Sandboxie Support

I'm not really sure that's the best subject, but it's the one I came up with. ;D

First thing first.

My operating system has two web browsers - IE and Chromium. IE is defined as the default web browser. I do not use IE for anything, at all. It's been forced to run in its sandbox, with Internet access blocked and Drop Rights enabled.

There's something I dislike in this approach, though - when I install/upgrade an application that iniciates Internet Explorer, forcing me to close the sandbox.

I think it would be great if I could define the sandbox to automatically terminate any process, as soon as they run in the sandbox. Plus, all this could be done minimized, that is, IE is started in the sandbox, but with its window minimized to the tray bar, during the all process, which shouldn't take more than a second to end. Would the latter be possible?


Thanks

You could just rightclick on the Sandbox and then Terminate Programs. I've had some issues individually terminating just IE for instance; I just terminate the whole SBIE session.

lylejk wrote:You could just rightclick on the Sandbox and then Terminate Programs. I've had some issues individually terminating just IE for instance; I just terminate the whole SBIE session.

But, that's what I want to avoid. Otherwise, I'd have to right-click the tray bar or open Sandboxie Control, and then right-click the respective sandbox and then kill it.

But, thanks anyway for the feedback!

I'm perfectly aware that this is not a top priority, in case tzuk considers it to be a nice feature. But, should he consider it to be OK, then it would be great to have such feature in versions to come. I know there are other priorities.

is_m00nbl00d wrote:It's been forced to run in its sandbox, with Internet access blocked and Drop Rights enabled. ... I think it would be great if I could define the sandbox to automatically terminate any process, as soon as they run in the sandbox.

Here's how I keep unwanted programs from running:

• 1. Force them all to run in a dedicated "NoRun" sandbox
  2. Set start/run access to only allow nonexistent.exe

Tada, nothing can run.

This approach has become a lot more pleasant since tzuk got rid of those csrss.exe pop-ups. Of course, if you're looking for a more permanent or robust method, SRP or AppLocker policies would probably be a better bet.

Mike wrote:

is_m00nbl00d wrote:It's been forced to run in its sandbox, with Internet access blocked and Drop Rights enabled. ... I think it would be great if I could define the sandbox to automatically terminate any process, as soon as they run in the sandbox.

Here's how I keep unwanted programs from running:

• 1. Force them all to run in a dedicated "NoRun" sandbox
  2. Set start/run access to only allow nonexistent.exe

Tada, nothing can run.

This approach has become a lot more pleasant since tzuk got rid of those csrss.exe pop-ups. Of course, if you're looking for a more permanent or robust method, SRP or AppLocker policies would probably be a better bet.

Hello Mike,

I appreciate your feedback, and will most definetely try what you suggest, regarding the sandbox.

Regarding AppLocker, I do have it in place. But, the reason why I don't forbid its execution, is due to the fact that, at some point, I may need to make use of IE, and elevate secpol.msc to remove prohibition, not to mention entering credentials for UAC. Having such an option within Sandboxie would make things a lot faster and easier, IMO.

@ Mike

I tried your suggestion, and it actually works simply great. I never thought about that option! One needs to hide the error message that appears, though. I just hope that, whenever I need to use IE, I remember about it. lol

_is_m00nbl00d wrote:@ Mike

I tried your suggestion, and it actually works simply great. I never thought about that option! One needs to hide the error message that appears, though. I just hope that, whenever I need to use IE, I remember about it. lol

-edit-

This does make me want to suggest something else, regarding this trick.

I have relatives using Sandboxie as well. Some of them do not make use of IE, except to access their bank account (under a different user account). The above trick would apply to all user accounts, that is, IE would be forced to run in its sandbox, but forbidden from running there.

It would be great if we could choose which user accounts to apply sandbox settings.

At some point I am planning to add a Sandbox Settings page that lets you select which user accounts can use a particular sandbox.

@_is_m00nbl00d: Glad it helped! For non-critical rules, I mostly prefer Sandboxie to AppLocker for the same reason, because it's easier and faster.

@tzuk: Although not a big deal, that would be a nice touch.

tzuk wrote:At some point I am planning to add a Sandbox Settings page that lets you select which user accounts can use a particular sandbox.

Sounds great!