An easier 'Secure Delete' option

Ideas for enhancements to the software
Unknown_User_407

Post by Unknown_User_407 » Tue Oct 17, 2006 10:52 am

"The contents are not securely wiped, merely deleted."

Being new to this Browser Protection Utility, can you explain what exactly is the difference between simply deleting objects in the Sandboxie and Securely deleting/wiping? Why not simply design it to securely delete objects in the first place if the point of this program is "Security" and "Protection" from surfing the Net?

Alternatively, would it be possible to configure an easy [Secure Delete] option/button in a future version? The SecureDeleteSandbox Wiki still confuses me.

SBIE User

Post by SBIE User » Tue Oct 17, 2006 11:26 am

Robin,

To give SandboxIE a native secure delete option would require Tzuk to either write code to do that (and perhaps assume some responsibility/liability if it fails) or to license and integrate third party code into SandboxIE. Tzuk has said before that he wants to keep the program as simple and lean (my words, not his) as possible and avoids adding too many bells and whistles -- especially when the same features are available from external, free programs. None of us wants SandboxIE to get bloated.

Because it is very easy for users to select and use a freeware third-party secure delete program (like Eraser or SysInternal's SDelete), Tzuk has focused on other features of SandboxIE and left it to the users to handle secure deletion themselves.

The latest change allowing a registry entry to specify a third party secure deletion tool just makes it easier for users to use external secure deletion utilities from inside SandboxIE. I expect that is as far as Tzuk is willing to go on this issue.

If you want to use secure deletion and don't want to use the registry change approach, you can download SDelete from http://www.sysinternals.com/Utilities/SDelete.htmluse . Then you can use that program directly to securely erase the sandbox after you close SandboxIE. You can even set up a batch file to do that if you want.

Hope that helps.

SBIE (Happy) User

Unknown_User_407

Post by Unknown_User_407 » Tue Oct 17, 2006 3:29 pm

Oh, I see. That helps a lot. I'll look into those, thanks.

Unknown_User_486

Still Confused

Post by Unknown_User_486 » Tue Oct 17, 2006 7:38 pm

Regarding the post SecureDeleteSandbox Wiki referred to above, I am still confused. What I fail to understand is how Sandboxie invokes a third party utility, such as SysInternal's SDelete. I don't see it as an option in the toolbar, and the registry string referred to in the post SecureDeleteSandbox Wiki doesn't seem to do this. What am I missing, please?

- Daisey :)

Guest

Post by Guest » Sun Oct 22, 2006 5:03 am

SBIE User wrote:

Because it is very easy for users to select and use a freeware third-party secure delete program (like Eraser or SysInternal's SDelete), Tzuk has focused on other features of SandboxIE and left it to the users to handle secure deletion themselves.



SBIE (Happy) User
It is very easy for experienced users to edit the registry, use command line tools etc.. everyone else can **$$ off apparently. It's a shame. Secure deletion is commonplace in all kinds of tools now, I wouldn't have thought it would add that much ( OMG! ':shock:' ) bloat, but if it's such a problem why not a version for people who aren't bothered? If SB is going to move from an obscure utility to a Mom n' Pop (and me!) staple then secure deletion is going to have to be part of the tool. (Your link doesn't work BTW)

SBIE User

Post by SBIE User » Sun Oct 22, 2006 10:13 am

Guest wrote: It is very easy for experienced users to edit the registry, use command line tools etc.. everyone else can **$$ off apparently. It's a shame. Secure deletion is commonplace in all kinds of tools now, I wouldn't have thought it would add that much ( OMG! ':shock:' ) bloat, but if it's such a problem why not a version for people who aren't bothered? If SB is going to move from an obscure utility to a Mom n' Pop (and me!) staple then secure deletion is going to have to be part of the tool. (Your link doesn't work BTW)
The link contained an obvious error. The correct link for SDelete is:
http://www.sysinternals.com/Utilities/SDelete.html .

Actually, secure erasing is more complex than you may know. It is not simply a matter of just overwriting a file multiple times -- because Windows just would overwrite the buffer in memory (RAM) multiple times, providing no more security, and never touch the file until the last pass. Secure erasing requires flushing the buffer after each pass and then allowing users some choices about the overwriting patterns and numbers of overwrites.

SandboxIE is a very small program (about 240K), and there are dozens of features that could be added. Perhaps no one additional feature would bloat it beyond what is acceptable to Tzuk (and others of us who like its elegance), but I strongly support Tzuk's resistance to adding features that are otherwise easily achievable.

Yes, it is easy. I have written several posts here on exactly how to delete the sandbox securely using a batch file created with Notepad and not requiring any editing of the Windows registry. The Windows registry edit was offered by Tzuk for those of us who are comfortable with editing the registry, and it may not appeal to everyone. For others, there are good and easy alternatives.

SandboxIE is free for private use (although I encourage everyone to pay the modest fee and register it) and has been reviewed on lots of other sites. It is not "an obscure utility," but you are free not to use it if it does not meet your standards.

SBIE (Happy) User
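
The point made in the post above about flushing after each pass, as an added example that is not part of the original post and is not Sandboxie or SDelete code: a multi-pass in-place overwrite in Python where `os.fsync` forces every pass out of the write cache before the next one starts. The function names, chunk size and pattern order are assumptions chosen for illustration.

```python
import os
import secrets

CHUNK = 64 * 1024  # write in chunks so large files never need to fit in RAM


def overwrite_pass(fd, size, pattern):
    """Overwrite `size` bytes from offset 0 with one pass.

    `pattern` is a single byte such as b"\\x00"; None means random data.
    """
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        block = secrets.token_bytes(n) if pattern is None else pattern * n
        # os.write may write fewer bytes than requested; count what landed.
        remaining -= os.write(fd, block)
    # Without this flush, successive passes may only replace each other in
    # the OS write cache, and just the final pass would reach the disk.
    os.fsync(fd)


def secure_erase(path, patterns=(b"\x00", b"\xff", None)):
    """Overwrite a file in place once per pattern, then remove it.

    Returns the number of passes completed before the file was removed.
    """
    size = os.path.getsize(path)
    # O_BINARY exists only on Windows; it prevents newline translation.
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    passes = 0
    try:
        for pattern in patterns:
            overwrite_pass(fd, size, pattern)
            passes += 1
    finally:
        os.close(fd)
    os.remove(path)
    return passes
```

In-place overwriting only reaches the original data on storage that writes in place; on SSDs with wear leveling, or with copy-on-write and compressed files, old copies can survive elsewhere.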

SBIE User

Post by SBIE User » Sun Oct 22, 2006 10:38 am

Since this question comes up periodically, I want to add another observation on a very important factor related to the frequent suggestion to add native code in SandboxIE to perform secure erasing.

If one is concerned about security to the point of using a secure erasing program, then she or he would almost surely want to have the integrity and effectiveness of the program verified by the security community. That is standard practice for encryption and secure erasing programs, and most security experts recommend against using "proprietary" or "closed source" encryption or secure erasing code which cannot be reviewed by the security community.

If Tzuk were to add secure erasing code natively in SandboxIE, he would either have to open up his code for review or would have to endure suspicions that his code was not safe or effective. He can't include public domain code (that has already been reviewed by the security community) in his program without changing the license of his own code.

So, what alternatives does Tzuk have? First, he could just ignore this issue and let folks handle secure erasing on their own using free software outside of SandboxIE. (That was his strategy until fairly recently, and it worked fine.) Second, he could provide a means to link from SandboxIE to third party programs (free or commercial) that have already been accepted and tested as effective and safe. That is his current strategy, and it goes as far as he can go without focusing on writing new, proprietary secure erasing code and then either opening up his code or suffering the suspicions of others.

While I understand that people would like to just have a push-button or check-box solution to secure erasing, that is not easily or reasonably doable in this case.

I hope that adds some perspective to this continuing discussion.

SBIE (Happy) User

Unknown_User_486

Post by Unknown_User_486 » Sun Oct 22, 2006 10:53 am

SBIE User wrote:
Yes, it is easy. I have written several posts here on exactly how to delete the sandbox securely using a batch file created with Notepad and not requiring any editing of the Windows registry. The Windows registry edit was offered by Tzuk for those of us who are comfortable with editing the registry, and it may not appeal to everyone. For others, there are good and easy alternatives.
1. Where are these posts referred to above?
2. When I try to delete the folders created by SBIE, I get errors because they are locked by Explorer.

Thanks again, Daisey

SBIE User

Post by SBIE User » Sun Oct 22, 2006 11:11 am

dazed_and_confused wrote: 1. Where are these posts referred to above?
2. When I try to delete the folders created by SBIE, I get errors because they are locked by Explorer.
For a batch file to erase the Sandbox, see my second post in the thread at http://sandboxie.com/phpbb/viewtopic.php?t=657 .

You can also download and install Eraser 5.8, free and available from http://www.heidi.ie/eraser/download.php. That will add an "Erase" item to the context menus in Windows Explorer. Then just use Explorer to select the sandbox folder, right click and choose "Erase" in the context menu. That will securely erase the Sandbox.

Another alternative is to use CCleaner, as suggested by Oneder in the thread mentioned above. You can get CCleaner for free at http://www.ccleaner.com.

If Explorer has locked the sandbox, you should first make sure all programs operating in the Sandbox have been terminated before you try to erase the sandbox.

Hope that helps.

SBIE (Happy) User

Unknown_User_486

Post by Unknown_User_486 » Sun Oct 22, 2006 11:31 am

SBIE User wrote: If Explorer has locked the sandbox, you should first make sure all programs operating in the Sandbox have been terminated before you try to erase the sandbox.
OK. I am using Windows Washer. I have it set to wash the "C:\Documents and Settings\Owner\Application Data\Sandbox" folder (all sub-folders and files).

I first opened Firefox in Sandbox, navigated around a bit, and closed it. Then ran Windows Washer. It did NOT delete any of the folders or files beneath Sandbox. So I opened Explorer and tried to manually delete folders. Got the error message that another process had it locked. Using DCS File and Folder Unlocker, I determined that Explorer still had it locked. NOTHING was operating in Sandbox, but Sandbox Control.exe was still running.

Any other ideas?

SBIE User

Post by SBIE User » Sun Oct 22, 2006 11:41 am

Daisy,

Sometimes there is a delay before a program actually releases a folder even after the program is closed. I can't say for sure, but I suspect that Window Washer locked the folder and that the lock had not been fully released even though your unlocking program indicated otherwise. When that happens, unlocking programs usually report that the folder is locked by Explorer rather than the program that set the lock. That's just a guess. I have this problem sometimes, and it usually just goes away after I check with an unlocker and before I can diagnose it.

If you want to use a batch file with SDelete instead of Eraser, you could create a batch file (perhaps named SDeleteSbox.bat) containing the following code:

@echo off
:: This uses SDelete to securely erase sandbox.
:: It assumes the SDelete.exe program is located in C:\SDelete.
cls
c:\SDelete\sdelete.exe -p 3 -s "C:\Documents and Settings\Owner\Application Data\Sandbox"
echo.
echo.
echo Press any key to close this window . . .
pause > nul
exit

You would need to change the number of passes if you want more than 3 and you should use the correct path to your SDelete.exe program (enclosing it in quotes if it includes embedded spaces).

Hope that helps. Please let us know your results, as many people use Windows Washer and will be interested in your success.

SBIE (Happy) User

Unknown_User_486

Post by Unknown_User_486 » Sun Oct 22, 2006 12:02 pm

Thanks, SBIE User. :D

I've given up on WindowsWasher for this. Folders were still locked even now as I try to delete them manually.

I tried your batch file, and it worked pretty well. It apparently deleted all of the FILES beneath Sandbox folder, but it did not delete the sub folders themselves. Received error message saying folders were not empty (it contains sub-folders).

SBIE User

Post by SBIE User » Sun Oct 22, 2006 12:09 pm

Daisy,

Perhaps you should try a different unlocking program.

I'd suggest Unlocker 1.8.5 at http://ccollomb.free.fr/unlocker .

Or you could reboot your machine and see if the problem continues. That's a mindless suggestion, but it is sometimes the quickest way to solve a stubborn problem in Windows.

SBIE (Happy) User

Unknown_User_486

Post by Unknown_User_486 » Sun Oct 22, 2006 12:11 pm

Oh, my unlocking program works. I am just looking for a way to use Windows Washer without having to unlock the folders first.

Also, any way around SDelete not deleting the folders? Every time I run it, it deletes the lower-most folder in the tree. So if there are 10 nested folders, it would delete all of them, but only after 10 passes.

Edit: By the way, rebooting also unlocks folders. But that's a hassle, too.

SBIE User

Post by SBIE User » Sun Oct 22, 2006 12:20 pm

dazed_and_confused wrote:Also, any way around SDelete not deleting the folders? Every time I run it, it deletes the lower-most folder in the tree. So if there are 10 nested folders, it would delete all of them, but only after 10
That's a puzzle to me. I just tried my batch file with SDelete (which I don't normally use) and it deleted the top-level sandbox folder and seven layers of subfolders and files without leaving any folders. So the code "should" delete the folder structure completely unless a file or folder is still locked.

I still think you were right in your first diagnosis that this is related to locking.

As a test, I'd suggest you leave your sandbox unerased and then reboot. Then before you do anything else, try the SDelete batch file again and see if it works. If so, then the problem is most likely an unlocking problem.

Another possibility is to specify a different top-level sandbox and see if that helps. I personally put the sandbox on another drive and use a short name: f:\sbox. You might try that and see if the problem continues.

SBIE (Happy) User
