Sandboxie Support

Are there any reasons to do one vs. the other? Performance perhaps?

Lets say I have 30 programs I want to sandbox, all under the same folder like "C\Programs", each program is in their own sub folder there, with many sub folders of their own, ect., basically hundreds of folders and thousands of files in total if I just Forced Folder "C\Programs".

I'd imagine it takes time for SB to parse all this and there will be performance hits, correct? So I should go the tedious way and manually add each .exe to the Forced Program list instead, right?

Also I guess this applies to Quick Recovery too, lets say 3 of my programs dump their settings to "C:\ProgramData\ProgramX(Y)(Z)" Would it be better to do one Quick Recovery Folder set to "C:\ProgramData" to cover them all, or should I do each individual folder?

Also is there a way to set up a Forced Folder (such as "C\Programs" but have SB only do .exe files and ignore all other fluff files like .ini files and .txt files?)

Hello Special,

There are several threads about ForceFolder/ForceProcess. Here are some that might help you :
viewtopic.php?p=106682#p106682
viewtopic.php?p=117909#p117909

Regarding using one over the other due to performance concerns, I received this response from the devs:

The Sandboxie driver decides (kernel based) to sandbox a process based on a number of factors: is the parent process sandboxed, is the process forced, is the path to the process forced ... and so on. To do this Sandboxie needs to look at every process launch on the system to determine to sandbox or not to sandbox by checking all the factors. Thus, there is no more overhead using forced folders. Technically, process folders will be a few microseconds faster since the path (forced folder) is checked before the process (forced process) is checked. Only one trigger is used to this.

ForceFolder is an all or nothing type of setting. You either Sandbox everything in the folder, or you don't (in which case you will need to use ForceProcess). Depending on what you are trying to do, these threads might come in handy:
viewtopic.php?p=63747#p63747
viewtopic.php?p=84974#p84974

Regards,
Barb.-

Barb@Invincea wrote: ↑

Fri Oct 27, 2017 10:56 am

Regarding using one over the other due to performance concerns, I received this response from the devs:

The Sandboxie driver decides (kernel based) to sandbox a process based on a number of factors: is the parent process sandboxed, is the process forced, is the path to the process forced ... and so on. To do this Sandboxie needs to look at every process launch on the system to determine to sandbox or not to sandbox by checking all the factors. Thus, there is no more overhead using forced folders. Technically, process folders will be a few microseconds faster since the path (forced folder) is checked before the process (forced process) is checked. Only one trigger is used to this.

Regards,
Barb.-

This is interesting, I would've figure it was the other way around here since being more "precise" in telling SB where to look would make it more efficient, but it also makes sense that by being more "general" with the pathing also lets SB just stop sooner without looking deeper into it, if that makes any sense. Or am I off base here?

EDIT: So I'm looking to revise my "Quick Recovery" setup, so would SB devs recommend just setting this location as "C:\Users\NAME\AppData" to cover any possible thing vs. a specific location like "C:\Users\NAME\AppData\Roaming\ProgramXYZ" where that is the folder your after?

Hello Special,

Per the dev's explanation above, Sandboxie checks for the path first, but the process for checking is still the same. You are saving microseconds if using ForceFolder vs ForceProcess, so it should not be a noticeable difference.

You can look at our documentation for Quick Recovery setups:
https://www.sandboxie.com/RecoverFolder
https://www.sandboxie.com/ShellFolders

Regards,
Barb.-

Okay, so basically just use whatever is easier and "cleaner" to setup.

In my opinion, is best to combine using both features and the sandboxed Windows explorer to sandbox all files and programs that run in your computer. For example, in my computers, all files that run, run sandboxed every time they run during their lifetime, in which sandbox and under which feature feature they run, depends where they are located. So, I dont choose using one feature over the other. Both have their place.

Bo

Like Bo said, I also used both to sandboxie my computer security, for example: I “forced program” run my browsers sandboxied and downloaded all files into my Downloads folder which I “forced folder”. Only when I am satisfied the downloaded files are cleaned with my anti-virus software do I move out of the “forced folder”.
Everything else run sandboxied.