Setting for bypassing SBIE's sandbox?

Discussion in 'sandboxing & virtualization' started by Wendi, Mar 9, 2013.

Thread Status:
Not open for further replies.
  1. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    522
    Location:
    NY, USA
    I have a question for you SBIE users (who I'm sure are far more knowledgeable than me)...

    I always save software downloads in my D-partition, so I would like to allow those downloads to bypass SBIE's sandbox entirely. I can't seem to find the SBIE settings to enable that. Isn't that doable?

    Wendi
     
  2. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
  3. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    522
    Location:
    NY, USA
  4. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Or, you can add your download folder under Recovery > Quick Recovery.

    Best regards,
     
  5. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Another way is not to sandbox your download manager, but to give it direct access under Applications > All Applications.

    Best regards,
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    No, what Wendi wanted was to have her downloads go to her downloads folders "bypassing" Sandboxing. In other words, using Immediate or Quick recovery is not necessary.

    Bo
     
  7. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    522
    Location:
    NY, USA
    Exactly ...0strodamus' suggestion allows my downloads to bypass SBIE's sandbox and go directly into my Downloads folder inside D: :thumb:

    Wendi
     
  8. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hi Wendi,

    I do the same thing but, for additional security, I also made the downloads folder a forced folder within SBIE. This puts the downloads folder under SBIE protection and ensures that downloaded files can't escape the sandboxed environment without deliberate user action to release them. This is just an extra precaution in case a drive-by download has occurred where the download wasn't deliberately initiated by the user.

    Software that has been downloaded to a forced folder can be run outside of the sandbox in one of two ways: Either by copying or moving it out of the downloads folder prior to running it OR by right-clicking the SBIE tray icon and choosing the option to temporarily Disable Forced Programs.

    I have to do it this way as my sandbox container folder is located on a RAM disk for improved performance and I need to be able to download files that are larger than the size of the RAM disk, but I didn't want to lose SBIE downloads folder protection. Immediate or Quick Recovery is therefore not an option for me.

    It wasn't clear to me when you said you want to bypass the sandbox whether you meant just the sandbox container folder or the whole sandbox environment. By making a downloads folder a forced folder, it becomes part of the sandbox environment. But, unlike the sandbox container folder, its contents are permanent and remain when the sandbox is emptied without the need for file recovery.

    Kind regards
    pegr
     
    Last edited: Mar 10, 2013
  9. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    You're welcome. Glad I was able to help. :)
     
  10. Wendi

    Wendi Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    522
    Location:
    NY, USA
    Hi pegr, how are you?

    While I understand why you do what you do, the size of my D-partition is ample and since I don't believe downloading software into that partition poses an immediate security risk, I prefer to download directly into D: (bypassing SBIE as instructed by 0strodamus).

    Even though my downloads are automatically scanned by Panda Cloud AV, before installing any download I will manually scan it (with MBAM) so as not to allow any of them to infect my C-partition.

    Best regards,
    Wendi
     
    Last edited: Mar 11, 2013
  11. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hi Wendi,

    I'm fine. Hope you're keeping well too.

    Even if I weren't using a RAM disk, I'd still download direct to a download folder. It feels more natural to me than using the Immediate or Quick recovery options to move stuff out of the sandbox - purely a personal preference.

    I agree that it's not necessary to make the download folder a forced folder. Again, just a personal preference on my part not to create a potential hole in the sandbox, although the likelihood of an exploit is negligible as any drive-by download from a sandboxed browser should automatically run sandboxed if launched from within the virtual session, no matter where it is downloaded to.

    Kind regards
    pegr
     
    Last edited: Mar 11, 2013
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @pegr

    You forgot to mention another nice effect of forcing the downloads directory into a sandbox - testing. Download now. Execute later. If you don't like whatever it was, delete the downloads sandbox and the physical file. If you forget to scan, no problem. If it is a new virii/etc, and scanner fails to pick it up, no problem. If you forget what it was (ie. file was setup_jh_v1.exe) you downloaded, run it and see. No problems.

    All in all, no problems LOL :D

    Sul.
     
  13. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Agreed. But for those of us with Windows 8 x64. We don't really know what'll happen as of yet. No serious tests have been provided to the Wilders community. We cannot trust Sandboxie to the full extent yet. The new Sandboxie (beta) versions function in an entirely different way.
     
  14. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dearest Bo,

    As I am not very good and experienced in Sandboxie, therefore for my learning process, what is better (security-wise and otherwise):

    Either to put the Download Manager under Sandboxie and then "bypassing" Sandboxing as suggested to Wendi to exclude the download folder under Resource Access > File Access > Direct Access.

    OR

    As I suggested in my above post #5, to give direct access to Download Manager under Applications > All Applications.

    Best regards,
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    I prefer not to give Direct access to my download folder, so I use Quick recovery. In your case, I would keep doing as you are now. But force your download folder if you are not doing it. I think being able to do that is one of the nice benefits of using Sandboxie.

    Bo
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hi Aladdin,

    Here are some points to consider: -

    Applications>All Applications provides templates to achieve certain objectives for the applications listed. Using these can make life easier as the set of exceptions needed to achieve each listed objective has already been worked out in advance. But a caveat: The templates do not always work if the application folders have been moved from their default locations.

    Resource Access>File Access is the more general method. The menu options under this heading can be used to link ANY program to ANY set of files and folders, irrespective of their locations. The NOT program operator (!) can also be used when specifying the program that the list of files and folders applies to.

    If the GUI isn't proving flexible enough, the configuration editor can be used to manually add entries; or the GUI can be used as a starting point to add entries to the configuration file then the configuration editor used to manually amend the entries. From a security perspective, it makes no difference how entries are added to the configuration file.

    Kind regards
    pegr
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Good thread :thumb:

    Because I want NoScript and AdBlock+ plug-ins to update immediately such as when I whitelist a domain, I applied the following to Resource Access->File Access->Direct Access-> Firefox.exe:

    Code:
    OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\xi2vemjy.default\prefs.js
    Does this make sense or is there a more secure - yet just as convenient - way of doing this?
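
An added example, not part of any post in this thread: a small audit of the Direct Access (OpenFilePath) entries discussed above, flagging those that apply to every program, use the NOT operator (!), open a whole drive, or point outside any forced folder. The box names, D:\Downloads, E:\Shared and the four checks are assumptions made for illustration; the firefox.exe line is the one quoted in the post above.

```python
import re

# Constructed Sandboxie.ini fragment; box names, D:\Downloads and E:\Shared are assumptions.
SAMPLE_INI = r"""
[DefaultBox]
Enabled=y
ForceFolder=D:\Downloads
OpenFilePath=D:\Downloads
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\xi2vemjy.default\prefs.js
OpenFilePath=!firefox.exe,E:\Shared

[TestBox]
Enabled=y
OpenFilePath=C:\
"""

def parse_ini(text):
    """Return {section: [(key, value), ...]}; keys such as OpenFilePath may repeat."""
    boxes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = boxes.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return boxes

def norm(path):
    """Lower-case the path and end it with one backslash so prefix tests are exact."""
    return path.lower().rstrip("\\") + "\\"

def audit(text):
    """List (box, program scope, path, [issues]) for every OpenFilePath entry."""
    boxes = parse_ini(text)
    forced = [norm(v) for kv in boxes.values() for k, v in kv if k == "ForceFolder"]
    findings = []
    for box, settings in boxes.items():
        for key, value in settings:
            if key != "OpenFilePath":
                continue
            prog, sep, path = value.partition(",")
            if not sep or "\\" in prog:      # no program prefix: whole value is the path
                prog, path = "*", value
            issues = []
            if prog == "*":
                issues.append("applies to every program in the box")
            elif prog.startswith("!"):
                issues.append("applies to every program except " + prog[1:])
            if re.fullmatch(r"[a-z]:\\", norm(path)):
                issues.append("opens an entire drive")
            if not any(norm(path).startswith(f) for f in forced):
                issues.append("outside every forced folder")
            findings.append((box, prog, path, issues))
    return findings
```

Calling audit(SAMPLE_INI) returns one tuple per entry; an entry whose only issue is "applies to every program in the box" while sitting inside a forced folder corresponds to the direct-download-plus-forced-folder setup described earlier in the thread.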
     
  18. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Hi Bo,

    Thanks a lot for the explanation.

    Best regards,

    Mohamed
     
  19. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Dearest Pegr,

    As usual an excellent and thought-provoking post.

    Best regards,

    Mohamed
     
  20. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hi Mohamed,

    We haven't spoken for a while. How are you? Keeping well I hope.

    Kind regards
    pegr
     