Security question about Sandboxie

Discussion in 'sandboxing & virtualization' started by exus69, Sep 8, 2011.

Thread Status:
Not open for further replies.
  1. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Hi everyone,

    I've set up my Sandboxie to only run Firefox.exe in Internet access and Start/Run access. Now suppose I receive an email attachment: should I allow the doc, xls, pdf, jpg programs to be added in Start/Run access so that the attachment can be opened directly rather than saving the files in a folder and then opening them?

    Is it more secure to first download the attachment and then open it? (In this case, Word, Excel and the PDF viewer will be part of another sandbox named Office, which will have its own Sandboxie settings.)

    In case the downloaded files open automatically, will this be a weaker Sandboxie setting?

    A similar analogy to the above situation is opening a link in an IM chat. If I've created an IM sandbox where I've allowed only the IM to run in Internet access and Start/Run access, then I'll have to copy and paste the link by opening the browser separately.

    Do you guys feel that creating a different sandbox for different applications provides enhanced security? If yes, then I guess it'll create a lot of inconvenience as far as interaction between the different sandboxed programs goes.

    Awaiting your replies....
     
  2. d0t

    d0t Registered Member

    Joined:
    Apr 23, 2011
    Posts:
    181
    @Off topic

    If I make a sandbox and install software like NOD, Kaspersky, whatever, and delete its contents, will it be completely removed from my system?
     
  3. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Yes it will be removed.
     
  4. d0t

    d0t Registered Member

    Joined:
    Apr 23, 2011
    Posts:
    181
    But is this safe, or can it damage the OS?
     
  5. Jose_Lisbon

    Jose_Lisbon Registered Member

    Joined:
    Feb 5, 2010
    Posts:
    245
    Location:
    Portugal
  6. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Please don't forget the original question lol
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Your browser sandbox is restricted to only allowing the browser to run. If you want to open a file that will be displayed by the browser, you need to do nothing. If you open a file like .pdf and use a browser extension, you might need to do nothing or make an exception for the browser extension itself, depending. If you open a .pdf file with a separate viewer, like foxit or sumatra, and you want the file to open when you click on the link in the browser, then you must make an exception for your viewing program.

    If the file type is .rtf, and you use word, then you must make an exception for word.exe. And so on.

    If you trust your pdf viewer to not mess with your sandbox, then make the exception. If not, then make a directory where you download things to, and force this directory into a sandbox. You may then download files, and execute them in your downloads sandbox, and keep it separate from the browser sandbox.

    If I were you though, I would just allow your .pdf viewer or word processor etc programs to run in the sandbox. Things are contained within the sandbox, so you only have to worry that the file you allow would somehow get a keygen etc into your sandbox. If you delete the sandbox on exit, then you have even less worries. Regardless, your only worry is the integrity of your sandbox, not the system.

    Sul.
     
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    @exus69
    You need to find your own balance between security and usability. If I was you, I would ask myself, "What files are the ones that I open all the time while browsing?", and allow the programs that open those files.

    For me, my browsing sandbox runs well enough by only allowing Firefox to do anything, or by also allowing Foxit and Flash to be able to start/run, but if I was opening Word documents often because that's what I get when I open my Web mail, then I would also allow Word in my browsing sandbox. It's still inside the sandbox; you are protected.

    Make your browsing sandbox as tight as possible without losing usability. I know it can be done.

    Bo
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Anything that you run under Sandboxie will be gone when you delete the contents of the sandbox, but installing real-time antiviruses in a sandbox won't do anything for you when you are browsing.

    Installing a scanner like MBAM, I think, is a better idea as it can be installed and deleted after running the scan. If you are using SBIE 100% of the time, the scan won't find anything, but it's fine just for fun.

    Keep in mind that antiviruses that install drivers won't install in a sandbox, as SBIE doesn't allow drivers to be installed.

    Bo
     
  10. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Assuming that I only have firefox.exe allowed in Internet access and the following in Start/Run access:

    1)Firefox.exe
    2)pdfviewer.exe
    3)word.exe
    4)excel.exe

    With the above settings in Sandboxie, I can click on "Open with" to directly download and open a PDF document instead of downloading it to a folder first and then opening it from there manually.

    Now my question is: suppose that PDF document which I just opened contains dangerous malware which my desktop internet security suite fails to detect. At this juncture, all those items listed in Start/Run access will be in deep trouble, right? So what will happen to them? Will they be deleted or modified?

    Even if they do get deleted or modified, that will all happen in the sandbox, which will be deleted on exit, so the new session of all those programs will be clean, right?

    Assuming that the malware doesn't delete/modify anything and is only built for data theft, will it be able to access any sensitive data on other drives, or do I need to give read access to those drives (all drives except C:)?

    Please help
     
  11. Jose_Lisbon

    Jose_Lisbon Registered Member

    Joined:
    Feb 5, 2010
    Posts:
    245
    Location:
    Portugal
    Anything wrong (or right) that happens is contained in the sandbox. If Adobe Reader is modified/corrupted while sandboxed, the modifications will be deleted along with all other contents.
    For example, if you update Firefox 6.0 to 6.0.1 while sandboxed, that update will only last until the next time you delete the contents. After that you'll have 6.0 back.

    Right.

    Something like a keylogger won't have access to anything outside the sandbox. Even if some types of keyloggers manage to read some data inside the sandbox (I think it's possible), that won't be a problem as long as internet access is allowed only to the browser. And, as always, when the box contents are deleted the malware will be gone.
    http://www.sandboxie.com/index.php?DetectingKeyLoggers
     
  12. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    In the above case, is it possible that the malware which is inside the sandbox tries to hide itself under the firefox.exe process and then sends out the data, because firefox.exe is allowed internet access from within Sandboxie in the above settings? I mean, is it possible theoretically, if not practically?
     
  13. Jose_Lisbon

    Jose_Lisbon Registered Member

    Joined:
    Feb 5, 2010
    Posts:
    245
    Location:
    Portugal
    According to Tzuk (see the link in my previous post)
    Considering that Sandboxie asked permission for Firefox's plugin-container after I restricted internet access to FF only, I presume it would do the same for any other plugin.
    Theoretically, as you said, there may be other scenarios.
    I think I'll post this particular issue at Sandboxie's forums; you made me curious.

    Edit: http://www.sandboxie.com/phpbb/viewtopic.php?t=11443
     
    Last edited: Sep 9, 2011
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    The items listed in Start/Run might suffer some changes, but those changes only happen in the sandbox. Your real system is untouched. When you delete the sandbox, all changes that are in the sandbox will be gone. You should know that by default, your real system is read-only to anything in the sandbox unless you allow file access. Malware inside the sandbox cannot make changes to the system.
    They will open as they were the last time they were opened outside the sandbox. Clean.
    I think you meant "Blocked access". Remember your hard drives are read-only already, so if you want to block some file or folder from being read by something inside the sandbox, you need to use Blocked access.

    To protect against keyloggers using SBIE, just read guess10's response to Jose. That's how I understand it works. Basically, be careful about addons that you install, and Start/Run/Internet restrictions will take care of the rest. Deleting the sandbox is the end of the keylogger.

    That looks like a nice, well restricted sandbox, perfect for you.

    Bo
     
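    A policy checker for the kind of Sandboxie.ini that Sully (post 7) and bo elam (post 14) describe: a browser box restricted by Start/Run and Internet access lists, sensitive folders under Blocked access, and a separate box forced onto the downloads folder. This is an added example written for this page, not code from the thread or from Sandboxie. It assumes the classic Sandboxie.ini keys and the `ProcessGroup=<Name>,...` / `!<Name>` syntax shown in its docstring, and assumes Closed rules take precedence over Read rules, which take precedence over Open rules; the box names, program names and paths in the sample are constructed. Check the keys against your own Sandboxie.ini before relying on it.

```python
"""Check a restricted Sandboxie.ini (added example, not Sandboxie's own code).

Assumed classic Sandboxie.ini syntax (verify against your installation):
  ProcessGroup=<Name>,a.exe,b.exe        named group, referenced as !<Name> elsewhere
  ClosedIpcPath=!<Name>,*                Start/Run restriction: only the group may start programs
  ClosedFilePath=!<Name>,\Device\Afd*    Internet restriction: only the group may open sockets
  ClosedFilePath= / ReadFilePath= / OpenFilePath=   Blocked / Read-only / Direct access
  ForceFolder=                           programs launched from that folder run in this box
Assumed precedence when a path matches several rules: Closed > Read > Open > default.
"""
import fnmatch
from collections import defaultdict

# Constructed sample of the layout discussed in the thread. Two mistakes are planted
# for lint(): plugin-container.exe has Internet but no Start/Run access, and an
# OpenFilePath sits under a blocked folder, so it can never take effect.
SAMPLE_INI = r"""
[BrowserBox]
Enabled=y
AutoDelete=y
ProcessGroup=<StartRun>,firefox.exe,pdfviewer.exe,word.exe,excel.exe
ProcessGroup=<Net>,firefox.exe,plugin-container.exe
ClosedIpcPath=!<StartRun>,*
ClosedFilePath=!<Net>,\Device\Afd*
ClosedFilePath=C:\Users\me\Documents\Finance
ClosedFilePath=D:\Backups
ReadFilePath=C:\Users\me\Downloads
OpenFilePath=C:\Users\me\Documents\Finance\Export

[DownloadsBox]
Enabled=y
ForceFolder=C:\Users\me\Downloads
ClosedFilePath=\Device\Afd*
"""

NET_DEVICE = r"\Device\Afd*"   # assumed name of the socket device Sandboxie closes


def parse_ini(text):
    """Return {box: {key: [values...]}}; Sandboxie repeats keys, so values are lists."""
    boxes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = boxes.setdefault(line[1:-1], defaultdict(list))
            continue
        key, _, value = line.partition("=")
        current[key.strip()].append(value.strip())
    return boxes


def expand(box, name):
    """Resolve a program name or <Group> reference to a set of lower-case exe names."""
    if name.startswith("<") and name.endswith(">"):
        for entry in box.get("ProcessGroup", []):
            group, _, members = entry.partition(",")
            if group == name:
                return {m.strip().lower() for m in members.split(",") if m.strip()}
        return set()
    return {name.lower()}


def _exempt_programs(box, key, target):
    """Programs exempted by a '!X,target' rule under key; empty set if target is closed
    for everyone; None if there is no rule at all (no restriction configured)."""
    for entry in box.get(key, []):
        excl, _, path = entry.partition(",")
        if excl.startswith("!") and path.lower() == target.lower():
            return expand(box, excl[1:])
        if excl.lower() == target.lower():
            return set()
    return None


def start_run_allowlist(box):
    return _exempt_programs(box, "ClosedIpcPath", "*")


def internet_allowlist(box):
    return _exempt_programs(box, "ClosedFilePath", NET_DEVICE)


def _matches(path, rule):
    """A Sandboxie path rule covers the path itself and everything beneath it."""
    p, r = path.lower(), rule.lower()
    return fnmatch.fnmatchcase(p, r) or fnmatch.fnmatchcase(p, r.rstrip("\\") + "\\*")


def _path_rules(box, key):
    return [v for v in box.get(key, []) if not v.startswith("!")]


def effective_access(box, path):
    """What a sandboxed process gets for path under the assumed precedence."""
    for key, verdict in (("ClosedFilePath", "blocked"), ("ReadFilePath", "read-only"),
                         ("OpenFilePath", "direct")):
        if any(_matches(path, r) for r in _path_rules(box, key)):
            return verdict
    return "sandboxed"   # real file readable, writes diverted into the box


def lint(box):
    warnings = []
    net, run = internet_allowlist(box) or set(), start_run_allowlist(box)
    if run is not None:
        for prog in sorted(net - run):
            warnings.append(f"{prog} has Internet access but is not in the Start/Run list")
    for rule in _path_rules(box, "OpenFilePath") + _path_rules(box, "ReadFilePath"):
        if effective_access(box, rule) == "blocked":
            warnings.append(f"{rule} is shadowed by a ClosedFilePath rule and has no effect")
    if box.get("AutoDelete", ["n"])[0].lower() != "y":
        warnings.append("AutoDelete is off: sandbox contents survive until deleted by hand")
    return warnings


if __name__ == "__main__":
    for name, box in parse_ini(SAMPLE_INI).items():
        print(name, start_run_allowlist(box), internet_allowlist(box), lint(box))
```

    The two planted findings are the ones people usually miss when tightening a box by hand: a program that is exempt from the Internet restriction but not from the Start/Run restriction can never run, and a Direct or Read-only path under a Blocked folder is silently overridden, so the sensitive-folder block still wins.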
  15. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Actually, I just realised that limited user accounts CAN install Firefox addons without any issues! Isn't that a security breach?

    Is there a workaround?
     
  16. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Does the above setting automatically block access to other drives, since explorer.exe is not part of the Start/Run access settings? Or can the malware access other drives even without explorer.exe, so that I need to explicitly mention the drives or folders in the Blocked access settings in Sandboxie?
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    @exus69
    Blocking access to whole drives is too much; blocking access to files and folders that contain sensitive, personal information is enough.

    About the addons: I don't worry about them as I only use 3 of them and they are well known. Don't install addons that don't get many downloads or are not known. If you want to be extra careful, do your sensitive browsing in a browser without addons.

    Bo
     
  18. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    Hi, do you mean installing MBAM in the sandbox? I know people who do this, although I fail to see the reason. Is it such a big deal to install it on the real system? :)
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Hi Mick92z, I was only giving him something that I (we) know installs well and runs fine sandboxed. NOD, Kaspersky, I don't know if they do. I once tried to run the Kaspersky scanner and it failed.

    The only scanner that I am using on my computer is HMP; I don't want to have any other scanner. I only ran MBAM a couple of times this year, once under SBIE and the other time using Time Freeze.

    You said that you fail to see the reason for using scanners sandboxed. I'll take that further and say, "I fail to see the reason to use scanners when we use SBIE almost 100% of the time". ;)

    Bo
     