Advice Request New to Sandboxie-Tips and Input

AtlBo · Feb 7, 2019

This thread has spurred me to action with SB FINALLY lol:

Q&A - SANDBOXIE AND/OR OSA?

Been wanting to seriously test Sandboxie. Used the Qihoo 360 sandbox for a long time but switched to FortiClient recently. Any tips for using SB and also what is the latest free version? I am also interested on whether the free version offers any internet controls for applications. I can install Fort Knox or Binisoft if not. I'm a little bit concerned about the limitations of the free version I have to say. Haven't yet looked into licensing, but I think I would only really be interested in lifetime key.

Looked at SB a few months ago, but felt I would be a little bit overwhelmed at first. BTW, systems are on W764 and will have IE and Chrome, but I'd appreciate input on what to sandbox. Systems also have OSArmor.

shmu26 · Feb 7, 2019

On Win10, Chrome runs in appcontainer, so SBIE probably won't make it more isolated than it already is. But on Win7, you stand to gain.
If you use Internet Explorer, that is a good reason to use Sandboxie, no matter what version of Windows.

If you go into the settings for your particular sandbox (you start out with only one sandbox, unless you created others on your own) you will see that you can limit internet connection to specific applications running within that sandbox, namely, your browser. It is recommended to enable that setting.
You can also deny all internet to the sandbox, but you obviously don't want to do that for a browser.

shmu26 · Feb 7, 2019

But that said, the coolest thing about SBIE is forced programs and forced folders, and that's only in the paid version, and no more lifetime licenses.

AtlBo · Feb 7, 2019

shmu26 said:
But that said, the coolest thing about SBIE is forced programs and forced folders, and that's only in the paid version, and no more lifetime licenses.

OK thanks. Can I set up separate containers in the free version? Never have been clear on this one. Running office programs in SB seems like a good idea to me, but I'd like to contain all the apps separately. I suppose the protection scheme is the same for the most part for all of the sandbox security programs on the market (i.e.-contained exes don't run).

It's been discussed before why access to files outside of a container is a bad idea. If discussing say a macro capable file, is the problem that the macro does its business outside the container? By this I mean that it isn't monitored to see if it wants to make use of a command interpreter or if it say wants to edit files or whatever. Curious whether, for example, the SB sandbox is the same or less capable than the ReHIPs one in this way. Because RH monitors all command lines and can be set to do more, I haven't ever been able to quite grasp why opening files (say macro files) from Windows user main account is different than opening a file from the ReHIPs folder. RH has the backup protection in the command line monitoring to protect from any damage the macro might do no matter where the file is located physically. Also, anything downloaded will be a new file and alert too if the application happens to be granted internet access in RH.

Maybe RH is the better choice now that I look at it from a deeper perspective. However, I've been feeling kind of paralyzed about going back. Reasons are the lack in RH fast access to files in standard locations and also that the user doesn't have the option to name accounts created by RH for each application. Also, the dreaded 10 process instance means Chrome is not available. I suppose I could go to another browser, although I'm not sure which of the others other than Firefox use a small number of process instances. RH unlimited is just too pricey for me unfortunately.

shmu26 · Feb 7, 2019

AtlBo said:
OK thanks. Can I set up separate containers in the free version? Never have been clear on this one. Running office programs in SB seems like a good idea to me, but I'd like to contain all the apps separately. I suppose the protection scheme is the same for the most part for all of the sandbox security programs on the market (i.e.-contained exes don't run).

It's been discussed before why access to files outside of a container is a bad idea. If discussing say a macro capable file, is the problem that the macro does its business outside the container? By this I mean that it isn't monitored to see if it wants to make use of a command interpreter or if it say wants to edit files or whatever. Curious whether, for example, the SB sandbox is the same or less capable than the ReHIPs one in this way. Because RH monitors all command lines and can be set to do more, I haven't ever been able to quite grasp why opening files (say macro files) from Windows user main account is different than opening a file from the ReHIPs folder. RH has the backup protection in the command line monitoring to protect from any damage the macro might do no matter where the file is located physically. Also, anything downloaded will be a new file and alert too if the application happens to be granted internet access in RH.

Maybe RH is the better choice now that I look at it from a deeper perspective. However, I've been feeling kind of paralyzed about going back. Reasons are the lack in RH fast access to files in standard locations and also that the user doesn't have the option to name accounts created by RH for each application. Also, the dreaded 10 process instance means Chrome is not available. I suppose I could go to another browser, although I'm not sure which of the others other than Firefox use a small number of process instances. RH unlimited is just too pricey for me unfortunately.

The only limitations I know of the free version are forced folders and forced programs. You will also get a nag and a slight delay the first time you launch your sandboxed browser.

You can make as many sandboxes as you want, and design them with exactly the settings you want for that program or set of programs.

Access to files outside the sandbox has two aspects: read access and write access.
By default, a sandbox has read access to the rest of the system. What's the problem? Exfiltration of sensitive data. This can be more or less solved by denying internet to that particular sandbox. If you allow internet, you might want to consider blocking read access to your private stash of files.

Write access to a folder means it could potentially be encrypted. So try to limit write access as much as possible.

ReHIPS is much more limiting when it comes to this business of read and write access, because anything in real user space is automatically taboo, no read and no write, and you can't get around that. SBIE is very flexible in that way.

AtlBo · Feb 7, 2019

shmu26 said:
Access to files outside the sandbox has two aspects: read access and write access.
By default, a sandbox has read access to the rest of the system. What's the problem? Exfiltration of sensitive data. This can be more or less solved by denying internet to that particular sandbox. If you allow internet, you might want to consider blocking read access to your private stash of files.

Thanks for all of this @shmu26. Cleared things up for me.

So, if I move all of user files (documents folder files) over to the ReHIPs folder, I should be good to go from there? I can just add a shortcut on the Task bar and then add it to Favorites in Windows Explorer. This would be a fine enough solution for me.

shmu26 · Feb 7, 2019

AtlBo said:
Thanks for all of this @shmu26. Cleared things up for me.

So, if I move all of user files (documents folder files) over to the ReHIPs folder, I should be good to go from there? I can just add a shortcut on the Task bar and then add it to Favorites in Windows Explorer. This would be a fine enough solution for me.

If you put your docs in RehipsUser folder, and this is the Rehips user assigned to MS Office, then you can freely read and edit those documents. But, all those docs are exposed to any malware that attacks through MS Office, while protecting the rest of your system. So it is recommended to only put the doc you are presently editing in the rehips user folder, and leave everything else in real user space. You can minimize the risk by denying internet to that Isolated Environment. That will prevent exfiltration of data. But it will not protect from encryption.

But there is an easier way to do all this!!! At default settings, ReHIPS allows open file access. Meaning: if you double click on an Office doc, and edit it, the file will automatically be saved in the ReHIPS user folder, without you even realizing it. When you close the doc, it will be automatically copied back to its original location, with all your edits. And ReHIPS has its own recycle bin, which protects against any failure to recopy the file. If the recopy is not completed due to some glitch or sudden power failure or whatever, you will find your edited doc in the Rehips recycle bin.

By the way, Sandboxie does something very similar to this. If you edit a doc in a location without write access, it will be saved inside the Sandbox.

shmu26 · Feb 8, 2019

shmu26 said:
But, all those docs are exposed to any malware that attacks through MS Office

Allow me to clarify: malware that attacks through MS Office will almost always fail, because ReHIPS will prompt for Windows Script Host, Powershell, and the other lolbins commonly used in weaponized docs. Furthermore, any unknown exe file that tries to run will cause a prompt. But there is always the chance of an unpatched vulnerability that uses a new method.

AtlBo · Feb 8, 2019

shmu26 said:
But there is an easier way to do all this!!! At default settings, ReHIPS allows open file access. Meaning: if you double click on an Office doc, and edit it, the file will automatically be saved in the ReHIPS user folder, without you even realizing it. When you close the doc, it will be automatically copied back to its original location, with all your edits. And ReHIPS has its own recycle bin, which protects against any failure to recopy the file. If the recopy is not completed due to some glitch or sudden power failure or whatever, you will find your edited doc in the Rehips recycle bin.

@shmu26, is this new to the latest version? If I understand correctly, think this is exactly what I would like.

So ReHIPs copies the closed file to userspace once it is fully closed. That's perfect. Exactly what I was looking for and no chance a bug in a save dialog from an application/malware writer could wreak havoc on Windows/user areas and files. The save is totally on ReHIPs and the system is guaranteed safe. I don't recall this being the standard for documents in ReHIPs 2.2. Looking over the changelog for 2.4 I see this:

-files copy to user profile folder for Open File Access are autosaved now;

Maybe this is a reference to the ReHIPs writes to Documents in Windows native areas that you mention? Anyway, I will take a look.

Ink · Feb 8, 2019

I don't know if SBIE still relies on SDelete, but it can be downloaded for erasing the sandbox contents.
SDelete - Windows Sysinternals

Warning: Take caution using SDelete for other purposes.

shmu26 · Feb 9, 2019

AtlBo said:
@shmu26, is this new to the latest version? If I understand correctly, think this is exactly what I would like.

So ReHIPs copies the closed file to userspace once it is fully closed. That's perfect. Exactly what I was looking for and no chance a bug in a save dialog from an application/malware writer could wreak havoc on Windows/user areas and files. The save is totally on ReHIPs and the system is guaranteed safe. I don't recall this being the standard for documents in ReHIPs 2.2. Looking over the changelog for 2.4 I see this:

Maybe this is a reference to the ReHIPs writes to Documents in Windows native areas that you mention? Anyway, I will take a look.

The older versions of ReHIPS already had the copy back to original location feature, but the new version added the recycle bin feature, as a safety net. That's what I remember, but you can ask on the ReHIPS forum ReHIPS forum - Index for better and more accurate info. Either that, or PM Umbra on Wilders forum, if you have access.

shmu26 · Feb 9, 2019

SBIE will warn you, when you try to delete your sandbox, if there are files that you might want to recover to real user space.

SHvFl · Feb 10, 2019

AtlBo said:
@shmu26, is this new to the latest version? If I understand correctly, think this is exactly what I would like.

So ReHIPs copies the closed file to userspace once it is fully closed. That's perfect. Exactly what I was looking for and no chance a bug in a save dialog from an application/malware writer could wreak havoc on Windows/user areas and files. The save is totally on ReHIPs and the system is guaranteed safe. I don't recall this being the standard for documents in ReHIPs 2.2. Looking over the changelog for 2.4 I see this:

Maybe this is a reference to the ReHIPs writes to Documents in Windows native areas that you mention? Anyway, I will take a look.

It will copy the file back when you click save and then close word. If you close word without saving your file will not be copied back and will remain with rehips isolated environment if you didn't mess with any settings.

shmu26 · Feb 10, 2019

SHvFl said:
It will copy the file back when you click save and then close word. If you close word without saving your file will not be copied back and will remain with rehips isolated environment if you didn't mess with any settings.

Thanks for clarifications

Search

Advice Request New to Sandboxie-Tips and Input

AtlBo

Level 28

shmu26

Level 85

shmu26

Level 85

AtlBo

Level 28

shmu26

Level 85

AtlBo

Level 28

shmu26

Level 85

shmu26

Level 85

AtlBo

Level 28

Ink

Administrator

shmu26

Level 85

shmu26

Level 85

SHvFl

Level 35

shmu26

Level 85

Similar threads