[How To] Use Sandboxie

Status
Not open for further replies.

Nathan Wootton

Level 1
Thread author
May 25, 2011
313
I know many of you know how to use Sandboxie, so this is aimed at the people who are new to it :biggrin:

What is Sandboxie?

Sandboxie is very useful for checking whether or not a program is infected; you can also use it to test out your botnet. Sandboxie runs your programs in an isolated space, which prevents them from making permanent changes to other programs and data on your computer.



1. Download
http://www.sandboxie.com/index.php?DownloadSandboxie
(Proceed through the installation)

2. Using Sandboxie
Open Sandboxie: Start > All Programs > Sandboxie > Sandboxie Control

Run File: Right-click the suspected file > Run Sandboxed

Change Display: View > Files and Folders

Observe Folders: Sandbox DefaultBox > All Files and Folders

3. Analysing Output

Now that you've run your program, you're probably wondering: what does all this mean? This is when you check Sandboxie to see whether the program has dropped any files. In the All Files and Folders sub-menu you can observe the exact location of dropped files.

How do I know if my program's infected?

To decide whether or not a program is infected you have to think: should this program drop files? For example: I downloaded a crypter and decided to check it out in Sandboxie. Immediately after I ran it, I got a file dropped:


Settings:
To prevent stealers from acquiring your Firefox passwords while using Sandboxie, go to:
Sandbox > DefaultBox > Sandbox Settings > Resource Access > File Access > Blocked Access > Edit/Add
and copy and paste the following lines (one at a time):

%Local AppData%\Mozilla\
%AppData%\Mozilla\
\Device\Mup\


Do the same for Chrome and Opera.

You can also stop the program from accessing the internet; this option is also found in Sandbox Settings.

NEW! To bypass the Anti-Sandboxie that some malware uses, you need to disable the Sandboxie indicator ("#") that appears in the titles of windows running in Sandboxie.

To do this go to Sandboxie > right-click on your sandbox > Sandbox Settings > Appearance > check "Don't show Sandboxie indicator...". (This method of detecting Sandboxie isn't used by all malware, however.)
Extra Info.

Keep in mind that if you receive an error and your program is unable to run in Sandboxie, it is most likely a virus that has implemented Anti-Sandboxie. DO NOT RUN IT OUTSIDE SANDBOXIE! (See the 'Settings' spoiler for how to bypass anti-Sandboxie.)

Once you are done with Sandboxie, right-click on the sandbox and choose Terminate Programs. Also, remember to empty your sandbox after every use by right-clicking > Delete Contents.

When you see [#] [#] around the title of the window, you know it's sandboxed, unless you have these indicators disabled (see 'Settings').

Well, I hope this helps people new to Sandboxie :angel:
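The GUI steps in the Settings section above map onto a sandbox section in Sandboxie.ini. The fragment below is an added example, not from the post above or from the Sandboxie project: it collects the Blocked Access paths, the internet restriction, Drop Rights and the hidden title indicator into one box definition. The box name AnalysisBox and the Chrome and Opera profile paths are placeholders, and the mapping of each GUI option to an ini key is my reading of the Sandboxie.ini documentation (assumption), so compare it against what Sandboxie Control > Configure > Edit Configuration shows after you save the same settings through the GUI.

```ini
; Added example: a Sandboxie.ini box equivalent to the GUI settings described in the post.
; Box name, Chrome/Opera paths and the key-to-GUI mapping are assumptions; verify them
; against Sandboxie Control > Configure > Edit Configuration on your own install.

[AnalysisBox]
Enabled=y

; Resource Access > File Access > Blocked Access: the three lines from the post.
; Sandboxed programs get "access denied" on these paths instead of a copy of the real files.
ClosedFilePath=%Local AppData%\Mozilla\
ClosedFilePath=%AppData%\Mozilla\
ClosedFilePath=\Device\Mup\

; "The same for Chrome and Opera": profile folders of those browsers
; (assumed locations, adjust to where your browsers keep their profiles)
ClosedFilePath=%Local AppData%\Google\Chrome\User Data\
ClosedFilePath=%AppData%\Opera\

; Restrictions > Internet Access: no program in this box may reach the network
ClosedFilePath=InternetAccessDevices

; Restrictions > Drop Rights: a sandboxed program started from an admin account runs
; without administrative privileges
DropAdminRights=y

; Appearance > "Don't show Sandboxie indicator": hides the [#] title marker.
; Assumption: "-" is the ini value for that checkbox.
BoxNameTitle=-
```

One caveat worth noting when reading the result in Sandboxie Control: Blocked Access only closes the paths you list, so a browser whose profile lives somewhere else (a portable install, or a different user's profile) still needs its own ClosedFilePath line.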
 

AyeAyeCaptain

Level 1
Feb 24, 2011
585
Not a bad effort at all, nice one for taking the time to create it... About the whole password stealing though, using Lastpass or other variations would also combat this. I think you have explained it well enough though for all users to understand so top marks for that.

Don't use Sandboxie myself even though it's one of a few things that is worth paying for, but currently stick to CIS Bundled effort (cannot wait for v6 with full virtual... ).

Would rep + but thumbs up/down does not seem to be visible for me still?? Jack?? lol.
 

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,222
Thanks for the guide Nathan. I don't really use SandBoxie because when I had Avast I used their one.
 

Exorcizm

Good Guide Nathan! I'm sure many people using that sandbox will find it useful! :)
 

Overkill

Level 31
Verified
Honorary Member
Feb 15, 2012
2,128
If I allow direct access to everything within my browser can malicious content slip through the sandbox?

In the browser settings what is NOT recommended to tick for direct access?
 

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,222
MRF71 said:
If I allow direct access to everything within my browser can malicious content slip through the sandbox?

In the browser settings what is NOT recommended to tick for direct access?

Your reply to a topic that was started in October last year.
 

Littlebits

Retired Staff
May 3, 2011
3,893
Nice guide. I don't use Sandboxie on a daily basis, only when I want to run a suspicious program. I see no need to run trusted programs inside of a sandbox.

Thanks.:D
 

HeffeD

Level 1
Feb 28, 2011
1,690
bo.elam said:
I only allow direct access to the phishing database and bookmarks.

This is what I do as well.

I also gave direct access to AdBlock Plus' extension folder so it is able to update the subscription blocklist databases. Otherwise you'll be downloading a new one each browsing session. Not a big deal bandwidth-wise because they are a small .txt file, but it puts unnecessary strain on the subscription servers.

I don't allow access to cookies, because it's nice to have those wiped along with everything else when I close the browser. (Yes, I'm aware you can set the browser to do this as well) If there is a persistent cookie I'd like to keep, I just start the browser outside the sandbox, set the cookie, then close the browser and restart in the sandbox.
 

Overkill

Level 31
Verified
Honorary Member
Feb 15, 2012
2,128
Ok, I'd love for someone to make a tut either written or video that explains the best settings for sandboxie.
 

Overkill

Level 31
Verified
Honorary Member
Feb 15, 2012
2,128
bo.elam said:
MRF71 said:
Ok, I'd love for someone to make a tut either written or video that explains the best settings for sandboxie.
Setting a sandbox, really, depends on what you are using it for. Allow as little as possible and use Start/Run and Internet restrictions and you will be fine. On top of that, enable Drop Rights if you run as an administrator.

Bo

In Opera it doesn't give as many options, so if I allow all 3, do you think that is wise?
Basically bookmarks and preferences are pretty safe to allow, but nothing else, including the entire folder of whichever browser?

Something interesting happened to me the other day...

I had everything enabled in the Chrome options while I was testing against malware, and my AV caught a cache file that was in my Chrome user data folder after I had closed Sbie, so that is partially why I'm asking, because evidently it escaped, as it was a file from my testing.
 

Littlebits

Retired Staff
May 3, 2011
3,893
bo.elam said:
Littlebits said:
I see no need to run trusted programs inside of a sandbox.

Thanks.:D
Littlebits, I disagree, I'll tell you why. Foxit and Microsoft Word are trusted programs, but if you click on a PDF file that's malicious, you will get infected if your real-time antivirus misses it and "you are not running Foxit (a trusted program) under the supervision of Sandboxie". The same thing will happen if you click on an infected Word document. These are only two examples, but this applies to EVERY program; that's why we should not trust any program, and it is why I run just about everything in a sandbox.

Bo

Of course it is possible to click on infected documents, but if you stay within trusted websites, this is very rare to encounter. It has never happened to me since I've been using the web. If I get careless and visit an infected site, then yes, this could happen. If you use Google Chrome as your main browser the likelihood of this happening is even more remote, since Google Chrome opens all documents by default with Google Documents online with limited rights; files are not saved locally. Just one of the security features of Google Chrome that puts it ahead of other browsers. Installing an external reader, however, can overwrite Google Chrome's default actions when opening documents. Google's own PDF reader is a good example. These Google security features only exist within Google Chrome; other Chromium browsers use external readers. You can, however, install add-ons that allow you to open files with Google Documents in Firefox, Microsoft Office, Google Toolbar for IE, Firefox, Opera, IE, Chromium, and other online services besides Google Documents.

Thanks.:D
 

Deleted member 178

OK, I have some questions.

I created a sandbox forcing all contents of a specially created "Download" folder to run in it (that was the easy part).

Now, when I download a .torrent file from my browsers (IceDragon/Dragon), in the normal situation they open the torrent file automatically in µTorrent after the download finishes.

But now, when I download the torrent from my sandboxed browsers into the forced folder above, the torrent can't be opened by µTorrent; I haven't found the workaround yet.

My goal is to download a torrent from my sandboxed browser, then open it in a sandboxed µTorrent, then automatically run the downloaded file in a sandbox.

Any ideas?
 

jasonX

Level 9
Apr 13, 2012
421
Is someone using SBIE for online banking? I seem to think that this can be used as a tool for that but do not know how to. Any ideas? What config should be used for that?
 

Deleted member 178

You can create a sandbox with your secondary browser forced, set as the only program allowed to run and access the internet, with dropped rights, and set as leader.

That is what I did. I don't know if it is the best settings for that.
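The banking box described in the reply above, and the general advice quoted earlier in the thread ("allow as little as possible, use Start/Run and Internet restrictions, enable Drop Rights"), can be written as one Sandboxie.ini section. The fragment below is an added example, not the poster's own configuration and not from the Sandboxie project. The box name BankingBox and the browser file name firefox.exe are placeholders for whatever secondary browser is used, and the key-to-GUI mapping (in particular that Start/Run restrictions are expressed as a ClosedIpcPath line) is my reading of the Sandboxie.ini documentation, so treat it as an assumption and confirm it against Sandboxie Control > Configure > Edit Configuration after setting the same options through the GUI.

```ini
; Added example: a locked-down banking box as described in the reply above.
; Box name, browser file name and key-to-GUI mapping are assumptions; verify
; them in Sandboxie Control > Configure > Edit Configuration.

[BankingBox]
Enabled=y

; "secondary browser forced": every launch of firefox.exe lands in this box
ForceProcess=firefox.exe

; "set as leader": when the leader exits, Sandboxie terminates every other
; program still running in the box
LeaderProcess=firefox.exe

; "only program allowed to run" (Restrictions > Start/Run Access):
; IPC is closed to everything except the browser, so nothing else can start
ClosedIpcPath=!firefox.exe,*

; "only program allowed to access internet" (Restrictions > Internet Access):
; network devices are closed to every program other than the browser
ClosedFilePath=!firefox.exe,InternetAccessDevices

; "with dropped rights" (Restrictions > Drop Rights)
DropAdminRights=y

; Delete > Invocation: wipe the box contents when the last program closes,
; so nothing from one banking session carries over to the next
AutoDelete=y
```

The difference from a malware-analysis box is the direction of the restrictions: here the one program that is meant to run is allowed the network, and everything else that might be dropped or spawned inside the box is denied both execution and connectivity, which is what "allow as little as possible" means in practice.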
 