some questions about sbie!

Discussion in 'sandboxing & virtualization' started by ams963, Apr 29, 2012.

Thread Status:
Not open for further replies.
  1. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Hi,

    If I add entries to blocked access in file access do I need to add entries to blocked access in registry access?

    What is IPC? And what entries should I add in blocked access in IPC access?

    Best Wishes,
    ams963
     
    Last edited: Apr 30, 2012
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    I block personal files not system files but got some system files as read only, they are not the same than what I have under read only registry access. Never experienced a problem in the sandbox or a message from SBIE by using the setting that way. I think blocking system files/registry might be too strong but I have never set it that way.

    HTH

    Bo
     
  3. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    oh! I see......but I want to tighten up sbie.....I did as much as I could understand....but to fully take advantage of the sbie settings I have to get my answers to first post.....
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    Based on how I use the Read only file and registry setting and how I use the block file setting to block specific personal files, the answer to your question is NO. The answer was on my previous post, you just did not read between the lines.

    Anyway, I known of people that when blocking a bunch of system files, experience trouble when the sandbox malfunctions. I always avoid trouble and prefer to use the read only file and registry setting on files and keys that, over a period of time, I have learned that don't need to be modified by sandboxed programs. Doing it like this works perfectly as the sandbox gets restricted a little more and at the same time, programs in the sandbox work fine.

    I might be wrong but I believe the blocked file setting was created to block personal files. I use it to block software licenses, files with my name or files with information on myself, my company or that are personal.

    Bo
     
  5. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    yeah you're absolutely right....blocked file setting was indeed created to clock personal files.....I just got sandbox malfunctions and and got message from sbie that firefox could not get access to some windows dll file and also sandboxie dll files.......thank you very much for explaining to me so clearly.....otherwise I would think I tightened up sbie and when I would get those messages and ff would not start I would all banana........
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    In addition to what's been said, I'd only block access in those sandboxes meant for apps that have network access. There's no need to block such access to apps that will run in sandboxes without network access, in my opinion. Then again, maybe I'm wrong. :D

    Regarding the IPC, that's Inter-Process Communication, which basically means what it means, processes will have to communicate with one another.

    For instance, Sandboxie creates IPC rules for Microsoft EMET, which should be left in the global settings, which makes it easier for any other future application you may protect with EMET.

    Besides that, there are some Full File Access default rules for Adobe Reader, for example, which you may want to remove from the global settings and add it to its own sandbox or other sandboxes that may need Adobe Reader, such as your web browser sandbox. If you do have Adobe Reader, of course. Just an example.

    There's another one, in my case, for 7-zip. I don't need it to exist in all sandboxes, so I removed it from the global settings and add it to 7-zip's sandbox configuration instead. I think this were for IPC... don't recall.

    There's also some Microsoft Office Licensing IPC rules, I think. You may want to add it to the individual sandboxes that need it, rather than globally. Why give more than they need, right? :D
     
    Last edited: May 2, 2012
  7. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Thank you very much. Things are clearer now. I can tighten up sbie more confidently.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I should have added that there's a catch, though. There's always a catch... :D And, that's what mentioned before is related to software compatibility. So, unless you want to have Sandboxie checking for compatible software all the time, then you should enable the option not to check for software compatibility in the future. Or, just click Cancel everytime it happens. :D

    If you click OK, then it will add those entries back in Global Settings. Maybe Sandboxie's developer will change this in the future. It would be nice to be able to configure Software Compatibility per sandbox, and not globally.

    I always enable this option, so I don't recall how recurrent those alerts would be. Maybe you'd get them on each reboot... not sure, though.
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    You can do that now.

    Go to applications in the sandbox where you want to apply software compatibility and enable/disable it there. PDF/Printing all the way down to All applications, that's where you ll get it done. I believe that's what you want.

    Bo
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah, that's it. It's been there for a long time. I just never associated it with software compatibility. :oops: Damn... :D

    :thumb:
     
  11. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    ah a catch.....there is always a catch isn't there.........well, thx a lot :thumb:
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, not so much of a catch, if we take under consideration what user bo elam mentioned in post #9. :) A more elegant approach, and the approach to follow, considering Sandboxie does allow to disable software compatibility for individual sandboxes. I just never associated the two. :argh:

    :thumb:
     
  13. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Uh oh.....Got a problem. I've created a sandbox for USB stick. And want to restrict internet access and start/run access. But I must add a program in each to restrict any other programs from accessing internet or running, right? Otherwise all programs will access the internet and run/start. Which program should I add? I mean I cannot just add iexplorer.exe or firefox.exe, right? I don't want any program from my USB stick to access the internet.....maybe start/run.
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,195
    Location:
    Nicaragua
    I rarely use USBs. On my USB sandbox all programs can run and none can connect to the Internet. Maybe you like to use 2 sandboxes, one like mine and another one where only the browsers are allowed Internet access.

    Bo
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    I don't know which you should add, but you are correct in that you must add at least one in order to prevent all from accessing. When I first realized that, I was of course very impressed by the strength of the program (and very glad that I understood this configuration fact). But as I ponder it a bit more, I wonder why in the heck Tzuk made SBIE in this fashion? Why, for example, aren't all programs denied access by default and only allowed as they are added? I guess because then Sandboxie would not run out of the box.
     
  16. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Yes but I'm asking how did you restrict all programs from accessing to the internet.
     
  17. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Right on my good friend. This is exactly what I'm asking. I do not want any program inside the sandbox for USB sticks to access internet. But if I keep the space in the internet access blank then it says , 'All programs can access the internet'.

    And I also sometimes would want no program to run/start from the sandbox for USB stick.

    But I must add a program in both internet access and start/run access. But I do not know which one to add.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    By doing precisely as you have noted, entering at least one.
    I am not sure which one you should select, but at least be certain to also select Drop Rights.
     
  19. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Maybe someone else would like to give a program to add. And I always select DropRights.

    At least can you say which program to add in start/run access in my 'USB Sandbox'?
     
  20. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    When you first set up a new Sandbox and go to "restrictions" > "internet access" - it is as in my screen shot. Simply click "Block all programs" and nothing will be able to connect out. I have separate sandboxes for my PDF reader and also for all my downloads, both are set up this way and in addition the downloads Sandbox has the "Drop rights" option ticked. I have deliberately tried starting malware in that box and it has never even managed to get started :D Sandboxie restrictions stop it dead :thumb:
    When I first tried Sandboxie a few years ago I simply could not get my head round it and left it, but I kept coming back to it and gradually learned how it worked and how to set it up. It is now the bedrock of my security and if anything doesn't work with Sandboxie it's gone. That and Shadow Defender are the only indispensable security apps on my machine.
     

    Attached Files:

  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    Wow. How long has that option been present?
    I seriously don't recall seeing that button. Could I be that blind?
    And I agree totally with your SBIE bedrock assessment. :thumb:
     
  22. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Holy smoke! I must have gone banana not to see that option. Thank you so much my good friend.

    And you are right. I also leave anything that won't play nice with sbie. I've made sbie a permanent in my setup.
     
  23. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    LOL. Guess we've become sloppy :D
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't know for how long it has been there, but it has been there since I started using Sandboxie... which I truly don't recall when it was. :D
     
  25. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    But what about start/run access under 'Restrictions'? What if I want to block all programs from staring or running in the USB Sandbox? There is no option like Block all Programs in start/run access.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.