Sandboxie: What do you sandbox, other than your browser?

This will be short...
As a follow up to my previous post...
An effective Sandbox Configuration Strategy would be similar to this:

- Create a sandbox for every Internet facing apps...
- Only allow the stated app to Start/load in the sandbox... "Restriction" + "Start/Run Access"
- Control each and every background applications that wants to load! Investigate each ones as per event
- Force all applications in the folder to start sandboxed "Program Start" + "Forced Folders"
- Only allow the stated app to access the Internet... "Restriction" + "Internet Access"
- Only allow access to the application directory to the stated application
- Drop Rights - Reduce admin privileges "Restriction" + "Drop Rigts"
- Prohibit all Drive access not related to the application under sandbox "Resource Access" + "Blocked Access"

For example: Firefox doesnt need acces to Z:\engeneering\ so block all access to Z: under "Resource Access" + "Blocked Access".

- Put a password on sandboxie.... a complex one...

 

Most of us don't have anything else but a store bought C drive, no partitions etc. It was one thing to get angry. Some of your advices have shortcomings also.

Also I would never password protect Sbie. It would mean I am a target of someone and being so, all protections loose their meanings!

 

Jarmo, Not protecting Sandboxie with a password, simply means you are willfully granting access to all your settings to anyone with the ability to breach Windows inherent in built weeknesses, and security holes and backdoors...

Granted these are usually the most difficult exploits to access. The reason is simple this would require advanced albeit archane knowlege of such holes prior to exploit, this eliminates a large number of would be attackers.

As to my advice being wrong, please describe the mistake in my methodology...

Trust me, I make a living doing remote administration, you can hide everything inside hidden background processes, something simillar to what Microsoft does with svchost.exe However for hackers to do so they must first get you to install an application with admin privileges.

However it is much easier for them to exploit your multiple Internet facing applications, and this is where sandboxes actually shine...

Typically web browsers inbuilt script interpretor engines, are the defacto penetration methodology used by doctored web sites specially built for that purpose as well as e-mail embeded http links with specially ingeniously crafted script based bypasses, again exploiting browser script engines vulnerabilities...

This is why I strongly recommend users utilize Firefox toguether with NoScript, and a few other useful pluggins and addons...

I can only guess that those too lazy or afraid to defend themselves probably deserve to be taken advantage of...

Currently the rate and scope of intimidation is massive...
There is much misinformation and bad advice...

Be not affraid you have a right to protect your own space from intrusions...

 

I don't use Firefox due to the lack of low rights container, but when I would be advised Firefox, I would ask Sandboxie a license with it to protect all my medium / basic user processes.

 

Sandboxie experts, please let me know how my Sandbox configurations are and if I can do anything else to make them more secure (Adjustments and or Adds)

Here are my configurations:

Sandboxie: External (USB Drives) Configuration


1. Delete Invocation:

- Select “Automatically delete contents of sandbox”


2. Program Start > Forced Folders:

- “L:\”, “G:\”


3. Restrictions > Internet Access:

- Hit “Remove” button to add “NotifyInternetAccessDenied=y” to configuration


4. Restrictions > Drop Rights:

- Select “Drop rights from Administrators and Power Users groups”


5. Resource Access > File Access > Read-Only Access:

- Add “C:\Windows\”


6. Resource Access > Blocked Access:

- Add “%My Pictures%\”, “\Device\Mup\ (File Sharing)”, “%Personal%\ (My Documents)”, “D:\”


Sandboxie: Firefox Configuration:


1. Delete Invocation:

- Select “Automatically delete contents of sandbox”


2. Restrictions > Internet Access:

- “firefox.exe”, “dllhost.exe”, “plugin-container.exe”, "updater.exe"


3. Restrictions > Start/Run Access:

- “firefox.exe”, “dllhost.exe”, “plugin-container.exe”, “FlashPlayerPlugin_Version number.exe”, "updater.exe"


4. Restrictions > Drop Rights:

- Select “Drop rights from Administrators and Power Users groups”


5. Resource Access > File Access > Read-Only Access:

- Add “C:\Windows\”


6. Resource Access > File Access > Blocked Access:

- Add “%My Pictures%\”, “\Device\Mup\ (File Sharing)”, “%Personal%\ (My Documents)”, “D:\”


7. Applications > Web Browser > Firefox:

- Add “Force Firefox to run in this sandbox”, “Allow direct access to Firefox bookmark and history database”, “Allow direct access to Firefox/Waterfox/Pale Moon phishing database”

Sandboxie: IE Configuration


1. Delete Invocation:

- Select “Automatically delete contents of sandbox”


2. Restrictions > Internet Access:

- “iexplore.exe”, “dllhost.exe”, “rundll32.exe”


3. Restrictions > Start/Run Access:

- “iexplore.exe”, “dllhost.exe”, “rundll32.exe”


4. Restrictions > Drop Rights:

- Select “Drop rights from Administrators and Power Users groups”


5. Resource Access > File Access > Read-Only Access:

- Add “C:\Windows\”


6. Resource Access > File Access > Blocked Access:

- Add “%My Pictures%\”, “\Device\Mup\ (File Sharing)”, “%Personal%\ (My Documents)”, “D:\”


7. Applications > Web Browser > Internet Explorer:

- Add “Force Internet Explorer to run in this sandbox”, “Allow direct access to Internet Explorer favorites”, “Allow Internet Explorer favorites to Quick Recovery folders”

 

Ty, the only thing really that I recommend you change is the list of programs that you allow internet access in your Firefox sandbox. You don't have to allow internet to anything but Firefox since Firefox does everything perfectly well without dllhost.exe, plugin-container.exe, or updater.exe having access to the internet.

In my Firefox sandbox, Firefox is the only program that has access to the internet. Plugin container doesn't require access to the net on most sites to watch videos. About dllhost, I know you see that exe asking to run sometimes, like when you open File explorer to upload a file but you can close or Hide the message if it bothers you and you ll still be able to do what you are doing. In my Firefox sandboxes, I don't allow dllhost to do anything.

About updater.exe. Firefox wont update sandboxed, I think its better to disable Automatic updates, that way updater.exe wont ask to run at all.

About dllhost and rundll in IE. I find Internet explorer runs better in W7 when I allow this exes to run, for that reason, they are allowed. In my XP, it doesn't make a difference so they don't run in XP. But you can eliminate them from the internet access list. You wont notice the difference.

You could make your USB sandbox a little tighter by restricting the programs that are allowed to run but its not really necessary.

Bo

 

Thank you for your reply, I took your advice and hid all messages that popped up, asking for Internet Access.

I feel that my sandboxed browsers are a lot more secure now

Thanks again

 

You are welcome. And yes, I think you are safer now. I recommend you create a sandbox for sites that require Flash to have access to the internet and have it ready for those rare occasions. I have one in which i allow Flash to have access to the net and also disable Drop Rights since I found that there are sites where videos wont play if Drop Rights is enabled.

Bo

 

Hello all, I got a lifetime license long time ago and just started using SBIE.

I am using Firefox and Thunderbird Portable mainly (on 7 Ultimate 64 SP1), very rarely create documents in M$ Office and also mainly do programming either with Aptana or any other editor.

I will need to test code in IE from 7 to latest and instead of doing this in VBs I like to try it with SBIE, is that safe to do?

Just for loading code and making sure it performs well across browsers, apart from that I actually never have the need to run IE.

Will need to test in Opera and Chrome as well but only really to see how code loads and not have it break, my main browser is and kinda always has been FF.

Is it safe to assume settings from this post https://www.wilderssecurity.com/thre...-than-your-browser.349624/page-5#post-2386238 are GTG?

Ideally at times I like to take FF and TB portable with me to other computers where SBIE is not installed and have them working with the latest history, bookmarks, saved selected cookies (startpage.com for example), addons and my passwords. This however is rarely the case so also happy to keep them running in SBIE if that is better security wise.

Tremendously happy for any input, really new to SBIE and trying to make sense of it.

 

Hey Frank. if you are going to use Sandboxie for testing, you should create a new sandbox and don't use restrictions. Most software installs sandboxed but not all. Is it safe to use SBIE for testing code? Safe it is but I really don't know what you mean by testing code. If Code is tested by executing a file, then, after you create the new sandbox, make sure you set it up Not to delete on closing, Sandbox settings >Delete >Delete invocation, Tick "Never remove this sandbox or delete its contents." Now you can run the code by right clicking it and run it in the new sandbox.

After the code is installed, close the sandbox and run IE by right clicking the IE icon and choose to run it sandboxed in the sandbox where you ran the code that you are testing.

About portable software. Things work in the sandbox fairly similar to regular software. Check Sandbox settings>Applications>Web browsers, there you can set bookmarks, cookies, etc to be saved out of the sandbox. For addons, you can set the sandbox to allow their installation to be saved out of the sandbox but its safer not to do that. That way you keep potentially malicious addons from installing on their own. Install addons out of the sandbox.

HTH Frank

Bo

 

Thank you for your reply Bo. You should really start thinking about making SBIE tutorial videos, with the solid interest in SBIE all around and the clicks such videos would get some income can be made as well (not sure about how YT does this though, never use YT but heard people make some cash there..).

I code sites at times and most of the clients want their stuff to run from IE version 7 or 8 to the latest version and since I cannot install multiple versions of IE on one box I am thinking of doing this with SBIE. Aptana makes a local server for each project so I can access the code with e.g. 127.0.01/ProjectName.html and open the URL in the various versions of IE. That is all about the code, just to clarify for you.

So yeah, to preserve the bookmarks and history of let's say FF portable I can simply tick those options and that should be fine?

I have an external drive just for content from the web, be this pictures, music or software. Is it a good idea to keep such a drive sandboxed at all times and if I like the one or other item from it I can manually recover it from the sandbox? With a 4TB drive is it a good idea to do this thinking about the load put on SBIE? Can SBIE handle such a volume of data? What if SBIE crashes (did so already a couple of times unfortunately), are the sandboxed files lost then?

In this post of yours https://www.wilderssecurity.com/threads/sandboxie-vs-virtualbox.365209/#post-2384999 you have a great picture of how you use SBIE. Do you delete the contents of those sandboxes after use or do you keep them sandboxed forever?

For example I am thinking about the dreaded Adobe Acrobat Reader as well as Flash as well as Acrobat X or XI Pro. Ideally I would want those to be in the sandbox forever but I fear that the sandbox might "break" at some point and then I have to install again. (Well thinking about it, I rather install again as opposed to being left with a dodgy registry and other Adobe leftovers... ugh..) Would SBIE work for something like that?

Sorry for the many questions. Just recently I switched to Mint but there is other people that still need to use this box with M$ on it, so I am trying to make it as safe and locked up as possible.

Any ways, cheerio and all the best to ya.

p.s. I deleted the DefaultBox, is there a way to get back the default settings for that sandbox, the ones that are there on first install?

 

You are welcome Frank.

Ticking those settings should be all you need to do. Try it, if it don't wok, let me know. I have never run Firefox portable but I ll install it later if ticking the settings don't do what you want.

I use both, the Forced programs and Forced folders features at the same time to sandbox files and programs automatically. In which sandbox programs run or under which of those features files run when they get executed depend on where I am running the files from. So yes, use the Forced folders feature to sandbox files that run from the external drive but also Forcing programs like Acrobat, movie players, etc is a good idea.

You need to set sandboxes in order to be able to recover files out of the sandbox. Take a look at Sandbox settings >Recovery>Quick recovery.

If you Force the external drive,, the only load in Sandboxie is the file that you are running sandboxed. You don't need to worry about SBIE being able to handle all you have in there. If Sandboxie crashes, whatever is in the sandbox at the time, stays in the sandbox. So if you have downloads or malware in the sandbox in there it still gonna be there when you run Sandboxie control again.

Every once in a while, the sandbox might not delete. That usually happens when an antivirus is keeping a lock on a file and don't want to let go. If that happens, reboot the PC and after the reboot, you ll be able to delete the sandbox and recover files that you were not able to recover before. Ever since I stopped using real times antiviruses, almost 4 years ago, I only had that happen once. But other programs might lock the sandbox as well.

Yeah, thats a great picture. Lovely picture. I set all my sandboxes to delete on closing. But I don't keep any program that I install sandboxed for more than a few hours. If you are going to install a program sandboxed and would like to keep it for a while, then you should set the sandbox where you install the program not to delete on closing. Later, when you don't need the sandboxed program anymore, you can change settings that allow the sandbox to delete.

When you delete your sandbox, settings remain as they were. But there is nothing like a reset button to reset settings. You can create new sandboxes. They come with default settings.
Sandboxie control>Sandbox>Create new sandbox.

Enjoy SBIE, Frank.

Bo

 

Bo, great reply and pretty much got everything running smoothly though still exploring and loving it. SBIE truly is fully worth every cent!!

With TyRidian's settings for resource access I wonder why giving read access to C Windows makes sense. http://www.sandboxie.com/index.php?ResourceAccessSettings#file says under File Access > Read-Only Access: "This access mode excludes the effects of sandboxing on a file (or folder) resource, while allowing a program to read, but not modify, the real resource." The only thing I can think of here is that IE and Firefox are installed to C and need to access C Windows to work. Not sure why this is needed with USB drives.

In contrary to this, running Firefox portable this resource access file/folder exclusion is NOT necessary, since FF portable runs from the folder, meaning I can leave Resource Access - File Access - Read-Only Access EMPTY for FF portable, since it won't even need to touch C to work, am I correct?

Here comes a nut. Since there is multiple people using the box here I am trying to create multiple sandboxes for Thunderbird portable, each with their copy of TB portable.

Now I am able to rename ThunderbirdPortable.exe to ThunderbirdPortableUSERNAME.exe but since this exe calls on Thunderbird.exe and renaming Thunderbird.exe to ThunderbirdUSERNAME.exe reaps a "Thunderbird.exe could not be found, repair installation etc" error I think at this stage it is not possible to have multiple sandboxes for multiple users of Thunderbird Portable. I had two sandboxes set up with ThuderbirdPortableUSERONE.exe for one and the other sandbox set up with ThunderbirdPortableUSETWO.exe but again since they both call on Thunderbird.exe it always opens in the first sandbox that catches the exe instead of the one with the correct app folder.

Unless of course I found out where in the ThunderbirdPortable.exe the code says to look for Thunderbird.exe and change that to ThunderbirdUSERNAME.exe. Any idea how to take apart an exe and look at the source?

Another solution would be to make one sandbox for all instances of Thunderbird portable and simply in the Apps - Folders add the various folders. Fingers crossed it will select the correct folder for the chosen TB user.

EDIT:
It WORKS, pointing SBIE to the folder from where TB port. runs makes each instance of TB port. open in the correct sandbox, they even run smoothly next to each other at the SAME time. Loving this, sorted!

 

Nice that you got everything running smooth. Frank, Why did it take you so long to start using your license?

In my opinion, setting Windows as Read only is not neccesary. I don't do that in any sandbox. I guess it doesn't hurt nothing doing that but I don't believe people setting Windows that way are actually getting any more security. Real Windows is Read only by default so Windows is never modified by programs that run in the sandbox whether we set Windows that way or don't.

Bo

 

Bo,

The sandboxed explorer sounds intriguing, thinking of testing it later. For a general browsing sessions (non banking and looking up info on non flash pages) would that be a wiser choice in case of some zero/drive by malware sneaks by or would you suggest a sandboxed browser inside of the sandboxed explorer for best results?

 

It is a good idea for you to get used to using a sandboxed Windows explorer, specially so if you are using the free version. And to make it easier to run it, you should create the sandboxed shortcut.

To browse the internet sandboxed, you use a sandboxed browser.

To navigate around your C drive, open USB drives, running downloads, viewing videos, playing videos in your DVD drive or opening CDs, etc and etc, that's the time for you to use the sandboxed Windows explorer.

You know, even people who say that don't like Sandboxie or say that is not necessary to sandbox their browser can benefit from using a sandboxed Windows explorer. How? One can be used to run downloads, that right there is a huge benefit. To make things easier, Sandboxie allows users to create a sandboxed shortcut for your Downloads folder. That way, even if you are using the free version, you can open your Download folders in one click and files run sandboxed out of there when they are executed. And it can be done with the free version. Thats a real gift from Tzuk to all users.

Bo

 

thanks for the tip. Someone said earlier you should put up some tutorials and further educate on the many amenities of sandboxie and I concur, you know your stuff brother. Thanks again for your time.

 

You are welcome bberkey. Thanks for the kind words.

Bo

 

Haha, I was young, silly and naive, and new nothing about IT sec, thought that with one click I could "harden" my former box, that without reading and learning it would all work. Since that is never the case with anything and I only learned that later, most of all from learning IT hardware, software and now starting programming, I simply gave up and had an "open" box, I guess at the times for everyone to come and have a look. Those times are long over though..

 

Bo do you have any experience with installing and running Office 2013 ProPlus and Acrobat Pro XI sandboxed permanently?

Does M$ eat that or does it throw errors?

Asking since both are quite big installs so might have to VirtualBox those if that is better?

Really dislike having to use those two but oh well can't live without them either. Yes there is OpenOffice and Sumatra but I also need to edit PDFs, make PDFs and create documents, spreadsheets and all that malarkey and since the people this is for USE M$ and Adobe {warez} I really have no choice, sorry!

 

I've been doing so for O2010 Pro Plus and Acrobat for some while. You have to open access to some application/data directories, but this is easy enough. I'm not sure if you're suggesting installing into the sandbox itself, and why the size of that matters? I install natively, then run in a sandbox. I suspect that if you install into the sandbox, updates wouldn't be applied properly downstream but I haven't tried this.

I also use VMs, but my feeling is that it's horses for courses, and of course, there is the insane MS licencing to consider with VMs unless you have some form of corporate licencing which includes VM instances.

 

Frank, Office 2013 click to play versions won't work at all with Sandboxie due to App-V. The msi version still available for Pro-Plus will not run sandboxed in protected view and Excel 2013 won't run at all - at least on Win 8.1 x 64.

Cheers

 

Does the protected view issue apply even when there is direct access set?

Seems like another reason to stick with O2010(!).

 

If I was to install those programs, I would do it out of the sandbox and run the programs sandboxed. I know Chris and others are having problems running Excel, Click to run, etc. I think you should read this thread:

http://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=19229&p=102342#p102272

I have no problem running Office in XP. In W7, I had a good experience with the Portable version of Libre Office and I am now using Kingston. For PDF Reader, I got Foxit portable in both computers. In all case, programs are installed out of the sandbox.

Bo

 

..and that works? So I have the rubbish on the disk, however I can let it run sandboxed and it won't mess with the system too much?

Sorry, never heard of "click to play versions" you mean pre-patched stuff available via p2p? The Office I have here is the real deal, unfortunately (and I mean this serious, would love for all people to use OpenOffice and that is it).
What is App-V?

Looks like I am making a last few good OS images and file backups before slapping those M$ apps on the drive. At least, from what you experienced and quite helpful people say, once on the drive I should be able to run them sandboxed. Looking forward to see the # in the top pf Office windows



Last issue, fingers crossed, is this: How do people go about this?

Let's say I download a .pdf form inside sandboxed Firefox and want to fill it out and work with it, edit it, in the original unsandboxed Acrobat Pro.

Is there a way to "pass" the .pdf from sandboxed Firefox to Acrobat Pro outside of the sandbox? I am thinking of when the dialog in FF comes up, "save" or "open with" I hit "open with" and select Acrobat Pro (or whatever other app), SBIE downloads the .pdf, recovers it immediately and then fires up Acrobat Pro where the .pdf form awaits my editing. Is that too much to ask?

Similar for let's say magnet links or .torrent files. Download from inside sandboxed FF and pass those on to unsandboxed p2p client with "open with" instead of download manually, immediately recover manually and then also add it to the p2p client, yes you figured right, m-a-n-u-a-l-l-y. I guess the method, if possible would be the same for both scenarious, if it works like that.

If this is not possible what are http://www.sandboxie.com/index.php?OpenIpcPath and http://www.sandboxie.com/index.php?OpenWinClass for then? I was thinking of simply checking the WinClass or set an OpenPath and get it to work, but so far nada..


Really happy I got my lazy *** off the ground and started using SBIE, this however comes in the wake of tremendous security and most of all privacy concerns.

Best Regards to you all