# Setting for bypassing SBIE's sandbox?

Discussion in 'sandboxing & virtualization' started by Wendi, Mar 9, 2013.

Not open for further replies.
1. ### WendiRegistered Member

Joined:
Aug 8, 2008
Posts:
542
Location:
NY, USA
I have a question for you SBIE users (who I'm sure are far more knowledgeable than me)...

I always save software downloads in my D-partition, so I would like to allow those downloads to bypass SBIE's sandbox entirely. I can't seem to find the SBIE settings to enable that. Isn't that doable?

Wendi

2. ### 0strodamusRegistered Member

Joined:
Aug 23, 2009
Posts:
1,048
Location:
United Surveillance States
3. ### WendiRegistered Member

Joined:
Aug 8, 2008
Posts:
542
Location:
NY, USA

Joined:
Jan 9, 2006
Posts:
2,986
Location:
Oman

Best regards,

Joined:
Jan 9, 2006
Posts:
2,986
Location:
Oman
Another way is not to sandbox your download manager, but giving it direct access under Applications > All Applications.

Best regards,

6. ### bo elamRegistered Member

Joined:
Jun 15, 2010
Posts:
3,915
Location:
Nicaragua
No, what Wendi wanted was to have her downloads go to her downloads folders "bypassing" Sandboxing. In other words, using Immediate or Quick recovery is not necessary.

Bo

Joined:
Aug 8, 2008
Posts:
542
Location:
NY, USA

Wendi

8. ### pegrRegistered Member

Joined:
Apr 8, 2008
Posts:
2,281
Location:
UK
Hi Wendi,

Software that has been downloaded to a forced folder can be run outside of the sandbox in one of two ways: Either by copying or moving it out of the downloads folder prior to running it OR by right-clicking the SBIE tray icon and choosing the option to temporarily Disable Forced Programs.

I have to do it this way as my sandbox container folder is located on a RAM disk for improved performance and I need to be able to download files that are larger than the size of the RAM disk, but I didn't want to lose SBIE downloads folder protection. Immediate or Quick Recovery is therefore not an option for me.

It wasn't clear to me when you said you want to bypass the sandbox whether you meant just the sandbox container folder or the whole sandbox environment. By making a downloads folder a forced folder, it becomes part of the sandbox environment. But, unlike the sandbox container folder, its contents are permanent and remain when the sandbox is emptied without the need for file recovery.

Kind regards
pegr

Last edited: Mar 10, 2013
9. ### 0strodamusRegistered Member

Joined:
Aug 23, 2009
Posts:
1,048
Location:
United Surveillance States
You're welcome. Glad I was able to help.

10. ### WendiRegistered Member

Joined:
Aug 8, 2008
Posts:
542
Location:
NY, USA
Hi pegr, how are you?

While I understand why you do what you do, the size of my D-partition is ample and since I don't believe downloading software into that partition poses an immediate security risk, I prefer to download directly into D: (bypassing SBIE as instructed by 0strodamus).

Even though my downloads are automatically scanned by Panda Cloud AV, before installing any download I will manually scan it (with MBAM) so as not to allow any of them to infect my C-partition.

Best regards,
Wendi

Last edited: Mar 11, 2013
11. ### pegrRegistered Member

Joined:
Apr 8, 2008
Posts:
2,281
Location:
UK
Hi Wendi,

I'm fine. Hope you're keeping well too.

Even if I weren't using a RAM disk, I'd still download direct to a download folder. It feels more natural to me than using the Immediate or Quick recovery options to move stuff out of the sandbox - purely a personal preference.

I agree that it's not necessary to make the download folder a forced folder. Again, just a personal preference on my part not to create a potential hole in the sandbox, although the likelihood of an exploit is negligible as any drive-by download from a sandboxed browser should automatically run sandboxed if launched from within the virtual session, no matter where it is downloaded to.

Kind regards
pegr

Last edited: Mar 11, 2013
12. ### SullyRegistered Member

Joined:
Dec 23, 2005
Posts:
3,719
@pegr

You forgot to mention another nice effect of forcing the downloads directory into a sandbox - testing. Download now. Execute later. If you don't like whatever it was, delete the downloads sandbox and the physical file. If you forget to scan, no problem. If it is a new virii/etc, and scanner fails to pick it up, no problem. If you forget what it was (ie. file was setup_jh_v1.exe) you downloaded, run it and see. No problems.

All in all, no problems LOL

Sul.

Joined:
Feb 26, 2008
Posts:
2,375
Location:
Sweden
Agreed. But for those of us with Windows 8 x64. We don't really know what'll happen as of yet. No serious tests have been provided to the Wilders community. We cannot trust Sandboxie to the full extent yet. The new Sandboxie (beta) versions function in an entirely different way.

Joined:
Jan 9, 2006
Posts:
2,986
Location:
Oman
Dearest Bo,

As I am not very good and experienced in Sandboxie, therefore for my learning process, what is better (security wise and other wise):

Either to put the Download Manager under Sandboxie and then "bypassing" Sandboxing as suggest to Wendi to exclude the download folder under Resource Access > File Access > Direct Access.

OR

Best regards,

15. ### bo elamRegistered Member

Joined:
Jun 15, 2010
Posts:
3,915
Location:
Nicaragua
I prefer not to give Direct access to my download folder, so I use Quick recovery. In your case, I would keep doing as you are now. But force your download folder if you are not doing it. I think being able to do that is one of the nice benefits of using Sandboxie.

Bo

16. ### pegrRegistered Member

Joined:
Apr 8, 2008
Posts:
2,281
Location:
UK

Here are some points to consider: -

Applications>All Applications provides templates to achieve certain objectives for the applications listed. Using these can make life easier as the set of exceptions needed to achieve each listed objective has already been worked out in advance. But a caveat: The templates do not always work if the application folders have been moved from their default locations.

Resource Access>File Access is the more general method. The menu options under this heading can be used to link ANY program to ANY set of files and folders, irrespective of their locations. The NOT program operator (!) can also be used when specifying the program that the list of files and folders applies to.

If the GUI isn't proving flexible enough, the configuration editor can be used to manually add entries; or the GUI can be used as a starting point to add entries to the configuration file then the configuration editor used to manually amend the entries. From a security perspective, it makes no difference how entries are added to the configuration file.

Kind regards
pegr

17. ### wat0114Registered Member

Joined:
Aug 5, 2012
Posts:
2,041
Location:

Because I want NoScript and AdBlock+ plug-ins to update immediately such as when I whitelist a domain, I applied the following to Resource Access->File Access->Direct Access-> Firefox.exe:

Code:
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\xi2vemjy.default\prefs.js
Does this make sense or is there there a more secure - yet just as convenient - way of doing this?

Joined:
Jan 9, 2006
Posts:
2,986
Location:
Oman
Hi Bo,

Thanks a lot for the explanation.

Best regards,

Mohamed

Joined:
Jan 9, 2006
Posts:
2,986
Location:
Oman
Dearest Pegr,

As usual an excellent and though provoking post.

Best regards,

Mohamed

20. ### pegrRegistered Member

Joined:
Apr 8, 2008
Posts:
2,281
Location:
UK
Hi Mohamed,

We haven't spoken for a while. How are you? Keeping well I hope.

Kind regards
pegr