ssj100 Security Forums
Would you like to react to this message? Create an account in a few clicks or log in to continue.

Sandboxie configurations

5 posters

Page 2 of 2 Previous  1, 2

Go down

Sandboxie configurations - Page 2 Empty Re: Sandboxie configurations

Post by ssj100 27/1/2011, 03:43

Rico, not much else to add - you summed it up well.

The configuration of "ReadFilePath=C:" seems to work well with IE (which happens to be my "banking" browser). To be honest, it's a nice idea (I guess it has to be since I came up with it haha), but I really don't see much point for it personally. For example, if I wanted to do online banking:
1. Open IE 8 in its sandbox (which is definitely "clean", given step 5 below).
2. Go to banking site.
3. Perform banking.
4. Quit IE 8.
5. Delete sandbox.

With the above approach, I can't really see how a Read Only C:\ will help. Thoughts?
ssj100
ssj100
Administrator
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Back to top Go down

Sandboxie configurations - Page 2 Empty Re: Sandboxie configurations

Post by Rico 27/1/2011, 04:01

I think it only helps in quite opposite of the situation you mentioned. This setup would be ideal for the general/unsafe browsing box, especially when used on x64 windows. All the mentioned drawbacks for Sandboxie on that platform would be a complete non-issue then. You have figured out how to coverup the potential Patchguard imposed weaknesses on Sandboxie.

A bank-only box wouldnt need much tightening up as it is only used for 1 thing only, on 1 type of sites only, which are secure.

Rico
Advanced Member
Advanced Member

Posts : 118
Join date : 2010-06-18

Back to top Go down

Sandboxie configurations - Page 2 Empty Re: Sandboxie configurations

Post by ssj100 27/1/2011, 04:49

I see what you mean. However, it's not going to be very practical for most people. I don't know about you (or most people), but I regularly download files with my general browsing box. Obviously by making C:\ Read Only, this would not be possible.

Furthermore, for those who like creating new favourites, maintaining browser history etc, this would also be a nuisance.

Considering the fact that none of us have seen in-the-wild malware which doesn't utilise a .EXE file, is this configuration really worth-while? In general, I think I would have to agree with p2u that this configuration is not "workable" (or convenient), with regards to general everyday browsing. Perhaps if certain exceptions were made (eg. allow writing access to a specific folder), then this would become more "workable". However, I don't think it's possible to do this with Sandboxie at present - there's no way to specifically exempt a folder once you've configured ReadFilePath=C:\. That is, there's no way to exempt sub-folders. Perhaps a Feature Request is warranted? I'll post it on the Sandboxie forums and see what others think.
ssj100
ssj100
Administrator
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Back to top Go down

Sandboxie configurations - Page 2 Empty Re: Sandboxie configurations

Post by Rico 28/1/2011, 05:56

Actually, I think and readfilepath exclusions would defeat the purpose, even if they were possible. The best course of action is to allow start/run access to a trusted download manager on your computer -- in another sandbox besides the the read-only browsing one.

Then you could copy/paste you link from your read-only browser sandbox, into the download manager sandbox which should fetch the file for you. With favorites links, users can copy paste them in a text file on the desktop for future reference. Now it may not be the most convenient thing in the world, but I am the type of person who would make concessions to achieve ultimate security. Its a fact that convenience and security are inversely related. Color me paranoid, haha Smile

This workflow would be possible for registered users only, because its a could run sandboxes simultaneously. I know that this isn't exactly for everyone but I thought I'd share the latest config I have reached.

Rico
Advanced Member
Advanced Member

Posts : 118
Join date : 2010-06-18

Back to top Go down

Sandboxie configurations - Page 2 Empty Re: Sandboxie configurations

Post by Rico 29/1/2011, 05:18

Or better yet, one could apply the read only setting to only the browser executable, yet have everything else in the sandbox able to write to disk. That way a download manager could run in the same sandbox and do its job. That way its much more practical

Rico
Advanced Member
Advanced Member

Posts : 118
Join date : 2010-06-18

Back to top Go down

Sandboxie configurations - Page 2 Empty Re: Sandboxie configurations

Post by ssj100 30/1/2011, 03:15

By the way guys, who here removes the following default template from their sandbox configurations?:
[Template_Firefox_Phishing_DirectAccess]
Tmpl.Title=#4337,Firefox
Tmpl.Class=WebBrowser
OpenFilePath=firefox.exe,*\urlclassifier*.sqlite*
Some further information here:
http://www.sandboxie.com/phpbb/viewtopic.php?t=7655
ssj100
ssj100
Administrator
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Back to top Go down

Sandboxie configurations - Page 2 Empty Re: Sandboxie configurations

Post by ssj100 30/1/2011, 16:02

Moved some posts here as per request.
ssj100
ssj100
Administrator
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Back to top Go down

Sandboxie configurations - Page 2 Empty Re: Sandboxie configurations

Post by Sponsored content


Sponsored content


Back to top Go down

Page 2 of 2 Previous  1, 2

Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum