Sandboxie Configuration Recommendations

Discussion in 'sandboxing & virtualization' started by TheKid7, Apr 21, 2009.

Thread Status:
Not open for further replies.
  1. ssj100

    ssj100 Guest

    Yes, anything that is executed by a sandboxed program will always inherit the same sandboxed settings too.
     
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    No need to apologize :). Some of the settings are hard to describe and I probably wasn't clear enough. And yes, you are correct about foxit inheriting the sandbox setting unless it runs into restrictions.
     
  3. ssj100

    ssj100 Guest

    Yes, it can be very hard to describe in words, just like it can be very hard to make full use of the power Sandboxie provides. I think a lot of people don't quite fully understand how to harness this power haha! Thus, I suspect a lot of these people dismiss Sandboxie (without realising the extent of protection it provides) and miss out on using quite an incredible security application!
     
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I'm aware of that because I only have 1 sandbox for Firefox, Foxit Reader, Winamp, ScreamerRadio and Java.exe. I have all of them set up with start/run access restrictions and I'm working on 'tightening up' the internet access settings for those programs. I guess I could separate ScreamerRadio but I wonder why I would need to?

    Why would you combine your chat program with Firefox? And how do you read .pdfs, listen to media, etc. that your browser calls up? I'm confused... I guess you could download them to a 'forced folder' and then look at them with a forced sandboxed program. Sounds like a pain but it could work (I think), but I'm not sure whether it would open in the needed restricted sandbox (foxit/adobe, winamp, etc.).

    By the way, I'm not picking on you. Everybody has their preferences but I'm not sure any are more secure than others. FWIW I delete my sandbox manually because I basically do everything (updates) manually. Automatically deleting the contents is no safer than manually deleting. If anyone is afraid there is malware in the sandbox then right-click the tray icon and click Terminate All Programs. Plus we can look in Sandboxie Control to see if anything is running. I also use Eraser to delete my contents but that is due to a conflict I have with another proggy. If one needs to they can use Eraser or whatever to totally shred the sandbox contents.

    Actually, I think most people find it hard to wrap their heads around what Sandboxie does. I think some may be put off because they think they need to configure it. In reality they are much safer running a default configured sandbox than with their old setups.

    Sandboxie is much easier to use and the help/faq section is much improved from when I first started using it. When it comes to new users it's best to keep it simple so they know exactly what each setting does. That way when something doesn't work, they know what is causing the problem.
     
  5. ssj100

    ssj100 Guest

    I combine my chat messenger program and firefox in the same sandbox because of the following scenario:
    1. I only have my chat program running. Firefox is not running.
    2. Chat buddy sends me a link to a site.
    3. I click on the link and firefox opens.

    Because my chat program is in the same sandbox as firefox, firefox will open in that same sandbox too. Therefore for Firefox's consistency's sake, I let my chat program and Firefox share the same sandbox. If I used separate sandboxes instead, Firefox would not be consistent and potentially a lot of browser history/bookmarks etc would go missing. By the way, I don't use OpenFilePaths (I think this theoretically increases the chances of a browser exploit being successful) and don't delete firefox/chat program's sandbox contents (for usability and convenience's sake). This is very hard to describe fully, so I hope that made sense to you haha. Anyway, there's always a reason for everything mate. As I said, I've found my "100%" approach with Sandboxie without sacrificing much in the way of usability and convenience.

    You are exactly right in saying "people find it hard to wrap their heads around what Sandboxie does." That's why user education (which leads to user knowledge) is actually the greatest security program of them all haha.

    EDIT: It is very much worthwhile spending time playing with Sandboxie and understanding what it can really do for you. Some people simply call it a "virtualisation product", but as you know, that's just scratching the surface of what Sandboxie does - it does far, far more than that.
    EDIT2: just to address your question: "...And how do you read .pdfs, listen to media, etc. that your browser calls up?"
    Well, I've never come across any problems so far mate. I can read .pdfs fine within the Firefox browser and media streams fine. Maybe you're visiting different web-sites to me. Please feel free to PM me any sites so I can test whether they run fine. As I said, I've never had trouble with streaming youtube etc with my setup.
     
    Last edited by a moderator: Jun 1, 2009
  6. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Hi,

    I run my browsers (Opera and IE) and download manager (Free Download Manager) sandboxed. I use that default sandbox only for browsing, and these are the only programs that have Internet Access and Start/Run Access.

    Should I also allow Java to have Internet Access and Start/Run Access? If yes, what's the name of the file (or files) I should add? "Java", "Javaw", "Javaws", others? I simply don't know o_O
     
  7. ssj100

    ssj100 Guest

    Sandboxie will tell you that "process.exe" failed to run due to restrictions. If so, just add that "process.exe" to be allowed to run and/or access the internet. If you don't get any messages, then all is well.
     
  8. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Thanks!:thumb:
     
  9. reinwald

    reinwald Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    54
    Location:
    Philippines
    Would you guys recommend sandboxing utorrent or limewire? I've a habit of downloading large files >1gig. Is that compatible for Sandboxie to recover? I'm scared that it might cause problems with my downloading.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    As an example, I use one sandbox for Firefox, and I force Firefox to run sandboxed. Since I don't want to give it blanket permission for everything to run, I restrict that sandbox to just running Firefox, Foxit PDF Reader, and Windows Media Player. I also restrict the sandbox so that only Firefox can access the internet. Finally, the sandbox is restricted so My Documents and the D: drive can't be accessed.

    Pete
     
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I can only speak for myself but I've run Frostwire exclusively sandboxed for a long time and never had any problems.
     
  12. wat0114

    wat0114 Guest

    One thing I found and is not readily apparent (at least not to me :) ) and that is under: Sandbox settings-> Delete-> Command, if you choose Eraserl it will default to the Gutmann erasing level, which will erase with a time-consuming 35 passes! You may want to edit this entry by choosing a method using fewer passes, such as DoD_E which will erase using only 3 passes - maybe less secure but certainly a lot faster.

    Some screenshots for illustration. The second screenshot shows the window when opening Eraserl.exe
     


  13. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Pete,

    Doesn't windows media player need internet access in order to play video or streaming radio? (Or is there another way to set this up?)

    Thanks in advance. :thumb:
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What I've found is the browsers actually download, but need the Windows Media Player to actually play it. So if I give the browser internet access, but just allow the WMP to run, it works fine. But this prevents WMP from trying to do its own thing, which it does try and do.

    Pete
     
  15. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Thank you, Pete. I'll amend my configuration back to restricting wmp (and apple's quicktime player) from accessing the net.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Test it. I am pretty sure it will work.
     
  17. Gaeko

    Gaeko Guest

    This thread is really helpful. :thumb:
     
  18. ypestis

    ypestis Guest


    Yes! It is!
    This has been needed for awhile.
     
  19. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Ok, what I'm confused about is how you run .pdfs, .wav, .avi, etc. in your sandbox when only Firefox and your chat messenger have Start/Run access? Are you relying on plugins or add-ons?

    If I don't allow FoxitReader and Winamp start/run access with my browser I can't view these files. An example of sites would be av-comparatives.org to read a .pdf and perhaps a site to view video clips :eek: or music. Basically I'm talking about files you download and then play or view. I'm not talking about youtube or a music store that preview tunes in the browser using java or flash.
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    lol, as with everything else that involves a computer, some peeps just like to play. Imagine, a program like SB being used out of the box, with apparent success in most every case, to those much more sophisticated configurations. It speaks well of SB. It both pleases the basic and advanced in terms of how much you can tweak it, and also achieves a level of protection for its intended purpose at both ends of that spectrum.

    I align more with Peter, where I use it but don't want to really know I'm using it.

    This is what I do. Registered version please.

    Create a group of programs with internet access, like this
    Code:
    ProcessGroup=<InternetAccess_BROWSERS>,opera.exe,k-meleon.exe,iexplore.exe,firefox.exe,winget.exe
    Next, I create 3 boxes. Default, Downloads and Browsers. Idea, my net facing apps start (forced) into the browsers box. So I make its settings
    Code:
    First, force a few programs
    
    ForceProcess=iexplore.exe
    ForceProcess=firefox.exe
    ForceProcess=opera.exe
    
    Next, ensure only programs in the Browsers process group are allowed ip access
    
    ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\RawIp
    ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Ip*
    ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Tcp*
    ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Afd*
    
    I want to protect a few areas within the sandbox, so I will close some paths and reg keys
    
    ClosedFilePath=C:\AUTOEXEC.BAT
    ClosedFilePath=C:\boot.ini
    ClosedFilePath=C:\ntldr
    ClosedFilePath=C:\NTDETECT.COM
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
    ClosedKeyPath=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\
    
    I don't want to bookmark something and have to restore it to keep from losing it, so I open a hole to the REAL bookmarks files. This allows the sandbox browser to make a bookmark and it writes for REAL.
    
    OpenFilePath=k-meleon.exe,c:\Program Files\k-meleon\profiles\*\*\bookmarks.html
    OpenFilePath=opera.exe,C:\Program Files\Opera\profile\opera6.adr
    OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\bookmark*
    OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places*
    
    And finally, when I download something, I don't want to restore it. I want it to go directly to the REAL directory of my choice. Like this.
    
    OpenFilePath=C:\Documents and Settings\Sully\My Documents\My Downloads
    
    So, my browsers group is the only thing that can access the net from the sandbox, and I have a few holes to ease the restoring of files in the sandbox to the real OS.

    I force 3 browsers, but my primary is Kmeleon. I have 2 shortcuts on my desktop. One starts it in the browsers sandbox, the other not. It is still forced if I use SB, so that protection is there, but not always do I want it.

    Next we have to consider the downloads folder. What I do is force anything in that folder to start in the downloads sandbox. This sandbox has everything blocked from any net access. So if I start some .exe in that folder, it is contained.

    Finally I have a default box left, where I may test something in if I desire.

    I also couple this of course with a healthy dose of SRP to a restricted Basic User level. It traps either in SRP or SB. The nice part of this equation, is that if I start an app and SRP demotes it to a user, once it gets inside the sandbox, it no longer acts as a user, but as admin. Because the directory structure of sandbox is not actually c:\windows or c:\program files. So for me it strikes a nice balance of not having to think much about it as well as not having to maintain it for my ordinary uses.

    Sul.
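As an added example (not from the thread and not Sandboxie's own code), here is a small Python audit that parses settings in the Sandboxie.ini form Sully quotes and reports what a box still lets out: which programs are exempt from the \Device network blocks, which autorun keys are left open, and which OpenFilePath holes apply to every process in the box. The sample ini is constructed, and treating a leading `[!]name.exe,` or `[!]<group>,` token as the rule's program qualifier is a simplification of Sandboxie's syntax assumed here.

```python
import re
from collections import defaultdict
# Constructed sample in Sandboxie.ini form, modelled on the settings quoted above.
SAMPLE_INI = r"""
[Browsers]
ProcessGroup=<InternetAccess_BROWSERS>,opera.exe,k-meleon.exe,iexplore.exe,firefox.exe,winget.exe
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\RawIp
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Ip*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_BROWSERS>,\Device\Afd*
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\bookmark*
OpenFilePath=C:\Documents and Settings\Sully\My Documents\My Downloads
"""
NET_DEVICES = (r"\device\rawip", r"\device\ip*", r"\device\tcp*", r"\device\afd*")
AUTORUN_KEYS = [f"{hive}\\software\\microsoft\\windows\\currentversion\\{k}\\" for hive
                in ("hkey_current_user", "hkey_local_machine") for k in ("run", "runonce", "runonceex")]
# Assumption: a leading '[!]name.exe,' or '[!]<group>,' token names the program(s) a rule applies to.
PROGRAM = re.compile(r"^!?(<[^>]+>|[^\\,]+\.exe)$", re.I)

def parse_ini(text):
    """Section -> list of (key, value); keeps duplicate keys, which configparser would merge."""
    boxes, box = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            box = line[1:-1]
        elif "=" in line and box is not None:
            k, v = line.split("=", 1)
            boxes[box].append((k.strip().lower(), v.strip()))
    return boxes

def split_program(value):
    """'[!]prog,path' -> (negated, program or None, path)."""
    head, sep, tail = value.partition(",")
    if sep and PROGRAM.match(head):
        return head.startswith("!"), head.lstrip("!"), tail
    return False, None, value

def audit_box(settings):
    # Expand ProcessGroup definitions so '<group>' can be resolved to its members.
    groups = {n.lower(): {m.lower() for m in ms}
              for k, v in settings if k == "processgroup" for n, *ms in [v.split(",")]}
    net_exempt, closed_keys, global_holes = {}, set(), []
    for k, v in settings:
        neg, prog, path = split_program(v)
        if k == "closedfilepath" and path.lower() in NET_DEVICES and (neg or not prog):
            # '!<group>,dev' blocks everyone except the group; a bare 'dev' blocks all
            net_exempt[path.lower()] = groups.get(prog.lower(), {prog.lower()}) if neg else set()
        elif k == "closedkeypath":
            closed_keys.add(path.lower())
        elif k == "openfilepath" and prog is None:
            global_holes.append(path)  # every process in the box writes here for real
    return {"net_unblocked_devices": [d for d in NET_DEVICES if d not in net_exempt],
            "net_exempt": sorted(set().union(*net_exempt.values())),
            "autorun_open": [k for k in AUTORUN_KEYS if k not in closed_keys],
            "global_holes": global_holes}
```

Run `audit_box(parse_ini(SAMPLE_INI)["Browsers"])` to see that only the browser group is network-exempt, five autorun keys are still open, and the downloads folder is a hole for every process in the box.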
     
  21. ssj100

    ssj100 Guest

    Yes, I can view av-comparatives.org to read a .pdf file no problem. That's because I do rely on a plugin. I don't see any problems at all with any site that I surf to. Also if you do run into problems, it's no big deal allowing eg. winamp.exe or wmplayer.exe to run in the sandbox.

    I now see what you're saying though. You are talking about downloading actual eg. .mp3 files into the sandbox and then playing them with eg. Winamp in the sandbox. In that case, you will need to allow winamp.exe. Usually when I download files, I do it from a trusted site, thus I can recover these files to my real system with no hesitation. Besides, I have Avira AntiVir set on "Scan when writing" and also Comodo Firewall/Defense+ running to pick up any malicious processes.

    I actually wrote a short article on the lightest way (and cheapest way) you can achieve near-100% security without sacrificing usability and convenience. It involved Sandboxie, Comodo Firewall/Defense+ and Avira. It obviously doesn't take into account human error: for example, I could download a malicious .exe file and save it on to my real system. From there, I'd execute it and allow to run everything my HIPS (Defense+) warns me about. But then again, there's no way you can protect from this type of human error!

    If people want a copy of my short article, please feel free to PM me. I've avoided posting it publicly, as I'm sure there will be lots of arguments etc. haha. Anyway, most of the article actually comprises that previous post on how I configure my Sandboxie.
     
  22. ssj100

    ssj100 Guest

    A very nice way of using Sandboxie! Combining it with SRP sounds like an excellent idea! I'm glad you've found your balance between usability and near 100% security (and all at a very low cost too haha).
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That's why you allow them to run with start/run access but don't give them access to the internet. That way they can run, but can't just do their own thing.
     
  24. wat0114

    wat0114 Guest

    Sully, it looks like you've got things locked down like Fort Knox :) Thanks for the post!

    Did you do all that editing the configuration and is it possible to do all that from within the GUI? I'm a little afraid to go in and edit things manually because it caused me to screw things up pretty badly once, though I was able to bail myself out of it with the backup. Still, I'd prefer to do things from the GUI.

    Thanks again!
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I initially did it from the GUI, just using the default box. Then I would look at the config file and see what the GUI options related to in the config. The GUI works, but I like to also know behind the scenes. It is easier for me to understand things like the process group if I see how they 'term' them. But yes, you can do all that from the GUI I believe.

    Don't worry about messing up. Just save your config file somewhere and then play. All you do then is replace your messed up config with the original and you are back in business.

    I don't know if it is locked down as well as it could be, but the way I look at it is that the intent of a sandbox is to constrain things to a private area, and that private area can be raked smooth. So I don't get too worried about what happens inside the sandbox. Besides, using SRP on my browsers, even if it did escape the sandbox, it would still be restricted to a user.

    Sul.
     