Sandboxie Configuration Discussion Thread

will you use my Tweaks


  • Total voters
    44

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,961
OS
Windows 10
Antivirus
Default-Deny
#1
Hi guys since many members asked me how to tweak Sandboxie for better protection , i will show you my "personal" settings.

IMPORTANT NOTE: those are MY settings, i don't claim that they are the strongest or better tweaks you can do , but they just works fine with me.

I could tighten it some more but you will loose some comfort and it doesnt guarantee you that it will works on your machine. So better stick to those i will describe below ;)

You have to know that those settings will generate more user interactions than default settings.

Some settings are only available in the paid version.


0- default sandbox (rarely used)

Restrictions: Drop rights > tick "drop Right from administrators and power users group."

1- Chrome x64 (always used while browsing)

Delete > Delete invocations > tick "automatically delete contents of sandbox" (this will ensure that any suspicious files are deleted when you close the browser)

Program Start > Forced Programs > add programs > select Chrome.exe

Program Stop > Leader Program > add program > select Chrome.exe

Restrictions :

- Internet Access > add program > select Chrome.exe ( this will only allow chrome to connect and nothing else)

- Start/Run Access > add program > select Chrome.exe ( this will insure that nothing except chrome is allowed to run)

- Drop rights > tick "drop Right from administrators and power users group."

Resources Access

- File Access > Blocked Access > add > (i personally add my other partitions)

Applications

- Web Browsers > Google Chrome >



i could untick more settings but my comfort will drastically be lowered , and i like some comfort :D

2- Download Folders' Sandbox profile

(for better convenience and safety, i highly suggest you to put your download folders on an other partition than your system.)

so there is how to sandbox your downloads folder(s), first ,we create thee sandbox:

go to : Sandbox tab (on top) > Create New Sandbox > name it as you want.

now go to your newly created sandbox settings:

Delete > Delete invocations > tick "automatically delete contents of sandbox"

(this will ensure that any suspicious files are deleted when you close the browser)

Program Start > Forced Folder > Add Folder> select your download folder(s)

beware that from now on, you have to click on "disable forced programs" (sandboxie tray icon) every time before running any files located in those folders.


Restrictions :

- Internet Access > click "Block all programs"
- Drop rights > tick "drop Right from administrators and power users group."

Resources Access

- File Access > Blocked Access > add > C: (or your system partition letter)

(so anything you download cant reach your system partition)


that's it for the Download Folder profile, the goal here , is to disallow any files you download to access the system partition, connect to internet or run without your consent.

-----------------------------------------------------------------------------------------------------------------
Now you have a general idea of how to set your browsers , i have other sandbox profiles (for Download folders, File Explorer, etc...) , listing each of them now will be too long.

So i will add some other profiles later so stay tuned.

Hope i helped you.

Update: Download Folder sandbox profile





 
Last edited:
Joined
May 6, 2014
Messages
331
#4
Almost the same as my setup, except that I disabled far more direct access modules. For blocked access I put my personal file locations and other critical locations.

However, I am not currently running Chrome under Sandboxie, and will not do so until I can fully verify that SBie is not interfering with Chrome's own exploit mitigations and other security features.
 

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,961
OS
Windows 10
Antivirus
Default-Deny
#5
Almost the same as my setup, except that I disabled far more direct access modules. For blocked access I put my personal file locations and other critical locations.
of course,but those are more personal settings , that may not fit to everybody systems and setup. ;)

However, I am not currently running Chrome under Sandboxie, and will not do so until I can fully verify that SBie is not interfering with Chrome's own exploit mitigations and other security features.
i can understand that :)

the same concerns about Edge & sandboxie appears.
 
Likes: Moose

Overkill

Level 31
Trusted
Joined
Feb 15, 2012
Messages
2,115
OS
Windows 7
Antivirus
Default-Deny
#6
Program Stop > Leader Program > add program > select Chrome.exe
I never thought to use this setting, my IE always lingers after closing so this should fix that!

Just finished doing some tweaks to further protect my important files on my D drive (any suggestions are always welcomed)
These are examples. I have made the same changes to other sandboxes

My p2p client (download folder is on D so I made it read only)
Well that didn't work, when I started a torrent it said access is denied, so I had to forget that part of tweaking:mad:



chrome

 
Last edited:

Online_Sword

New Member
Trusted
Joined
Mar 23, 2015
Messages
575
#12
Sandboxie's tray icon > Disable Forced Program > then run chrome unsandboxed > update it
Thank you for your reply.

As far as I know, firefox has an update notification, but chrome does not: the update process of it will be done silently.
I think this makes it difficult to immediately disable the forced programs when a new update of chrome is available.
I worry that I may miss some important updates in such case.
 

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,961
OS
Windows 10
Antivirus
Default-Deny
#13
i just run chome unsandboxed once every 2-3 days to do some cleanup of chrome so i dont miss any updates.
 
Likes: Online_Sword

CMLew

Level 23
Joined
Oct 30, 2015
Messages
1,212
OS
Windows 10
Antivirus
Default-Deny
#14
@Umbra, does the settings here applicable to all browsers too? Planning to make one for firefox and edge. Or would it be better to pile all 3 into a single settings.

PS: the ERR2203 is still noisying when i start chrome sandboxed. Will it get fixed?
 

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,961
OS
Windows 10
Antivirus
Default-Deny
#15
@Umbra, does the settings here applicable to all browsers too? Planning to make one for firefox and edge. Or would it be better to pile all 3 into a single settings.
Edge isn't supported yet.
and no, my settings works mostly for chrome, however tweaks could also work for FF. You have to try.

PS: the ERR2203 is still noisying when i start chrome sandboxed. Will it get fixed?
GuiProxy error?
 

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,961
OS
Windows 10
Antivirus
Default-Deny
#17
i have to do it too but not everytime.
 
Joined
Aug 30, 2015
Messages
187
#18
Is it possible to run photoshop inside of sandboxie yet I know several years ago it wasn't possible at all? Was j/w if anyone had any insight on running adobe software in sandboxie?
 
Joined
May 6, 2014
Messages
331
#19
Is it possible to run photoshop inside of sandboxie yet I know several years ago it wasn't possible at all? Was j/w if anyone had any insight on running adobe software in sandboxie?
I wouldn't suggest doing that. In order to run Photoshop, sandboxie needs to copy all the files photoshop needs into its sandbox, which wastes a lot of space unless you installed Photoshop within Sandboxie itself in the first place.
 

Aya Salah

New Member
Joined
Feb 11, 2016
Messages
30
#20
My sandboxie doesn't allow me to open chrome sandboxed while KTS 2016 is on, Any ideas how can I fix this issue?! However other applications apart from chrome work normally
 

Similar Threads

Similar Threads