
Setting up Sandboxes [SOLVED]

Posted: Wed Mar 14, 2018 8:36 am
by AMD
Hi,

I have read on this and other forums about setting up various individual sandboxes and need a little help.

I have Chrome as a forced program in its own sandbox for day to day browsing and allowed Roboform access within the configuration. I also have Firefox in its own Sandbox with no extensions etc which will be used for banking etc.

I have seen comments about forcing the downloads folder and windows explorer - when forcing these, do I create a separate sandbox for each as forced folders/processes or do I force downloads in the Chrome and Firefox sandboxes and just have windows explorer as a separate sandbox?

I am thinking that if I have downloads forced in the Chrome sandbox, how would I see the downloaded file if windows explorer is a totally separate sandbox?

At the moment, I have created a separate windows explorer sandbox as forced and created a desktop shortcut using the sandboxie shortcut creator.

Andy

Re: Setting up Sandboxes

Posted: Wed Mar 14, 2018 11:25 am
by Barb@Invincea
Hello AMD,

Each Sandbox has its own container folder, thus, what you download inside Sandbox A, stays in Sandbox A.
If you download something via, say, sandboxed Chrome, it will be stored in the same Sandbox Chrome was running in. To see those files, you will need to open the downloads folder in that same sandbox.

If you do download files outside Sandboxie, or recover any sandboxed files to the Downloads folder, Forcing it to open in Sandboxie will ensure you do not accidentally click on a dangerous file while outside the Sandbox.

Have a look at these threads for ideas of how to set up your Sandboxes to make them more secure:
Example of online banking restricted Sandbox viewtopic.php?p=120818#p120818
Example of "bullet proof" setups: viewtopic.php?p=40298#p40298

Regarding using multiple Sandboxes, check out this Guru's answer to a previous post:
viewtopic.php?p=129256#p129256

Regards,
Barb.-

Re: Setting up Sandboxes

Posted: Wed Mar 14, 2018 2:11 pm
by bo.elam
AMD wrote:
Wed Mar 14, 2018 8:36 am
I have seen comments about forcing the downloads folder and windows explorer - when forcing these, do I create a separate sandbox for each as forced folders/processes or do I force downloads in the Chrome and Firefox sandboxes and just have windows explorer as a separate sandbox?

I am thinking that if I have downloads forced in the Chrome sandbox, how would I see the downloaded file if windows explorer is a totally separate sandbox?

At the moment, I have created a separate windows explorer sandbox as forced and created a desktop shortcut using the sandboxie shortcut creator.

Andy
Hi Andy. For your Downloads sandbox, use a separate sandbox. Use the Forced folder feature. Programs and files that get executed from within will run sandboxed automatically.

For sandboxing Windows explorer: you do not Force Windows explorer. If you do, you'll have problems. If you try to do it, Sandboxie warns you with a message telling you that there can be problems.

What you want to do with Explorer is to create a Sandboxed shortcut via Configure>Windows shell integration>Add shortcut icons. Set it up for Windows explorer to run in its own dedicated sandbox, that way, for example, you can configure it so no program that runs can access the internet. You can also do this with your Downloads sandbox. With the shortcut, whenever you want to run Explorer sandboxed, you click the shortcut.

Bo

Re: Setting up Sandboxes

Posted: Wed Mar 14, 2018 4:28 pm
by AMD
Bo

Thanks for your response.

If I have a separate "downloads" sandbox, how does anything get downloaded into it - I think I am missing something here?

When you say run explorer from a shortcut that’s fine but do you mean from a dedicated sandbox called say “explorer” without any forced programs/folders?

Do I also have to force downloads in the Chrome sandbox settings too?

Re: Setting up Sandboxes

Posted: Wed Mar 14, 2018 5:18 pm
by bo.elam
AMD wrote:
Wed Mar 14, 2018 4:28 pm
Bo

Thanks for your response.

When you say run explorer from a shortcut that’s fine but do you mean from a dedicated sandbox called say “explorer”?
You are welcome. You can call the sandbox whatever you want to call it. I named it WindowsExplorer, and placed a shortcut in the taskbar.

Bo

Re: Setting up Sandboxes

Posted: Wed Mar 14, 2018 5:40 pm
by AMD
Bo,

Can you re-read my post as it crossed with your response while I was editing it.

By the way, you helped me quite a bit when I first acquired Sandboxie a few years ago but obviously then I was just using it for Browser sandboxing but I am looking to use it for more security on my PC

Re: Setting up Sandboxes

Posted: Wed Mar 14, 2018 6:47 pm
by bo.elam
AMD wrote:
Wed Mar 14, 2018 4:28 pm

If I have a separate "downloads" sandbox, how does anything get downloaded into it - I think I am missing something here?

........

Do I also have to force downloads in the Chrome sandbox settings too?
I think what's above is what you added in your edit. To "Recover/Download" into your real downloads folder outside the sandbox, you must set up Recovery in Sandbox settings. This is what I do, I'll use Firefox in the example. First, you need to set Firefox to download to one specific folder. So, for Firefox, you do that in Firefox Options.

Then you go to Sandbox settings of your Firefox sandbox (Recovery>Quick recovery), and add the folder where you set Firefox to download to and any other folder where you might also want to download. I add Desktop. What you add there are the only folders that would be visible to Sandboxie when you recover.

I also untick, disable Immediate recovery. Immediate recovery gives you a prompt informing you when a download has finished. I don't like prompts so I disable it.

The way I set Recovery up, I manually recover after downloads are finished by right clicking the SBIE icon, hovering the browser over the name of the sandbox, and clicking Quick recovery. I recover when I am ready to. Also, if you forgot about recoveries, when you close the browser, Sandboxie prompts you reminding you that there are downloads available. Then you can choose, recover or delete.

Forcing your Downloads folder is totally separate from Chrome or Firefox. You Force your Downloads folder so when you navigate to that folder, files you downloaded and recovered run sandboxed automatically. These are files that you already pulled out of the browser's sandbox.

Bo

Re: Setting up Sandboxes

Posted: Wed Mar 14, 2018 7:14 pm
by AMD
bo.elam wrote:
Wed Mar 14, 2018 6:47 pm
AMD wrote:
Wed Mar 14, 2018 4:28 pm

If I have a separate "downloads" sandbox, how does anything get downloaded into it - I think I am missing something here?

........

Do I also have to force downloads in the Chrome sandbox settings too?
I think what's above is what you added in your edit. To "Recover/Download" into your real downloads folder outside the sandbox, you must set up Recovery in Sandbox settings. This is what I do, I'll use Firefox in the example. First, you need to set Firefox to download to one specific folder. So, for Firefox, you do that in Firefox Options.

I am quite OK with recovering of sandboxed downloads to the real downloads (c\users\andy\downloads) but I am trying to configure downloading to the same location but sandboxed so I can scan it for viruses etc first before releasing it to the real downloads folder - to do this, do I force the folder

Then you go to Sandbox settings of your Firefox sandbox (Recovery>Quick recovery), and add the folder where you set Firefox to download to and any other folder where you might also want to download. I add Desktop. What you add there are the only folders that would be visible to Sandboxie when you recover.

I also untick, disable Immediate recovery. Immediate recovery gives you a prompt informing you when a download has finished. I don't like prompts so I disable it.

The way I set Recovery up, I manually recover after downloads are finished by right clicking the SBIE icon, hovering the browser over the name of the sandbox, and clicking Quick recovery. I recover when I am ready to. Also, if you forgot about recoveries, when you close the browser, Sandboxie prompts you reminding you that there are downloads available. Then you can choose, recover or delete.

Forcing your Downloads folder is totally separate from Chrome or Firefox. You Force your Downloads folder so when you navigate to that folder, files you downloaded and recovered run sandboxed automatically. These are files that you already pulled out of the browser's sandbox.
Bo
Bo, thanks.

I am quite OK with recovering of sandboxed downloads to the real downloads (c\users\andy\downloads) but what I am trying to configure is downloading to the same location but sandboxed so I can scan it for viruses etc first before releasing it to the real downloads folder - to do this, do I force the downloads folder in the Chrome sandbox and then create a desktop shortcut via windows shell integration, selecting the Chrome sandbox and then selecting the path to my normal downloads location?

I think what I am trying to achieve is in your last paragraph but I seem to be struggling with this!

Re: Setting up Sandboxes

Posted: Wed Mar 14, 2018 7:57 pm
by bo.elam
AMD wrote:
Wed Mar 14, 2018 7:14 pm
I think what I am trying to achieve is in your last paragraph but I seem to be struggling with this!
Sounds like what you want is to scan files before recovering them out of the sandbox.

For that, you go to C:\Sandbox\, and navigate to the copy of your Downloads folder that you'll find in there. And scan the file. The file is there, that's where it goes before you recover it to your real Downloads folder.

In my case, if I was running Firefox in my DefaultBox and wanted to scan files before recovering, I would navigate here:

C:\Sandbox\Bo\DefaultBox\user\current\BoDownloads

BoDownloads is the folder I set Firefox to recover to and also add in Quick recovery.

I haven't used AV in 9 years but I know this: some antivirus can't scan within the sandbox folder. Some can, some can't. If they can't, you might get nothing from the AV, like 0 files scanned. So, you have to try and see what happens.

In my opinion, it's kind of unnecessary to scan files in C:\Sandbox as they were already scanned by your real time AV when the file is downloaded or written to the hard drive. So, no need for double scanning. Also, if you want to scan it with an OD scanner and it doesn't work, I wouldn't worry, just scan it after you recover it to your Downloads folder. Remember, if you set your Downloads folder as Forced and you execute the file by mistake before scanning it, the file would run sandboxed. So, there's no harm if it is malicious.

Bo

Re: Setting up Sandboxes

Posted: Fri Mar 16, 2018 7:49 am
by AMD
Bo,

Many thanks for your patience and help.

Much appreciated.

Andy

Re: Setting up Sandboxes [SOLVED]

Posted: Fri Mar 16, 2018 12:35 pm
by AMD
Bo,

Can you have a look at my .ini file and see if it looks configured correctly:


[GlobalSettings]

Template=WindowsRasMan
Template=WindowsLive
Template=Kaspersky
Template=OfficeLicensing
Template=OfficeClickToRun
TemplateReject=RoboForm

[DefaultBox]

ConfigLevel=7
AutoRecover=y
BlockNetworkFiles=y
Template=qWave
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=Chrome_Phishing_DirectAccess
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,ttl
Enabled=y

[UserSettings_082601AD]

SbieCtrl_UserName=andy
SbieCtrl_ShowWelcome=n
SbieCtrl_NextUpdateCheck=1521664350
SbieCtrl_UpdateCheckNotify=n
SbieCtrl_AutoApplySettings=y
SbieCtrl_WindowCoords=494,271,1237,632
SbieCtrl_ActiveView=40021
SbieCtrl_EnableLogonStart=y
SbieCtrl_EnableAutoStart=y
SbieCtrl_AddDesktopIcon=y
SbieCtrl_AddQuickLaunchIcon=y
SbieCtrl_AddContextMenu=y
SbieCtrl_AddSendToMenu=y
SbieCtrl_BoxExpandedView=DefaultBox,Downloads,FileExplorer,FireFox

[Chrome]

Enabled=y
ConfigLevel=7
BlockNetworkFiles=y
Template=RoboForm
Template=Chrome_Preferences_DirectAccess
Template=Chrome_Force
Template=Chrome_Profile_DirectAccess
Template=Chrome_History_DirectAccess
Template=Chrome_Bookmarks_DirectAccess
Template=qWave
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=Chrome_Phishing_DirectAccess
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#0000FF,ttl
BoxNameTitle=n
AutoDelete=y
NeverDelete=n
LeaderProcess=chrome.exe
NotifyInternetAccessDenied=y
ProcessGroup=<StartRunAccess>,chrome.exe,cmd.exe,rf-chrome-nm-host.exe,NativeMessagingEXE.exe,plugins-setup.exe,dllhost.exe,FoxitPhantomPDF.exe,rundll32.exe,GoogleUpdateOnDemand.exe,GoogleUpdate.exe,explorer.exe,WerFault.exe
ProcessGroup=<InternetAccess>,chrome.exe,FoxitPhantomPDF.exe
NotifyStartRunAccessDenied=y
ClosedFilePath=%Personal%\
ClosedFilePath=G:\
ClosedFilePath=E:\
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
AutoRecover=y
ClosedIpcPath=!<StartRunAccess>,*

[TemplateSettings]

Tmpl.RoboForm.andy=C:\Users\Andy\AppData\Local\RoboForm

[FireFox]

Enabled=y
ConfigLevel=7
AutoRecover=y
BlockNetworkFiles=y
Template=qWave
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=Chrome_Phishing_DirectAccess
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#00FF00,ttl
AutoDelete=y
NeverDelete=n
ForceProcess=firefox.exe
LeaderProcess=firefox.exe
NotifyInternetAccessDenied=y
ProcessGroup=<StartRunAccess>,firefox.exe
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=%Personal%\
ClosedFilePath=G:\
ClosedFilePath=E:\
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
NotifyStartRunAccessDenied=y
ClosedIpcPath=!<StartRunAccess>,*
DropAdminRights=y
BoxNameTitle=n

[FileExplorer]

Enabled=y
ConfigLevel=7
AutoRecover=y
BlockNetworkFiles=y
Template=qWave
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=Chrome_Phishing_DirectAccess
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,ttl
CopyLimitKb=199682
AutoDelete=y
NeverDelete=n
LeaderProcess=explorer.exe
DropAdminRights=y
NotifyStartRunAccessDenied=y
ProcessGroup=<StartRunAccess>,explorer.exe,foxitphantompdf.exe,rundll32.exe,dllhost.exe,ZAM.exe
ClosedIpcPath=!<StartRunAccess>,*

[Downloads]

Enabled=y
ConfigLevel=7
AutoRecover=y
BlockNetworkFiles=y
Template=qWave
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=Chrome_Phishing_DirectAccess
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,ttl
ForceFolder=C:\Users\Andy\Downloads

I have a shortcut on my desktop to run Downloads and the same for Windows explorer (File Explorer as it now seems to be called).

I just want to be sure I am going about this as recommended.

NB There is a global setting for Roboform but I unchecked it from software compatibility because I did not want it in Firefox as that will be my intended banking browser but Roboform is in my Chrome browser which I use daily for logging in.

Andy

Re: Setting up Sandboxes [SOLVED]

Posted: Fri Mar 16, 2018 3:07 pm
by bo.elam
AMD wrote:
Fri Mar 16, 2018 12:35 pm
Bo,

Can you have a look at my .ini file and see if it looks configured correctly:

The setting I would add to your Downloads and File Explorer sandboxes is: ClosedFilePath=InternetAccessDevices

Sandbox Settings>Restrictions>Internet access, Click "Block all programs", specially for the Downloads sandbox.

Bo
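
An added example, not part of the original thread and not Sandboxie's own code: a small Python audit that reads the box sections of a Sandboxie.ini and reports, per box, whether internet access is blocked for every program (the `ClosedFilePath=InternetAccessDevices` line suggested above), limited to a named group, or left open. The sample text is constructed from a trimmed version of the layout posted earlier; the function names are illustrative.

```python
# Constructed sample, trimmed from the box layout posted in the thread.
SAMPLE_INI = r"""[GlobalSettings]
Template=Kaspersky

[Chrome]
Enabled=y
ProcessGroup=<InternetAccess>,chrome.exe,FoxitPhantomPDF.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices

[FileExplorer]
Enabled=y
DropAdminRights=y

[Downloads]
Enabled=y
ForceFolder=C:\Users\Andy\Downloads
"""

NON_BOX = ("GlobalSettings", "TemplateSettings")  # plus UserSettings_* sections


def parse_boxes(text):
    """Return {box: {key: [values]}}. Keys repeat in Sandboxie.ini, so keep lists."""
    boxes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            skip = name in NON_BOX or name.startswith("UserSettings_")
            current = None if skip else boxes.setdefault(name, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return boxes


def internet_policy(settings):
    """Classify a box as 'blocked', 'restricted' (group exempted) or 'open'."""
    policy = "open"
    for value in settings.get("ClosedFilePath", []):
        parts = [p.strip() for p in value.split(",")]
        if parts[-1] != "InternetAccessDevices":
            continue
        if len(parts) == 1:
            return "blocked"          # no program in the box may connect
        if parts[0].startswith("!<"):
            policy = "restricted"     # every program outside the group is blocked
    return policy


def audit(text):
    """Map each box to (internet policy, forced folders)."""
    return {box: (internet_policy(s), s.get("ForceFolder", []))
            for box, s in parse_boxes(text).items()}


if __name__ == "__main__":
    for box, (policy, forced) in audit(SAMPLE_INI).items():
        print(f"{box:13} internet={policy:10} forced={forced}")
```

To run it against a real configuration, read Sandboxie.ini with the encoding it is saved in (commonly UTF-16) and pass the text to `audit()`.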

Re: Setting up Sandboxes [SOLVED]

Posted: Fri Mar 16, 2018 3:32 pm
by AMD
Bo

Thanks again.

I will add these.

Just on something else I have noticed, Foxit is a forced program in its own dedicated sandbox and although I have it set to delete automatically when the sandbox is closed, it is not doing so.

These are the processes that are still there after I close :



I have dllhost as a lingering program to stop and Foxit set as a program stop but something seems to keep it from auto deleting?

Re: Setting up Sandboxes [SOLVED]

Posted: Fri Mar 16, 2018 3:45 pm
by bo.elam
I use Foxit Portable. These are the programs I allow to run: foxitreader.exe,dllhost.exe,foxitreaderportable.exe. And have foxitreader.exe as Leader program. I probably added it as Leader program because there were lingering programs when I first installed Foxit in my W10 (the computer I am using right this moment). My Foxit sandbox deletes properly. I am using Foxit version 8.3.2.25013.

I know I am not using the latest version of Foxit. Tell me the number of the one you are using, if it's newer, I'll install it later (Portable), and see what happens.

Bo

Re: Setting up Sandboxes [SOLVED]

Posted: Fri Mar 16, 2018 3:48 pm
by AMD
Bo

The version I am on differs and is Version: 8.3.5.30351

Not sure if that's the reason why it doesn't auto delete?