Sandboxie Support

I would like to download a document and view it within SBIE.
What is the best way to do this? Thanks.

sanbox man wrote:I would like to download a document and view it within SBIE.
What is the best way to do this? Thanks.

The best way is to force programs to run sandboxed automatically. You can also force your Downloads folder so files that you recover there run sandboxed automatically when they are executed.

You can also right click files and select Run sandboxed or Send to>Sandboxie, and select the sandbox where you want to run the file.

Another way to run files sandboxed is to open View>Files and folders, Select the sandbox that you used to download the file, go to your Quick recovery folder, right click the download and select Run sandboxed. You can also go into the Sandbox folder in C Drive and click the download, it ll run sandboxed.

Bo

I would suggest that the "best" way would be to have a "Downloads" folder where you download all files into. Then simply create a shortcut (sandboxed explorer.exe) to that folder.

Everyone will have slightly different approaches and setups, but with this method, you can guarantee that every file downloaded will always run sandboxed, and it's arguably as convenient as any other approach.

The problem with relying on forcing folders sandboxed is that not all programs within that folder will run sandboxed. I discovered this several years ago with images and videos that are opened with Windows software by default - Windows Photo Viewer (Win 7) for images and Windows Media Player for videos. A workaround is to not have those programs as default and use third party software instead. But after discovering this "bypass" of Forced Folders, I lost confidence in the feature.

And the problem with relying on forcing programs sandboxed is that you can't actually force Windows Photo Viewer to run sandboxed. Again, the workaround is to use third party software. But personally, I try to minimise the number of third party software installations on my system.

With the method of opening a sandboxed explorer.exe window, you ensure everything you open in your Downloads folder will always run sandboxed.

After typing the above, I managed to dig out some stuff from my good old days (which I think still applies to this day):
http://ssj100.fullsubject.com/t88-newbi ... p-help#488
http://ssj100.fullsubject.com/t311-sand ... boxie#2499

The fact that some files can trigger a process just by hovering the mouse over the file was my inspiration to use the above security approach. Here's evidence of such a potential exploit:
https://blog.didierstevens.com/2009/03/ ... gger-trio/

And found a rather interesting thread on bypassing SRP, but I also discussed the above exploit and why I modified my security approach:
http://ssj100.fullsubject.com/t313p50-b ... g-srp#2664

I had a little laugh when I read that I used batch commands to move files! That was a bit inconvenient, and I stopped doing that quite a while ago!

Windows Photo Viewer

If in Windows 10, yes because this is a Metro app.

Same applies for Windows 8.1.

ssj100 wrote:I would suggest that the "best" way would be to have a "Downloads" folder where you download all files into. Then simply create a shortcut (sandboxed explorer.exe) to that folder.

Everyone will have slightly different approaches and setups, but with this method, you can guarantee that every file downloaded will always run sandboxed, and it's arguably as convenient as any other approach.

Sandbox man, using the sandboxed explorer is a great way for running downloads sandboxed. I feel like ssj about it being the safest way to run files sandboxed. I always use the sandboxed explorer ro run files that I download that I am not 100% sure what they are and pictures. Like he said, anything you navigate to with the sandboxed explorer is guarantee to run sandboxed.

Bo

I don't want the download to be outside SBIE environment at any time.Is this possible?
I would like the download, at all times, to be within SBIE environment. It would download
into SBIE then I would execute it from within SBIE environment ideally.

Example, I don't want this scenario: download to SBIE, Recover to Windows 8.1 downloads
folder (from SBIE), then Open download with SBIE from within Windows download folder
Instead I'm after: download to SBIE, Open file within SBIE, Delete Contents with SBIE (when finished)

Just about every browser available gives you the choice to run/open a downloaded file so that would be one way to go [any browser or program within SBIE will continue to operate in SBIE, including if a document you later open within requires a program that you may not have set to forced].

This next instance doesn't seem to be what you want so you can likely ignore this:
Another would be to ensure the target 'download' folder is a forced folder within SBIE [PAID] then launch it from there once it's downloaded. So unless you use Quick Recovery or OpenFilePath/OpenPipePath s the file will remain within SBIE. If you navigate to it with an unsandboxed program and intentionally open it there well, that would be your own fault.

If you download and open or RUN anything that was downloaded within a box via the boxed program(s), it will not start outside. If on the other hand you open up an (unsandboxed) explorer instance then navigate to the specific Sandbox folder followed by navigating to the download folder and copy it outside or otherwise launch it [I'm actually not sure how starting it within, from the unsandboxed program would be handled as I've never tried it but I wouldn't expect SBIE to do anything myself] there's a good chance whatever you open/run will be run outside if that folder hasn't been defined as forced.

In short, SBIE likely does exactly what you want already but it isn't 'User Proof'. Even if you define paths that are 'unprotected' so far as file changes there is no escaping [that I know of] a sandbox once a program is in it. This includes anything else this program launches/opens while it's inside [for that session]. The other instance I outlined is 'User Error'

While I'm one of those weird people that thinks transferring control of programs between boxes if rules are defined for both would be great I understand that it wouldn't be the easiest thing to pull off so I'm content with the way things are. Once in, always in! (Trademarked¿)

sanbox man wrote:I don't want the download to be outside SBIE environment at any time.Is this possible?
I would like the download, at all times, to be within SBIE environment. It would download
into SBIE then I would execute it from within SBIE environment ideally.

Example, I don't want this scenario: download to SBIE, Recover to Windows 8.1 downloads
folder (from SBIE), then Open download with SBIE from within Windows download folder
Instead I'm after: download to SBIE, Open file within SBIE, Delete Contents with SBIE (when finished)

I think just removing Downloads from Quick Recovery will accomplish this.

sanbox man wrote:I don't want the download to be outside SBIE environment at any time.Is this possible?
I would like the download, at all times, to be within SBIE environment. It would download
into SBIE then I would execute it from within SBIE environment ideally.

What we have suggested are the proper ways to continue running files/downloads sandboxed after downloading is over. But I think to do exactly what you want would be for you to go into C:\Sandbox and look for the download in there and execute it from there. If you do this, keep in mind that all exes will run sandboxed from there and most files you download will run sandboxed but not all.

You can also run files sandboxed without having them recovered by going to the Files and Folders view within the Sandboxie UI. Open that view for the sandbox you are using and look for the downloaded file. When you find it, right click it and click Run sandboxed.

To run files sandboxed either way I explained above, you need to be using a sandbox were the program that runs the file is allowed to run in Start Run restrictions.

Bo

ssj100 wrote: But personally, I try to minimize the number of third party software installations on my system.

Why?

ssj100 wrote: The fact that some files can trigger a process just by hovering the mouse over the file was my inspiration to use the above security approach. Here's evidence of such a potential exploit:
https://blog.didierstevens.com/2009/03/ ... gger-trio/

And found a rather interesting thread on bypassing SRP, but I also discussed the above exploit and why I modified my security approach:
http://ssj100.fullsubject.com/t313p50-b ... g-srp#2664

Thank you that was informative.

ssj100 wrote: I had a little laugh when I read that I used batch commands to move files! That was a bit inconvenient, and I stopped doing that quite a while ago!

Why did you stop?

Craig@Invincea wrote:

Windows Photo Viewer

...yes because this is a Metro app.

What technically prevents Metro Apps from being sandboxed? Why can't they be?

bo.elam wrote:...you need to be using a sandbox were the program that runs the file is allowed to run in Start Run restrictions.

Why don't some programs allow sandboxing? Why are they developed that way?

sanbox man wrote:

ssj100 wrote: But personally, I try to minimize the number of third party software installations on my system.

Why?

Simple answer is that more software means more chance for exploitation.

sanbox man wrote:

ssj100 wrote: I had a little laugh when I read that I used batch commands to move files! That was a bit inconvenient, and I stopped doing that quite a while ago!

Why did you stop?

As I said, it was a bit inconvenient. I also tend not to view newly introduced files in my Downloads folder with a REAL explorer instance until I'm relatively sure they're clean (eg. VirusTotal, EEK, Digital Signatures, File Hash etc)

sanbox man wrote:

bo.elam wrote:...you need to be using a sandbox were the program that runs the file is allowed to run in Start Run restrictions.

Why don't some programs allow sandboxing? Why are they developed that way?

sanbox man, Start Run restrictions are in Sandbox settings>Restrictions.

Bo

ssj100 wrote: I also tend not to view newly introduced files in my Downloads folder with a REAL explorer

This is what I was after. Which explorer do you use before then?

ssj100 wrote:...instance until I'm relatively sure they're clean (eg. VirusTotal, EEK, Digital Signatures, File Hash etc)

Virus Total is owned by Google - can they be trusted with privacy of files they scan I wonder?