Virtual PC in XP Mode with Sandboxie

Discussion in 'sandboxing & virtualization' started by Windows_Security, Sep 22, 2014.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Any tips on integration settings of Virtual PC or Sandbox settings?

    Combo launches surprisingly fast on a dual-core Pentium with 3GB RAM; after the trial period SBIE will probably wait for a few seconds.
     
    Last edited: Sep 23, 2014
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    After a reboot, five seconds, only the first time you run something sandboxed.

    Bo
     
  3. Windows_Security

    Windows_Security Registered Member

    Disabled as many standard components as possible (IE, WMP, Outlook Express, etc.)

    Integration settings: Hibernate, not using the "undo virtual disk option" to purge changes (Sandboxie does this faster/easier), not allowing access to data drives, assigned 768 MB to virtual RAM

    Sandboxie settings:
    - Drop rights
    - allow only Chrome to start
    - allow only Chrome internet access
    - Block access to (other) virtual (data) disks

    Sandboxie Control (Remote) is visible as an icon on the host

    First launch of XP Mode launches the Virtual PC and (thx Bo) in future five seconds SBIE free delay; consecutive launches from hibernated Virtual PC take less than 2 seconds.
     
    Last edited: Sep 23, 2014
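The four Sandboxie restrictions listed in the post above, written out as a Sandboxie.ini fragment. This is an added example, not part of the thread; the box name DefaultBox, the program name chrome.exe and the drive letter D:\ are assumptions.

```ini
# Constructed Sandboxie.ini fragment; box name, program name and drive
# letter are assumptions, not values taken from the thread.
[DefaultBox]
Enabled=y

# Drop rights: strip administrator privileges from sandboxed processes
DropAdminRights=y

# Allow only Chrome to start: any program outside the group is denied
# all IPC and therefore cannot run in this box
ProcessGroup=<StartRunAccess>,chrome.exe
ClosedIpcPath=!<StartRunAccess>,*

# Allow only Chrome internet access: network devices are closed to
# every program that is not in the group
ProcessGroup=<InternetAccess>,chrome.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices

# Block access to other virtual (data) disks; D:\ is a placeholder
ClosedFilePath=D:\
```

The leading `!` negates the match, so each Closed rule applies to everything except the named process group.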
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
    Run of multiple programs with the free ver of SBIE:

    Immagine.JPG
     
    Last edited: Sep 23, 2014
  5. bo elam

    bo elam Registered Member

    Sampei, you might not know, the free version allows you to use separate sandboxes for your programs. You just can't use more than one at the same time. If I was you, I would create a new sandbox, name it Thunderbird and allow Firefox, Thunderbird and perhaps your PDF reader to run in that sandbox. And the DefaultBox, use it for browsing, not email. Remember, isolation works better when you separate programs in their own sandbox. You'll be safer if you do that. :cool:

    Sandboxie Control > Sandbox > Create new sandbox

    Bo
     
  6. Windows_Security

    Windows_Security Registered Member

    Edit: disabled integration settings to increase colours from 16 bit to 32 bit (apparently this only works when disabling integration settings).
     
  7. Windows_Security

    Windows_Security Registered Member

    Edit: replaced Chrome with K-Meleon. Due to hardware virtualization, Chrome does not display text as crisply as K-Meleon.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    dudes - you talk about security in same sentence with XP? expecting what?
     
  9. Windows_Security

    Windows_Security Registered Member

    No, we are talking XP-mode, meaning the guest will be vulnerable due to end of life of XP, but

    Windows 7 host should be protected from guest OS:
    a) no integration (on data level)
    b) changed NAT shared to Bridge mode (selecting the name of the adaptor)

    Precautions on Guest
    a) hardened it with gpedit, XP-mode is an XP Professional (SRP default deny, etc.)
    b) adding Sandboxie Free (running the application in XP as anonymous User)
     
  10. Windows_Security

    Windows_Security Registered Member

    Nice thing about XP-mode is that it runs within a virtual machine and it is very easy to make a backup of your Virtual PC XP-mode image by killing vpc and copying all files to a safe location. So decided to play with it again.

    Installed QupZilla and Flash Player, deinstalled/disabled all other programs/services to reduce size of the XP-Mode VM image. Added Software Restriction control (default deny) and run QupZilla and Flash as basic user. Next added the registry tweak to get embedded updates until 2019. Seems to work, I would not do this on main XP, but in VM trashing the guest is part of the fun and without consequences.
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

  12. Windows_Security

    Windows_Security Registered Member

    QupZilla 14/17 on security, total score 86/100

    Settings altered
    - open startpage as home page, startpage as search engine
    - disabled all address bar options
    - disabled Java
    - enabled XSS
    - disable saving history
    - disabled downloads by selecting an alternative download manager without specifying one
    - enabled use defined location for download
    - allow storing cookies/delete them on close/block 3rd party cookies
    - javascript, don't allow access clipboard, open/close windows
    - disabled send referrer header, enabled do not track
    - enable tracking protection/ad-block/flash click to play
    - disabled application extensions

    The default settings look rather odd.

    Running without SBIE, Flash & QupZilla run as basic user with default deny as SRP and enabled the EPSMode trick through registry to get updates of embedded. Since Embedded is XP Pro without WFP, I disabled WFP (I trash the VM when ready playing with it anyway).

    GesWall ruleset for QupZilla in XP-mode (should work for XP also)

    Untitled.png
     
    Last edited: Oct 29, 2014