ssj100 Security Forums

Sandboxie configurations


Post by ssj100 16/4/2010, 06:47

Sandboxie is by far the most amazing security software program for Windows I've ever seen and used.

I've given a general description of how I've set it up in some detail here:
https://ssj100.forumotion.com/free-for-all-f4/ssj100-s-security-setup-t4.htm#16

How do you people use your Sandboxie?

ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Post by Guest 16/4/2010, 11:38

My normal browsing sandbox is configured the same way.
It has been since the ssj100 Wilders tutorial days.

In #4, "In each sandbox, configure Read-Only access to C:\WINDOWS",
I also add C:\Program Files.

I understand that some say this is not needed, but what does it hurt?
Who can say some as yet unknown exploit may be stopped by it?
So, I added for myself one more entry to the ssj100/Demoneye list!!

In both my IE8 box and FireFox box, I allow only IE.exe and
Firefox.exe to start/run/access the internet.

This is no hardship for me, but from time to time I will run into Java-rich sites, and the browser will lock up, requiring a shutdown from Task Manager.

I have found a cure, via disabling the Firefox plugin: Java (TM)
Platform SE 6 U190.4.

This is of course for every instance of Firefox, not just sandboxed, but a few clicks restores it to service, if needed.

Of course you could also just allow Java in your Sandbox.

I also make sure that any exclusions in ShadowDefender are protected in Sandboxie by means of "blocked access".

A lot of protection here in this program.

The reach and power of this thing is not something you can master overnight.
And like ssj100, I am also not affiliated with ANY software concern.

noor


Last edited by noorismail on 16/4/2010, 11:49; edited 2 times in total (Reason for editing : spelling)

Post by demoneye 16/4/2010, 14:56

I also found SB to be the best security software out there to protect your browser from malware.

You need nothing else alongside it, like Zemana AntiLogger or whatever HIPS you saw.

If a user decides to run a piece of software he removes all protection, so all HIPS-like programs are a waste of time and PC resources.

You can always empty your SB container each day, or add KeyScrambler (also free) if you are paranoid :D


demoneye (New Member; Posts: 5; Join date: 2010-04-14)

Post by ssj100 16/4/2010, 15:11

demoneye wrote: I also found SB to be the best security software out there to protect your browser from malware.

You need nothing else alongside it, like Zemana AntiLogger or whatever HIPS you saw.

If a user decides to run a piece of software he removes all protection, so all HIPS-like programs are a waste of time and PC resources.

You can always empty your SB container each day, or add KeyScrambler (also free) if you are paranoid :D

demoneye was the one who introduced me to Sandboxie...and to be honest, I wasn't convinced initially. Now, I am beyond being convinced, and have probably taken it to another level haha. I guess I owe it all to demoneye ultimately.

Just a few points. Sandboxie doesn't just protect your browser - for me, it protects my CD/DVD drives, my USB drives, my online game (Starcraft), my chat messenger program, my P2P program, and even my Virtual Machine program at times. In other words, you can configure Sandboxie to protect all your "malware threat-gates" (that is, internet facing applications and external facing devices).

And yes, you make a good point about the advantages of containment - you can always empty it if you ever get infected (which is probably never, particularly if you configure start/run/internet access restrictions). With regards to keyloggers, it's highly unlikely you'll ever come across one that can bypass the start/run/internet access restrictions of Sandboxie. Regardless, that's why I practise steps 7-9 here (under Sandboxie):
https://ssj100.forumotion.com/free-for-all-f4/ssj100-s-security-setup-t4.htm#16

Moving on, you know what I personally think about anti-keylogger software? Total marketing scam! I think companies like Zemana and Spyshelter simply use scare tactics to lure users to purchase their software. I think the incidence of keylogger malware is incredibly rare these days (they're probably created by the anti-keylogger software companies!). Anyway, just my opinion haha. What do you guys think? How often have you come across a keylogger malware?

ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Post by demoneye 16/4/2010, 15:22

Anti-keyloggers are good for people that don't use the SB method or are too paranoid :D

Like I commented before, when a user decides to run a software.exe he will approve any yes/no question... so what are anti-keyloggers / HIPS good for?

My saying is also supported, one way or another, by my NRG testing group ;)


demoneye (New Member; Posts: 5; Join date: 2010-04-14)

Post by Ruhe 17/4/2010, 00:44

noorismail wrote: In #4, "In each sandbox, configure Read-Only access to C:\WINDOWS",
I also add C:\Program Files.

The easiest way is to create a template with both settings. This template can be included in every sandbox.
If you later decide to add more directories with read-only access you only have to edit the template and not every sandbox.

Ruhe (Valued Member; Posts: 261; Join date: 2010-04-16; Location: Germany)

Post by Guest 17/4/2010, 01:18

Thanks Ruhe, very nice information.

noor

Post by Ruhe 17/4/2010, 01:59

I have a template that is used in several sandboxes, something like a shared folder.

sandboxie.ini
Code:
...
[Template_Local_SBShare]

Tmpl.Title=All: Allow write access to D:\SBShare\
Tmpl.Class=Local
OpenFilePath=D:\SBShare\
...
[Sandbox1]
Template=Local_SBShare
...
[Sandbox2]
Template=Local_SBShare
...

But, wait... I don't think you even need a template. If you really want it for every sandbox, place the setting in the [GlobalSettings] section:

Code:
[GlobalSettings]
ReadFilePath=C:\WINDOWS
...

Ruhe (Valued Member; Posts: 261; Join date: 2010-04-16; Location: Germany)

Post by ssj100 17/4/2010, 02:33

Templates are potentially very useful. And yes, I would think setting things in GlobalSettings would configure every sandbox to have that setting. However, with a template, you can control exactly which sandbox has what.

ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Post by Ruhe 17/4/2010, 02:42

Back to topic: in general I try, and recommend, to create sandboxes for as many internet-accessing apps as possible and for apps that use foreign files: movie player, video player, PDF viewer, picture viewer... sometimes even big apps like OpenOffice.

Just to give an example for internet accessing apps, I use WebMon and this is forced to run in its own sandbox.

Ruhe (Valued Member; Posts: 261; Join date: 2010-04-16; Location: Germany)

Post by ssj100 17/4/2010, 03:09

Ruhe wrote: Back to topic: in general I try, and recommend, to create sandboxes for as many internet-accessing apps as possible and for apps that use foreign files: movie player, video player, PDF viewer, picture viewer... sometimes even big apps like OpenOffice.

Just to give an example for internet accessing apps, I use WebMon and this is forced to run in its own sandbox.

That's interesting, and I've always considered having another sandbox for apps that use foreign files as you've stated above.

However, I came to the conclusion that I would use step 15 instead (see my setup/approach post). Since I always place newly introduced files on my desktop, I have created a shortcut to a sandboxed explorer.exe that goes straight to the desktop. In this way, all newly introduced files are guaranteed to open sandboxed, no matter what application they use.

But yes, one advantage of using your approach is that you can (happily) place those newly introduced files where you want. That is, you can potentially "store" those files away in other folders, knowing that they will open sandboxed wherever and whenever you double click on them. However, just the thought of having an infected file "tucked away" in my private folders is a bit unsettling.

ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Post by Ruhe 17/4/2010, 12:19

Just verified it, to enable read-only access for c:\Windows and c:\Program Files in all sandboxes:

sandboxie.ini
Code:
[GlobalSettings]
ReadFilePath=%SystemRoot%
ReadFilePath=%ProgramFiles%
...
No further templates or settings in any sandbox necessary.

To test this setup: Start a cmd.exe sandboxed by a right-click and check to run it as admin. In the prompt enter
Code:
echo %TIME% >C:\windows\__test.txt
You will get an access denied message in the cmd window, and there is also nothing to be found in the sandbox container folder.

Ruhe (Valued Member; Posts: 261; Join date: 2010-04-16; Location: Germany)

Post by ssj100 26/1/2011, 09:47

Inspired by this thread/post:
https://ssj100.forumotion.com/t341-question#2894

I've just realised something - in addition to the Sandboxie configuration steps I've described in my security setup/approach post, here are some further configurations to mull over:

1. ReadFilePath=C:\WINDOWS
2. ReadFilePath=C:\Program Files
3. ClosedFilePath=C:\Documents and Settings\*.*
or even just: ReadFilePath=C:\Documents and Settings\

1. is of course already stated in my security setup/approach post (Step 4.). However, I admitted several times in the past that I really didn't have any idea why anyone would do that haha. Now, I have a reason.

In combination with 2., we prevent the sandbox environment from writing to C:\Windows and C:\Program Files. However, this still means the sandbox environment can access and run anything from C:\Program Files and C:\Windows, which is what we want.

In combination with 3., we disallow the sandbox environment from even READING anything in C:\Documents and Settings. This folder of course includes the current user's folder, and includes the current user's desktop etc.

This would mean that no new file can be downloaded in the sandbox environment, no matter what the file type is. It could be a harmless .txt file and it would still fail to download. Recall that Faronics Anti-Executable prevented the downloading of .EXE and .DLL files - Sandboxie takes it one step further and can prevent the downloading of ALL files (in the sense that no new file can write anywhere).

This is a new Sandboxie "concept" for me, which is quite surprising! I thought I knew Sandboxie quite well haha. I think there is further tweaking that can be done to accommodate various desired environments. However, the above three settings could be used in the case of an internet banking session for example, or even to restrict others from downloading ANY file via the web browser.

I've only tested this with IE 6 on Windows XP. Clearly there will be issues with Firefox, as the user's profile is required to be loaded in order for Firefox to load properly (and the user's profile is in C:\Documents and Settings\).

EDIT: okay, ignore me haha. This configuration simplifies things much more and is probably more effective:
ReadFilePath=C:\

ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Post by Ruhe 26/1/2011, 16:57

ssj100 wrote:EDIT: okay, ignore me haha. This configuration simplifies things much more and is probably more effective:
ReadFilePath=C:\

I've started to make use of this in some sandboxes, like the following one:

[Template_Local_LimitC]

Tmpl.Title=No write/delete access to C:\
Tmpl.Class=Local
ReadFilePath=C:\

...

[Warez]

ConfigLevel=7
Enabled=y
BoxNameTitle=y
BorderColor=#8000FF
AutoDelete=y
NeverDelete=n
NotifyInternetAccessDenied=y
DropAdminRights=y
ForceProcess=keymaker.exe
ForceProcess=keygen.exe
NotifyStartRunAccessDenied=y
Template=Local_LimitC
Template=BlockPorts
ClosedFilePath=InternetAccessDevices
ProcessGroup=<StartRunAccess>,keygen.exe,keymaker.exe
ClosedIpcPath=!<StartRunAccess>,*

Ruhe (Valued Member; Posts: 261; Join date: 2010-04-16; Location: Germany)
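
Added example (not code from any poster in this thread): a small Python resolver that parses a Sandboxie.ini the way Ruhe's posts use it, follows Template= references and [GlobalSettings] to show which settings a box really inherits, and then classifies a path as blocked, read-only, direct or sandboxed according to the ClosedFilePath/ReadFilePath/OpenFilePath meanings ssj100 describes in his 26/1/2011 post. The sample ini, the %SystemRoot%/%ProgramFiles% values and the Closed-beats-Read-beats-Open precedence are assumptions made for this example.

```python
"""Work out which file-access settings really apply to each Sandboxie box,
following Template= references and [GlobalSettings] as the thread describes."""
from collections import defaultdict

# Constructed Sandboxie.ini fragment modelled on this thread (not a real file).
SAMPLE_INI = r"""
[GlobalSettings]
ReadFilePath=%SystemRoot%
ReadFilePath=%ProgramFiles%

[Template_Local_LimitC]
Tmpl.Title=No write/delete access to C:\
Tmpl.Class=Local
ReadFilePath=C:\

[Template_Local_SBShare]
Tmpl.Class=Local
OpenFilePath=D:\SBShare\

[Firefox]
Template=Local_SBShare

[Banking]
Template=Local_LimitC
ClosedFilePath=InternetAccessDevices
"""

# Assumed precedence (classic Sandboxie docs): Closed beats Read beats Open.
RANK = {"ClosedFilePath": (3, "blocked"), "ReadFilePath": (2, "read-only"),
        "OpenFilePath": (1, "direct")}

def parse_ini(text):
    """Return {section: [(key, value), ...]}. Repeated keys such as the two
    ReadFilePath lines are kept; configparser would collapse them."""
    sections = defaultdict(list)
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def effective_settings(sections, box):
    """Settings that apply to `box`, each tagged with its origin: the
    [GlobalSettings] section, an included [Template_*] section, or the box."""
    resolved = [("GlobalSettings", k, v) for k, v in sections.get("GlobalSettings", [])]
    for key, value in sections.get(box, []):
        if key == "Template":
            tmpl = "Template_" + value
            resolved += [(tmpl, k, v) for k, v in sections.get(tmpl, [])
                         if not k.startswith("Tmpl.")]  # Tmpl.* is only metadata
        else:
            resolved.append((box, key, value))
    return resolved

def file_access(resolved, path, env):
    """Classify access to `path`: the highest-ranked matching rule wins; a path
    no rule matches is 'sandboxed' (writes go into the container). Non-path
    values such as the InternetAccessDevices group simply never match."""
    best = (0, "sandboxed")
    for _, key, value in resolved:
        if key in RANK:
            for name, val in env.items():  # expand %SystemRoot%, %ProgramFiles%
                value = value.replace("%" + name + "%", val)
            if path.lower().startswith(value.lower()):
                best = max(best, RANK[key])
    return best[1]
```

Running `effective_settings(parse_ini(SAMPLE_INI), "Banking")` lists the ReadFilePath=C:\ line with its origin Template_Local_LimitC next to the two GlobalSettings entries, which is exactly the inheritance Ruhe describes; `file_access` then answers the question Ruhe's cmd.exe test asks, for any path and any box.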

Post by blues 26/1/2011, 21:16

Okay, I've got a question in regard to ssj's most recent post...

Realizing that Firefox needs access to "documents and settings" due to profile issues, would restricting "C:\Program Files" to "read only" prevent the installation of a logger (keyboard, clipboard, screen etc.) into the browser itself, since the Mozilla/Firefox folder is located within "Program Files"? I'm thinking of drive-bys or other unintended methods of hijacking the browser for these nefarious purposes.

If so, that is a huge accomplishment as that is probably my one area of greatest concern (currently) in regard to meeting threats. (I do use the Sandboxie GUI to restrict each of my individual sandboxes according to their usage. I am not yet knowledgeable enough to go the "template" route.)

Thanks for sharing your thoughts.


blues (Member; Posts: 42; Join date: 2010-11-25)

Post by Ruhe 26/1/2011, 22:43

Maybe the logger isn't placed in "C:\Program Files" - it also can be installed in many other folders on C:\
So, restricting "C:\Program Files" to read-only is better than nothing but maybe not enough.


The benefit of templates is, you create one template with one or more special settings, like mine above, and can use it in one or more sandboxes. If you change the template then its current (new) configuration will be active in all sandboxes that use this template. Before extending several sandboxes with the same settings, create a template with these settings and include the template in the sandboxes. Much easier working.

Ruhe (Valued Member; Posts: 261; Join date: 2010-04-16; Location: Germany)

Post by blues 26/1/2011, 22:55

Ruhe wrote:Maybe the logger isn't placed in "C:\Program Files" - it also can be installed in many other folders on C:\
So, restricting "C:\Program Files" to read-only is better than nothing but maybe not enough.

I agree with your assessment. However, I think I didn't make myself very clear. I already (via the GUI) restrict each of the sandboxes in terms of what is allowed to run, what is allowed to access the internet and what files/resources are blocked from being accessed.

My "main" worry was the possibility of the browser itself (in this case, Firefox) having the logger installed into it as I feel that my restrictions fairly well prevent such intrusion elsewhere. (And hopefully any such malware would be deleted along with the sandbox at the end of the session.)

So, assuming for the moment that Firefox (the browser itself) is the point of vulnerability, do you think that having the "program files" folder as "read only" would therefore prevent the malware from being able to attach itself to the Firefox browser? This, in my opinion, would be a major accomplishment.

And I totally agree with you regarding the templates, it's just my own shortcomings which keep me from being able to utilize them at this point in time.


blues (Member; Posts: 42; Join date: 2010-11-25)

Post by Ruhe 26/1/2011, 23:07

In the case of a Firefox sandbox with "Start/Run Access" restrictions (only allow firefox.exe to run, and so on) there should be no need to add something like ReadFilePath=C:\ or ReadFilePath=C:\Program Files ... or I don't understand the benefit of these additional settings ;)

Ruhe (Valued Member; Posts: 261; Join date: 2010-04-16; Location: Germany)

Post by blues 26/1/2011, 23:28

I guess I was thinking that if something like a drive-by or some other malware was able to install itself into the browser itself without the user's knowledge.

Since firefox.exe has permission to run and access the net this might be a problem.

But, if the firefox folder (which is contained in "program files") was off limits to changes, perhaps the installation of the malware would be unsuccessful?

Anyway, I guess I was thinking out loud and wanted to see what the smart guys think. LOL!


blues (Member; Posts: 42; Join date: 2010-11-25)

Post by Ruhe 26/1/2011, 23:42

If you feel more secure, hey, just add ReadFilePath=C:\Program Files to your sandbox.

Ruhe (Valued Member; Posts: 261; Join date: 2010-04-16; Location: Germany)

Post by ssj100 26/1/2011, 23:42

blues wrote:So, assuming for the moment that Firefox (the browser itself) is the point of vulnerability, do you think that having the "program files" folder as "read only" would therefore prevent the malware from being able to attach itself to the Firefox browser?
I think it's hard to define an answer for you here, as none of us are professional hackers. In my opinion, I think having the entire C:\ as read-only would be more secure than just the Program Files folder (for the reasons Ruhe has already mentioned).

In the case of a web browser, I don't think a specific file needs to be downloaded and written to the disk in order for a vulnerability to be exploited. Keep in mind that simply running as a Windows Limited User prevents anything from writing to C:\Program Files - this essentially serves exactly the same mechanism as Sandboxie's "ReadFilePath=C:\Program Files" (except of course with Sandboxie, everything takes place virtualised, and Sandboxie wouldn't be affected by a Windows Privilege Escalation exploit).

ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Post by blues 26/1/2011, 23:49

@ ruhe:

Well, I don't want to "feel" more secure by kidding myself. (I'm sure you can appreciate that.)

I'd actually like to know if it would make a difference.

Kind of gets back to an earlier discussion on the Sandboxie forum where ssj was talking with you about the utility or futility of anti-logger programs (which he characterized as hoax applications) and you mentioned that you were comfortable with using just KeyScrambler even though it didn't address clipboard and screen loggers etc.

I use KeyScrambler (and no other dedicated anti-logging programs) but would like to tighten up my defense against any and all logging threats as that is the area that concerns me the most. (However, I don't want to have to use another app like SpyShelter, Zemana or Prevx SOL to accomplish this. I want to use Sandboxie as my main line of defense.)


Last edited by blues on 26/1/2011, 23:54; edited 1 time in total


blues (Member; Posts: 42; Join date: 2010-11-25)

Post by blues 26/1/2011, 23:53

ssj100 wrote:I think it's hard to define an answer for you here, as none of us are professional hackers. In my opinion, I think having the entire C:\ as read-only would be more secure than just the Program Files folder (for the reasons Ruhe has already mentioned).

I tried earlier to run Firefox sandboxed with C:\ as "read only" but it didn't open the browser.
(I actually got a message that other instances of it were already running even though everything had already been closed/deleted. When I removed that restriction the sandboxed browser once again worked normally.)


blues (Member; Posts: 42; Join date: 2010-11-25)

Post by Rico 27/1/2011, 00:47

Well you see Blues, turning a whole sandbox to read-only for the C:\ drive is supposed to act as a master anti-executable, akin to what Faronics AE2 did. So that even if there is a hole in the browser, nothing could be written to disk. Not just exe files, but any other malicious file type for that matter. The reason being that start/run covers only exe files.

That's my take on the matter, maybe ssj has another point about the usefulness of this to share with us.

Regarding your setup, switch to Chrome and you should have greater protection from its sandbox, and it can run under this setup. The only little annoying thing that happens is the error warning dialogue at browser initiation every time. I am sure this could be handled if the right Chrome files were excluded from read-only access, but I haven't tried that.


Rico (Advanced Member; Posts: 118; Join date: 2010-06-18)

Post by blues 27/1/2011, 01:10

Thanks, Rico. I'll give that suggestion some thought. (Or perhaps incorporate Chrome as my "secure" browser for certain financial transactions and such.)


blues (Member; Posts: 42; Join date: 2010-11-25)