Forced Folders - file extension exceptions?

[Tridens]

Hello, Bo gave me a tip of creating a Sandbox for my Downloads directory (so that anything that gets run that I've downloaded to that directory it will run Sandboxed. I think this is a great idea, but unless I'm missing something, it limits every type of file, including non-executables. For instance, I double clicked a Microsoft Office file (.docx extension), and it tried to launch Microsoft Word 2016 sandboxed (which doesn't presently run under SBIE, as we know). Two questions:

1) Is there a way I'm missing to make exceptions to file types/extensions in Forced Folders, so that I can exclude MS Office files so that they'll run un-sandboxed?

2) If not, can this feature of permitting exclusions by file extension/type in Forced Folders be added? This seems like a very logical feature to implement and would increase the convenience of SBIE. As it is now I have to either save my Office files in a directory other than the Downloads file (something my less tech-savvy family members will struggle with) or not running the Downloads folder sandboxed at all (which is a major reason I bought this program for my family).

Thanks so much!

Craig

[Craig@Invincea]

You should set Office as the Forced Program to open in a SB. Then open each file individually from there.
More about forced folders:
http://www.sandboxie.com/index.php?ForceFolder

Folder means like your Downloads folder, USB drives, CD and DVD drives, that is considered a folder. You want the Program to open in a SB and then you want to open that file from within that sandboxed program.. Just double clicking a docx file may not work correctly.

[Tridens]

Thank you, but perhaps I wasn't clear. Given Office 2016 won't run sandboxed at all, I want to have Office files I open from a Forced Folder NOT run sandboxed. Being more specific, I have my Downloads directory in Forced Folders. However, I want to make an exception to that rule and tell SBIE to NOT open Office documents sandboxed. In this way, I can protect my download folder by sandboxing other programs like EXE, COM, DLL, etc., but ignore MS Office documents.

On a related note, I think some of the instructions on Sandboxie introduce some confusing terminology. Take this germane example, from the Forced Folders help page:

"The first example specifies that programs started from the C:\Download folder (or any folders below contained in those folders) will be forced to run sandboxed in the sandbox DefaultBox."

I assumed "Programs" meant executables, like winword.exe. However, in fact, opening a Word document (.docx) in a Forced Folder will cause the Word program to execute sandboxed, even though the Word program/executable is not located in the Forced Folder. Conventional terminology would say a .docx file is not a program, it's a file/document that runs in the Word program. I think the terminology breeds some confusion. Does that make sense?

So, if it's possible to make exceptions by file extension to Forced Folders, in order to give us more granularity, that would be fantastic. I think this is especially important given Forced Folders can evidently force programs not installed in the Forced Folder to run sandboxed if there is a document type linked to the executable within the Forced Folder.

Craig

[Craig@Invincea]

I assumed "Programs" meant executables, like winword.exe. However, in fact, opening a Word document (.docx) in a Forced Folder will cause the Word program to execute sandboxed, even though the Word program/executable is not located in the Forced Folder. Conventional terminology would say a .docx file is not a program, it's a file/document that runs in the Word program. I think the terminology breeds some confusion. Does that make sense?

That works just as it would in any folder in Windows. If the docx file is set to be opened by Word in Windows by default (unless you change the default behavior of that file type), how else would SBIE be able to render that file? SBIE doesn't have a file renderer built into it, it's going to open the program Windows is instructed to open. SBIE is going to do just that...however under the supervision of SBIE.

If you double click on a docx file in downloads/documents in Windows, and the default program in Windows is Word....Word will open. the same applies in SBIE. SBIE is going to do what Windows is instructed to do. SBIE however is going to supervise that since A.) the Program is sandboxed B. That file is sandboxed.

Otherwise, you would have a serious escape of a sandbox.

So, if it's possible to make exceptions by file extension to Forced Folders, in order to give us more granularity, that would be fantastic. I think this is especially important given Forced Folders can evidently force programs not installed in the Forced Folder to run sandboxed if there is a document type linked to the executable within the Forced Folder.

Forcing folders is just that. A folder. Typically this applies to removable media. USB/DVD etc. Since malware can hide you want to isolate all of that USB, etc. and this way you can force that entire folder (yes, that's considered a folder.) By definition, a folder contains one or more files...& sub folders.

If you have a downloaded Docx file from a browser while sandboxed, you can "Recover" it to your host machine outside of the sandbox. You can add any folder to this recovery....recover to the same folder as on your host, or to a folder on your host you specify. You can then open docx in Word without SBIE supervision.

[bo.elam]

However, in fact, opening a Word document (.docx) in a Forced Folder will cause the Word program to execute sandboxed, even though the Word program/executable is not located in the Forced Folder.

Tridens, what I do to get most files, programs and drives to run sandboxed automatically in my computers is I combine using both features, Forced programs and Forced folders. To sandbox specific exes like winword.exe, I force the exe with forced programs. And from then after, all Word files that I run will run sandboxed, the only question afterward is in which sandbox they are gonna run. If the file is located inside a Forced folder, winword runs in the sandbox I created for the forced folder. If the word file is in my Desktop which I don't force, then winword runs in my dedicated Office sandbox. I cover most programs that I use everyday that way.

I use Forced folders when I want to make sure files that are located inside a particular folder, run sandboxed automatically when executed. That really is the reason for forcing folders. If you want files that are inside a particular folder to run sandboxed all the time, then you force that folder.

Given Office 2016 won't run sandboxed at all, I want to have Office files I open from a Forced Folder NOT run sandboxed.

By the way, I can run Office sandboxed because I use it in XP, and it works fine sandboxed in XP. But I treat most programs in my XP and W7 same as Office in XP. Programs and systems are different but the idea is the same.

If you like to run an Office file unsandboxed out of a Forced folder, you can right click the file, select Run sandboxed, at the bottom of the window.....Click Run outside sandbox, OK.

Bo

[Tridens]

Craig,

Thanks for your detailed reply, and I apologize for not clearly communicating my question. Some of it is that I'm trying to get up to speed on how to leverage SBIE, and I'm getting acquainted with terminology, concepts, etc. Like anything there is a learning curve, and that is certainly true of SBIE.

That works just as it would in any folder in Windows. If the docx file is set to be opened by Word in Windows by default (unless you change the default behavior of that file type), how else would SBIE be able to render that file?

That's just it...I didn't want SBIE to render the file.

...SBIE is going to do what Windows is instructed to do. SBIE however is going to supervise that since A.) the Program is sandboxed B. That file is sandboxed.

I think I'll plan to revisit this issue after I have become more proficient in SBIE, the terminology, etc. But for now I'm still not sure I understand why you're saying the Program is sandboxed:

1) I understand that the file resides in a sandboxed folder.
2) I understand that SBIE will launch Winword.exe sandboxed when a .Docx is double-clicked from within a forced folder (by design choice)

But equating this to saying that the Program itself is sandboxed is confusing to me. Unless I misunderstand something, technically the Program is not sandboxed. Please bear with me here. I have not placed Winword.exe in the Forced Programs folder, nor put the Office installation location with its associated executables in the Forced Folders list.

To me, to say the Program is sandboxed would mean this: winword.exe is placed in the Forced Programs list, or the Office install directory is placed in the Forced Folder list, so that every .docx file that is opened, no matter in which directory, will open with Word sandboxed. These are two very different things, and I think the distinction is very important. I don't think you want people getting the impression that when you say a program is sandboxed, it may or may not run sandboxed based on whether or not the double-clicked document is located in a forced folder or not.

Otherwise, you would have a serious escape of a sandbox.

Yes, by design choice, when a Forced Folder contains a file for which the extension is associated with a program that resides outside the sandbox is opened, said program will run sandboxed. And this makes good design sense for default behavior. But I was inquiring about the ability to make exceptions by file type for the sake of convenience, acknowledging that there's a trade-off in security (a malicious .docx file could do some damage if I exempted the .docx files within a Forced Folder). However, I don't see this as much different from the convenience you offer by allowing web browsers to directly access history, or cookies, etc. It's a tradeoff...some security for convenience. In my situation, it would mean my family would be more protected than they are now, because the download directory would be protected by sandboxing (ensuring EXEs, MSIs etc. run sandboxed), but they would still have the convenience of downloading a Word doc from a friend or associated to the default download directory and being able to run/open it (something they can't do so long as Office Click to Run is not compatible with SBIE). For now I have to choose not to sandbox the download folder, and that's a bummer to me.

You may decide that this feature is not worth implementing because of demand, and that's fine, but unless I'm missing something, I see no technical reason why it's an illogical request (any more than the browser/cookies feature I mentioned above is). And in any case, I think the argument I'm making on winword.exe being a forced program or not is valid and worth considering to maintain clarity.

If you have a downloaded Docx file from a browser while sandboxed, you can "Recover" it to your host machine outside of the sandbox. You can add any folder to this recovery....recover to the same folder as on your host, or to a folder on your host you specify. You can then open docx in Word without SBIE supervision.

Yes, that feature is very handy, but I was trying to solve the problem of my family members having files in the Download directory that were created/downloaded before the Downloads directory was added to the Forced Folders.

Thanks for bearing with my long explanation, my SBIE newbie status, and my request. I hope to be a SBIE power user and singing it's praises to my colleagues (in fact, it's one of the reasons I'm requesting this feature...it would make it easier to recommend this software to some of my former IT colleagues who might want to benefit from employing SBIE on employee workstations).

--Craig

[Tridens]

Bo, thank you very much (again) for taking so much time to respond to one of my "newbie" questions. I really appreciate it!

In this case, I'm looking to do the opposite of what you're suggesting. I would like to allow .docx files located within a forced folder to run un-sandboxed. Right now there doesn't seem to be a way to do it (although I think it's a valid feature). My goal would be to allow others in my family to download a Word document from someone they trust to the default download folder but be able to run it unsandboxed. I realize they can right-click the file, choose Run Sandboxed, and choose Un-Sandboxed, but that's a lot of user involvement for people who are less tech savvy (the main reason I purchased SandboxIE was so that my "Father/Husband tech support" caseload would decrease!

Thanks for any ideas.

Craig

[bo.elam]

Tridens, let me give you an idea of something you might want to try. Add the Desktop to your Quick recovery folders, and get the members of your family used to recovering docx files to the desktop. And then, they can run those files unsandboxed from there.

I use Quick recovery, don't tick Immediate recovery and don't allow direct access to my downloads folder. So, after downloading something, I open Quick recovery manually, then I get an screen like the picture on top. If I want to recover to my Downloads folder (Forced), I click Recover to same folder. If I want to recover to my Desktop (Not forced), I click Recover to any folder. Afterward, the second screen opens up and I click Desktop at the bottom.

Depending on how you got recovering files setup, what I describe changes a little but what I wrote can give you ideas on how to make things easier for your family to get used to SBIE and be comfortable with it.

Bo

[Tridens]

Depending on how you got recovering files setup, what I describe changes a little but what I wrote can give you ideas on how to make things easier for your family to get used to SBIE and be comfortable with it.

Thanks, Bo. That's a good workaround. I'll give that a go. I still think my suggestion of allowing exceptions to Forced Folders by file extension is a good one, but one can always dream.

Thanks again for being so generous with your time!

Craig

[bo.elam]

I still think my suggestion of allowing exceptions to Forced Folders by file extension is a good one, but one can always dream.

I am glad to help when I can, Tridens. I probably wouldn't use the option you are suggesting but I think its a good option to be available.

I think for your family, getting used to doing things the same way all the time would help them get comfortable with Sandboxie. I have another idea, if they use Firefox, you could set up Firefox to ask where to download, and then get the family used to choosing the Desktop for DOCX files and choosing the forced folder for everything else. After a couple of days, they ll probably get in the routine of downloading like that.

Bo

[Tridens]

I have another idea, if they use Firefox, you could set up Firefox to ask where to download, and then get the family used to choosing the Desktop for DOCX files and choosing the forced folder for everything else. After a couple of days, they ll probably get in the routine of downloading like that.

Thanks, Bo. We're Chrome users since about a year ago, switching over from FF, but we could use the same principle with Chrome. We'll get a system worked out eventually. As a former network adminstrator and help desk guy for a large company, I know that minimizing extra steps and maximizing transparency is a key factor in compliance / happy employees. The same principles work at home!

Have a great weekend!

Craig (Tridens)