How to Configure Sandboxie for Maximum Protection

Status
Not open for further replies.

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
Good question and one I'm not best placed to answer, but here are a couple of things to start.

Nice guide here on MalwareTips with some useful info, particularly about blocking Sandboxie access to certain folders; anything that contains passwords or other sensitive information should be blocked (e.g. Internet Files, App Data, My Documents etc.). http://malwaretips.com/threads/how-to-use-sandboxie.4418/

Or, safer still, you can disable network access as well. I keep a separate ('No Internet') sandbox for testing malware, where it is set to 'No programs can access the internet'. You should consider the fact that any C&C trojan that is executed in Sandboxie might be isolated, but you're still giving a server and potentially a hacker access to your computer or analysis environment ;)

Disable any low-level access. Importantly, don't allow hooking into the kernel or hooking into other processes (I'm not sure of the degree to which other processes outside of the sandbox are protected from DLL injection etc.), and make sure the option to allow changing the user password is off (I think this is the default).

There seems to be a general consensus that you should configure C:\Windows to be read-only as well. I'm not sure of the exact risks if you don't do this; perhaps someone more educated will be better placed to answer that.

One other tip is to have separate sandboxes for each application you test, configured so that only that application is allowed access to the internet. This prevents any dropped files from 'phoning home' but still allows them to be downloaded for analysis.

Hope that helps. If anyone notices anything critically wrong with what I've said here, please give me a shout and I'll edit it out, but I should point out once again, I'm no Sandboxie expert! :D :p
 

Cats-4_Owners-2

Level 39
Verified
Honorary Member
Top Poster
Well-known
Dec 4, 2013
2,800
Not bad, Cowpipe, especially for a non-expert of Sandboxie. o_O I shall therefore believe everything you've said here
...except for the very last sentence! :rolleyes: ;)
I thank you as well. :D
 

Overkill

Level 31
Verified
Honorary Member
Feb 15, 2012
2,128
Sandboxie at default is very secure, but I like to tweak things...
For example, my Chrome sandbox:
Delete Invocation >>> ticked
Restrictions > Internet/start-run access >>> Chrome only
Dropped rights >>> ticked
I force Chrome to run sandboxed and allow bookmarks

I have tested this against tons of malware and nothing is able to run
 
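The settings both posters describe, written out as a Sandboxie.ini fragment (an added example, not from anyone in this thread): the [Chrome] box follows Overkill's list plus Cowpipe's per-application internet rule, folder blocking and read-only C:\Windows, and the [NoInternet] box is Cowpipe's isolated analysis sandbox. The box names and the Chrome bookmarks path are assumptions; the directive names are Sandboxie's documented equivalents of the GUI options named above.

```ini
# Sandboxie.ini fragment. Section names are assumed; directives are the
# Sandboxie.ini counterparts of the GUI settings discussed in the thread.

[Chrome]
Enabled=y
# "I force Chrome to run sandboxed": chrome.exe always starts in this box.
ForceProcess=chrome.exe
# Delete Invocation ticked: box contents are wiped when the last program exits.
AutoDelete=y
# Dropped rights ticked: programs in the box never run with admin rights.
DropAdminRights=y
# Restrictions > Internet access: Chrome only (every other program is blocked),
# so a dropped file cannot phone home from this box.
ClosedFilePath=!chrome.exe,InternetAccessDevices
# Restrictions > Start/Run access: only chrome.exe may start or run programs.
ClosedIpcPath=!chrome.exe,*
# Allow bookmarks: direct access for chrome.exe to the bookmarks file only
# (path assumed; adjust to the profile in use).
OpenFilePath=chrome.exe,%Local AppData%\Google\Chrome\User Data\Default\Bookmarks
# Block folders holding passwords or other sensitive data (My Documents, App Data):
# a ClosedFilePath hides them from everything in the box, reads included.
ClosedFilePath=%Personal%
ClosedFilePath=%AppData%
# Read-only C:\Windows: sandboxed programs can read it but every write is refused.
ReadFilePath=C:\Windows

[NoInternet]
Enabled=y
# No program can access the internet: no exception before the rule.
ClosedFilePath=InternetAccessDevices
DropAdminRights=y
# Keep the box contents after the sample exits so dropped files can be examined.
AutoDelete=n
ClosedFilePath=%Personal%
ClosedFilePath=%AppData%
ReadFilePath=C:\Windows
```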

Cats-4_Owners-2

Level 39
Verified
Honorary Member
Top Poster
Well-known
Dec 4, 2013
2,800
An 'impressive' Eraser?
This looks like a job for our secret weapon educator (aka: Search!!).:D
 
