Default sandboxes

Zigul

New member
A humble suggestion: why not include, besides DefaultBox, other sandboxes already preconfigured for specific cases? It's great to be able to customize each new sandbox, but for the average (or just lazy) user it could be good to have out of the box (no pun intended) a sandbox for a disposable browser, another one for external devices, another one for games, another one for office work, etc., each with a specific configuration. For example, the "disposable browser" one cannot access the sensitive folders and deletes all its content as soon as it's closed; the "external devices" one can use internal programs to open files but can't access the internet and keeps the system as isolated as possible, whereas the "office docs" one can use only productivity programs and can also access the web; and so on, I'm just brainstorming... Obviously these preconfigured sandboxes would be a friendly base for further customizations, making their setup process quicker.
 
Thank you for trying to improve Sandboxie's usability. This could indeed be helpful to end users.

Back then, I had the idea to start with two boxes, the default box and the restricted box, which was different from what it is today. (It used to be like the default with restrictions, like programs dropping their rights, which still can be done, but is strict enough to be labeled as a security hardened box.) The developer wanted to stick to one default box.

This was also before there was a box creation wizard and a troubleshooting wizard. There have been ideas to extend one of the wizards or both, or have another wizard to help the user set up boxes that are best suited for their use case. They still can't be lazy, since they will not use it.

There would still be configuration needed in some or even most cases, but overall some form of what you describe can be better than the current state. Unfortunately, no one can see how users are handling Sandboxie-Plus and if it would make them get into the program better or if they end up confused, in one way or the other.
 
First of all, thank you for the reply and thanks to everyone involved in the Sandboxie-Plus development. I have to admit I have not been able to find the box creation wizard in the GUI (I'm using version 1.5.3).
I tried anyway to set up some boxes, to practice:
- the disposable browser one: using "hardened sandbox with data protection" to restrict the runnable programs in the sandbox to only the chosen browser and denying access to the disks shouldn't prevent browser hijacking, but at least it shouldn't be easy to pivot from the browser to host folders and it should also be harder to be subjected to "living off the land" attacks.
- the external device one: it's basically an offline "security hardened box" that sees the host in read-only mode only; internal files can be exfiltrated (not by just copying them, but by creating a copy after having opened them) but not altered; the only issue is that it seems it's not able to open images: error "Class not registered" when the default app is Windows Photos.
- I also tried to set up a sandbox to open suspicious attachments; I know this is never a good idea (and actually I am never forced to do it), but it's mainly supposed to be a way to familiarize myself with the program. The purpose is to have a sandbox restricted to the Downloads folder (assuming it is the most common one for the intended use) that doesn't connect to the internet, doesn't allow malicious code to exit the sandbox, but can open the most common file types (docs, pdf, images, video, etc.), without saving any permanent data. I also wanted to start up Malwarebytes and eventually also the discontinued VirusTotal Uploader desktop app at sandbox start-up (not in the sandbox), just to remind the user to scan the files before opening them.
I came up with the following ini, which is not working properly due to some misconfiguration:

Enabled=y
BlockNetworkFiles=y
BorderColor=#ff00aa,ttl,6
ConfigLevel=9
UseSecurityMode=y
UsePrivacyMode=y
DropAdminRights=y
ClosedFilePath=<BlockNetDevices>,InternetAccessDevices
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
BoxNameTitle=n
CopyLimitKb=81920
AutoDelete=y
AllowNetworkAccess=<BlockNetAccess>,n
ClosePrintSpooler=y
OpenClipboard=n
DisableResourceMonitor=y
MonitorAdminOnly=y
NormalFilePath=<StartRunAccess>,C:\ProgramData
NormalFilePath=<StartRunAccess>,%userprofile%\AppData
StartProgram=C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
NormalIpcPath=<StartRunAccess>,*
ReadIpcPath=!<StartRunAccess>,*
BreakoutFolder=C:\Sandbox
BreakoutFolder=C:\Program Files\Sandboxie-Plus
BreakoutFolder=C:\Program Files\Malwarebytes\
ReadFilePath=<StartRunAccess>,%userprofile%\Downloads
ProcessGroup=<StartRunAccess>,7zFM.exe,acrobat.exe,brave.exe,excel.exe,explorer.exe,kleopatra.exe,mbam.exe,mpc-hc64.exe,notepad.exe,notepad++.exe,onenote.exe,OpenWith.exe,paintdotnet.exe,powerpnt.exe,sandman.exe,start.exe,vlc.exe,winword.exe,wmplayer.exe
FakeAdminRights=y
OpenDevCMApi=y
OpenFilePath=explorer.exe,*
OpenFilePath=sandman.exe,*
OpenFilePath=start.exe,*
OpenFilePath=mbam.exe,*

The error I get is:
Start.exe (4352): SBIE2112 Object is not accessible: \KnownDlls\kernel32.dll, call OpenSection (C0000022) access=0000000D initialized=1.
I can only guess it's a kernel access problem, but my knowledge stops there... any hints?
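As an added example (not code from this thread or from the Sandboxie-Plus project), a small Python helper that parses a box section like the one posted above and reviews it against the goals stated in the post: offline, nothing persisted, nothing able to leave the box. The meaning it gives to AutoDelete, AllowNetworkAccess, OpenFilePath=program,* and BreakoutFolder is my reading of the Sandboxie ini semantics, and SAMPLE_BOX is a constructed subset of the posted settings, not the full section.

```python
from collections import defaultdict

# Constructed excerpt of the box settings posted above (a subset, not the
# poster's full section); backslashes are doubled for the Python literal.
SAMPLE_BOX = """\
Enabled=y
AutoDelete=y
AllowNetworkAccess=<BlockNetAccess>,n
ReadFilePath=<StartRunAccess>,%userprofile%\\Downloads
ProcessGroup=<StartRunAccess>,7zFM.exe,explorer.exe,mbam.exe,start.exe
BreakoutFolder=C:\\Program Files\\Malwarebytes\\
OpenFilePath=explorer.exe,*
OpenFilePath=mbam.exe,*
"""

def parse_box(text):
    """Box sections repeat keys (several OpenFilePath lines), so keep every value."""
    settings = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()].append(value.strip())
    return settings

def review_box(settings):
    """Findings relative to an offline, disposable, contained box (my reading of the keys)."""
    findings = []
    if "y" not in settings.get("AutoDelete", []):
        findings.append("AutoDelete is not 'y': box contents persist after close")
    if not any(v.endswith(",n") for v in settings.get("AllowNetworkAccess", [])):
        findings.append("no AllowNetworkAccess=...,n: network is not denied")
    # ProcessGroup=<StartRunAccess>,a.exe,b.exe lists what may start in the box
    groups = {}
    for v in settings.get("ProcessGroup", []):
        name, *members = v.split(",")
        groups[name] = {m.strip().lower() for m in members}
    runnable = groups.get("<StartRunAccess>", set())
    for v in settings.get("OpenFilePath", []):
        prog, sep, path = v.partition(",")
        if not sep:                       # no program prefix: rule applies to all
            prog, path = "*", prog
        # a bare '*' path gives that program direct access to every host file,
        # which undercuts the containment goal for anything the box may run
        if path.strip() == "*" and (prog == "*" or prog.lower() in runnable):
            findings.append(f"OpenFilePath={v}: direct access to all host files")
    for v in settings.get("BreakoutFolder", []):
        findings.append(f"BreakoutFolder={v}: programs started there run outside the box")
    return findings
```

Running review_box(parse_box(SAMPLE_BOX)) reports the two wildcard OpenFilePath rules and the BreakoutFolder entry, while the AutoDelete and network settings pass.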
 
The box creation wizard got added with version 1.7.1.

At the time of writing, Sandboxie-Plus 1.11.2 is the latest release.

You can scan files with some tools, using a function that got added to Sandboxie-Plus. Please take a look at this comment. It can work with other software.

One recent update was an addon manager where the combination of sigcheck and the PowerShell script can be downloaded, so that only files without any negative result on VirusTotal are recovered.
 
Using "check for update" in the help menu kept me stuck with that old version, which kept saying there were no new updates; anyway, my bad for not checking the site. Just installed the latest version, I'll enjoy the new functions, thank you.
 
Zigul said:
Using "check for update" in the help menu kept me stuck with that old version, which kept saying there were no new updates; [...]

I am not sure whether your old version was still supposed to find an update, since there was a change in the update mechanism. It certainly would have been helpful if that had still worked. This should not happen anymore: the update format got changed, allowing for different types of updates, like only looking for stable releases or preview versions.
 
I'm a PowerShell noob, however I added the following lines to the script you linked above:

# pick the "VT link: <url>" line out of the sigcheck output, drop the
# 9-character "VT link: " prefix and trim any stray tab or space
$VTlink = ($sigcheck | findstr /C:"VT link").Substring(9).Trim()
# clip.exe produces no output, so assign first and then pipe to the clipboard
$VTlink | clip
Write-Host "`n (LINK COPIED)"

so as to have, in case the file signature is unknown to the VT database, the link to the exact VT scan page copied to the clipboard, ready to be pasted into the browser to check the results online.
 