Sandboxie: What do you sandbox, other than your browser?

Discussion in 'sandboxing & virtualization' started by Tyrizian, Jun 29, 2013.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Overkill

    If you don't have FDISR it is no longer available. In fact I am now using AX64 Timemachine as a FDISR replacement.

    I've even tested it for removing malware like FDISR did and it works fine.

    Pete
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,191
    Location:
    Nicaragua
    Hi Aladdin. At this time, there is a known printing issue when using Sandboxie and W8.1. If you are using W8.1, I think you just need to wait for the fix that will come in a future SBIE version.:)

    Bo
     
  3. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Hi Bo,

    Thank you for your prompt reply.

    Best regards,

    Mohamed
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I have a problem with EMET 4.0 the GUI agent won't run.

    Is there a clash with Sandboxie?
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Don't tell you run EMET itself within Sandboxie... Otherwise, unlikely.
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Right, I don't run emet within sandbox but sandboxie does have emet configured.

    So far just running the browsers and the emet standard entries. Excel, etc


    I gave up on EMET! It blocked it's own office products from M$ fro m even loading!
     
    Last edited: Oct 30, 2013
  7. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,344
    Location:
    USA
    I see, I am using AX on my daughters pc and I really like it
     
  8. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    256
    Location:
    Poland
    Hi everyone.

    Can smb tell me how configure sandboxie to get better security performance with sandboxie and other programs

    I have got paid version.

    This setup I use for firefox
    1)Auto-delete sandbox during close program (that should push out my surfing data saved and not only... storaged by Firefox)
    2)Force run program in sandboxie (here i put "firefox.exe"- always in protect mode, off only for main updates FF+addons)
    3)Drop administrators rights (less power more secure)
    4)Allow only run & connect to network specific program which i run in sandbox (here i put "firefox.exe" and plugin-container.exe)
    5)Allow read- access only C:\Windows (Program dont should read more than need - that improve security)
    6)Allow direct access for firefox.exe
    -%AppData%\Mozilla\Firefox\Profiles\*.default\adblockplus\pattern* (here adblock keep my filter list)
    -%AppData%\Mozilla\Firefox\Profiles\*.default\NoScriptSTS.db (Need for NoScript save settings)
    -%AppData%\Mozilla\Firefox\Profiles\*.default\prefs.js (Need for NoScript save settings)
    7)Block file access for My Documents and rest partitions D E G H I
    8 )Quick Recovery "F:\Temp" (I use SSD disc so i move/save temp and any downloaded files to older HDD partition)

    I)What i should add/block yet for improve security.

    II)How configure sandboxie with this programs:
    a)Packers:7-zip/Total Commander (for safely unzip & preview comressed file)
    b)Messengers AQQ\Teamspeak3 (I Think no need, but sometimes better have it too)
    c)Rest network apps with hight risk: ThunderBird & JDownloader
     
    Last edited by a moderator: Oct 30, 2013
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,191
    Location:
    Nicaragua
    I suggest you create a new sandbox, you can name it Packers if you like. Force 7zfm.exe to run sandboxed in the new sandbox. Make sure to add in Quick recovery, the folders where you want files to be unzipped.

    In restrictions, you can block all programs from having access to the internet and only allow 7zfm.exe to have Start/Run access. Apply Drop Rights.

    I am not too familiar with Total commander but if its similar to WinRar and 7 Zip, you could also force it to run sandboxed in the same sandbox as 7Zip. On my case, I also run and force WinRar and HJSplit in the same sandbox as 7Zip.

    Setting 7Zip the way I described, unzipping a file, will always be done sandboxed in the "Packers" sandbox but you would not be able to view the file because of the Start/Run restrictions. You can view unzipped files in your (Forced) downloads folder or you could loosen the Start/Run restrictions in the Packers sandbox that would allow you to view files in the Packers sandbox immediately after unzipping. I do the latter.

    Don't forget, set the sandbox to delete on closing. This is basically how I handle RAR, Zip files. Never had a problem with one, unzipping or viewing.

    For Thunderbird. I never used it but I am pretty sure its similar to Outlook Express which I have used. This is what I would do. Create a new sandbox. Name it Thunderbird. Go to Sandbox settings>Applications>EMail Reader, Tick Thunderbird.

    Make TB a forced program and allow the TB process or processes Start/Run and Internet access. You should also allow access to your browser and PDF reader, so you can open PDFs and click on links in Emails while you are using your mail. For me, that's enough but if you get Word, Excel files a lot, you might want to allow those too. In my case, most attachments other than PDFs, I rather download to my Forced downloads folder or desktop. Whichever way I do it, attachments are never run out of the sandbox.

    Add your download folders to Quick recovery and block programs that run in the sandbox from having access to your personal files and folders. The above and setting the sandbox to delete on closing is what I do in my EMail client sandbox. HTH.:)

    Bo
     
  10. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    256
    Location:
    Poland
    Ok big thx.

    So configuration is similar like in my browser, just other program in other box.
    So i will put all packers in to the one diferent box cause no need split each alone if all will work on same privileges.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,191
    Location:
    Nicaragua
    I think, being able to block all programs from having internet access makes it a good reason for you to use a separate sandbox for 7Zip and Total commander. Thats why I run 7Zip, WinRar and HJSplit in a separate sandbox. The best suggestion that I can give you about configuring your sandboxes is this: make sandboxes as tight as possible, tailor them according to the programs that you you will use in the sandbox and keep them convenient and comfortable to use. Thats what I always try to achieve and it works great.

    Bo
     
    Last edited: Oct 31, 2013
  12. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,344
    Location:
    USA


    Can I just copy the above forced drive letters and paste in my sbie ini or do I have to do it within the program?
     
  13. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,191
    Location:
    Nicaragua
    You can copy and paste all the Forced drive letters from above to your Sandboxie configuration file (USB sandbox). But in two computers, all I do is force one letter and my USB drives are covered. :)

    Bo
     
  14. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,344
    Location:
    USA
    What other tweaks should I make for usb sandbox?
     
  15. guest

    guest Guest

    one separated sandbox for:

    - my download folder
    - my Browsers

    nothing more for the moment
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,191
    Location:
    Nicaragua
    Overkill, I think blocking all programs from having internet access is the important settings for your USB sandbox. I also suggest you set the sandbox to delete on closing, enable Drop Rights and block programs running in the sandbox from having access to your personal files and folders. I allow all programs to start and run in my USB sandbox but if you like to make things tighter, you can set it up so only the programs that you use often can run.

    Bo
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I have 3 different sandboxes for Firefox. One normal one (most used) just named "Firefox", which allows bookmark access. But not downloading/recovery. One named "FirefoxDownloads" that allows recovery. And one called "FirefoxSecure" that allows neither. In all 3 of them only FF is allowed for both start/run & internet access.

    Also sandboxed is VLC, Pidgin Messenger, one for "NewDownloads", where I scan anything recovered before moving them to my physical computer, since I don't allow scanners inside my browser sandboxes. 2 for emulators I have. And one called "Realtime" where I sandbox removable drives & USB ports, allowing only VT Hash Check & MBAM to run in them.

    Used to use one for UTorrent too... but don't use it anymore.
     
    Last edited: Apr 25, 2014
  18. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Do any of you sandbox your E-mail client, if so, which one do you sandbox?
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    I sandbox Outlook 2010, TyRidian.
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,191
    Location:
    Nicaragua
    I sandbox Outlook Express. Receiving and sending E mails sandboxed using an EMail client makes it sort of like, the mails are saved to the hard drive, you have read them and recovered attachments but the mails themselves........ have never been open.

    Bo
     
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Outlook 2010 (and also Thunderbird when I've been playing with that). I put in direct access to the pst files. Adding attachments comes from the default download directory rather than allowing Outlook to browse my real filesystem, but I'm happy enough with that inconvenience, it makes you think what you're doing.

    As far as the list of sandboxed apps, I have one per: Acrobat, Chrome, Copernic, Explorer++, FF, Google Earth and Picasa, IE11, Excel & Word 2010, Nitro, Password Safe and TrueCrypt, Skype.

    I've had most problems with Word add-ins. I run Emet 4.1 update 1 and had few problems with that.

    I also add the following to most profiles manually in the config file, according to some good posts a few years back:

    ClosedFilePath=\Device\Mup\
    ClosedFilePath=%Personal%
    ClosedFilePath=C:\AUTOEXEC.BAT
    ClosedFilePath=C:\boot.ini
    ClosedFilePath=C:\ntldr
    ClosedFilePath=C:\NTDETECT.COM
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
    ReadFilePath=C:\Windows\

    Also, I DropAdminRights although I don't run in admin accounts.

    In addition, I add ClosedFilePath for most of my drives according to what the applications is doing. So for example, there is no reason for a browser to get at my data (every reason why not to!). Conversely, I close internet access for Office and pdf viewers, if I need to follow links from those, I do so manually.
     
  22. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    A sandbox by itself is not enough protection...

    Most Important
    - Put a huge complex passord on your Administrative account...
    - Do not use your administrative account for day to day operation... Ever! It's designed for administration purposes not regular use for a reason.
    - Create a limited user account, put a password on it. Use that one.... Do not grant your limited account administrative privileges....

    Note: Do not worry, you can still run many applications that require it via "Run As" then Chose administrator when necessary. The idea is to limit background applications ability to activate in administrator mode and gain full unlimitted access to your system in the background unseen.

    If you are following this guidance to implement this on an old system (Not a fresh windows install) then you must also perform the following:

    Prior to implementing you tight security protocols... You must investigate each and every process that automatically loads, either at boot time or at login time for each user account you wish to protect. The idea is to validate the process as legitimate or malicious.

    Also invetigate each and every process that runs live, many could be spyware, or backdoors, effectively rendering your sandboxes useless.

    You can use this program to investigate each and every process and document and validate them using this tool:
    Advanced Process Analysis and Identification System free from here: https://hermes-computers.ca//apais_1.php

    Now you are ready to create an effective sandbox strategy...
    # 1 - I prefer developing a RamDrive -Make it at least 1 Gig or better (Look it up) free ramdrive: http://www.softperfect.com/products/ramdisk/
    # 2 - Move all sandboxes Primary storage location to your new RAMDrive this will isolate them from in built trackers trying to prevent control.
    # 3 - Create a new individual Sandbox for each, and every internet facing program - regardless of it's reputation
    # 4 - make all your sandboxes autodelete on exit. So as to preven session persistent tracking by greedy corporate spooks...
    # 5 - Configure Each Sandbox with the utmost care - make it tight - Learn how to do it proper - default settings are not enough...
    # 6 - Most Important - Put a password on Sandboxie so no one can change the settings via remote control...
    # 7 - Use Firefox - Keep it updated - regularly upgrade your addons...

    Run Firefox with the following configuration
    A - NoScript
    B - Do Not Track Me
    C - FlagFox
    D - HTTPS Everywhere from https://www.eff.org/https-everywhere
    E - Use Roboform for your passwords, keep them big unreadable, and most important all different
    F - Use DuckDuckGo for search engine... https://duckduckgo.com/ Frack the trackers!

    Note: Ramdrive's already work more or less like a sandbox as sandboxes use memory to virtualise live on going. This will greatly improve the sandbox ellement's performance. Your web browser will substantially increase in speed once properly loaded. This is also an effective counter tracking mechanism, as your browser leaves an anormous amount of data visible to each and every site you visit. By compartmentalizing everything within sandboxes and runing it all within one or more RamDrive's you effectively eliminate most of the persistant tracking effort of the browser and it's scripts. Each time you shutdown you will vapourize the content of the RamDrive... This is what kills the Anti-privacy trackers and persistent mechanisms...

    Remember to tell those who track you for profit: We do not forgive, We do not forget...

    Security is not by default, it's by design... Your design.

    Guy Deschênes
     
    Last edited: Jun 25, 2014
  23. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    All you sayed Hermes what ever, just wont work if you are against hackers. You can try what ever you want. Just won't work with normal internet surfings.
    You could try stay with only http, https etc. and avoid Flash, java and all the plugins. Maybe that way, I don't really know.
    Sandboxie might help some in that security though. What you posted is not normal to do at all. More like against some sickness in this world against our PCs.
     
  24. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I don't think anyone's saying a sandbox is anything other than a component of increased security, along with account security, attack surface reduction, engagement of brain and so on. Sandboxie is something I'm delighted to have in the toolkit though on a benefit-vs-effort equation. For various reasons, I'd also include VMs since this section is about sandboxing and virtualisation.

    I've also had a good experience with the Yubikey and Lastpass combination on Windows 7, which allows for 2FA on both logon and Lastpass.
     
  25. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Jarmo P...

    The only thing the above stated guidance fails to protect against effectively is very tedious and rather expensive to implement Browser Fingerprinting...

    https://panopticlick.eff.org/
    https://wiki.mozilla.org/Fingerprinting

    If you understand how the Internet works and the relationship between servers and Internet centric client applications you would readily understand the effectiveness of this methodology...

    The reality that the government is siphoning data between points is a problem for privacy conscious types...

    However the use of encryption is effective regardless of rumors and misinformation rampant these days. This however is not something that is effective against such efforts. These are methods that are targeting intrusive privacy busting efforts by hostile snooping corporations and hackers.

    It is the equivalent of erecting a fence around your property, adding a few guard dogs and a good alarm and monitoring system. It doesn't prevent the DEA or the ETF from barging in and destroying your life, but it will stop the local neighborhood idiots from trampling your flowers...

    By the way, properly implemented this methodology not only works, it actually dramatically improves all internet performance. (RAMDrive) With the rare exception of blocking hacker loving Java script by default. (NoScript)

    It must be said... Default Sandboxing by itself doesn't not protect your privacy...

    In fact if you run a sandbox improperly configured, you are fully exposed to data theft. Typically a default sandbox is only able to protect you against writing to the drive or renaming files and other similar types of behaviors. Unless you configure your sandbox to prohibit access to sensitive disk areas and impose other similar limits to the applications being sandboxed you are still vulnerable to multiple types of hostile penetration by criminals and other government officials...

    For example:
    An easy effective countermeasure against such predation is to simply keep all your data on another drive say D:\ and configure your sandboxes to completely prohibit access to the D:\ Meaning your web browser or other applications running inside the sandbox would be unable to scan and exploit data stored on D:\ as access to it would be immediately blocked...

    This is the only guaranteed way you will not be breached and your intellectual property remotely stolen while sandboxed in the name of National Security...

    The only open issues remaining are in built O.S. vulnerabilities and installed applications providing backdoors and other similar hostile elements. Also addressed in my previous post.

    However not implementing such measures typically leaves you open to countless security horrors and untold data theft and identity theft...
     
    Last edited: Jun 26, 2014
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.