Request: Start/Run Access Restriction allowing sandboxed exe

[kawaiiwolf]

Referencing the help pages ( http://www.sandboxie.com/index.php?Rest ... s#startrun ), I we find the text:

When any Start/Run restrictions are in effect, programs that are installed (or downloaded) into the sandbox will never be allowed to start or run.

This works well for applications installed outside a sandbox and run within, but I found it doesn't work for what I need it to do. Mostly I tend to install programs INTO a sandbox for the purposes of disk/registry/program isolation. I would like to, for example, be able to:

1. Install an application into a freshly created sandbox, such as firefox.
2. Ensure that application (installed in the sandbox) is the only application allowed to run within the sandbox. Mostly this is to make sure other programs aren't accidentally run within and to prevent any applications from being maliciously used to alter the contents of said sandbox (such as malware).

Note: Installing outside the sandbox is a last resort, I wish to keep my base windows install as uncluttered as possible. While a portable version of the example application (firefox) exists that can run without installation, not all applications can do this.

So time for the request: Can we get a checkbox on the Start/Run Access Restrictions tab of the Sandbox Settings to allow executables (installed/located within the sandbox) to run within so long as they match the whitelist in the aforementioned settings tab ?

[Craig@Invincea]

You can create a sandbox just for Firefox. Install into there.

You can have as many sandboxes as you like, but only one can be active at anyone time in the shareware version.

When you have a program to start as forced, it will always force into the DefautSandbox

When you run other programs (not forced) you are provided with a pop up box to select the sandbox to run the application in.

While most programs can be installed directly within a sandbox, there are ones that cannot be. (Office, Programs requiring driver installation, services, etc.)

[kawaiiwolf]

Ohh I understand that, and I've got about a dozen or so sandboxes for just such purposes with a lifetime license (firefox as an example, one of them). What I want to do is ensure that no applications OTHER than what is specified can run within them.

In said example, I only want firefox.exe (in addition to explorer.exe, dllhost.exe and rundll32.exe) to be able to run into said sandbox. I don't want it opening up other software to open up files it may download, nor running executables within that sandbox that are downloading using it. Right now this is only possible if you install firefox outside a sandbox and run it within. I wish to install and run it within while still preventing other applications that are not white-listed from running.

[RooJ]

Hi kawaiiwolf,

I think the security issue here is that there's nothing stopping a compromised application naming all of it's executables (or any application on your system) "firefox.exe" and then running it. A compromised application doesn't even need to read your sandboxie config to check the whitelist, it can just check the process name it's currently running under. Granted this would all happen sandboxed but it completely defeats the purpose of the setting. As sandboxie doesn't work on hash values (at least in the config) I'm not sure there would be an easy way to secure it.

Far from ideal but you can achieve something similar with a workaround while you wait for an official response.

As an example take firefox; Install firefox in the sandbox as you normally would. Once installed recreate the path to the main executable on your REAL system. For instance create the folder "C:\program files\mozilla\firefox" on your real system. Now copy firefox.exe (just that one exe) from the sandbox to the location you just created and delete it from the sandbox, leave all other files alone.

You can now run the exe sandboxed as it's not actually within the sandbox on launch. Just remember to move the new exe out after each firefox update.

You could also store the firefox exe in a seperate sandbox if you didn't want it on your main system, but I think you'd need to modify the current working directory or maintain a full mirrored install in order for it to work properly.

[kawaiiwolf]

This solution ended out working out pretty well ! I made a "C:\Sandbox Program Files\" Folder and had the sandboxed programs install there (within their respective sandboxes) and copied the exes out of the sandbox into the bare drive. Another sandbox uses that location as a forced folder, ensuring that anything in there is being run in SOME sandbox. This also has the added benefit of allowing you to register a file type on the bare system with an application installed in a sandbox. You just have to change the the registry class ( win10: CLASSES > Application > something.exe > ... ) to open with sandboxie's "Start.exe /box:BoxName". It's about as isolated as you're gonna get while still being able to register applications to double-click shell handlers.

[RooJ]

Nice, glad to hear it helped.

Just remember there's a slight security issue with installing something like a web browser inside a sandbox due to the fact you won't be clearing the sandbox after each use.
If the browser is compromised at some point (and if not picked up by other security products) it can remain compromised from that moment onwards. Malware could add code to legitimate browser DLL's or the browser exe for instance and then monitor activity each time the browser is in use.
In a situation where the browser binaries are outside of the sandbox and the sandbox is regularly cleared this can't happen.

There are workaround's to this too of course but thought it was worth mentioning.

[Craig@Invincea]

That's an excellent point. Compromised browser is a compromised browser. While your PC is safe, the browser may not be that's directly installed in that sandbox. Malware that needs a driver won't be an issue as a driver cannot be installed in the SB. You can always invoke blockedfilepath to add a layer between you and sensitive areas on your PC.

But it's best to delete the contents, or be even more mindful.

[kawaiiwolf]

A compromised browser is low on my list of priorities, and I used it here as an easy example. What I'm really interested in is data/process isolation. "Uninstalling" a program is as simple as deleting the sandbox it resides in; I'm much more concerned with programs clogging up and worming into who knows where in a hard disk or registry and by using sandboxie, it ensures it's gone when I want it gone. It also insures an install can't try to jack into browsers, startup and the windows shell with any real success, keeping my system clean and relatively annoyance free.

I realize the intended use case is to isolate a running application, "Trust no program" ... however I'm taking it to the point where I find the installers more dangerous to trust than the application itself. I don't know how many other users there are like this but sandboxie works quite well to that end, better than any other application I've seen.

[TimW]

My understanding is that SB needs to first know a drive letter in order to create the forced folder/forced disk settings.
I see posts from 2010 that mention the USBDLM program which allows a user to manage drive letters. That program is still under active development and works well on Win 10 Pro. http://www.uwe-sieber.de/usbdlm_e.html

[Craig@Invincea]

A compromised browser is low on my list of priorities, and I used it here as an easy example. What I'm really interested in is data/process isolation. "Uninstalling" a program is as simple as deleting the sandbox it resides in; I'm much more concerned with programs clogging up and worming into who knows where in a hard disk or registry and by using sandboxie, it ensures it's gone when I want it gone. It also insures an install can't try to jack into browsers, startup and the windows shell with any real success, keeping my system clean and relatively annoyance free.

I realize the intended use case is to isolate a running application, "Trust no program" ... however I'm taking it to the point where I find the installers more dangerous to trust than the application itself. I don't know how many other users there are like this but sandboxie works quite well to that end, better than any other application I've seen.

The fact you cannot install a driver in the SB also makes all the more difficult for different vectors of malware.