[How To] Use Sandboxie

Discussion in 'Sandboxie (Invincea) Software' started by Nathan Wootton, Oct 29, 2011.

  1. Nathan Wootton

    Nathan Wootton Regular Member

    I know many of you know how to use Sandboxie, so this is aimed at the people who are new to it :biggrin:

    What is Sandboxie?

    Sandboxie is very useful to check whether or not a program is infected; you can also use it to test out your botnet. Sandboxie runs your programs in an isolated space, which prevents them from making permanent changes to other programs and data on your computer.



    1. Download
    http://www.sandboxie.com/index.php?DownloadSandboxie
    (Proceed through the installation)

    2. Using Sandboxie
    Open Sandboxie: Start > All Programs > Sandboxie > Sandboxie Control
    Run File: Right-click the suspected file > Run Sandboxed
    Change Display: View > Files and Folders
    Observe Folders: Sandbox DefaultBox > All Files and Folders

    3. Analysing Output

    Now that you've run your program, you're probably wondering what all this means. This is when you analyse Sandboxie to check whether the program has dropped any files. In the All Files and Folders sub-menu you can observe the exact location of the dropped files.

    How do I know if my program's infected?

    To decide whether or not a program is infected, you have to think: should this program drop files? For example, I've downloaded a crypter and decided to check it out in Sandboxie. Now, immediately after I run it, I get a file dropped:


    Settings:
    To prevent stealers from acquiring your Firefox passwords while using Sandboxie, go to:
    Sandbox > Default Box > Sandbox Settings > Resource Access > File Access > Blocked Access > Edit/Add
    and copy and paste the following lines (one by one):

    %Local AppData%\Mozilla\
    %AppData%\Mozilla\
    \Device\Mup\


    Do the same for Chrome and Opera.

    You can also stop the program from accessing the internet; this option is also found in Sandbox Settings.

    NEW! To bypass the anti-Sandboxie check that some malware uses, you need to disable the Sandboxie indicator "#" that appears in the titles of windows running in Sandboxie.

    To do this, go to Sandboxie > Right-click on your sandbox > Sandbox Settings > Appearance > check "Don't show Sandboxie indicator...". (This method of detecting Sandboxie isn't used by all malware, however.)

    Extra Info.

    Keep in mind that if you receive an error and your program is unable to run in Sandboxie, it is most likely a virus that has implemented anti-Sandboxie. DO NOT RUN IT OUTSIDE SANDBOXIE! (See the 'Settings' spoiler to learn how to bypass anti-Sandboxie.)

    Once you are done with Sandboxie, right-click on the sandbox and choose Terminate Programs. Also, remember to empty your sandbox after every use by right-clicking > Delete Contents.

    When you see [#] [#] around the title of the window, you know it's sandboxed, unless you have these indicators disabled (see 'Settings').

    Well, I hope this helps people new to Sandboxie :angel:
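As an added example for step 3 (not code from the post or from Sandboxie), the script below inventories the box folder on disk, translates each dropped file back to the host path it would have reached, and flags executables, scripts and writes into autostart or system locations. It assumes Sandboxie's default box layout (C:\Sandbox\<user>\DefaultBox with drive\C\ and user\current\ subfolders) and builds a constructed sample box in a temporary directory.

```python
import os
import pathlib
import tempfile

# Assumed Sandboxie defaults (not taken from the post): inside the box folder,
# "drive\C\..." mirrors C:\... and "user\current\..." mirrors the logged-on user's
# profile; the RegHive file at the box root is registry state, not a dropped file.
WATCH_EXT = {".exe", ".dll", ".scr", ".vbs", ".js", ".bat", ".cmd", ".ps1"}
WATCH_DIRS = ("\\startup\\", "\\windows\\system32\\", "\\temp\\", "\\appdata\\roaming\\")

def box_to_host(box_root, file_path, profile=r"C:\Users\me"):
    """Map a file inside the box to the host path it would have landed on."""
    parts = pathlib.PurePath(file_path).relative_to(box_root).parts
    if len(parts) >= 2 and parts[0].lower() == "drive":
        return str(pathlib.PureWindowsPath(parts[1] + ":\\", *parts[2:]))
    if len(parts) >= 2 and parts[0].lower() == "user" and parts[1].lower() == "current":
        return str(pathlib.PureWindowsPath(profile, *parts[2:]))
    return None  # box-internal files (e.g. RegHive) are not dropped files

def is_interesting(host_path):
    """Flag executables/scripts and writes into autostart or system locations."""
    low = host_path.lower()
    return pathlib.PureWindowsPath(low).suffix in WATCH_EXT or any(d in low for d in WATCH_DIRS)

def inventory(box_root, profile=r"C:\Users\me"):
    """Return sorted [(host_path, size, flagged)] for every file the sandboxed program dropped."""
    found = []
    for dirpath, _dirs, files in os.walk(box_root):
        for name in files:
            full = os.path.join(dirpath, name)
            host = box_to_host(box_root, full, profile)
            if host is not None:
                found.append((host, os.path.getsize(full), is_interesting(host)))
    return sorted(found)

def make_demo_box(root):
    """Constructed sample box contents standing in for a real run of a dropper."""
    for rel in ("drive/C/Windows/System32/updater.exe",
                "user/current/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/run.vbs",
                "user/current/Documents/notes.txt",
                "RegHive"):
        p = pathlib.Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x" * 16)

def demo_inventory(profile=r"C:\Users\me"):
    """Build the constructed box in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as box:
        make_demo_box(box)
        return inventory(box, profile)
```

Call demo_inventory() to see the constructed sample, or inventory(r"C:\Sandbox\<user>\DefaultBox") against a real box after a run; flagged rows are the ones to look at first.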
  2. AyeAyeCaptain

    AyeAyeCaptain Regular Member

    Not a bad effort at all, nice one for taking the time to create it... About the whole password stealing though, using LastPass or other variations would also combat this. I think you have explained it well enough for all users to understand, so top marks for that.

    Don't use Sandboxie myself even though it's one of a few things that is worth paying for, but currently stick to CIS Bundled effort (cannot wait for v6 with full virtual... ).

    Would rep + but thumbs up/down does not seem to be visible for me still?? Jack?? lol.
  3. McLovin

    McLovin Well-Known Member

    Thanks for the guide Nathan. I don't really use Sandboxie because when I had Avast I used their one.
  4. Exorcizm

    Exorcizm Regular Member

    Good Guide Nathan! I'm sure many people using that sandbox will find it useful! :)
  5. Overkill

    Overkill Active Member

    If I allow direct access to everything within my browser can malicious content slip through the sandbox?

    In the browser settings what is NOT recommended to tick for direct access?
  6. McLovin

    McLovin Well-Known Member

    You're replying to a topic that was started in October last year.
  7. Littlebits

    Littlebits Super Moderator MalwareTips Staff

    Nice guide, I don't use Sandboxie on a daily basis, only when I want to run a suspicious program. I see no need to run trusted programs inside of a sandbox.

    Thanks.:D
  8. Ramblin

    Ramblin Active Member

    Last edited: Mar 21, 2014
  9. HeffeD

    HeffeD Super Moderator

    This is what I do as well.

    I also gave direct access to AdBlock Plus' extension folder so it is able to update the subscription blocklist databases. Otherwise you'll be downloading a new one each browsing session. Not a big deal bandwidth-wise because they are a small .txt file, but it puts unnecessary strain on the subscription servers.

    I don't allow access to cookies, because it's nice to have those wiped along with everything else when I close the browser. (Yes, I'm aware you can set the browser to do this as well) If there is a persistent cookie I'd like to keep, I just start the browser outside the sandbox, set the cookie, then close the browser and restart in the sandbox.
  10. Ramblin

    Ramblin Active Member

    Last edited: Mar 21, 2014
  11. HeffeD

    HeffeD Super Moderator

    I didn't know that. Thanks for the tip!

    Changes made accordingly. :)
  12. Overkill

    Overkill Active Member

    OK, I'd love for someone to make a tut, either written or video, that explains the best settings for Sandboxie.
  13. Ramblin

    Ramblin Active Member

    Last edited: Mar 21, 2014
  14. Ramblin

    Ramblin Active Member

    Last edited: Mar 21, 2014
  15. Overkill

    Overkill Active Member

    In Opera it doesn't give as many options, so if I allow all 3 do you think that is wise?
    Basically bookmarks and preferences are pretty safe to allow, but nothing else, including the entire folder of whichever browser?

    Something interesting happened to me the other day...

    I had everything enabled in the Chrome options while I was testing against malware, and my AV caught a cache file that was in my Chrome user data folder after I had closed SBIE. So that is partially why I'm asking, because evidently it escaped, since it was a file from my testing.
  16. Ramblin

    Ramblin Active Member

    Last edited: Mar 21, 2014
  17. Littlebits

    Littlebits Super Moderator MalwareTips Staff

    Of course it is possible to click on infected documents, but if you stay within trusted websites this is very rare to encounter. It has never happened to me since I've been using the web. If I get careless and visit an infected site then yes, this could happen. If you use Google Chrome as your main browser the likelihood of this happening is even more remote, since Google Chrome opens all documents by default with Google Documents online with limited rights; files are not saved locally. Just one of the security features of Google Chrome that puts it ahead of other browsers. Installing an external reader, however, can overwrite Google Chrome's default actions when opening documents. Google's own PDF reader is a good example. These Google security features only exist within Google Chrome; other Chromium browsers use external readers. You can, however, install add-ons that allow you to open files with Google Documents in Firefox, Microsoft Office, Google Toolbar for IE, Firefox, Opera, IE, Chromium and other online services besides Google Documents.

    Thanks.:D
  18. Umbra Polaris

    Umbra Polaris Testing And Review Expert MalwareTips Staff

    OK, I have some questions.

    I created a sandbox forcing all contents of a specially created "Download" folder to run in it (that was the easy part).

    Now when I download a .torrent file from my browsers (IceDragon/Dragon), in the normal situation they open the torrent file automatically in µTorrent at the end of the download.

    But now when I download the torrent from my sandboxed browsers into the forced folder above, the torrent can't be opened by µTorrent; I haven't found the workaround yet.

    My goal is to download a torrent from my sandboxed browser, then open it in a sandboxed µTorrent, then automatically run the downloaded file in a sandbox.

    Any ideas?
  19. jasonX

    jasonX Regular Member

    Is anyone using SBIE for online banking? I seem to think that it can be used as a tool for that but don't know how. Any ideas? What config should be used for that?
  20. Umbra Polaris

    Umbra Polaris Testing And Review Expert MalwareTips Staff

    You can create a sandbox with your secondary browser forced, set as the only program allowed to run and access the internet, with dropped rights, and set as leader.

    That is what I did. I don't know if these are the best settings for that.
