Sandboxie and Sandboxing explained

One purpose for Sandboxing applications is a method to prevent any permanent damage to your system caused by malware. The basic idea is that you prevent the malware from having access to your real system by having the sandbox pretend to be the real operating system. Applications that run inside the sandbox don't know they do not have direct access to the OS or any direct access to other system resources.

Sandboxie is somewhat different from the usual sandbox program since it does not virtualize everything. It virtualizes only the resources that are requested by the programs running inside the sandbox. The Sandboxie website lists these resources as; Files, Disk Devices, Registry Keys, Process and Thread objects, Driver objects, and objects used for Inter-process communication such as Named Pipes and Mailbox Objects, Events, Mutexs , Semaphores, Sections and LPC Ports. Its worth noting that because Sandboxie does not allow loading drivers within the sandbox and refuses access to the Service Control Manager, rootkits cannot be installed.

The benefits of Sandboxie compared to a sandbox application like Returnil are mostly convenience. You don't have to reboot to run a program in a sandbox, and conversely you don't have to reboot to get out of the sandbox. An example of this is CrossOver Mac where it looks like windows applications are running natively within the Mac OS or andLinux where Linux applications appear to run natively within the Windows environment. In reality, neither applications running in CrossOver nor andLinux are running natively. They are running in what I think of as a blended mode, the application itself is being virtualized with only the native OS resources required to run the application. Sandboxie performs in the same way. It blends sandboxed applications into the non-sandboxed environment.

An application can be preset to run in a sandbox so that every time you start it, it runs in the sandbox, automatically starting the sandbox if necessary. Also in any program like explorer you can right click and choose run in sandbox. Any application that is started by an application running in the sandbox is also started in that sandbox. You can also run multiple sandboxes to isolate sandboxed programs. When the last sandboxed application is closed you can use a third party application to securely delete the sandbox.

Using Sandboxie you can define exceptions for applications to have access to specific resources outside of the sandbox. For example, you can allow your browser access to the actual file (or folder) where bookmarks are stored so that you don't lose any bookmarks when the sandbox is deleted. Exceptions can be made for almost any system resource. You can also define Quick Recovery folders (e.g. a folder where you store your downloaded files) to have Sandboxie prompt you to save a file outside of the sandbox. This is useful if you will be deleting the sandbox but don't want to lose a downloaded file. Access to resources outside of the sandbox can be denied as well. By configuring the ClosedFilePath and ClosedKeyPath settings within each sandbox's options you can deny access to any resource that you do not want the sandboxed applications to see. By default sandboxed applications have read only access to the file system and registry.

The drawback of Sandboxie (and similar programs) is that it is theoretically possible to write an exploit that bypasses the sandbox protection. If that happens then it's possible that a malicious program could do as much damage to your system as an application running outside of a sandbox. A sandbox application that virtualizes the entire OS and all resources like Returnil is more (but not entirely) immune to this presuming that at some point you save anything outside the sandbox.

An example Sandboxie setup is to configure two sandboxes. The first sandbox contains internet applications (the highest risk). The second contains applications that are untrustworthy or that are being tested. The first sandbox is automatically deleted each time after use. The second is for longer term use and is only deleted manually.

Hope this is what you were looking for Leo! Yes Seti, I know it's too long :)

Cith

Thank you so much Cithel,
yours is more than a tutorial, I also appreciate the comparison you made among different programs and different Operating Systems.
Excellent.
I personally do not mind if a text is too long or too short, I'm only interested in well written texts

Nice tutorial man

I too appreciate SandBoxie in most cases, but unfortunately forced features are annoying.

1) If you want to open always IE as sandboxed, you have need to sandbox also connected MS applications as Word and Windows Mail. I must do it, simply.
2) No possibility to exclude more sites you are visiting from sandboxing.

Except these things, I'm enough satisfied.

Got the first bit my friend simple explaination, well explainned. I think you needed to go on a bit from that and you did well with the rest. Some times you need length to put the quality in so I'll give you full marks this time:lol::lol: Interesting post as I said

Nice write up. Thank you Cith. I was always wondering to what extent you get a similar protection of the host system when using a virtual partition. I used Sandboxie and virtual partition (vBox) and find the handling of the virtual partition a lot more convenient.

Quote:

---

Originally Posted by Max_Payne

1) If you want to open always IE as sandboxed, you have need to sandbox also connected MS applications as Word and Windows Mail. I must do it, simply.
2) No possibility to exclude more sites you are visiting from sandboxing.

---

If I understand what you are saying, no that's not quite right. If you open any program from another program in the sandbox it is automatically sandboxed, as it should be, but that doesn't preclude you from running that same app outside the sandbox. I'm not sure why you would ever want to run Windows mail outside of a sandbox either presuming it connects to the internet.

As far as choosing which websites you sandbox that is correct, sandboxing is done at the application level. I'm not sure why you would need to exclude a public website from the sandbox since with third party advertising or the chance of the site being hijacked any website can be potentially dangerous.

Quote:

---

Originally Posted by seti

Some times you need length to put the quality in so I'll give you full marks this time

---

Thanks my friend! The whole time I was typing I was thinking "Seti is going to think this is way to long" :lol:

Quote:

---

Originally Posted by Cithel

If I understand what you are saying, no that's not quite right. If you open any program from another program in the sandbox it is automatically sandboxed, as it should be, but that doesn't preclude you from running that same app outside the sandbox. I'm not sure why you would ever want to run Windows mail outside of a sandbox either presuming it connects to the internet.

As far as choosing which websites you sandbox that is correct, sandboxing is done at the application level. I'm not sure why you would need to exclude a public website from the sandbox since with third party advertising or the chance of the site being hijacked any website can be potentially dangerous.

---

Of course I don't want a sandboxed Word or Win Mail when I have only IE forced in a sandbox... and a user must have possibility to choice applications to be sandboxed. You know that there are these limitations because IE itself has more dependencies.
An additional option to avoid to open other connected applications as sandboxed, available per browser, would be appreciated imho.

There are also Microsoft sites as Windows Update, not always websites potentially dangerous. I know that there is a feature to disable temporarily forced programs, but I think that it's not intuitive for all, i.e. I don't remember never to use it.

Fortunately some time ago I found an unofficial tip:

www.sandboxie.com :: View topic - Unsandboxed Windows Update shortcut (with IE forced)

However I prefer a better implementation with an exclusion list for Windows Update/Microsoft Update/and similar.

Quote:

---

Originally Posted by Max_Payne

Of course I don't want a sandboxed Word or Win Mail when I have only IE forced in a sandbox... and a user must have possibility to choice applications to be sandboxed. You know that there are these limitations because IE itself has more dependencies.

---

First if an application is connecting to the internet why would you not want it sandboxed??? What downside is there to running as safely as possible?

Second, you do have choice, not sure what you don't understand about that. Sandboxie does not require you to run an application in a sandbox. Sandboxie creates shortcuts for IE and Firefox to start in a sandbox. There is nothing keeping you from running either program outside the sandbox simply by starting it from the default shortcuts unless you manually configure Sandboxie to start all instances of an application in a sandbox. I don't see where you are being forced to do anything.

Since when is IE dependent on word or other office applications? In older office installations office apps were dependent on IE to a degree but now office apps do not depend on IE. Especially since IE is no longer built into the OS due to anti-trust lawsuits.

I know that I run office apps both in and out of the sandbox without any special configuration. I know that I want any spawned application or any email application (or any other application where I have downloaded files or email attachments) to be sandboxed. Especially any application that has scripting capabilities built into them such as VBS in Office. Why would you NOT want that protection when opening data from the internet?

Quote:

---

Originally Posted by Max_Payne

An additional option to avoid to open other connected applications as sandboxed, available per browser, would be appreciated imho.

---

Sorry, I have no idea what you are talking about. Connected applications? Per browser? Like Opera or Firefox? Other than older versions of IE what is "connected" to anything? If you are talking about reusing objects then instantiated objects are no different than encapsulated objects for the purpose of this conversation, both should be sandboxed when called from a program that its connected to the public network. Like I've said before, exceptions can be made to save specific files so, again, why would someone not want that protection?

Quote:

---

Originally Posted by Max_Payne

There are also Microsoft sites as Windows Update, not always websites potentially dangerous. However I prefer a better implementation with an exclusion list for Windows Update/Microsoft Update/and similar.

---

Frankly this would be a nightmare to program in any modern tabbed browser. How would you sandbox part of an application? One tab not in a sandbox if it is windows update but this other tab showing some other website is sandboxed in the same application. Having the sandbox software manage that sort of thing would be horribly inefficient. Ultimately to accomplish what you are talking about the browser would also have to be the sandbox. I'm not sure what the benefit would be to do that since there is no downside to running the whole application in a sandbox.

As far as windows update is concerned start it via wuapp.exe (the windows update shortcut in the start menu starts it this way) IIRC in every version from XP sp2 through Windows 7 and bypass the browser completely. In fact this is Microsoft's recommend method to connect to windows update.

ANY website is vulnerable to attack and Microsoft is not immune, they have been breached before (as have most high profile websites). Just because they haven't been hacked recently doesn't mean they won't be hacked today.

I guess I'm a little lost trying to understand what you want to accomplish here. Running an application that is connected to the internet outside of the sandbox is basically the same as excluding applications from real-time anti-malware or virus scanners. Why take the risk?

Since anything that you download can be saved outside the sandbox I just don't see your issue with running apps that are connected to the internet or opening untrusted files from the internet in the sandbox.

How do you explain this issue?

www.sandboxie.com :: View topic - Unsandboxed Office can't launch forced IE

There isn't solution. You can't have an unsandboxed Office in this occurance. It's a limitation.

Another example, Windows Mail can be opened by IE or another browser through a mailto shortcut. If I want only IE as forced program, I can't pretend this by SandBoxie.

It's always a limitation.