Sandboxie: What do you sandbox, other than your browser?

Discussion in 'sandboxing & virtualization' started by Tyrizian, Jun 29, 2013.

  1. chris1341

    chris1341 Guest

    Direct Access to what? Anyway, these are fundamental architectural issues that cannot be resolved by tweaking.

    I don't use pirated software . Please see below:

    App-V - http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/app-v.aspx

    Click to Run - http://office.microsoft.com/en-001/products/what-is-click-to-run-HA101868855.aspx

    You really shouldn't consider using recent versions of Office with SBIE unless you understand these terms and the impact this approach has on what SBIE does.

    See here - http://forums.sandboxie.com/phpBB3/viewtopic.php?t=8241. Its about Office 2010 on Win 7 but the principle is the same.

    By default Office installs for Office 2013 are click to run. If you want to change that see here - http://office.microsoft.com/en-001/...-an-msi-based-office-edition-HA101850538.aspx.

    Regards
     
  2. frank7

    frank7 Registered Member

    Joined:
    May 14, 2011
    Posts:
    130
    Thank you for the links and information. I didn't know anything about all this. Eye opening. Thank you.

    Given all this info I am now really contemplating setting up a VM for all M$ Office, Adobe and other proprietary software that might not like to run sandboxed.

    Fingers crossed the various versions of IE will all work in SBIE but I think they should be fine.

    Really thanks to the users here I learned quite a few bits in the past days. ;)
     
  3. coffeetime

    coffeetime Registered Member

    Joined:
    Aug 26, 2012
    Posts:
    55
    Other than all the stuff mentioned, games in their own sandbox. Only couple issues like punkbuster needing to be installed outside SB no big deal (batch file to turn punkbuster services on/off).
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Trouble with O365/App-V sandboxes is that they are not really sandboxed in the sense that they can still access and damage resources/files on your machine natively if they are compromised. Which is the point of Sandboxie. Note that Office 365 requires you to be connected to the Internet from time to time to validate your licence, it's not possible to run in an isolated system or where the software is prevented from accessing internet services.

    For info, I run quite a lot of stuff in VMs, and this applies both to application and data segregation. Of course, MS licencing means you need an OS licence for each Windows VM instance, exorbitant unless you have a suitable corporate licences which does cover that. Makes you want to consider open source, no?!
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Just to be clear on MS Office 2010 and Sandboxie, I run Office 2010 Prof Plus installed from DVD not click-to-run or App-V versions of Office 2013. This is installed outside the sandbox (amongst other things, I believe there is a hook into the MS update service which needs to run natively). Running on W7x64 with SBIE 4.12. I apply a sandbox forced program to each of Outlook, Excel and Word. Outlook has direct access to the pst folder but is closed to everything else apart from Downloads, and excel and word get to see my document directories but are not allowed internet access. Word and Excel run slower, but not unbearably so, and I have had to deal with an Emet alert on file save-as with Word. For many reasons, I'm contemplating a lighter-weight counterpoint to Word and Excel for day-to-day editing and viewing anyway.

    My view is that the most important thing to protect with Sandboxie is Outlook and the Downloads folder (where the external input arrives), and obviously the browser. For applications like Acrobat, my priority would be to give them direct access to the necessary document areas (which you can restrict as needed) and any settings they store in AppData etc, but to ensure all child processes are sandboxed and killed on exit, and that none of them can get internet access (to prevent exploits from calling home).
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,194
    Location:
    Nicaragua
    deBoetie, I use Office in XP. I find that in my XP, Word works better, smoother and faster under Sandboxie Version 4 if I don't enable Drop Rights in my Office sandbox. This is something I did not have to do in Version 3.

    In very early Sandboxie version 4, Word and Excel could not be forced under Sandboxie. Later, after Tzuk was able to fix DDE issues for XP, I was able to force Word and Excel but then I found that if Drop Rights was in place, Word would freeze for a few seconds and would open up slowly. If I used a sandboxed Windows Explorer for navigating to the file, the slowness for Word to open up was even worst. After unticking Drop Rights, Word works fairly close to how it was under Version 3. You can try fixing your Word and Excel issues by unticking Drop Rights.:)

    Bo
     
    Last edited: Jul 22, 2014
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Thanks Bo, removing drop rights appears to have helped for the speed of Word and Excel, though a rebuild on an SSD may also have helped! I run as standard user anyway.

    Incidentally, I've extended sandboxing to OneNote 2010 OK, with direct access to the cache folder plus the local OneNote notebook locations. Internet allowed in this instance to have sync with OneDrive notebooks.

    PS - for those of us that need to use EFS to protect files (e.g. on Notebooks without WDE), this will not work for sandboxed applications because the ANONYMOUSUSER that sandboxie runs with does not have access to the EFS certificate, not can I see any way of giving it that access (and you'd probably not want it to!). The scheme I have come up with to cater for this is to have an encrypted drive which is opened on startup, and the sandbox direct access points at that drive. So, for example, Outlook data files can be protected this way on a notebook.
     
  8. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    So, you recommend taking C:\Windows off Read-Only Access, for all sandboxes?
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,194
    Location:
    Nicaragua
    Setting Windows as Read only is safe, it is mentioned in this Sandboxie webpage. I don't set Windows as Read only because I don't think is necessary.
    http://www.sandboxie.com/index.php?ReadFilePath

    Bo
     
  10. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Thanks Bo, I trust your knowledge on Sandboxie, I'll take it off.
     
  11. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    I have a couple questions concerning sandboxie.
    1) If I insert my usb drive it is sandboxed and the drive folder opens to show the content. If I close the folder, it is no longer sandboxed. Is this bad, do I have it misconfigured?
    2) I had to leave drive Z off from my list of drives I am sandboxing. Otherwise, if I start Shadow Defender I get an error. Anyone else seen this?
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,194
    Location:
    Nicaragua
    After you close the USB drive folder, you are still protected. You can test it navigating to the USB drive using an unsandboxed Window Explorer, when you run the files that are inside, you ll see they run sandboxed. You don't see the hash mark/colored border anymore but thats OK.
    I only have to add a couple of letters to sandbox my USB drives in W7 and XP. Perhaps you dont need to add Z to protect your USB drives, What is Z?

    Is the error a Sandboxie message, if so, Whats the number?

    I use Shadow defender on demand. Old version .346, never seen a SBIE error while using both programs at the same time (XP or W7). Both programs get along very well as far as I can tell.

    Bo
     
  13. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    Ok Bo, I tested #1) and you are correct, if you try and run a program from the usb drive it runs sandboxed. Good to know.
    #2)I am running the current version of SD 1.4.0.519 and what I have found is that if I have usb drive Z sandboxed I get permission denied from Sandboxie when I attempt to go into shadow mode.

    Thanks for you response!
     

    Attached Files:

  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,194
    Location:
    Nicaragua
    You should close all files, programs and folders that are open before placing Shadow defender in Shadow mode, that includes the sandboxed Windows explorer that opens up when you insert a USB drive. You can leave the USB drive in place but close the sandboxed explorer, I think after you do that, you wont get an error when you place SD in Shadow mode. And if you run something from the USB drive, it will run sandboxed. Test it. By the way, that's a great picture, I believe it tells the story of why you are having this issue and what to do to avoid it.

    Bo
     
  15. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    Bo, The screenshot I posted above was taken after enabling ForceFolder=Z:\ in Sandboxie, then attempting to go into shadow mode in SD. I did not have any usb drives plugged in, no open files, programs, etc... before attempting to enter shadow mode. I hope that I am more clear now.
     
    Last edited: Jul 30, 2014
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,194
    Location:
    Nicaragua
    Yes, you are. i am trying to make sense of this and just cant. I don't understand why your Z drive pops up as a sandboxed explorer when you try to enable Shadow mode. It doesn't make sense (to me). I cant reproduce it and never read anyone reporting something like that before.

    Something you can try is using a separate sandbox for that drive alone. Create a new sandbox, set Z as a Forced folder, don't apply Drop rights and see if it makes a difference. Many times a new sandbox fixes problems because of a setting in the old sandbox that messes things up.

    Perhaps something related to the type of account that you are using has something to do with the issue. The message that you are getting mentions the word permissions but again, why is the sandboxed explorer opening up?

    Bo
     
  17. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    I believe this anomaly may be caused by something I found in this article:http://shadowdefenderforum.com/index.php?PHPSESSID=2671b3c18b0e93bbf06b48dffe42f761&topic=126.0
    Perhaps SD is using a virtual drive for track 0 virtualization? Anyways I just left Drive Z out of my sandboxie usb config and all is well.

    Thanks again!
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,194
    Location:
    Nicaragua
  19. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    Bo,

    I was thinking about some tips you gave me a while back about sandboxie and ramdisk involving temporary internet files. By moving the sandboxie container into the ramdisk, All write operations will be redirected there by SBIE, but to do that would that be essentially mean the browser is going outside of the sandbox to obtain the container on the ramdisk since the ramdisk is not snadboxed? Just a weird thought I had
     
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The ramdisk folder (or wherever the container is located) is sandboxed, try opening any files from there.
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,194
    Location:
    Nicaragua
    Hi bberkey, I don't think it was me who gave you those nice tips, I have never used ramdisk and I am unfamiliar on how it works. But I am sure Sandboxie works the same whether the sandbox container folder is located in C drive or in the ramdisk. When I see Sandboxie users like Chris1341 and deugniet using ramdisk to place the Sandboxie container there, I know its a good idea to do so. Perhaps you got this tips from this thread.:)
    https://www.wilderssecurity.com/threads/sandboxie-with-ramdisk.361312/

    Bo
     
  22. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    466
    Hi, I think I need some help.

    I run SB 4.13.1 paid and my main setup is individual sandboxes for all browsers, plus a generic default one when I want to run a specific file sandboxed.

    Today I decided to make my Downloads folder (which I have moved to my data drive, separate from the OS) forced.
    Apart from including it under Forced Folders, Internet Access is blocked and I have Drop Rights enabled.
    As a have a sub-folder Torrents, I have given utorrent Direct File Access to it.
    No other specific settings.

    Niw, when I test the sandbox, office pdf mp3 txt files all run sandoxed, but for reasons I don't understand video files (avi & mp4 tested) run unsandboxed with all the programs I have run them on: potplayer, MPC-HC, KMPLayer.

    I have tried inserting these programs in Forced Programs and in this case the specific files run sandboxed, but in my understanding this should not be necessary. Can somebody help me out?
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,194
    Location:
    Nicaragua
    The only video player thats not supposed to start sandboxed out of a Forced folder is WMP. For that player, you need to use Force programs. If any of this player (potplayer, MPC-HC, KMPLayer) is set to open avi and MP4 files, then this files should run sandboxed out of a Forced folder. Of the three players you mentioned, I use an old version of KMPlayer, it runs well out of a forced folder.

    I think for testing purposes, you should create a new sandbox for your Downloads and see if Forced folders works correctly using the new sandbox. Seems to me a setting in the sandbox that you are using now is corrupting that sandbox. When you first try the new sandbox don't place the torrent folder in there AND use default settings. Blocking internet access and enabling Drop Rights should not create a problem, I also use those settings for my Downloads sandbox.

    Bo
     
  24. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    466
    Thanks Bo. Actually the sandbox Downloads was already new, I created it half an hour before posting, but I decided to run a test as per your suggestions

    So I did this:
    • created a new folder Dowloads TEST
    • created a new sandbox DowloadsTEST copying the Downloads settings (the one I that was the object of my posting) - I only deleted the utorrent settings
    • copied some files to the new folder Dowloads TEST (pdf, jpg, office, avi, mp4)
    I obtained some surprising results for the two video files (the others always opened sandboxed on both folders) :
    • MPC-HC & VLC open the files sandboxed both in Downloads and Downloads TEST
    • PotPlayer & KMPlayer open the files NOT sandboxed in either folder

    These are the simple settings used for the test:
    Code:
    [DownloadsTEST]
    
    Enabled=y
    ConfigLevel=7
    AutoRecover=y
    Template=AutoRecoverIgnore
    Template=Firefox_Phishing_DirectAccess
    Template=Chrome_Phishing_DirectAccess
    Template=LingerPrograms
    Template=BlockPorts
    BorderColor=#0000FF
    BoxNameTitle=y
    ForceFolder=D:\Downloads TEST
    DropAdminRights=y
    NotifyInternetAccessDenied=y
    NotifyStartRunAccessDenied=y
    NeverDelete=y
    ClosedFilePath=InternetAccessDevices
    ClosedFilePath=\Device\Mup\
    I am confused, any suggestions? Thanks
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,194
    Location:
    Nicaragua
    Newbino, since I don't know if you have done this, I suggest you run a file out of your Downloads folder using KMPlayer and open up Sandboxie control, see if KMPlayer shows up in there. If it is there, then its running sandboxed. I dont know if you have been running KMPlayer sandboxed in the past or not but you should know, KMPlayer doesn't use Window title so the # hash mark is not gonna show up on top of the Window when KMPlayer is running sandboxed.

    Another way to verify if a program is running sandboxed or not is to go to Sandboxie control>File>Is Window sandboxed?... Drag the folder that you see there into the video and see what it says. Important, for testing, I think you should not copy any settings from another sandbox.

    Bo
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.