Force instant termination of a process

Posted: Fri Mar 25, 2011 9:58 pm
by is_m00nbl00d
I'm not really sure that's the best subject, but it's the one I came up with. ;D

First thing first.

My operating system has two web browsers - IE and Chromium. IE is defined as the default web browser. I do not use IE for anything, at all. It's been forced to run in its sandbox, with Internet access blocked and Drop Rights enabled.

There's something I dislike in this approach, though - when I install/upgrade an application that initiates Internet Explorer, forcing me to close the sandbox.

I think it would be great if I could define the sandbox to automatically terminate any process, as soon as they run in the sandbox. Plus, all this could be done minimized, that is, IE is started in the sandbox, but with its window minimized to the tray bar, during the whole process, which shouldn't take more than a second to end. Would the latter be possible?


Thanks

Posted: Fri Mar 25, 2011 10:39 pm
by lylejk
You could just right-click on the Sandbox and then Terminate Programs. I've had some issues individually terminating just IE for instance; I just terminate the whole SBIE session. :)

Posted: Fri Mar 25, 2011 11:21 pm
by _is_m00nbl00d
lylejk wrote:You could just right-click on the Sandbox and then Terminate Programs. I've had some issues individually terminating just IE for instance; I just terminate the whole SBIE session. :)
But, that's what I want to avoid. Otherwise, I'd have to right-click the tray bar or open Sandboxie Control, and then right-click the respective sandbox and then kill it.

But, thanks anyway for the feedback! :)

I'm perfectly aware that this is not a top priority, in case tzuk considers it to be a nice feature. But, should he consider it to be OK, then it would be great to have such feature in versions to come. I know there are other priorities.

Posted: Sat Mar 26, 2011 2:24 am
by Mike
is_m00nbl00d wrote:It's been forced to run in its sandbox, with Internet access blocked and Drop Rights enabled. ... I think it would be great if I could define the sandbox to automatically terminate any process, as soon as they run in the sandbox.
Here's how I keep unwanted programs from running:
  1. Force them all to run in a dedicated "NoRun" sandbox
  2. Set start/run access to only allow nonexistent.exe
Tada, nothing can run.

This approach has become a lot more pleasant since tzuk got rid of those csrss.exe pop-ups. Of course, if you're looking for a more permanent or robust method, SRP or AppLocker policies would probably be a better bet.
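
The two steps described in the post above, written out as a Sandboxie.ini fragment. This is an added example, not part of the original post: the sandbox name and nonexistent.exe come from the thread, while iexplore.exe as the forced program and the two optional lines at the end are assumptions.

```ini
# Sandboxie.ini fragment (constructed example)
[NoRun]
Enabled=y

# Step 1: force the unwanted program into the dedicated sandbox.
# iexplore.exe is assumed here because it is the program discussed in the thread.
ForceProcess=iexplore.exe

# Step 2: restrict Start/Run Access to a single name that matches no real
# program. Anything outside the <StartRunAccess> group is denied, so a
# forced program is stopped as soon as it starts in this sandbox.
ProcessGroup=<StartRunAccess>,nonexistent.exe
ClosedIpcPath=!<StartRunAccess>,*

# Optional (assumption: your Sandboxie version supports this setting):
# suppress the "start/run access denied" message for this sandbox.
NotifyStartRunAccessDenied=n

# Optional: Drop Rights, as in the original poster's setup.
DropAdminRights=y
```

To use the program again, remove or comment out the ForceProcess line (or the two Start/Run Access lines) and reload the configuration.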

Posted: Sat Mar 26, 2011 10:19 am
by is_m00nbl00d
Mike wrote:
is_m00nbl00d wrote:It's been forced to run in its sandbox, with Internet access blocked and Drop Rights enabled. ... I think it would be great if I could define the sandbox to automatically terminate any process, as soon as they run in the sandbox.
Here's how I keep unwanted programs from running:
  1. Force them all to run in a dedicated "NoRun" sandbox
  2. Set start/run access to only allow nonexistent.exe
Tada, nothing can run.

This approach has become a lot more pleasant since tzuk got rid of those csrss.exe pop-ups. Of course, if you're looking for a more permanent or robust method, SRP or AppLocker policies would probably be a better bet.
Hello Mike,

I appreciate your feedback, and will most definitely try what you suggest, regarding the sandbox. :)

Regarding AppLocker, I do have it in place. But, the reason why I don't forbid its execution, is due to the fact that, at some point, I may need to make use of IE, and elevate secpol.msc to remove prohibition, not to mention entering credentials for UAC. Having such an option within Sandboxie would make things a lot faster and easier, IMO.

Posted: Sat Mar 26, 2011 11:10 am
by _is_m00nbl00d
@ Mike

I tried your suggestion, and it actually works simply great. I never thought about that option! One needs to hide the error message that appears, though. I just hope that, whenever I need to use IE, I remember about it. lol

Posted: Sat Mar 26, 2011 11:16 am
by _is_m00nbl00d
_is_m00nbl00d wrote:@ Mike

I tried your suggestion, and it actually works simply great. I never thought about that option! One needs to hide the error message that appears, though. I just hope that, whenever I need to use IE, I remember about it. lol
-edit-

This does make me want to suggest something else, regarding this trick.

I have relatives using Sandboxie as well. Some of them do not make use of IE, except to access their bank account (under a different user account). The above trick would apply to all user accounts, that is, IE would be forced to run in its sandbox, but forbidden from running there.

It would be great if we could choose which user accounts to apply sandbox settings.

Posted: Sat Mar 26, 2011 5:59 pm
by tzuk
At some point I am planning to add a Sandbox Settings page that lets you select which user accounts can use a particular sandbox.

Posted: Sat Mar 26, 2011 8:05 pm
by Mike
@_is_m00nbl00d: Glad it helped! For non-critical rules, I mostly prefer Sandboxie to AppLocker for the same reason, because it's easier and faster.

@tzuk: Although not a big deal, that would be a nice touch.

Posted: Sun Mar 27, 2011 6:33 am
by SnDPhoenix
tzuk wrote:At some point I am planning to add a Sandbox Settings page that lets you select which user accounts can use a particular sandbox.
Sounds great! :D