Sandboxie v2.86

Discussion in 'sandboxing & virtualization' started by ErikAlbert, Apr 23, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    This thread is about Sandboxie ONLY. So please, stick to the subject.
    You don't have to tell me how good or bad Sandboxie is. So no emotional outbursts or comments regarding Sandboxie, because these comments don't make me any wiser.
    You don't have to tell me that Sandboxie causes some troubles on certain computers; all software has that in common and that doesn't make me any wiser either.
    I don't want any comparison with other software either; this is about Sandboxie, nothing else.

    I only want to know HOW Sandboxie works, in other words the philosophy behind Sandboxie. I've been using Sandboxie for two days, so I'm certainly not an experienced user of Sandboxie, but Sandboxie seems to love my total system so far.
    The bottom line is: I want to figure out if Sandboxie is worth my time to LEARN it in detail and use it in my frozen snapshot as a protection in the period between two reboots.
    This thread might also be useful for potential users and for discussions, but first I'd like to know if I understand the concept of Sandboxie and I would like to have an answer to my questions.
    ---------------------------------------------------------------------------------------------------
    As far as I understand, Sandboxie works like this; if I'm wrong please correct me:

    1. You can choose which application has to run sandboxed or NOT.
    Weird question: what happens when Look'n'Stop (my actual firewall) is sandboxed?
    It seems to me you have to decide carefully which application will be sandboxed or not.
    What are the general rules to run an application sandboxed or not?

    2. Once an application is sandboxed:
    a. It can only read objects on the REAL harddisk
    b. All write operations are done in a Transient Storage Area, called SANDBOX and NEVER on the REAL harddisk.

    3. This means to me that the SANDBOX can contain GOOD and BAD objects.
    a. If I download IZARC37.EXE, which is a GOOD object, the file will be written and stored in the SANDBOX under the right folder, that looks like the real folder, but is in fact a folder in the SANDBOX.
    If I want to keep IZARC37.EXE, I assume I have to copy/paste this file FROM the SANDBOX TO the real folder.
    When I clean the SANDBOX, the file IZARC37.EXE will be removed, but it is still stored in the real folder.
    If I don't want to keep IZARC37.EXE, I just clean the SANDBOX and everything is gone.

    b. If I download TROJAN.EXE, which is a BAD object, the file will be written and stored in the SANDBOX just like a GOOD object.
    If I double-click TROJAN.EXE inside the SANDBOX, the TROJAN will be executed, BUT whatever the TROJAN writes will be kept inside the SANDBOX and won't affect the real harddisk.
    If I clean the SANDBOX, everything the TROJAN.EXE did will be GONE forever.

    Conclusion: if the user doesn't know the difference between GOOD and BAD objects, he can still infect his own computer by moving the bad objects to his real harddisk.
    ----------------------------------------------------------------
    If the above is all TRUE, I assume that I can use Sandboxie to LEARN what a BAD object can do to my computer, because each write operation of the BAD object will be visible in the SANDBOX. Am I right about this?

    Thanks in advance for your co-operation. :)
     
    Last edited: Apr 23, 2007
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    1. Yes, you choose. It only sandboxes (virtualizes..) what you want, or what you specifically assigned. Your FW is not sandboxed.
    General rules? I don't know how to answer; you sandbox what you want to completely isolate from your system. Mostly browser, messenger, like that. Every change, download, etc. goes to the virtual container, the sandbox. Registry changes go to a fake registry, files to a fake file system...
    To retrieve what you want, you define what folders you want monitored, and assign them to the "Quick Recovery". In the GUI, Configuration-Sandbox Settings-Set Automatic Cleanup options. Should be really simple to use. You add folders here, and choose how you want it to run. If you tick "automatically delete contents..", when you close the browser or whatever, if anything is in those folders, you'll be asked if you want to check them, using "Quick Recovery".
    I could go on and on, but this is a waste.

    No post can explain better than SandboxIE's site:
    http://www.sandboxie.com/index.php?HelpTopics
    Read Getting Started, all the way down to FAQ. You'll read it easy. And understand. Trust me.

    2. Yes. But you can set what folders are not to be allowed read.

    3.
    a. Yes. It's you in control of what you keep. When you delete the sandbox, everything you didn't copy to the real file system, and left there, is deleted (or erased, if you want to associate an eraser to SandboxIE).

    b. Exactly.

    Conclusion: yes.
    ----------
    Sort of. You sure can look at everything that was written to the sandbox. And only changes made exist, so it can be useful for that.

    From what I read in your post, you don't want to miss the FAQ, and this.

    But I really think you can/should read the whole site:) . Skip the functions you don't care about, and it won't take you much time. It's a good read.:thumb:
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Why would you want to run your firewall sandboxed?
     
  4. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    I think it also depends on how you define what a bad object is. Does a bad object always have to write to the hard-disk or change registry entries? If you download a password stealer program and run it, it can still do its damage even though it may not have written files to the hard-disk or modify the registry. A firewall program may or may not catch it when it sends out data.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Hi Erik

    I am posting in this format as I am a bit lazy.

    As far as I understand, Sandboxie works like this; if I'm wrong please correct me:

    1. You can choose which application has to run sandboxed or NOT.
    Weird question: what happens when Look'n'Stop (my actual firewall) is sandboxed?
    It seems to me you have to decide carefully which application will be sandboxed or not.
    What are the general rules to run an application sandboxed or not?

    Yes, you can choose what is sandboxed. You wouldn't want to run a firewall sandboxed. What you really want to run sandboxed is applications that download from the web, or something like WinZip if you have occasion to be suspicious of the contents. I run Opera and IE sandboxed, and chose not to run my email clients sandboxed. If an email were to have an attachment I am curious about, I would leave it alone in Outlook, go on the web, and use the web-based email to check it out.

    2. Once an application is sandboxed:
    a. It can only read objects on the REAL harddisk

    It can also read files in the sandbox.


    b. All write operations are done in a Transient Storage Area, called SANDBOX and NEVER on the REAL harddisk.

    Yes. Although you can specify exceptions.

    3. This means to me that the SANDBOX can contain GOOD and BAD objects.
    a. If I download IZARC37.EXE, which is a GOOD object, the file will be written and stored in the SANDBOX under the right folder, that looks like the real folder, but is in fact a folder in the SANDBOX.

    YES

    If I want to keep IZARC37.EXE, I assume I have to copy/paste this file FROM the SANDBOX TO the real folder.
    When I clean the SANDBOX, the file IZARC37.EXE will be removed, but it is still stored in the real folder.
    If I don't want to keep IZARC37.EXE, I just clean the SANDBOX and everything is gone.

    No, you normally don't have to copy/paste. First there is an automatic clean and recover, which I don't use. There is a manual recover which allows you to easily recover files to where you placed them or even choose another location. Should you select the delete sandbox option, if there are recoverable files, you will first be given a recovery option.

    If I chose a non standard download area like my D: drive, then I might have to copy and paste.


    b. If I download TROJAN.EXE, which is a BAD object, the file will be written and stored in the SANDBOX just like a GOOD object.

    Yes it will.

    If I double-click TROJAN.EXE inside the SANDBOX, the TROJAN will be executed, BUT whatever the TROJAN writes will be kept inside the SANDBOX and won't affect the real harddisk.
    If I clean the SANDBOX, everything the TROJAN.EXE did will be GONE forever.

    Correct.

    Conclusion: if the user doesn't know the difference between GOOD and BAD objects, he can still infect his own computer by moving the bad objects to his real harddisk.

    This is true. No substitute for thinking.
    ----------------------------------------------------------------
    If the above is all TRUE, I assume that I can use Sandboxie to LEARN what a BAD object can do to my computer, because each write operation of the BAD object will be visible in the SANDBOX. Am I right about this?

    It should be.

    Erik, you are protected to a degree, as Sandboxie won't let you install a service. For instance, when I tried installing KAV in the sandbox, when it tried to install a service it couldn't, so the install failed and KAV rolled it back. Online Armor let me install, but once I tried to start it, it couldn't start its service so it failed. Deleted the sandbox and everything was gone.

    Pete
     
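The read-through / write-redirect model worked out above (reads see the real disk plus the sandbox's own writes, every write lands in the sandbox, recovery is an explicit copy out, and a service install is refused outright) as an added toy model; this is constructed example code, not Sandboxie's own, and the paths and file contents are made up.

```python
"""Toy model of the sandbox semantics discussed in this thread.
Constructed for illustration; it is not Sandboxie's implementation."""

from dataclasses import dataclass, field


@dataclass
class OverlaySandbox:
    real: dict                                 # real disk: path -> contents
    box: dict = field(default_factory=dict)    # the SANDBOX container

    def read(self, path):
        # A sandboxed app sees its own earlier writes first, then falls
        # through to the real disk (the "one-way valve": reads are allowed).
        if path in self.box:
            return self.box[path]
        return self.real.get(path)

    def write(self, path, data):
        # Every write, good or bad, is redirected into the sandbox.
        # The real disk is never touched here.
        self.box[path] = data

    def install_service(self, name):
        # Service registration is refused rather than virtualized, so an
        # installer that needs one fails inside the sandbox.
        raise PermissionError(f"service install blocked in sandbox: {name}")

    def recover(self, path, dest=None):
        # Explicit user action (Quick Recovery / manual recover):
        # copy one sandboxed file out to the real disk.
        self.real[dest or path] = self.box[path]

    def clean(self):
        # Delete the sandbox: everything not recovered is gone.
        self.box.clear()

    def pending(self):
        # What a recovery prompt would still offer to keep.
        return sorted(self.box)


def demo():
    """Run the scenario from the thread and return what each side sees."""
    real = {r"C:\Users\Erik\notes.txt": "original"}          # constructed
    sb = OverlaySandbox(real=real)
    sb.write(r"C:\Users\Erik\Downloads\IZARC37.EXE", "good installer")
    sb.write(r"C:\Users\Erik\Downloads\TROJAN.EXE", "bad payload")
    sb.write(r"C:\Users\Erik\notes.txt", "overwritten by TROJAN.EXE")
    seen_in_box = sb.read(r"C:\Users\Erik\notes.txt")        # sandboxed view
    try:
        sb.install_service("TrojanSvc")
        service_blocked = False
    except PermissionError:
        service_blocked = True
    sb.recover(r"C:\Users\Erik\Downloads\IZARC37.EXE")       # keep the good one
    sb.clean()                                                # drop the rest
    return seen_in_box, dict(real), sb.pending(), service_blocked
```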
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I didn't ask that question out of stupidity. I would never sandbox my firewall. I just put it extreme, because I'd like to know what makes Sandboxie users decide to sandbox an application or not, which doesn't seem to be clear in Sandboxie.
    Where is the limit of useful sandboxing? What is absurd in sandboxing?
    It seems to me, I have to figure it out myself. :)
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You should sandbox applications which may be used to install/download/execute malware. For the most part, browsers, mail clients, IM clients are the usual target for sandboxing. IMO, mail clients shouldn't be sandboxed if you read mail as only-text and discard unknown/unrequested mails/attachments. On the other hand, attachments which you trust can be saved to disk and executed inside the sandbox.
    You can also run a sandboxed copy of Word/Excel/Powerpoint/PDF viewer if you suspect that some document may have dangerous macros/scripts embedded.
    Installing apps which require:
    - Kernel drivers.
    - Registration of a service.
    - Add autostart entries to registry.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thank you guys. At first sight, Sandboxie seems to be good for immediate usage and it can be useful in the future, when I want to know what a malware exactly writes on my computer.
    If I execute the malware for real in my frozen snapshot, I can check the Detailed Log, if FDISR removed the same bad objects during a copy/update FROM Freeze Storage.arx TO frozen snapshot. At least that's what I hope. :)
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Lucas,
    OK. I got the picture. Thanks.
     
  10. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Part of the beauty of Sandboxie is that you should be able to open sandboxed files with native programs, and the launched app will automatically run the file sandboxed.
    I.e.: if I download/open a .pdf file (whilst browsing sandboxed), my PDF reader will automatically launch and open up the file in a sandboxed environment.
    The same should apply to most apps.
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Sandboxie, or a sandbox, interrupts the flow of processed information to the hard disk. The concept of a sandbox is to keep the overall integrity of your machine security while not having to harden the controls and losing useful function.

    Some problems found with Sandboxie are that it needs to reduce conflict with third-party software and eliminate malfunctions such as system and program crash/lock-up as soon as it starts and when closing. That said, versions and fixes come regularly and Sandboxie has an active community.

    Things to learn and of interest are SandboxieIni and Portable Sandbox.

    When I have some more time I'll come back to this thread.:)
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What I like about Sandboxie is that it also works on my second harddisk = my data partition [D:], which isn't protected by FDISR.
     
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    One thing I still didn't figure out: what completes SandboxIE. Right now, despite the whole arsenal installed :)) ), I'm only running active CPF, SandboxIE and Antivir.

    With SandboxIE, I have what I want to have. But because I'm hooked, as you guys, I look for what completes it, like - if malware runs inside the sandbox, it can still do something, like recording my Wilders password :) .

    What completes what SandboxIE lacks? o_O
     
  14. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Using Sandboxie reduces the need to have antispyware programs etc. So I am also running it with Comodo and have also Avira AntiVir. Though Avira is of course not much needed with Sandboxie.
    I like the fact that CPU usage from my security programs is zero.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Recording the password doesn't sound dangerous to me, unless it SENDS the password to the thief, that is dangerous.
    If the recorded password is still in the sandbox, it will be removed once you clean the sandbox. Recording and sending are different actions.
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    :) Great minds..
    That's a very good point. Malware won't have privileged access, and is easily detected by Comodo. Or is it?
    But as I'm thinking of turning off certain features in Comodo, I would still like to know the answer, not involving the firewall. You know, I got to install something:D
     
  17. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    You have to think of Sandboxie as a "one-way" valve:
    stuff cannot be written TO the harddrive, but stuff can be READ (accessed) from the HD and potentially sent out.
    Per Erik's observation above: Any nasties on your system will simply and completely go away upon shutdown.
    Merely good outbound protection. Be it good firewall/HIPS, warning if anything should attempt to "phone home".
     
  18. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Addendum to prior post.
    Although Sandboxie does allow you to surf with virtual impunity, some common sense browsing procedures should keep you quite secure.
    For instance: If I do any online banking / security trading, upon completion I DO NOT instantly start browsing various crack / porn sites.
    Common sense dictates shut down browser (thus hopefully clearing any sensitive data in memory), re-open browser, THEN browse the dark side.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My on-line banking isn't so dangerous anymore since my bank recently created a very complicated login procedure, which is explained in this thread:
    https://www.wilderssecurity.com/showthread.php?t=169704
    Even a malicious keylogger is worthless with such a login procedure.
    Thanks for the other explanations, all bits help. :)
     
  20. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    My bank also has all sorts of high technological security stuff as well.
    Call me old fashioned / overly paranoid, but it's no big deal after online banking to simply close browser, re-open.
    My K-Meleon takes <1.5 seconds to open. :)

    Regards
     
  21. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Kind of off topic, but the question is about Sandboxie...
    Is there any way of viewing the sandboxed 'virtual' registry?
     
  22. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    argus tuft:
    You could dump the sandboxed registry held in registry.dat within the data folder. Sandboxie also creates values in the real registry in memory.

    Erik:
    You can also create and use a sandbox across machines (portable sandbox).

    You can tweak SB via SandboxieIni; for example, block drivers is a setting in SandboxieIni.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Gave Sandboxie a trial by fire last night.

    Downloaded DFK - Threat Simulator by Morgud. Ran it on my VM machine.

    First pass I disabled all security software, and ran it. Geesh, did it take hold of the machine. I rebooted and it had even created its own password-protected account. I was able to boot back to my account and ran a KAV scan. It found some 29 different malware.

    I reset the machine back to its pretest state, and ran another pass, this time sandboxing the first exe that starts the whole thing. Also had security software totally disabled. While it was able to seemingly take parts of the machine, Sandboxie, by blocking some of the service installs, prevented some of the stuff from getting in. I rebooted, and the DFK account wasn't there. Once back in, I deleted the sandbox and did a KAV scan and the machine was clean.

    Did a third test the same way, only before rebooting, I just terminated all sandbox processes, which made the apparent effects of the takeover go away, and then deleted the sandbox. Again a KAV scan showed clean.

    So while there were some visible effects, in fact Sandboxie alone protected me from the threat simulator. Very impressive.

    Pete
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Sounds very encouraging to me Peter. Another step forward in my plans. I'm getting closer and closer every day to what I really want. :)
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047

    What I really like is no complicated worries about where I save files I download, and no reboots to clean up. If I was using a frozen snapshot for just surfing, I think it would be bye bye frozen snapshot.
     