New Feature Request

Ideas for enhancements to the software
MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Mon Aug 13, 2007 8:00 pm

This question may make no sense so please don't laugh ... lol.

Your computer has interaction with the web - there is a back and forth type of thing. So it's like a back door, front door situation. We currently have the ability to "force" programs to open in the sandbox, but there is really nothing in place once programs are in the sandbox.

A virus or bug could get in the sandbox, but it can not leave anything behind once you delete the sandbox. And if it tries to do anything, it will only be to sandboxed files anyway. But keyloggers could start recording and sending right away.

I'm thinking of an "Only Allow" setting in addition to the forced setting. The "Only Allow" of course concerns the web.

Example: Internet Explorer would be on my "Forced List" and it would also be on my "Only Allow" list.

so BadKeylogger.exe could record keystrokes but could not access the web because it would not be on my "Only Allow" list.

Possible? I would think that since we have it contained within the sandbox, and it is your program doing the containment, it might be possible to "govern" behavior.

mitch

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Mon Aug 13, 2007 9:18 pm

So basically you'd like the ability to have Sandboxie act sorta as a firewall for sandboxed processes? Well, it is a good idea imo, but I'm not sure what others would think, most ppl would probably just say "install a firewall!", lol. I guess one way it could be done is to have Sandboxie block access to the internet for all sandboxed programs except what you add to the "Whitelist", but I'm not sure how hard it'd be to do (that's if tzuk even considers the idea in the first place :?)
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Mon Aug 13, 2007 9:41 pm

Well it was my understanding that it is very hard to detect all classes of key-loggers, and a firewall could be a hit or miss thing. Also, there must be some reason that one would consider so and so firewall to be better than another firewall. Like yourself, you must feel that Comodo firewall is better than other firewalls for some reason.

So, simply saying get a firewall doesn't cut it. Also in terms of eliminating another class of software (firewalls), because you are using Sandboxie is for me at least - the whole point.

Quote: I guess one way it could be done is to have Sandboxie block access to the internet for all sandboxed programs except what you add to the "Whitelist"

That's exactly it - you are always so good at one sentence what it takes me three paragraphs - lol sry

mitch

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Mon Aug 13, 2007 10:19 pm

ps; I am asking for this for a reason - throughout this forum is back and forth on what should be used with Sandboxie for protection. Opinions on this, opinions on that.

It seems universally agreed upon that you need a firewall with Sandboxie. This invokes the question; "Is my firewall catching everything?" ....... well the answer has to be "No" or "I don't know"

Can we make that answer be "Yes"? A normal firewall monitors your whole computer and maybe misses something. The Sandboxie "Firewall" would only concern itself with one folder - your default sandbox.

mitch

street011
Posts: 412
Joined: Tue Jan 16, 2007 2:08 pm

Post by street011 » Tue Aug 14, 2007 7:19 am

if you install a decent firewall it will ask you the instant any unknown application or service or whatever is trying to access the internet...

the problem with your technique is that a lot of programs that "send" something use internet explorer to do the job for them...

so if you allow only iexplore access to the web, the keylogger would just send a form or report through an iexplore session...

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Tue Aug 14, 2007 7:42 am

Oh, Ok then Street, that kind of kills it then. Thanx for the reply and explanation.

This is not a Sandboxie related comment but it just makes me go in circles cause my common sense then has to ask - "a firewall is helping me.....how?"

no need to answer - just rhetorical

mitch

MikeJ
Posts: 112
Joined: Fri Aug 10, 2007 1:14 pm
Location: Columbus OH

Post by MikeJ » Tue Aug 14, 2007 2:09 pm

Mitch, I'm pretty much with you, and not because I want to see SBIE end up doing everything for everybody. I do see the idea as kind-of firewall, but not really. From what I understand, simply make SBIE stop everything outgoing by default, period. Unless I allow that particular program access. To me it makes sense as following;

Running several sandboxes as I do, say I allow IE access in ONE box I browse with, and only that one, at least not every other box is susceptible. Yes, that one box can still run loggers and send via IE, but the point is, when I'm running a "throw-away" box I use just to install software, that box would not be able to pass anything.

One could say (and has I'm sure :D ), well, why have the sandbox do this, why not a dedicated firewall? Well, it's a SANDBOX !!! Isn't that the point? Why sandbox some behaviour but not others? I can't think of why not sandbox the connection, because to me the very definition of sandbox should just naturally sandbox every way a program can compromise a system, to include sending information from that system to another. Trust no program, except when it comes to a gaping hole in the internet connection, then we can trust it all?

I think this may strike at a deeper question which could be discussed, What IS a sandbox?

I'm just glad there are some good people here, who think rather alike, take in opinions and whether agree or not the conversations are always courteous. Let me know if my logic is flawed, as it may well be!

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Tue Aug 14, 2007 2:15 pm

street011 wrote: if you install a decent firewall it will ask you the instant any unknown application or service or whatever is trying to access the internet...

the problem with your technique is that a lot of programs that "send" something use internet explorer to do the job for them...

so if you allow only iexplore access to the web, the keylogger would just send a form or report through an iexplore session...

Not exactly, you're right, some keyloggers do the dirty work through IE, but about half the keyloggers I've seen use their own little SMTP server built inside the keylogger to send the keystrokes, the way those keyloggers work is by recording your keystrokes, then they save the keystrokes to a logfile on your PC, then they send those logfiles through the built-in SMTP server over to the email address of the person who built the keylogger. So if you come across one of those "SMTP Keyloggers" then you'd be able to allow or deny the action when you see some suspicious file trying to send a logfile to a remote email address. :wink:

MikeJ
Posts: 112
Joined: Fri Aug 10, 2007 1:14 pm
Location: Columbus OH

Post by MikeJ » Tue Aug 14, 2007 2:39 pm

The "What is a sandbox" question got me thinking, so I looked it up on Wikipedia and found that it may be of interest. I'll include none of my own comments here :lol:

"In computer security, a sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or programs from unverified third-parties, suppliers and untrusted users.

The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices is usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization."

Unknown_User_868
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_868 » Tue Aug 14, 2007 6:55 pm

i took the first post to mean something completely different than sandboxing the connection. i took it to mean only allowing that one process to run. for example if i put:

forceprocess=iexplore.exe
allowonly=iexplore.exe

then that would force ie into that sandbox, and would allow only that process to run. so if another process tried to run, no dice, can't run. now of course you should be able to specify more than one process that can run, such as iexplore.exe, flash.exe (or whatever the process to run flash is) etc. this way you could custom tailor the sandbox so that it only runs what you say is ok, and nothing else. this to my mind is far better than making sbie a firewall as well, and seems to keep it more in line with what it actually is. it seems to me that if you can force a process to run in the sandbox, you could just as easily stop it from running altogether. you could even run it as a blacklist (in another sandbox of course) to allow even greater flexibility

denyprocess=iexplore.exe

to stop specific programs from running, though if you did this you would have to massively increase the length allowed for the ini file, as i'm sure there would be some that would blacklist all known bad processes. . .

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Aug 14, 2007 7:21 pm

I just wanted to remind everyone that ClosedPipePath can be used to block Internet access, and the "process name prefix" can be negated in an everything-but form. Or in other words,

Code:

ClosedFilePath=!iexplore.exe,\Device\Afd*

Blocks Internet access for anything sandboxed that is not iexplore.exe.
tzuk

Unknown_User_868
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_868 » Tue Aug 14, 2007 7:39 pm

that, sir, is a good thing to know, thank you very much. is there anything existing that would stop a process from running at all?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Aug 14, 2007 7:48 pm

Yes, a similar trick:

Code:

ClosedIpcPath=!iexplore.exe,*

If the process can't access anything, it will not work. But take note that this exclusion (and the previous example too) will apply to everything that isn't iexplore.exe, and you can't "turn it off" for, say, notepad.exe. Not even for required Sandboxie support programs like SandboxieRpcss.exe!

I should probably extend it to accept a set of processes, as in "ClosedFilePath=!(iexplore.exe,notepad.exe),*", but that will have to wait. :)
tzuk
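
A small Python model of the negated process-prefix rules from the two posts above, added here as an example (it is not Sandboxie's code and not part of the thread). Splitting at the first comma, case-insensitive matching, `*` as the only wildcard and the sample object paths are assumptions made for illustration.

```python
import re

# Rule values as posted in the thread.
NET_RULE = r"!iexplore.exe,\Device\Afd*"   # ClosedFilePath example
IPC_RULE = "!iexplore.exe,*"               # ClosedIpcPath example
# Process names mentioned in the thread.
PROCESSES = ["iexplore.exe", "BadKeylogger.exe", "notepad.exe", "SandboxieRpcss.exe"]

def parse_rule(value):
    """Split 'proc,pattern', '!proc,pattern' or 'pattern' (assumed syntax)."""
    process, negated, pattern = None, False, value
    if "," in value:
        process, pattern = value.split(",", 1)
        if process.startswith("!"):
            negated, process = True, process[1:]
    return process, negated, pattern

def _matches(pattern, path):
    # '*' is the only wildcard modelled; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path, re.IGNORECASE) is not None

def is_closed(rule_value, image_name, path):
    """True if this model says the rule closes `path` for `image_name`."""
    process, negated, pattern = parse_rule(rule_value)
    if process is not None:
        same = image_name.lower() == process.lower()
        if same == negated:      # rule is not addressed to this process
            return False
    return _matches(pattern, path)

def closed_for(rule_value, path):
    """Names from PROCESSES for which the rule closes `path`."""
    return [p for p in PROCESSES if is_closed(rule_value, p, path)]

if __name__ == "__main__":
    # Constructed sample object paths, not taken from the thread.
    print("network:", closed_for(NET_RULE, r"\Device\Afd\Endpoint"))
    # The '*' rule also closes everything for support programs such as
    # SandboxieRpcss.exe, which is the caveat in the post above.
    print("ipc:    ", closed_for(IPC_RULE, r"\RPC Control\epmapper"))
```

In this model iexplore.exe is the only name left open by either rule, so the rules say nothing about data another program hands to an iexplore.exe session, which is the limitation street011 raised earlier in the thread.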

Unknown_User_868
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_868 » Tue Aug 14, 2007 8:10 pm

we await, with bated breath, the power we will yet wield over our tiny domains, and much thanks given to its creator, the writer of the code, whose sacrifice has given us the ability to fight the forces of chaos. hail to thee, he who gives us power to control our dominions

(sorry, too much robert jordan)

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Tue Aug 14, 2007 8:13 pm

Rereading my first post, I can see the confusion. I didn't mean to only allow one process, such as IE. I meant that as the first of an example.

I was looking for "only allow" as a header, with a drop-down check list of probable items. Like the forced process page has 6-7 items you can check.

so you could "only allow" : IE, Firefox, Outlook, and GameX as a better example.

as it is currently - we are really only sandboxing the "Front Door", I'm looking to sandbox the "Back Door" as well - if that helps.

sry all - mitch
Last edited by MitchE323 on Tue Aug 14, 2007 8:36 pm, edited 1 time in total.
