Sandboxie

Discussion in 'sandboxing & virtualization' started by starflame, Jul 20, 2009.

Thread Status:
Not open for further replies.
  1. starflame

    starflame Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    20
    At the moment we are using Sandboxie in the office; however, some users are finding it difficult to use. When saving a file off the internet, Sandboxie pops up asking do we want to recover the file. However, when saving a picture using "Save as" nothing comes up and people have to go into the sandbox to save the file.

    Is there an "easy mode" in sandboxie which allows people to save into their profile or should we change the software for something else?
     
  2. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    IIRC, adding the default location for picture-saving to the Immediate or Quick Recovery setting in SB settings should mean users will then get the Recovery dialogue box for pictures just as with other downloaded files. They will then not have to drill down into the SB to retrieve them.

    An alternative would be to ask users to select an existing recovery location (ie one already listed under Recovery in SB settings) when presented with the Save As dialogue box when downloading pictures. I doubt users would remember to do this though...

    HTH

    philby
     
    Last edited: Jul 20, 2009
  3. starflame

    starflame Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    20
    I have tried that by adding c:\Users\username but sandbox then goes wild with popups about accessing every single cookie, javascript, flash, etc.

    Does it not add all the sub-folders automatically?
     
  4. starflame

    starflame Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    20
    In fact, ignore that.

    Sandboxie is set up to auto recover these files but isn't working.
     
  5. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    That is one of the reasons I don't use sandboxie and stick with DefenseWall.
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    You need to set the browser's saved download folder and Sandboxie to Quick Recovery from that same folder.

    Seems you may have set the whole of C:\Users\username as Quick Recovery which will invoke immediate recovery for anything created there including temp inet cache items.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Or just sandbox the user space (My Documents/Desktop); then all you save goes to the normal location (user space), and when opened, saved files will be forced to open in the sandbox.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    My solution requires less work on my part. I make a custom directory for downloading into, in My Documents, called, of all things, MyDownloads. I then give direct access to this directory for Sandboxie. This way, all things are downloaded to one directory, SB writes directly to that directory, no recovering needed.

    I do this because all my browsers are set to save there without question. And I have restrictions on that directory as well. That directory is also forced to open in a testing Sandbox that has no outbound network access. So it is sort of a sandbox, for programs downloaded by Sandboxie, that by default are opened by Sandboxie, with no access to anywhere else but the testing Sandbox.

    lol, sounds a mess but it works really simply.

    Sul.
     
  9. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Very clever idea! That is why SBIE is a great security program. Unlimited safety setups.

    Ice
     
  10. mjgent

    mjgent Registered Member

    Joined:
    May 19, 2008
    Posts:
    43
    Location:
    Sandboxed in a VM behind a UTM
    This is exactly how I do it except my custom directory for downloading is called "Untrusted Downloads". :thumb:
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Do you force that "untrusted downloads" directory into a testing sandbox with no outbound net access? Do you use SRP to either deny or restrict an executable in that directory? The way I look at it, since everything goes there except the cache, it is only one place I need the most security.
    After it has proven itself (referring to a downloaded file) in SB or vmWare or virus scan etc, then and only then do I move it somewhere not as secure.

    I love setting my browser (Kmeleon) to just save there and don't ask questions. I always know where to look, always find it, no matter if browser is sandboxed or not. And I always know if something ever, somehow, downloads and installs or runs, I know it will (should) be picked up by one of my means.

    Eh, maybe you can make some use of these ideas ;)

    Sul.
     
  12. mjgent

    mjgent Registered Member

    Joined:
    May 19, 2008
    Posts:
    43
    Location:
    Sandboxed in a VM behind a UTM
    Yes, I do force that directory into a testing sandbox without net access. I don't use SRP yet but am learning from some of your other posts (https://www.wilderssecurity.com/showthread.php?t=248371) and (https://www.wilderssecurity.com/showthread.php?t=244265) :).

    If I'm using a program that needs a reboot for install and I don't plan on using it much I'll just install it into a VM to use and may never install it on the host machine.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Absolutely. That is what I do as well. Since I started using ShadowDefender, I just stay shadowed most of the time. This still does not help with, as you say, things that require a reboot, but it is convenient to know that unless I make specific exceptions, what I do will be gone on reboot.

    vmWare is worth its weight in peanut butter for me. For the very same reasons you state of rebooting, it is invaluable.

    Sandboxie is not my holy grail, but it is a very convenient and easy thing to use that is actually very useful and very flexible.

    Sul.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Sul

    Nice solution, I have a question.

    I always have thought of combining PGS or AppGuard or (Trust-No-Exe with EdgeGuard Solo) with Sandboxie. In this combo PGS (or AppGuard) enforces web facing apps to run as limited user and applies a default deny execution to all directories in the user space, except my temporary directories (all. T:\TEMP) and a special directory called Install (T:\Install).

    Programs running from T:\Install are forced to open in a Sandbox. I have asked at SBIE forum, but did NOT get an answer that worked. Could you tell me how you realised this with SBIE through a temporary sandbox?

    This has the advantage that you have
    a) Internet facing apps running with reduced rights
    b) a default deny execution option for the user space, except
    c) temp and install directory, which are sandboxed by SBIE
    d) all files (non-executables) can be handled by the users in a transparent way (no need to know whether it is in or out of the sandbox)
    e) requiring little CPU cycles and no delay at browser startup.

    Regards Kees


    NB: above is another reason for a PGS release candidate without the time limitation :)

    Edit:
    Now I know my confusion: Forced Folders is not available in the Free version.
     
    Last edited: Jul 21, 2009
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I simply look at my threats for me. They are either an internet facing application or a downloaded file from the net. So as you say, it is simple:

    1) restrict net facing apps with SRP
    2) all downloaded items go to a directory that itself is restricted with SRP
    3) use SBIE to force net facing apps into network sandbox, yet also restrict outbound access to only those apps
    4) use SBIE to force downloads directory into a test sandbox with no outbound access at all

    We see because of SBIE even firewall rules are not needed within the sandbox if all you need to do is deny or allow a process network access.

    Simple and effective so far. I look at it as a layering effect.

    For a program such as browser
    A) executable starts, SRP restricts to User
    B) SBIE detects process and pipes it into a sandbox
    C) because directory of SBIE is not restricted, browser acts as if SRP had never restricted it
    D) if browser ever escapes SBIE, now the realization of restriction becomes evident
    E) SBIE has features to allow only the browser outbound access to internet. Any other exe is denied outbound access

    For the downloads directory
    A) any executable starts, SRP restricts to User
    B) SBIE detects executable, starts in a test sandbox
    C) because directory of SBIE is not restricted, programs install as if SRP was not restricting
    D) if program ever escapes SBIE, the SRP restriction will be evident
    E) this test sandbox has no outbound network access of any kind.

    Using SBIE this way does require the bought version not the free.

    As of late I have been using Shadow Defender as well. I add it in the equation as a system protection primarily. I make exclusions for many areas, but not ones that can affect the system stability. This way I can go about business as usual, save files and projects, keep bookmarks etc saved and current. But if I install or something escapes SRP or SBIE, I know it will be gone on next boot.

    Which leads to the latest news of POC vulnerabilities against things like SBIE or SD. If this happens, and becomes a common threat, I feel I am ready to start a new chapter and go *nix and forget about MS and the problems that always go with it. I will play games on MS partition and say to heck with its other uses and focus on new program languages for new tools geared in *nix. Beating the @$$o's is interesting, but at some point they can have their corrupt POS operating system with all of its bugs to themselves and the rest of the masses that cannot keep up with their crime.

    And yes, PGS will be at release version 1 soon, so no time constraints.

    Sul.
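
The two-sandbox layout described in the post above, written out as a Sandboxie.ini sketch. This is an added example, not configuration posted by anyone in the thread; the box names (BrowserBox, TestBox), the downloads path and the browser executable name are assumptions to adapt.

```ini
; Constructed example: box names, path and executable name are assumptions.

[BrowserBox]
Enabled=y
; Step 3: force the net-facing app into this sandbox whenever it starts.
ForceProcess=k-meleon.exe
; Only the browser gets outbound access; every other program that ends up
; in this box is denied the network devices.
ProcessGroup=<InternetAccess_BrowserBox>,k-meleon.exe
ClosedFilePath=!<InternetAccess_BrowserBox>,InternetAccessDevices
; Direct access to the single downloads directory, so saved files land in
; the real folder and no recovery prompt is needed. Keep this to the one
; folder: opening the whole profile exposes cache and cookie locations too.
OpenFilePath=k-meleon.exe,C:\Users\alice\Documents\MyDownloads\

[TestBox]
Enabled=y
; Step 4: anything launched from the downloads directory starts here
; (forced folders need the paid version, as noted in the thread).
ForceFolder=C:\Users\alice\Documents\MyDownloads
; No program in this box gets outbound network access.
ClosedFilePath=InternetAccessDevices

; Alternative from earlier in the thread, if the browser box should NOT
; write directly: keep downloads sandboxed and prompt for recovery from
; that one folder only, instead of adding the OpenFilePath line above.
; RecoverFolder=C:\Users\alice\Documents\MyDownloads
; AutoRecover=y
```

The SRP restrictions from steps 1 and 2 are set in Windows policy, not in Sandboxie.ini, so they do not appear here.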
     