- May 11, 2014
Hi Everyone (I sound like Melih)
How do you configure Sandboxie for maximum protection?
Thanks, Tony.
Good question and one I'm not best placed to answer, but here's a couple of things to start.
Nice guide here on MalwareTips with some useful info, particularly about blocking Sandboxie access to certain folders: anything that contains passwords or other sensitive information should be blocked (e.g. Internet Files, App Data, My Documents etc.). http://malwaretips.com/threads/how-to-use-sandboxie.4418/
Or, safer still, you can disable network access as well. I keep a separate ('No Internet') sandbox for testing malware, where it is set to 'No programs can access the internet'. You should consider the fact that any C&C trojan that is executed in Sandboxie might be isolated, but you're still giving a server, and potentially a hacker, access to your computer or analysis environment.
Disable any low-level access. Importantly, don't allow hooking into the kernel or hooking into other processes (I'm not sure of the degree to which other processes outside of the sandbox are protected from DLL injection etc.), and make sure the option to allow changing the user password is off (I think this is the default).
There seems to be a general consensus that you should configure C:\Windows to be read-only as well. I'm not sure of the exact risks if you don't do this; perhaps someone more educated will be better placed to answer that.
One other tip is to have separate sandboxes for each application you test, configured so that only that application is allowed access to the internet. This prevents any dropped files from 'phoning home' but still allows them to be downloaded for analysis.
Hope that helps. If anyone notices anything critically wrong with what I've said here, please give me a shout and I'll edit it out, but I should point out once again: I'm no Sandboxie expert!
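As an added example (not part of the original posts, and not code from the Sandboxie project), here is a small Python audit that reads a Sandboxie.ini and reports which sandboxes miss the tips above: a socket block (Sandboxie's documented way of denying internet access is a ClosedFilePath rule on \Device\Afd*, optionally prefixed with !program.exe, to exempt one program), closed sensitive folders, C:\Windows read-only, and admin rights dropped. Assumptions: the sample ini is constructed for this example; the key names (ClosedFilePath, ReadFilePath, DropAdminRights) and folder variables (%Personal%, %AppData%, %Local AppData%) reflect the classic Sandboxie.ini I know of, and ReadFilePath=C:\Windows is my reading of the "read-only Windows folder" tip, so check both against the documentation for your own version before relying on the report.

```python
"""Audit Sandboxie.ini sandbox sections against the hardening tips in this thread."""
from collections import defaultdict

# Constructed sample Sandboxie.ini for this example (assumption: not from a real machine).
# Two boxes follow the advice, one is left at defaults.
SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%

[DefaultBox]
Enabled=y
ReadFilePath=C:\Windows
ClosedFilePath=%Personal%
ClosedFilePath=%AppData%
ClosedFilePath=%Local AppData%
ClosedFilePath=!firefox.exe,\Device\Afd*
DropAdminRights=y

[NoInternet]
Enabled=y
ReadFilePath=C:\Windows
ClosedFilePath=%Personal%
ClosedFilePath=%AppData%
ClosedFilePath=%Local AppData%
ClosedFilePath=\Device\Afd*
DropAdminRights=y

[Sloppy]
Enabled=y
"""

SENSITIVE_FOLDERS = ("%personal%", "%appdata%", "%local appdata%")  # assumed folder variables
NETWORK_DEVICE = r"\device\afd*"        # closing the Winsock device path denies sockets
SKIP_SECTIONS = ("globalsettings", "usersettings_")  # not sandboxes


def parse_sandboxie_ini(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order.

    configparser is avoided on purpose: Sandboxie.ini repeats keys such as
    ClosedFilePath many times in one section, which configparser collapses or rejects.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return dict(sections)


def split_program_filter(value):
    """'!prog.exe,\\path' -> ('prog.exe', '\\path'); a plain path -> (None, path)."""
    if value.startswith("!") and "," in value:
        prog, _, path = value[1:].partition(",")
        return prog.strip(), path.strip()
    return None, value


def network_policy(entries):
    """'open' (no socket block), 'closed', or 'only:<program>' for an exempted program."""
    blocked_for_all, exemptions = False, []
    for key, value in entries:
        if key != "closedfilepath":
            continue
        prog, path = split_program_filter(value)
        if path.lower() != NETWORK_DEVICE:
            continue
        if prog is None:
            blocked_for_all = True   # rule without '!' closes the path for every program
        else:
            exemptions.append(prog.lower())
    if blocked_for_all:
        return "closed"
    return "only:" + ",".join(exemptions) if exemptions else "open"


def audit_sandbox(entries):
    """List of findings; an empty list means the box follows every tip in the post."""
    findings = []
    if network_policy(entries) == "open":
        findings.append("network: no ClosedFilePath=\\Device\\Afd* rule, every program can phone home")
    closed = {split_program_filter(v)[1].lower() for k, v in entries if k == "closedfilepath"}
    missing = [f for f in SENSITIVE_FOLDERS if f not in closed]
    if missing:
        findings.append("files: sensitive folders still readable: " + ", ".join(missing))
    read_only = {v.lower().rstrip("\\") for k, v in entries if k == "readfilepath"}
    if r"c:\windows" not in read_only:
        findings.append("files: C:\\Windows not read-only (no ReadFilePath=C:\\Windows)")
    if not any(k == "dropadminrights" and v.lower() == "y" for k, v in entries):
        findings.append("privileges: DropAdminRights is not 'y'")
    return findings


def audit_ini(text):
    """Map every sandbox section (global and per-user sections skipped) to its findings."""
    return {name: audit_sandbox(entries)
            for name, entries in parse_sandboxie_ini(text).items()
            if not name.lower().startswith(SKIP_SECTIONS)}


if __name__ == "__main__":
    boxes = parse_sandboxie_ini(SAMPLE_INI)
    for box, findings in audit_ini(SAMPLE_INI).items():
        print(f"[{box}] network={network_policy(boxes[box])}")
        for finding in findings or ["ok"]:
            print("   ", finding)
```

Run it against your real Sandboxie.ini by reading the file into `audit_ini` instead of `SAMPLE_INI`; a per-application box should come back as `only:<that program>`, the malware-testing box as `closed`, and anything reporting `open` is a box where dropped files can still phone home.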