Sandboxie Configuration Discussion Thread

Discussion in 'Sandboxie (Invincea)' started by Umbra, Aug 8, 2015.

?

will you use my Tweaks

  1. Yes

    76.9%
  2. No

    7.7%
  3. No, i have my own

    7.7%
  4. No , but mine are similar

    7.7%
  1. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,656
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    #1 Umbra, Aug 8, 2015
    Last edited: Aug 12, 2015
    Hi guys since many members asked me how to tweak Sandboxie for better protection , i will show you my "personal" settings.

    IMPORTANT NOTE: those are MY settings, i don't claim that they are the strongest or better tweaks you can do , but they just works fine with me.

    I could tighten it some more but you will loose some comfort and it doesnt guarantee you that it will works on your machine. So better stick to those i will describe below ;)

    You have to know that those settings will generate more user interactions than default settings.

    Some settings are only available in the paid version.


    0- default sandbox (rarely used)

    Restrictions: Drop rights > tick "drop Right from administrators and power users group."

    1- Chrome x64 (always used while browsing)

    Delete > Delete invocations > tick "automatically delete contents of sandbox" (this will ensure that any suspicious files are deleted when you close the browser)

    Program Start > Forced Programs > add programs > select Chrome.exe

    Program Stop > Leader Program > add program > select Chrome.exe

    Restrictions :

    - Internet Access > add program > select Chrome.exe ( this will only allow chrome to connect and nothing else)

    - Start/Run Access > add program > select Chrome.exe ( this will insure that nothing except chrome is allowed to run)

    - Drop rights > tick "drop Right from administrators and power users group."

    Resources Access

    - File Access > Blocked Access > add > (i personally add my other partitions)

    Applications

    - Web Browsers > Google Chrome >

    [​IMG]

    i could untick more settings but my comfort will drastically be lowered , and i like some comfort :D

    2- Download Folders' Sandbox profile

    (for better convenience and safety, i highly suggest you to put your download folders on an other partition than your system.)

    so there is how to sandbox your downloads folder(s), first ,we create thee sandbox:

    go to : Sandbox tab (on top) > Create New Sandbox > name it as you want.

    now go to your newly created sandbox settings:

    Delete > Delete invocations > tick "automatically delete contents of sandbox"

    (this will ensure that any suspicious files are deleted when you close the browser)

    Program Start > Forced Folder > Add Folder> select your download folder(s)

    beware that from now on, you have to click on "disable forced programs" (sandboxie tray icon) every time before running any files located in those folders.


    Restrictions :

    - Internet Access > click "Block all programs"
    - Drop rights > tick "drop Right from administrators and power users group."

    Resources Access

    - File Access > Blocked Access > add > C: (or your system partition letter)

    (so anything you download cant reach your system partition)


    that's it for the Download Folder profile, the goal here , is to disallow any files you download to access the system partition, connect to internet or run without your consent.

    -----------------------------------------------------------------------------------------------------------------
    Now you have a general idea of how to set your browsers , i have other sandbox profiles (for Download folders, File Explorer, etc...) , listing each of them now will be too long.

    So i will add some other profiles later so stay tuned.

    Hope i helped you.

    Update: Download Folder sandbox profile





     
  2. Moose

    Moose Level 22

    Jun 14, 2011
    2,275
    1,185
    Av Gurus likes this.
  3. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,656
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    ok i will post some more later ;)
     
    Kent, Av Gurus and Moose like this.
  4. Cch123

    Cch123 Level 7

    May 6, 2014
    332
    815
    Almost the same as my setup, except that I disabled far more direct access modules. For blocked access I put my personal file locations and other critical locations.

    However, I am not currently running Chrome under Sandboxie, and will not do so until I can fully verify that SBie is not interfering with Chrome's own exploit mitigations and other security features.
     
    Moose, Umbra and Av Gurus like this.
  5. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,656
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    of course,but those are more personal settings , that may not fit to everybody systems and setup. ;)

    i can understand that :)

    the same concerns about Edge & sandboxie appears.
     
    Moose likes this.
  6. Overkill

    Overkill Level 30
    Trusted

    Feb 15, 2012
    2,106
    1,997
    USA
    Windows 7
    Default-Deny
    #6 Overkill, Aug 9, 2015
    Last edited: Aug 10, 2015
    I never thought to use this setting, my IE always lingers after closing so this should fix that!

    Just finished doing some tweaks to further protect my important files on my D drive (any suggestions are always welcomed)
    These are examples. I have made the same changes to other sandboxes

    My p2p client (download folder is on D so I made it read only)
    Well that didn't work, when I started a torrent it said access is denied, so I had to forget that part of tweaking:mad:

    [​IMG]

    chrome

    [​IMG]
     
    Moose and Umbra like this.
  7. Moose

    Moose Level 22

    Jun 14, 2011
    2,275
    1,185
    Thank you! Overkill and Umbra! Hope this going topic with different things that you can do with Sandboxie!;)
     
    Overkill likes this.
  8. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,656
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    Download Folder sandbox profile added to the OP
     
    Overkill and Av Gurus like this.
  9. Online_Sword

    Online_Sword New Member
    Trusted

    Mar 23, 2015
    575
    1,807
    Hi, I have a problem: If I "force" chrome to run in sandbox, then how could I update it?
     
  10. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,656
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    Sandboxie's tray icon > Disable Forced Program > then run chrome unsandboxed > update it
     
    Online_Sword likes this.
  11. Online_Sword

    Online_Sword New Member
    Trusted

    Mar 23, 2015
    575
    1,807
    Thank you for your reply.

    As far as I know, firefox has an update notification, but chrome does not: the update process of it will be done silently.
    I think this makes it difficult to immediately disable the forced programs when a new update of chrome is available.
    I worry that I may miss some important updates in such case.
     
  12. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,656
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    i just run chome unsandboxed once every 2-3 days to do some cleanup of chrome so i dont miss any updates.
     
    Online_Sword likes this.
  13. CMLew

    CMLew Level 22

    Oct 30, 2015
    1,149
    2,943
    Registered Safety Practitioner
    Singapore
    Windows 10
    Default-Deny
    @Umbra, does the settings here applicable to all browsers too? Planning to make one for firefox and edge. Or would it be better to pile all 3 into a single settings.

    PS: the ERR2203 is still noisying when i start chrome sandboxed. Will it get fixed?
     
  14. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,656
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    Edge isn't supported yet.
    and no, my settings works mostly for chrome, however tweaks could also work for FF. You have to try.

    GuiProxy error?
     
  15. CMLew

    CMLew Level 22

    Oct 30, 2015
    1,149
    2,943
    Registered Safety Practitioner
    Singapore
    Windows 10
    Default-Deny
    Yup. I have to hide them all the time.
     
  16. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,656
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    i have to do it too but not everytime.
     
  17. pneuma1985

    pneuma1985 Level 4

    Aug 30, 2015
    187
    391
    Programmer, IT Professional
    USA
    Is it possible to run photoshop inside of sandboxie yet I know several years ago it wasn't possible at all? Was j/w if anyone had any insight on running adobe software in sandboxie?
     
  18. Cch123

    Cch123 Level 7

    May 6, 2014
    332
    815
    I wouldn't suggest doing that. In order to run Photoshop, sandboxie needs to copy all the files photoshop needs into its sandbox, which wastes a lot of space unless you installed Photoshop within Sandboxie itself in the first place.
     
  19. Aya Salah

    Aya Salah New Member

    Feb 11, 2016
    30
    319
    Suez
    My sandboxie doesn't allow me to open chrome sandboxed while KTS 2016 is on, Any ideas how can I fix this issue?! However other applications apart from chrome work normally
     
Loading...
Similar Threads Forum Date
Problems with IDM and Sandboxie Sandboxie (Invincea) Nov 26, 2017
Update Sandboxie 5.22 Released: Windows Creator's Fall Update is now supported Sandboxie (Invincea) Oct 31, 2017
Q&A Do I need browser extensions with Sandboxie? Sandboxie (Invincea) Oct 26, 2017