getting problems from places like warez/pr0n sites are really really slim to none.

I don't normally try to run things like coretemp in the sandbox, as I use it for browsing mostly and for testing installers etc. I have seen a very few programs not want to install (like firewalls/av) into a sandbox, but since I usually install them in the box, most things work without having to do anything special. I think though when you have something installed on the system and then try to run it sandboxed, more issues develop. I have seen a few like this, but don't remember specifically what they were. At least, they were not important enough to run in the sandbox all the time, so I did not investigate further.

Sul.

 

Thanks Sully.