Setting for bypassing SBIE's sandbox?

I have a question for you SBIE users (who I'm sure are far more knowledgeable than me)...

I always save software downloads in my D-partition, so I would like to allow those downloads to bypass SBIE's sandbox entirely. I can't seem to find the SBIE settings to enable that. Isn't that doable?

Wendi

 

It is under Resource Access > File Access > Direct Access.

 

Thank you very much!!! I knew it must be there (somewhere).

Wendi

 

Or, you can add your download folder under Recovery > Quick Recovery.

Best regards,

 

Another way is not to sandbox your download manager, but giving it direct access under Applications > All Applications.

Best regards,

 

No, what Wendi wanted was to have her downloads go to her downloads folders "bypassing" Sandboxing. In other words, using Immediate or Quick recovery is not necessary.

Bo

 

Exactly ...0strodamus' suggestion allows my downloads to bypass SBIE's sandbox and go directly into my Downloads folder inside D:

Wendi

 

Hi Wendi,

I do the same thing but, for additional security, I also made the downloads folder a forced folder within SBIE. This puts the downloads folder under SBIE protection and ensures that downloaded files can't escape the sandboxed environment without deliberate user action to release them. This is just an extra precaution in case a drive-by download has occurred where the download wasn't deliberately initiated by the user.

Software that has been downloaded to a forced folder can be run outside of the sandbox in one of two ways: Either by copying or moving it out of the downloads folder prior to running it OR by right-clicking the SBIE tray icon and choosing the option to temporarily Disable Forced Programs.

I have to do it this way as my sandbox container folder is located on a RAM disk for improved performance and I need to be able to download files that are larger than the size of the RAM disk, but I didn't want to lose SBIE downloads folder protection. Immediate or Quick Recovery is therefore not an option for me.

It wasn't clear to me when you said you want to bypass the sandbox whether you meant just the sandbox container folder or the whole sandbox environment. By making a downloads folder a forced folder, it becomes part of the sandbox environment. But, unlike the sandbox container folder, its contents are permanent and remain when the sandbox is emptied without the need for file recovery.

Kind regards
pegr

 

You're welcome. Glad I was able to help.

 

Hi pegr, how are you?

While I understand why you do what you do, the size of my D-partition is ample and since I don't believe downloading software into that partition poses an immediate security risk, I prefer to download directly into D: (bypassing SBIE as instructed by 0strodamus).

Even though my downloads are automatically scanned by Panda Cloud AV, before installing any download I will manually scan it (with MBAM) so as not to allow any of them to infect my C-partition.

Best regards,
Wendi

 

Hi Wendi,

I'm fine. Hope you're keeping well too.

Even if I weren't using a RAM disk, I'd still download direct to a download folder. It feels more natural to me than using the Immediate or Quick recovery options to move stuff out of the sandbox - purely a personal preference.

I agree that it's not necessary to make the download folder a forced folder. Again, just a personal preference on my part not to create a potential hole in the sandbox, although the likelihood of an exploit is negligible as any drive-by download from a sandboxed browser should automatically run sandboxed if launched from within the virtual session, no matter where it is downloaded to.

Kind regards
pegr

 

@pegr

You forgot to mention another nice effect of forcing the downloads directory into a sandbox - testing. Download now. Execute later. If you don't like whatever it was, delete the downloads sandbox and the physical file. If you forget to scan, no problem. If it is a new virii/etc, and scanner fails to pick it up, no problem. If you forget what it was (ie. file was setup_jh_v1.exe) you downloaded, run it and see. No problems.

All in all, no problems LOL

Sul.

 

Agreed. But for those of us with Windows 8 x64. We don't really know what'll happen as of yet. No serious tests have been provided to the Wilders community. We cannot trust Sandboxie to the full extent yet. The new Sandboxie (beta) versions function in an entirely different way.

 

Dearest Bo,

As I am not very good and experienced in Sandboxie, therefore for my learning process, what is better (security wise and other wise):

Either to put the Download Manager under Sandboxie and then "bypassing" Sandboxing as suggest to Wendi to exclude the download folder under Resource Access > File Access > Direct Access.

OR

As I suggest in my above post #5, to give direct access to Download Manager under Applications > All Applications.

Best regards,

 

I prefer not to give Direct access to my download folder, so I use Quick recovery. In your case, I would keep doing as you are now. But force your download folder if you are not doing it. I think being able to do that is one of the nice benefits of using Sandboxie.

Bo

 

Hi Aladdin,

Here are some points to consider: -

Applications>All Applications provides templates to achieve certain objectives for the applications listed. Using these can make life easier as the set of exceptions needed to achieve each listed objective has already been worked out in advance. But a caveat: The templates do not always work if the application folders have been moved from their default locations.

Resource Access>File Access is the more general method. The menu options under this heading can be used to link ANY program to ANY set of files and folders, irrespective of their locations. The NOT program operator (!) can also be used when specifying the program that the list of files and folders applies to.

If the GUI isn't proving flexible enough, the configuration editor can be used to manually add entries; or the GUI can be used as a starting point to add entries to the configuration file then the configuration editor used to manually amend the entries. From a security perspective, it makes no difference how entries are added to the configuration file.

Kind regards
pegr

 

Good thread

Because I want NoScript and AdBlock+ plug-ins to update immediately such as when I whitelist a domain, I applied the following to Resource Access->File Access->Direct Access-> Firefox.exe:

Code:

OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\xi2vemjy.default\prefs.js

Does this make sense or is there there a more secure - yet just as convenient - way of doing this?

 

Hi Bo,

Thanks a lot for the explanation.

Best regards,

Mohamed

 

Dearest Pegr,

As usual an excellent and though provoking post.

Best regards,

Mohamed

 

Hi Mohamed,

We haven't spoken for a while. How are you? Keeping well I hope.

Kind regards
pegr