Security question about Sandboxie

Hi everyone,

I've setup my Sandboxie to only run Firefox.exe in Internet access and Start/Run access. Now suppose if I receive an email attachment should
I allow the doc, xls, pdf, jpg programs to be added in start/run access
so that the attachment can be opened directly rather than saving
the files in a folder and then opening it??

Is it more secure to first download the attachment and then open it(In this
case, word, excel, pdf will be part of another Sandbox named office which will have its own Sandboxie settings).

In case if the downloaded files open automatically, will this be a weaker Sandboxie setting??

A similar analogy to the above situation is opening a link in an IM chat.
If I've created an IM sandbox where I've allowed only the IM to run in Internet access and Start/Run access then I'll have to copy paste the link by opening the browser separately.

Do you guys feel that creating a different Sandbox for different applications
provide enhanced security?? If yes, then I guess it'll create alot of inconvenience as far as interaction between the different Sandboxed program goes.

Awaiting your replies....

 

@Off topic

If I make a sandbox and install a software like Nod, Kaspersky, w/e and delete it's content, will it be completly removed from my system?

 

Yes it will be removed.

 

But is this safe or can damage the OS?

 

Start here: http://www.sandboxie.com/index.php?HelpTopics

 

Please dont forget the original question lol

 

Your browser sandbox is restricted to only allowing the browser to run. If you want to open a file that will be displayed by the browser, you need to do nothing. If you open a file like .pdf and use a browser extension, you might need to do nothing or make an exception for the browser extension itself, depending. If you open a .pdf file with a separate viewer, like foxit or sumatra, and you want the file to open when you click on the link in the browser, then you must make an exception for your viewing program.

If the file type is .rtf, and you use word, then you must make an exception for word.exe. And so on.

If you trust your pdf viewer to not mess with your sandbox, then make the exception. If not, then make a directory where you donwload things to, and force this directory into a sandbox. You may then download files, and execute them in your downloads sandbox, and keep it separate from the browser sandbox.

If I were you though, I would just allow your .pdf viewer or word processor etc programs to run in the sandbox. Things are contained within the sandbox, so you only have to worry that the file you allow would somehow get a keygen etc into your sandbox. If you delete the sandbox on exit, then you have even less worries. Regardless, your only worry is the integrity of your sandbox, not the system.

Sul.

 

@exus69
You need to find your own balance between security and usability. I would
ask myself if I was you, What files are the ones that I open all the time
while browsing?,and allow the programs that open those files.

For me, my browsing sandbox runs well enough by only allowing Firefox to
do anything or by also allowing Foxit and Flash to be able to start/run but
if I was opening Word documents often because that's what I get when
I open my Web mail, then I would also allow Word on my browsing sandbox.
Its still inside the sandbox, you are protected.

Make your browsing sandbox as tight as possible without loosing usability.
I know it can be done.

Bo

 

Anything that you run under Sandboxie, will be gone when you delete
the contents of the sandbox but installing real time antiviruses in a
sandbox wont do nothing for you when you are browsing.

Installing a scanner like MBAM, I think its a better idea as it can be
installed and deleted after running the scan. If you are using SBIE
100% of the time, the scan wont find anything but its fine just for
fun.

Keep in mind that antiviruses that install drivers, wont install in a
sandbox as SBIE dont allow drivers to be installed.

Bo

 

Assuming that I only have firefox.exe allowed in Internet access and the following in Start/Run access:

1)Firefox.exe
2)pdfviewer.exe
3)word.exe
4)excel.exe

With the above settings in Sandboxie, I can click on "Open with" to directly download and open a pdf document instead of downloading it in a folder first and then opening it from there manually.

Now my question is suppose that pdf document which I just opened contains a dangerous malware which my desktop internet security suite fails to detect. At this juncture, all those items listed in start/run access will be in deep trouble right?? So what will happen to them?? Will they be deleted or modified??

Even if they do get deleted or modified that will all happen in the Sandbox which will be deleted on exit so the new session of all those programs will be clean right??

Assuming that the malware doesnt delete/modify anything its only built for data theft will it be able to access any sensitive data on other drives or do I need to give a read access to those drives (all drives except C: ) ??

Please help

 

Anything wrong (or right) that happens is contained in the sandbox. If Adobe Reader is modified/corrupted while sandboxed, the modifications will be deleted along all other contents.
For ex. if you update Firefox 6.0 to 6.0.1 while sandboxed, that update will only last until the next time you delete contents. After that you'll have 6.0 back.

Right.

Something like a keylogger won't have access to anything outside the sandbox. If some types of Keyloggers may manage to read some data inside the sandbox (I think it's possible) that won't be a problem as long as internet access is allowed only to the browser. And, as always, when the box contents are deleted the malware will be gone.
http://www.sandboxie.com/index.php?DetectingKeyLoggers

 

In the above case is it possible that the malware which is inside the sandbox tries to hide itself under firefox.exe process and then send out the data coz firefox.exe is allowed internet access from within Sandboxie in the above settings?? I mean is it possible theoretically if not practically...?

 

According to Tzuk (see the link in my previous post)

Considering that Sandboxie asked permission for Firefox's plugin-container after I restricted internet access to FF only, I presume it would do the same for any other plugin.
theoretically, as you said, there may be other scenarios.
I think I'll post this particular issue at Sandboxie's forums; you made me curious.

Edit http://www.sandboxie.com/phpbb/viewtopic.php?t=11443

 

The items listed in start/run might suffer some changes but those changes
only happen in the sandbox. Your real system is untouched. When you
delete the sandbox all changes that are in the sandbox will be gone.
You should know that on default, your real system is read only to anything
in the sandbox unless you allow file access. Malware inside the sandbox
can not make changes to the system.

They will open as they were the last time they were opened out of the sandbox. Clean.

I think you meant "Blocked access". Remember your hard drives are Read
only already so if you want to block some file or folder from being read by
something inside the sandbox, you need to use Blocked access.

To protect against keyloggers using SBIE, just read guess10 response to
Jose. That how I understand it works. Basically, be careful about addons
that you install and start/Run/Internet restrictions will take care of the
rest. Deleting the sandbox is the end of the keylogger.

That looks like a nice, well restricted sandbox, perfect for you.

Bo

 

Actually, I just realised that limited user accounts CAN install
firefox addons without any issues!!! Isn't that a security breach??

Is there a workaround??

 

Does the above setting automatically block access to other drives since explorer.exe is not part of Start/Run access settings?? or the malware can access other drives even without explorer.exe so I need to explicitly mention the drives or folders in the Block access settings in Sandboxie??

 

@exus69
Blocking access to whole drives is too much, blocking access to files
and folders that contain sensitive, personal information is enough.




About the addons. I don't worry about them as I only use 3 of them
and they are well known. Don't install addons that don't get many
downloads or are not known. If you want to be extra careful, do your
sensitive browsing on a browser without addons.

Bo

 

Hi, do you mean installing MBAM in the sandbox ? I know people who do this, although, I fail to see the reason. Is it such a big deal to install it on the real system ?

 

Hi Mick92z, I was only giving him something that I(we)know that installs
well and runs fine sandboxed. Nod, Kaspersky, I don't know if they do. I
once tried to run Kaspersky scanner and it failed.

The only scanner that I am using on my computer is HMP, I don't want to
have any other scanner. I only ran MBAM a couple of times this year, once
under SBIE and the other time using Time Freeze.

You said that you fail to see the reason for using scanners sandboxed,
I ll take that farther and say,"I fail to see the reason to use scanners
when we use SBIE almost 100% of the time".

Bo