Discussion in 'sandboxing & virtualization' started by whitedragon551, Dec 1, 2010.
How do you run suspect programs in the sandbox?
Is the new Sandboxie licence system lifetime?
1 Year = 13 Euros (~$18 US)
Lifetime = 29 Euros (~$40 US)
Right-click on the suspect program and choose Run Sandboxed from the context menu.
My plan is to have a sandbox for browsers and then all other internet-facing applications separately. I'll also have a hardened sandbox for suspect files.
I have been doing what you suggest for some time now.
My "downloads" directory is forced to start in SBIE. It allows all to run, but denies network access to everything.
I have another box that I labeled "Live Test". I can install/run items in there that I do want to allow net access but still keep in a controlled environment.
I have a "media" sandbox for any program that might connect to a network resource outside of my LAN.
It works very well. I haven't touched my configuration much at all since I finished it.
I've also removed the default Sandbox configuration in Sandboxie. I created my own folder called Sandboxie and have it set to hidden. I then configured Sandboxie to use that hidden folder so there is no chance of my wife or kids browsing to it and bringing a nasty out accidentally.
If you start explorer, navigate to c:\sandbox, execute a file, it should open in the correct sandbox. So if your wife/kid were to go there, it is still contained to within the sandbox. Hiding helps too, but maybe is not needed depending on what the goals are.
(it may only work on sandbox contents that are 'forced' even though you are exploring c:\sandbox)
There are of course many ways to approach it.
Personally, my approach was to segregate threats into different sandboxes. It is all individual tastes I suppose.
I have a sandbox for each browser. The sandbox restricts only approved applications to start and access the network. This ensures when I use Chrome, only Chrome and associated programs (like Foxit) will be allowed. I use one browser for online transactions, and that sandbox is set to delete itself - keeps a clean state for online transactions.
Other browsers keep settings/cookies, but these are never used for sensitive browsing.
Media players are housed in a different sandbox(es).
I allow all sandboxes direct access to my downloads directory, so I don't have to do any recovering of those files.
The downloads directory itself is forced into another sandbox. This sandbox allows all executions but denies any outbound network activity. It is here that I do most of my "testing" of new things that will work in SBIE.
I have other boxes, such as LiveTest for unhindered testing, and TestBox for specialized purposes.
All of my boxes are configured to lock down specific files and registry areas that might pose issues within the sandbox environment.
The way I set mine up is really to achieve 2 main purposes. First is of course so that each box is as secure as is reasonably possible, but second, and probably the more important for me, is to keep track of what is in the sandbox environment. I know if I install Flash into the Opera sandbox, I can delete any other sandbox and know still what is in the Opera sandbox. As well, if I want to find something I used in a sandbox, I know which one it will be in. I rarely use the recovery feature because almost everything I might want to recover is downloaded and in the downloads directory, for all boxes to use.
For example, if I download a setup program, it goes into my downloads folder, no recovery needed. If I browse there and execute the setup, it is forced into my "downloads" sandbox. I know right where to look if I need to. I can also choose to execute that setup program into my LiveTest sandbox. Again, I know right where to look to get something if I need to. The original setup program is always untouched in the downloads folder. If, after testing it in a sandbox, I want something, I open that sandbox's directory and copy it out. Or if I want to install it to the real system, I copy it out of the downloads directory and place it somewhere else (desktop) and run the setup. If I like the new program, I might then archive it to another area.
That's just how I do it. For me, it could be different, but could never be set up to require me to "recover" all the time. I don't like to take the time for that, and don't want to build up a "recovery list" that will include all the places "out of the ordinary" that are not recovered by default.
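Added example, not part of the thread: a short Python check over a constructed Sandboxie.ini that mirrors the layout described above (a forced downloads box with no network, a start/run-restricted browser box that deletes itself, an open LiveTest box). Box names, paths and the misconfigured `Staging` box are made up, and the setting names are assumed from classic Sandboxie 3.x/4.x, so check them against your version.

```python
import re
from collections import defaultdict

# Constructed Sandboxie.ini fragment modelled on the thread's layout. Box names and
# paths are made up; setting names are assumed from classic Sandboxie 3.x/4.x.
# "Staging" is deliberately misconfigured so the audit has something to report.
SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=C:\HiddenBoxes\%SANDBOX%
[Downloads]
ForceFolder=C:\Users\me\Downloads
ClosedFilePath=InternetAccessDevices
[Banking]
AutoDelete=y
OpenFilePath=C:\Users\me\Downloads
ProcessGroup=<StartRunAccess>,chrome.exe,foxitreader.exe
ClosedIpcPath=!<StartRunAccess>,*
[LiveTest]
Enabled=y
[Staging]
ForceFolder=C:\Users\me\Staging
"""

UNHINDERED_OK = {"LiveTest"}  # boxes left open on purpose, as in the thread

def parse_ini(text):
    """Sandboxie.ini repeats keys, so collect every value per key as a list."""
    boxes, current = {}, None
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = boxes.setdefault(section.group(1), defaultdict(list))
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()].append(value.strip())
    return boxes

def audit(boxes):
    """Flag boxes that drift from the layout: forced but networked, or fully open."""
    findings = []
    for name, cfg in boxes.items():
        if name == "GlobalSettings" or name in UNHINDERED_OK:
            continue
        net_blocked = "InternetAccessDevices" in cfg.get("ClosedFilePath", [])
        run_limited = any(v.startswith("!<StartRunAccess>") for v in cfg.get("ClosedIpcPath", []))
        if cfg.get("ForceFolder") and not net_blocked:
            findings.append((name, "forced folder can reach the network"))
        if not net_blocked and not run_limited:
            findings.append((name, "any program may start and use the network"))
    return findings
```

A real Sandboxie.ini is normally stored as UTF-16, so open it with `encoding="utf-16"` before passing its text to `parse_ini`.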