[How To] Use Sandboxie
10-29-2011, 11:35 PM
I know many of you know how to use Sandboxie, so this is aimed at the people who are new to it.

What is Sandboxie?

Sandboxie is very useful to check whether or not a program is infected; you can also use it to test out your botnet. Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.

1. Download

http://www.sandboxie.com/index.php?DownloadSandboxie (Proceed through the installation)

2. Using Sandboxie

Open Sandboxie: Start > All Programs > Sandboxie > Sandboxie Control
Run File: Right-Click Suspected File > Run Sandboxed
Change Display: View > Files and Folders
Observe Folders: Sandbox DefaultBox > All files and Folders

3. Analysing Output

Now that you've run your program you're probably wondering: what does all this mean? Now is when you analyze Sandboxie to check if the program has dropped any files. In the All files and Folders sub-menu you can observe the exact location of dropped files.

How do I know if my program's infected?

To decide whether or not a program is infected you have to think: should this program drop files? For example: I've downloaded a crypter and decided to check it out in Sandboxie. Now immediately after I run it, I get a file dropped :

Settings

To prevent stealers from acquiring your Firefox passwords while using Sandboxie, go to Sandbox > Default Box > Sandbox settings > Resource Access > File Access > Blocked Access > Edit/Add and copy and paste the following lines (one by one):

%Local AppData%\Mozilla\
%AppData%\Mozilla\
\Device\Mup\

The same for Chrome and Opera.

You can also disable the program from accessing the internet; this option is also found in Sandbox settings.

NEW! To bypass the Anti-Sandboxie that some malware uses, you need to disable the Sandboxie indicator that is in the titles of windows running in Sandboxie ("#"). To do this go to Sandboxie > Right-click on your sandbox > Sandbox Settings > Appearance > check "Don't show Sandboxie indicator...". (This method of detecting Sandboxie isn't used by all malware, however.)

Extra Info

Keep in mind that if you receive an error, and your program is unable to run in Sandboxie, it is most likely that it's a virus and has implemented Anti-Sandboxie. DO NOT RUN IT OUTSIDE SANDBOXIE! (See the 'Settings' spoiler to know how to bypass Anti-Sandboxie.)

Once you are done with Sandboxie, right-click on the Sandbox and choose Terminate Programs. Also, remember to empty your sandbox after every use by right-clicking > Delete Contents.

When you see [#] [#] around the title on the window, you know it's sandboxed, unless you have these indicators disabled (see 'Settings').

Well, I hope this helps new people to Sandboxie.
Bitdefender Total Security 2013
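Added example (not part of the original post): the "Analysing Output" step, done as a script that walks a sandbox folder and lists every dropped file with its real-system target path, size, SHA-256 and whether it looks executable. The folder layout (`drive/<letter>/...`, `user/current/...`, `user/all/...`), the `%ALLUSERSPROFILE%` mapping and the function names are assumptions; the sample box is constructed.

```python
import hashlib
import os
from pathlib import PureWindowsPath

# Extensions treated as runnable even without an MZ header (editor's choice).
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1"}

def real_path(parts):
    """Map a path inside the sandbox folder to the location it shadows.
    Assumed layout: drive/<letter>/... and user/current|all/..."""
    if len(parts) >= 3 and parts[0].lower() == "drive":
        return str(PureWindowsPath(parts[1] + ":\\", *parts[2:]))
    if len(parts) >= 3 and parts[0].lower() == "user":
        base = "%USERPROFILE%" if parts[1].lower() == "current" else "%ALLUSERSPROFILE%"
        return str(PureWindowsPath(base, *parts[2:]))
    return None  # registry hive and other bookkeeping files are skipped

def inventory(box_root):
    """Return one record per file the sandboxed program created or modified."""
    found = []
    for dirpath, _dirs, files in os.walk(box_root):
        for name in files:
            full = os.path.join(dirpath, name)
            target = real_path(os.path.relpath(full, box_root).split(os.sep))
            if target is None:
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            is_exec = data[:2] == b"MZ" or os.path.splitext(name)[1].lower() in EXEC_EXT
            found.append({"path": target, "size": len(data), "executable": is_exec,
                          "sha256": hashlib.sha256(data).hexdigest()})
    # Executables first, then alphabetical, so the riskiest drops lead the list.
    return sorted(found, key=lambda f: (not f["executable"], f["path"]))

def build_sample_box(root):
    """Constructed sample: a fake sandbox folder holding two dropped files."""
    samples = {("user", "current", "AppData", "Roaming", "dropped.exe"): b"MZ\x90\x00",
               ("drive", "C", "ProgramData", "notes.txt"): b"hello",
               ("RegHive",): b"regf"}
    for parts, data in samples.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as box:
        build_sample_box(box)
        for rec in inventory(box):
            print(rec["executable"], rec["size"], rec["sha256"][:16], rec["path"])
```

Run it against the sandbox folder before using Delete Contents, since emptying the sandbox removes the evidence.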
10-30-2011, 09:57 AM
RE: [How To] Use Sandboxie
Not a bad effort at all, nice one for taking the time to create it... About the whole password stealing though, using Lastpass or other variations would also combat this. I think you have explained it well enough though for all users to understand so top marks for that.
Don't use Sandboxie myself even though it's one of a few things that is worth paying for, but currently stick to CIS Bundled effort (cannot wait for v6 with full virtual... ). Would rep + but thumbs up/down does not seem to be visible for me still?? Jack?? lol.
10-31-2011, 05:18 AM
RE: [How To] Use Sandboxie
Thanks for the guide Nathan. I don't really use SandBoxie because when I had Avast I used their one.
10-31-2011, 07:35 AM
RE: [How To] Use Sandboxie
Good Guide Nathan! I'm sure many people using that sandbox will find it useful!
04-26-2012, 02:41 PM
RE: [How To] Use Sandboxie
If I allow direct access to everything within my browser can malicious content slip through the sandbox?
In the browser settings what is NOT recommended to tick for direct access?
My Real-Time Protection
Windows Firewall Control | ESET NOD32 Antivirus | Mamutu
04-26-2012, 10:56 PM
RE: [How To] Use Sandboxie
(04-26-2012 02:41 PM) MRF71 wrote: If I allow direct access to everything within my browser can malicious content slip through the sandbox?

Your reply to a topic that was started in October last year.
04-27-2012, 12:06 AM
RE: [How To] Use Sandboxie
Nice guide, I don't use Sandboxie on a daily basis, only when I want to run a suspicious program. I see no need to run trusted programs inside of a sandbox.
Thanks.
Security Software Updater My Config No I don't change my config as often as some people change their underwear.
04-27-2012, 01:49 AM
(This post was last modified: 04-27-2012 01:57 AM by bo.elam.)
RE: [How To] Use Sandboxie
(04-26-2012 02:41 PM) MRF71 wrote: If I allow direct access to everything within my browser can malicious content slip through the sandbox?

Every time that you allow direct access to something, you are opening a hole. That increases the chances that something could infect your machine. Personally, I only allow direct access to the phishing database and bookmarks. I allow that because it would be extremely inconvenient not to be able to save bookmarks, and updating the phishing database would take a long time if direct access was not allowed. I do this on Firefox; on IE I only allow favorites.

I won't allow anything else, but most likely you would be OK allowing cookies, passwords or something like that. But there is always a chance that something can hurt you when you allow direct access to something or if you recover a file and execute it. Those are the only times that you can get hurt when you use Sandboxie, and it is why I ALWAYS open up all my files in a sandbox; the only exceptions are when I install something or update a program.

Bo
04-27-2012, 02:17 AM
RE: [How To] Use Sandboxie
(04-27-2012 01:49 AM) bo.elam wrote: I only allow direct access to the phishing database and bookmarks.

This is what I do as well. I also gave direct access to AdBlock Plus' extension folder so it is able to update the subscription blocklist databases. Otherwise you'll be downloading a new one each browsing session. Not a big deal bandwidth-wise because they are a small .txt file, but it puts unnecessary strain on the subscription servers.

I don't allow access to cookies, because it's nice to have those wiped along with everything else when I close the browser. (Yes, I'm aware you can set the browser to do this as well.) If there is a persistent cookie I'd like to keep, I just start the browser outside the sandbox, set the cookie, then close the browser and restart in the sandbox.
04-27-2012, 03:29 AM
RE: [How To] Use Sandboxie
(04-27-2012 02:17 AM) HeffeD wrote: I also gave direct access to AdBlock Plus' extension folder so it is able to update the subscription blocklist databases.

You don't need to allow the whole Adblock folder in order for ABP updates to remain after deleting the sandbox; allowing the file "patterns" found inside the ABP folder is enough.

Bo
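Added example (not written by any poster in this thread): a configuration audit covering both the Blocked Access entries from the first post and the direct-access holes discussed in the replies, reporting per sandbox which recommended blocks are missing and whether each direct-access entry covers a single file pattern or a whole folder. It assumes the Blocked Access and Direct Access lists are stored in Sandboxie.ini as repeated `ClosedFilePath=` and `OpenFilePath=` lines with an optional `program.exe,` prefix; the sample configuration and box names are constructed.

```python
# Blocked-access entries recommended in the first post of this thread.
REQUIRED_BLOCKS = ["%Local AppData%\\Mozilla\\", "%AppData%\\Mozilla\\", "\\Device\\Mup\\"]

# Constructed sample configuration; box names and paths are illustrative.
SAMPLE_INI = r"""
[GlobalSettings]

[DefaultBox]
Enabled=y
ClosedFilePath=%Local AppData%\Mozilla\
ClosedFilePath=%AppData%\Mozilla\

[BrowserBox]
Enabled=y
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\bookmarks*
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\extensions\
"""

def parse_ini(text):
    """Parse sections while keeping repeated keys (configparser rejects or collapses them)."""
    boxes, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = boxes.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return boxes

def audit(text, required=REQUIRED_BLOCKS):
    """Per sandbox: required blocks that are missing, and every direct-access hole."""
    report = {}
    for name, settings in parse_ini(text).items():
        if name == "GlobalSettings" or name.startswith("UserSettings_"):
            continue  # these sections are not sandboxes
        closed = {v.lower() for k, v in settings if k == "ClosedFilePath"}
        holes = []
        for key, value in settings:
            if key == "OpenFilePath":
                program, _, path = value.rpartition(",")  # optional "program.exe," prefix
                last = path.rsplit("\\", 1)[-1]
                # Empty or "*" last component means the whole folder is exposed.
                scope = "folder" if last in ("", "*") else "file"
                holes.append((program or "*", path, scope))
        report[name] = {"missing_blocks": [p for p in required if p.lower() not in closed],
                        "direct_access": holes}
    return report

if __name__ == "__main__":
    for box, result in audit(SAMPLE_INI).items():
        print(box, result)
```

Entries reported with scope "folder" are the ones worth narrowing to a single file pattern, as suggested for the ABP "patterns" file.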
MalwareTips.com is an independent website. All trademarks mentioned on this page are the property of their respective owners.






