Sandboxie and Malware

[DanM]

I had Sandboxie on my Windows 10 computer for quite some time but it never worked. I finally reinstalled and it works great. So now I have a few questions. They might have been asked before but things change and questions vary.

For now, I am using the free version and everything is default settings which I believe is restricted from the internet. On rare occasions, I download untrusted software because sometimes newcomers make good software. I know there is a risk since virus software normally warns about it. Anyhow:

1. If I permanently leave my software in Sandboxie indefinitely (not cleared after reboot), am I still protected from almost all malware including keyloggers?

2. Please correct me I am wrong but someone said if you do allow the internet on, malware can communicate data for ONLY what is in the sandbox. However, If I create separate sandboxes, are they all self-contained? For example, only my browser sandbox is allowed the internet while all other boxes are restricted. Can malware from the restricted box spread to my browser box and communicate to the hacker?

3. If I already installed software outside the Sandbox but then run inside the sandbox, will that still contain all of the programs as If I ran it inside the sandbox (if not damage was done already)?

Thank you very much for taking the time. Please answer all questions as a layman, please.

[Barb@Invincea]

Hey there DanM,


We have several threads that cover your questions, please have a look at these:

viewtopic.php?f=17&t=24305
viewtopic.php?f=17&t=24231
viewtopic.php?f=17&t=24378


After you have reviewed them, let me know if there's anything requiring further clarification and we will be happy to help.

To clarify:
Each Sandbox works separately.
We recommend installing/updating software on the host and then running it Sandboxed. Any changes made by a program running in the Sandbox will not modify your host, unless configured otherwise.

Regards,
Barb.-

[DanM]

Barb,

It was very hard to follow as your links lead to threads with more links etc. Some users then were very advanced which got me lost.

So to clarify. I am assuming the answer to question 1 is yes. Did I assume right? Sandbox is self-contained and does not allow access to outside files. The malware will remain in Sandbox and not get any outside information.

---------------------------------------------

Question two you said "Each Sandbox works separately", however, the first link in your post a guy said he installed a keylogger in Sandbox A but it was able to read Sandbox B and C. Please clarify if they are self-contained or not, please.

_____________________________________________________________________________

I am also slightly confused about the response to 3 "We recommend installing/updating software on the host and then running it Sandboxed". Do you mean run the .exe on my PC first and then sandbox it or run the .exe in the sandbox? If I ran the .exe already outside the sandbox, will running it afterward contain everything that it installed?

---------------------------------------------MERGED POST---------------------------------------------
I was going to edit my post but all posts need mod approval. If you can please answer each question as 1,2,3 as directly as possible (Yes, No) and explain like I am 5, I would appreciate it.

I am brand new to this just using your trial version while I test the waters. This is just for a regular PC with Windows 10.

[Barb@Invincea]

Hello DanM,

1. If I permanently leave my software in Sandboxie indefinitely (not cleared after reboot), am I still protected from almost all malware including keyloggers?

Anything running inside the Sandbox, stays inside the sandbox. However, Sandboxie does not typically stop Sandboxed programs from reading your sensitive data.
Regarding keyloggers: (as long as the keylogger is inside the Sandbox and not outside of it)
The most important tool Sandboxie offers you for protection against key-loggers, is to delete the sandbox.
When you stop all sandboxed activity (in all sandboxes), then proceed to delete the sandbox you're about to use, you can be fairly certain that all key-loggers are dead.
Regarding Malware in general:
Sandboxie may be your first line of defense, but it should certainly be complemented by the more traditional anti-virus and anti-malware solutions. These solutions can let you know if your system does become infected in any way (in the very rare case a Sandbox vulnerability is found).

2. Please correct me I am wrong but someone said if you do allow the internet on, malware can communicate data for ONLY what is in the sandbox. However, If I create separate sandboxes, are they all self-contained? For example, only my browser sandbox is allowed the internet while all other boxes are restricted. Can malware from the restricted box spread to my browser box and communicate to the hacker?

The purpose of Sandboxie, to isolate programs.Each Sandbox isolates its contents. In the links I provided before you will find examples on how to configure several Sandboxes for different purposes in order to increase security (some users have a specific Sandbox they use for banking , other to navigate the web, and so on).

3. If I already installed software outside the Sandbox but then run inside the sandbox, will that still contain all of the programs as If I ran it inside the sandbox (if not damage was done already)?

If the host is not infected, you can safely run and contain already installed applications inside a Sandbox. You will need to update the software outside the Sandbox, however.
For example, if you install a Web Browser on your host and run it Sandboxed, its contents will be Sandboxed by default (such as downloaded pictures, cookies, profiles, etc... ). If a new version of the browser comes out, you will have to apply the update outside the Sandbox, and then (most likely) delete the contents of the Sandbox to use the updated version.

I recommend you take a look at these:
https://www.sandboxie.com/index.php?Fre ... HowItWorks
https://www.sandboxie.com/index.php?GettingStarted

Regards,
Barb.-

[bo.elam]

Did I assume right? Sandbox is self-contained and does not allow access to outside files. The malware will remain in Sandbox and not get any outside information.

Hi DanM . You should read this link (also posted by Barb). It should be your first reading. And dont worry if you dont understand most of it .
https://www.sandboxie.com/index.php?GettingStarted

But let me try to answer what I am quoting, perhaps it helps you understand Sandboxie a little better.

Sandboxie is self contained in the sense that what you do in the sandbox, stays in the sandbox. In other words, when you run programs and files they create changes, by running programs and files in the sandbox changes remain in the sandbox. Sandboxies role is to capture this changes so they dont affect the system outside the sandbox. Sandboxie captures/isolate all changes, good or bad.

This is key, here. One characteristic that I love about Sandboxie is that for the most part when programs and files run sandboxed, it feels pretty much the same as if you are not using Sandboxie. That because sandboxed programs have access to files outside the sandbox. Without this interaction, we wouldnt be able to do much when you sandbox your PDF fies, videos, Office files, etc.

So, if you get hit by malware, if it runs and infects, the damage stays in the sandbox. Its very very rare for Malware to run in the sandboxed environment but if it does, just like your browser or other benign programs, it does have read ONLY access to all files in the PC.

The way to protect yourself from having your personal and sensitive files and folders from getting stolen is to block sandboxed programs from having access to this files. You do this via Sandbox settings>Resource access>File access. Read here.
https://www.sandboxie.com/index.php?Res ... tings#file

Bo

[DanM]

The most important tool Sandboxie offers you for protection against key-loggers, is to delete the sandbox. Sandboxie may be your first line of defense, but it should certainly be complemented by the more traditional anti-virus and anti-malware solutions.

My main reason for my interest in a sandbox is that I like to download new software. I like to find that hidden gem. I am sure some of them have unwanted hidden surprises too. I have other malware protection but normally new untrusted software is immediately flagged for removal.

So I was thinking if I can't detect it I could detain it. As of now, I have separate sandboxes for each program.

typically stop Sandboxed programs from reading your sensitive data.

This is where I am a little confused. If Sandboxie by default disables read and write access and nothing leaves the sandbox, how can it read files outside of the sandbox? So does that mean a Trojan can see what is in my word documents, excel files and my searches and PW outside of the sandbox? Currently, to prevent keylogging, I never type anything sensitive when a sandbox is active and I have sandbox disable the internet (Both things as per the FAQ) but if a trojan can just snoop....uhoh

If the host is not infected, you can safely run and contain already installed applications inside a Sandbox. You will need to update the software outside the Sandbox, however.

So If I download a virus that say hasn't wrecked havoc yet, Sandboxie will surround the program as If I ran it in the sandbox originally and contain it?

[DanM]

Bo.eleam

Sandboxies role is to capture this changes so they dont affect the system outside the sandbox. Sandboxie captures/isolate all changes, good or bad.

So, if you get hit by malware, if it runs and infects, the damage stays in the sandbox.

This is what I want but I keep seeing mixed answers on the forum. Even Barb said "Sandboxie does not typically stop Sandboxed programs from reading your sensitive data". See my full response above but correct me if I am wrong if malware can read all my external files even when Sandboxie default is set to not read, write, that is not isolation is it? The damage is not really staying in the sandbox.

As I said above, I like to run programs from new developers. I know every now and then, some will probably be malicious. I want to make sure if they are, they can only get the data in that Sandbox. Since I keep one program per Sandbox, I would assume, I should be safe but again, mixed responses from experts on here.

So far the defaults are set to no read or write access. Since I only have one program installed in Sandbox, once I x it out, Sandbox shows inactive. So Trojan or keylogger should be shutdown. I also have disabled internet.

Even the FAQ says:

Defending Against Key-Logger

Sandboxie is not designed to detect or disable key-loggers, but it is designed to make sure that sandboxed software stays in the sandbox, that such software can't integrate into Windows,

However, it insinuates also:

Then carry out all untrusted activity -- such as browsing the Web, reading email, and testing unknown programs -- only in the restricted area of the sandbox. This doesn't mean you won't be infected by key-loggers, but it does mean you can get rid of them

This seems contradictory to me because unless you are a computer Ace, I wouldn't know which program is trustworthy in a few hours. Keyloggers and Trojans are meant to be stealth. So it trojan or keylogger that I put in Sandbox A can read all other files in my PC and other Sandboxes, the damage can be done before I can even clear it. Emails and surfing are not the only things private many of us keep on a computer.


So this is why I am confused. Is the Software "staying in the Sandbox" or is it leaking all over the place until I empty all the sand?

Sorry for all the response but I keep getting more confused as I read.

[Barb@Invincea]

Hi DanM,

Sandboxie does not disable read access by default. It isolates programs so that they cannot modify (write) your machine, unless explicitly told to do so. If Sandboxed programs were not able to read some of the things on the computer, they would not work at all . However, you can restrict their access as Bo explained in his last post.

If you want to experiment with downloading "hidden gems", you can create a separate Sandbox with restrictions, so you can test what the apps do. The advantage is, if the file does contain malware, it will not be able to reach your computer, nor your files (if you have set up restrictions properly). You can then use a different Sandbox to check your emails, do banking, etc etc... If you control what you do inside each Sandbox, chances of getting infected by malware are very very low.

Below you will find examples of how to configure your Sandboxes to be as secure as possible: (based on user experience)
Example of online banking restricted Sandbox viewtopic.php?f=11&t=22893&hilit=most+secure+sandbox
Example of "bullet proof" setups: viewtopic.php?f=11&t=6174&p=40329&hilit ... ity#p40298
Examples of Anti-Ransomware setups: viewtopic.php?f=5&t=22736&hilit=sandbox ... y+settings

Regarding Key Loggers, we have another section that explains more in-depth how can they attack you, and what can Sandboxie do about them: (Scroll down to the end to see the "Defending Against Key-Logger section)
https://www.sandboxie.com/index.php?DetectingKeyLoggers

Regards,
Barb.-

[bo.elam]

This is where I am a little confused. If Sandboxie by default disables read and write access and nothing leaves the sandbox, how can it read files outside of the sandbox? So does that mean a Trojan can see what is in my word documents, excel files and my searches and PW outside of the sandbox? Currently, to prevent keylogging, I never type anything sensitive when a sandbox is active and I have sandbox disable the internet (Both things as per the FAQ) but if a trojan can just snoop....uhoh

By default, Sandboxie disables write access but not read access. Remember, without the read access, we wouldn't be able to do much in the sandbox. Programs in the sandbox have to nteract with files outside the sandbox in order to work properly.

If malware runs in a "default settings sandbox", it can read files outside the sandbox, just like any clean program can. So, to protect our sensitive files from getting stolen and keep malware from running in the sandbox, we go to Sandbox settings>Restrictions, to restrict the programs that can run in the sandbox and to restrict the programs that can access the internet.

Also, as mentioned before, you go to Sandbox settings>Resource access>File access, to restrict sandboxed program from accessing/reading your sensitive files.

If you block access to your important files, they cant be read or stolen.

If you restrict programs so only a few programs can run, when all of the sudden malware gets downloaded into the sandbox, if it attempts to run, it wont, it canrt do nothing.

Keylogging. I don't use anything for security but Sandboxie and NoScript. And believe me when I tell you, I am a dummy user. What I do to protect myself from keylogging is very simple but it works.

First of all, I dont mix sensitive browsing with regular browsing all in the same browsing session. Thats something you don't want to do. So, when doing banking, mail, purchases, anything sensitive, I open a fresh browsing session, do the sensitive stuff, and immediately after I finish, I close the browser and delete the sandbox. You should never use a sandbox with regular browsing content to do sensitive browsing. Another thing that's important for extra security, is not to have anything running in other sandboxes when doing sensitive browsing.

If your system is clean to begin with, that above is basically all you need to protect yourself from keyloggers. If you are infected now, Sandboxie cant help, your system has to be clean. Eventually, as you learn Sandboxie, you ll restrict the sandbox, and the security within the sandbox gets even better.

Bo

[DanM]

Sandboxie does not disable read access by default. It isolates programs so that they cannot modify (write) your machine, unless explicitly told to do so. If Sandboxed programs were not able to read some of the things on the computer, they would not work at all . However, you can restrict their access as Bo explained in his last post.

Sorry for all the questions.

Maybe I am reading it wrong but my default sandbox says "Read Only File Access" "The Following Files and Folders will not be modifiable to program running in the sandbox". It says the "list below applies to all programs". That list is blank. Does that not mean it can't read any files? It is blank just like my "write access folder".

[bo.elam]

Maybe I am reading it wrong but my default sandbox says "Read Only File Access" "The Following Files and Folders will not be modifiable to program running in the sandbox". It says the "list below applies to all programs". That list is blank. Does that not mean it can't read any files? It is blank just like my "write access folder".

By default settings, programs in the sandbox can read files outside the sandbox, and make changes (captured by Sandboxie) afterward inside the sandbox.That particular window you looking at now (sandbox settings>Resource access>File access>Read only access), is for files you might want to allow programs in the sandbox to read, but you prefer the sandboxed programs not to be allowed to make changes to them even within the sandbox.

If you dont add nothing there, what you read there it means nothing to you.

Myself, in all the years I used Sandboxie, never added nothing there. Some people use that setting but I rather use Blocked files for sensitive files and folder. Clear cut.

Bo

[DanM]

Bo,

Hi DanM . You should read this link (also posted by Barb). It should be your first reading. And dont worry if you dont understand most of it .
https://www.sandboxie.com/index.php?GettingStarted

I read so much including that but it is all about browsing. I actually browse outside the sandbox. Never had any issues with viruses and all my other malware software will detect it. However, I normally have to disable or whitelist untrusted new programs since they are always seen as malicious hence my reason for a Sandbox.

By default, Sandboxie disables write access but not read access. Remember, without the read access, we wouldn't be able to do much in the sandbox. Programs in the sandbox have to nteract with files outside the sandbox in order to work properly.

Please read my other response above to Barb about read access cause maybe I am a misunderstanding. It seems like my list for reading access is blank by default meaning it should not be able to read anything.

Pardon my ignorance but I was also under the assumption that when I install an .exe in the sandbox it will write in my reg hive but as per Sandboxie will "appear empty to programs running in the sandbox". So shouldn't the program be reading emptiness like my computer is a fresh install?

This is where I am getting confused. I thought a sandbox would make any virus think it is in a blank virtual machine and get nothing.





I

[DanM]

Bo,

You responded real quick when I was typing again

By default settings, programs in the sandbox can read files outside the sandbox, and make changes (captured by Sandboxie) afterward inside the sandbox.That particular window you looking at now (sandbox settings>Resource access>File access>Read only access), is for files you might want to allow programs in the sandbox to read, but you prefer the sandboxed programs not to be allowed to make changes to them even within the sandbox.

I installed the .exe file program right into the Sandbox. I did not install it outside and then Sandbox it, so wouldn't the (sandbox settings>Resource access>File access>Read only access) being blank mean no read access. I want the programs in the sandbox to read nothing but whatever it needed to install itself. So I have none on the list for "files you might want to allow programs in the sandbox to read".

Basically as said above to condense the post:

I was under the assumption that when I install an .exe in the sandbox it will write in my reg hive but as per Sandboxie will "appear empty to programs running in the sandbox". So shouldn't the program be reading emptiness like my computer is a fresh install?

This is where I am getting confused. I thought a sandbox would make any virus think it is in a blank virtual machine and get nothing.

[bo.elam]

Please read my other response above to Barb about read access cause maybe I am a misunderstanding. It seems like my list for reading access is blank by default meaning it should not be able to read anything.

Pardon my ignorance but I was also under the assumption that when I install an .exe in the sandbox it will write in my reg hive but as per Sandboxie will "appear empty to programs running in the sandbox". So shouldn't the program be reading emptiness like my computer is a fresh install?

This is where I am getting confused. I thought a sandbox would make any virus think it is in a blank virtual machine and get nothing.

I think I answered this question at the same time you were posting it.

Perhaps you are getting confused because you are trying to understand too much new stuff at the same time. Take it easy, you dont have to understand everything in 2 days or one week. When I started with Sandboxie all I "had" to know the first day was how to delete the sandbox, how to recover files, how to save bookmarks and how my antivirus interacted with Sandboxie. That was it.

Eventually, step by step, I started to understand how isolation works, and after time goes on, I started restricting and making things tighter. All started to make sense on its own.

I tell you, Sandboxie really works. My last infection happened before I started using Sandboxie. Nothing in 9 years. And that is despite not using antiviruses real time since 2010 or scanners since 2011.

Bo

[DanM]

Perhaps you are getting confused because you are trying to understand too much new stuff at the same time. Take it easy, you dont have to understand everything in 2 days or one week. When I started with Sandboxie all I "had" to know the first day was how to delete the sandbox, how to recover files, how to save bookmarks and how my antivirus interacted with Sandboxie. That was it.

I was hoping for once in my life, something would come defaulted perfectly.

So what can a layman like myself do to make Sandboxie think a virus or keylogger is in an empty OS. So far I only have 3 questionable programs, in three separate Sandboxes and internet disabled via sandboxie and my Firewall.

My understanding was a Sandbox was like Sandboxie says in write tab "Sandboxie will appear empty to programs running in the sandbox".

So I want to run the "questionable installer" directly inside sandboxie, allow it to do whatever it needs to do to install and work and then make my OS "appear empty".

That is what I thought a Sandbox was supposed to do. I thought while a Virtual Machine is separate a Sandbox makes the malware think it is separate. Was I wrong because so many experts say different things?