Hi Tzuk, I tested 4.01.02 on my XP SP3 32 bits computer, this is what I found. All programs run sandboxed by right clicking on a file or as a forced program as long as Drop Rights is not enabled. If Drop Rights is ticked, I get message 2203.
The only programs that I have as Forced that did not work for me were Excel and Word (Microsoft Office Professional Edition 2003). This programs run fine sandboxed if I right click on a file but the file wont open if I attempt to run it forced.
Bo
Version 4.01 - Major changes to underlying architecture
Any chance we could get this added for extra privacy on shared computers? http://www.sandboxie.com/phpbb/viewtopi ... 9973#79973
I think the fact that any user can open any persons sandbox-folder is a terrible privacy hole. Only person X should be able to open person X's folder.
I think the fact that any user can open any persons sandbox-folder is a terrible privacy hole. Only person X should be able to open person X's folder.
I just got a chance to read this. It sounds like the new implementation in v4 is more secure by impleneting a default deny philosophy.
My concern, and I think part of the problems I've already experienced, is that I'm not always using Sandboxie as a protection against malware, or for security. Some times my goal is to simply virtualize the writes to the file system/registry/etc, while not being concerned about what it does from a security perspective. In other words, to use it as a way to do something without having permanent changes applied to the disk. For instance, my flight simulator often has updates that are half baked. I typically use Sandboxie to update the software and see if that update is worth keeping. If not, I just delete the contents of the Sandbox. I don't really care about being "breached" or about system security in this case. My main concern is really that the software is able to run and function.
The way I see it is that the two different uses seem to have very different ideologies, and sometimes they are opposed to one another... and to be honest, I'm pretty amazed at the level of support you've been able to provide so that the use of Sandboxie can be so flexible... It sounds though like the new implementation might make it harder for the latter of the two uses.
I guess my concern is the that new approach might harm usability in some instances where the extra security is not really wanted.
Have you ever considered implementing a "compatibility mode" option in the Sandbox settings, that is more along the lines of "default allow" rather than "default deny"?
My concern, and I think part of the problems I've already experienced, is that I'm not always using Sandboxie as a protection against malware, or for security. Some times my goal is to simply virtualize the writes to the file system/registry/etc, while not being concerned about what it does from a security perspective. In other words, to use it as a way to do something without having permanent changes applied to the disk. For instance, my flight simulator often has updates that are half baked. I typically use Sandboxie to update the software and see if that update is worth keeping. If not, I just delete the contents of the Sandbox. I don't really care about being "breached" or about system security in this case. My main concern is really that the software is able to run and function.
The way I see it is that the two different uses seem to have very different ideologies, and sometimes they are opposed to one another... and to be honest, I'm pretty amazed at the level of support you've been able to provide so that the use of Sandboxie can be so flexible... It sounds though like the new implementation might make it harder for the latter of the two uses.
I guess my concern is the that new approach might harm usability in some instances where the extra security is not really wanted.
Have you ever considered implementing a "compatibility mode" option in the Sandbox settings, that is more along the lines of "default allow" rather than "default deny"?
Well it's really just the DDE thing that is getting in your way, I think. And I may be able to figure out some way to make it work, at least for some use cases, later on. If not, perhaps I will consider this compatibility mode that you're suggesting here. In any case, it wouldn't be a small change, and right now I want to move towards releasing a stable version v4 so I don't want to make any risky changes.
tzuk
Well, I've had a few other problems too that I posted, but all in all I can't knock your approach. From a security standpoint, I want the restrictions to be heavy. The harder the sandbox is to bypass, the better it is for everyone... Like I said though, some times I don't mind liberal access if it means the program just doesn't write to disk.tzuk wrote:Well it's really just the DDE thing that is getting in your way, I think. And I may be able to figure out some way to make it work, at least for some use cases, later on. If not, perhaps I will consider this compatibility mode that you're suggesting here. In any case, it wouldn't be a small change, and right now I want to move towards releasing a stable version v4 so I don't want to make any risky changes.
I wasn't sure if this was a big change or not, but from your response I guess it is. I know you have a lot on your plate trying to get 4.01 ready for release, and that is definitely where your time should be spent. I was just throwing the idea out there...
Either way, I can't really complain. Sandboxie has to be the most useful security software I've ever used, so I'm definitely happy that you are still actively developing this product.. Thanks for all your work..
-
Jake
Hi,
I have to partially agree with nicknomo: Sandboxie is an insanely useful tool in that you can shield your real system (files®istry) by installing updates to apps inside a sandbox and rolling it back at will with absolutely no consequence whatsoever on the real system. Many other tools that are not perfect in this area, in my experience.
You can also install an app in a sandbox and move that sandbox from computer to computer, effectively turning the app into a portable app. It's pretty cool when you are restoring the system regularly; you don't lose the registry keys and C: files that were added in between because they are nicely stored within a sandbox. You don't have to waste disk space imaging incrementally, not to mention that it's a modular approach whereas incremental imaging is linear and so, much less flexible.
Unfortunately not all apps can be successfully installed in a sandbox, but that's still pretty awesome.
So I agree with Nicknomo, these ways to use Sandboxie are half of its awesomeness. However I still DO care about security when using Sandboxie this way, so I'm not too fond of the default allow idea.
But then again I don't understand why it poses a problem with v4...if anyone cares to explain that would be super nice
Either way, looking forward to v4 ! Though now I'll be careful and do some research before installing it, see if it supports my use cases.
I have to partially agree with nicknomo: Sandboxie is an insanely useful tool in that you can shield your real system (files®istry) by installing updates to apps inside a sandbox and rolling it back at will with absolutely no consequence whatsoever on the real system. Many other tools that are not perfect in this area, in my experience.
You can also install an app in a sandbox and move that sandbox from computer to computer, effectively turning the app into a portable app. It's pretty cool when you are restoring the system regularly; you don't lose the registry keys and C: files that were added in between because they are nicely stored within a sandbox. You don't have to waste disk space imaging incrementally, not to mention that it's a modular approach whereas incremental imaging is linear and so, much less flexible.
Unfortunately not all apps can be successfully installed in a sandbox, but that's still pretty awesome.
So I agree with Nicknomo, these ways to use Sandboxie are half of its awesomeness. However I still DO care about security when using Sandboxie this way, so I'm not too fond of the default allow idea.
But then again I don't understand why it poses a problem with v4...if anyone cares to explain that would be super nice
Either way, looking forward to v4 ! Though now I'll be careful and do some research before installing it, see if it supports my use cases.
Could we please get an answer to this? I've had Sandboxie for so long, this new update made me think of finally buying it, but I'd like to know a bit more on how it works.PiwPi wrote:But how does Sandboxie decide what kind of permissions to grant to a program ? (i.e. whitelist or heuristics ?)
What kind of permissions will the default configuration grant ? (i.e. disk operations and everything else that can be allowed or blocked)
Can a malicious program within a sandbox take control of a more trusted program in the same box and abuse of its permissions ?
Perhaps you should install it in some sort of *sandboxed* mode to try it out .Jake wrote:Though now I'll be careful and do some research before installing it, see if it supports my use cases.
Who is online
Users browsing this forum: No registered users and 1 guest
