First of all, thank you for the reply and thanks to everyone involved in the Sandboxie-Plus development. I have to admit I have not been able to find the box creation wizard in the GUI (I'm using version 1.5.3).
I tried anyway to set up some boxes, to get some practice:
- the disposable browser one: using "hardened sandbox with data protection" to restrict the runnable programs in the sandbox to only the chosen browser and denying access to the disks shouldn't prevent browser hijacking, but at least it shouldn't be easy to pivot from the browser to host folders, and it should also be harder to be subjected to "living off the land" attacks.
- the external device one: it's basically an offline "security hardened box" that sees the host in read-only mode only; internal files can be exfiltrated (not by just copying them, but by creating a copy after having opened them) but not altered; the only issue is that it seems it's not able to open images: error "Class not registered" when the default app is Windows Photos.
- I also tried to set up a sandbox to open suspicious attachments; I know this is never a good idea (and actually I am never forced to do it), but it's mainly supposed to be a way to familiarize myself with the program. The purpose is to have a sandbox restricted to the Downloads folder (assuming it is the most common one for the intended use) that doesn't connect to the internet, doesn't allow malicious code to exit the sandbox, but can open the most common file types (docs, pdf, images, video, etc.), without saving any permanent data. I also wanted to start up Malwarebytes and eventually also the discontinued VirusTotal Uploader desktop app at sandbox start-up (not in the sandbox), just to remind the user to scan the files before opening them.
I came up with the following ini that is not working properly, due to some misconfiguration:
Enabled=y
BlockNetworkFiles=y
BorderColor=#ff00aa,ttl,6
ConfigLevel=9
UseSecurityMode=y
UsePrivacyMode=y
DropAdminRights=y
ClosedFilePath=<BlockNetDevices>,InternetAccessDevices
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
BoxNameTitle=n
CopyLimitKb=81920
AutoDelete=y
AllowNetworkAccess=<BlockNetAccess>,n
ClosePrintSpooler=y
OpenClipboard=n
DisableResourceMonitor=y
MonitorAdminOnly=y
NormalFilePath=<StartRunAccess>,C:\ProgramData
NormalFilePath=<StartRunAccess>,%userprofile%\AppData
StartProgram=C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
NormalIpcPath=<StartRunAccess>,*
ReadIpcPath=!<StartRunAccess>,*
BreakoutFolder=C:\Sandbox
BreakoutFolder=C:\Program Files\Sandboxie-Plus
BreakoutFolder=C:\Program Files\Malwarebytes\
ReadFilePath=<StartRunAccess>,%userprofile%\Downloads
ProcessGroup=<StartRunAccess>,7zFM.exe,acrobat.exe,brave.exe,excel.exe,explorer.exe,kleopatra.exe,mbam.exe,mpc-hc64.exe,notepad.exe,notepad++.exe,onenote.exe,OpenWith.exe,paintdotnet.exe,powerpnt.exe,sandman.exe,start.exe,vlc.exe,winword.exe,wmplayer.exe
FakeAdminRights=y
OpenDevCMApi=y
OpenFilePath=explorer.exe,*
OpenFilePath=sandman.exe,*
OpenFilePath=start.exe,*
OpenFilePath=mbam.exe,*
The error I get is:
Start.exe (4352): SBIE2112 Object is not accessible: \KnownDlls\kernel32.dll, call OpenSection (C0000022) access=0000000D initialized=1.
I can only guess it's a kernel access problem, but my knowledge stops there... any hints?
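Since the question is about which rules apply to which programs, here is an added helper (my own code, not part of this post or of Sandboxie-Plus) that parses Key=Value box settings and reports the `<Group>` tokens referenced without a ProcessGroup definition in the same box, plus the programs given `OpenFilePath=prog,*`. It assumes Sandboxie's documented behaviour that a referenced but undefined group is treated as empty, which is intentional for blanket `!<Group>` rules, so a listed group is something to confirm (it may also be defined in the global section or a template), not automatically an error.

```python
import re

# Constructed excerpt of the box settings posted above (same keys and
# values, trimmed to the lines that mention process groups or programs).
BOX_INI = """\
Enabled=y
ClosedFilePath=<BlockNetDevices>,InternetAccessDevices
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
AllowNetworkAccess=<BlockNetAccess>,n
NormalFilePath=<StartRunAccess>,C:\\ProgramData
ReadFilePath=<StartRunAccess>,%userprofile%\\Downloads
NormalIpcPath=<StartRunAccess>,*
ReadIpcPath=!<StartRunAccess>,*
ProcessGroup=<StartRunAccess>,7zFM.exe,explorer.exe,mbam.exe,sandman.exe,start.exe
OpenFilePath=explorer.exe,*
OpenFilePath=mbam.exe,*
"""

# A leading "!" negates the group: the rule applies to every program NOT in it.
GROUP_TOKEN = re.compile(r"^(!?)<([^>]+)>$")

def parse_box(text):
    """Split Key=Value lines into ProcessGroup definitions, <Group>
    references and per-program settings of the form Key=program.exe,value."""
    groups, refs, per_program = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        parts = [p.strip() for p in value.split(",")]
        first = parts[0]
        m = GROUP_TOKEN.match(first)
        if key == "ProcessGroup" and m:
            groups.setdefault(m.group(2), []).extend(p for p in parts[1:] if p)
        elif m:
            refs.append((key, m.group(2), m.group(1) == "!", parts[1:]))
        elif len(parts) > 1 and first.lower().endswith(".exe"):
            per_program.append((key, first.lower(), parts[1:]))
    return {"groups": groups, "refs": refs, "per_program": per_program}

def implicit_empty_groups(box):
    """Groups referenced but never defined in this box. My understanding of the
    Sandboxie docs: such a group is empty, so '!<Group>' rules hit every
    program, while a non-negated rule such as AllowNetworkAccess=<Group>,n
    then applies to no program at all."""
    return sorted({name for _, name, _, _ in box["refs"]} - set(box["groups"]))

def full_host_access(box):
    """Programs granted OpenFilePath=prog,* i.e. unrestricted writes to the host;
    these are the first rows to review when a box is meant to contain malware."""
    return sorted({prog for key, prog, vals in box["per_program"]
                   if key == "OpenFilePath" and vals == ["*"]})
```

Running it over the excerpt lists BlockNetAccess, BlockNetDevices and InternetAccess as groups with no ProcessGroup line in the box, and explorer.exe and mbam.exe as the programs with full host access.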