Request: Start/Run Access Restriction allowing sandboxed exe

kawaiiwolf
Posts: 21
Joined: Mon Jun 29, 2015 10:36 am

Post by kawaiiwolf » Fri Feb 19, 2016 11:16 am

Referencing the help pages ( http://www.sandboxie.com/index.php?Rest ... s#startrun ), we find the text:
When any Start/Run restrictions are in effect, programs that are installed (or downloaded) into the sandbox will never be allowed to start or run.
This works well for applications installed outside a sandbox and run within, but I found it doesn't work for what I need it to do. Mostly I tend to install programs INTO a sandbox for the purposes of disk/registry/program isolation. I would like to, for example, be able to:
  1. Install an application into a freshly created sandbox, such as firefox.
  2. Ensure that application (installed in the sandbox) is the only application allowed to run within the sandbox. Mostly this is to make sure other programs aren't accidentally run within and to prevent any applications from being maliciously used to alter the contents of said sandbox (such as malware).
Note: Installing outside the sandbox is a last resort, I wish to keep my base windows install as uncluttered as possible. While a portable version of the example application (firefox) exists that can run without installation, not all applications can do this.

So time for the request: Can we get a checkbox on the Start/Run Access Restrictions tab of the Sandbox Settings to allow executables (installed/located within the sandbox) to run within so long as they match the whitelist in the aforementioned settings tab?

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Request: Start/Run Access Restriction allowing sandboxed

Post by Craig@Invincea » Fri Feb 19, 2016 11:34 am

You can create a sandbox just for Firefox. Install into there.

You can have as many sandboxes as you like, but only one can be active at any one time in the shareware version.

When you have a program to start as forced, it will always force into the DefaultSandbox.

When you run other programs (not forced) you are provided with a pop up box to select the sandbox to run the application in.

While most programs can be installed directly within a sandbox, there are ones that cannot be. (Office, Programs requiring driver installation, services, etc.)

kawaiiwolf
Posts: 21
Joined: Mon Jun 29, 2015 10:36 am

Re: Request: Start/Run Access Restriction allowing sandboxed

Post by kawaiiwolf » Sat Feb 20, 2016 3:47 pm

Ohh I understand that, and I've got about a dozen or so sandboxes for just such purposes with a lifetime license (firefox as an example, one of them). What I want to do is ensure that no applications OTHER than what is specified can run within them.

In said example, I only want firefox.exe (in addition to explorer.exe, dllhost.exe and rundll32.exe) to be able to run in said sandbox. I don't want it opening up other software to open up files it may download, nor running executables within that sandbox that were downloaded using it. Right now this is only possible if you install firefox outside a sandbox and run it within. I wish to install and run it within while still preventing other applications that are not white-listed from running.

RooJ
Posts: 83
Joined: Sun Dec 21, 2014 2:47 pm

Re: Request: Start/Run Access Restriction allowing sandboxed

Post by RooJ » Thu Mar 03, 2016 11:56 pm

Hi kawaiiwolf,

I think the security issue here is that there's nothing stopping a compromised application naming all of its executables (or any application on your system) "firefox.exe" and then running it. A compromised application doesn't even need to read your sandboxie config to check the whitelist, it can just check the process name it's currently running under. Granted this would all happen sandboxed but it completely defeats the purpose of the setting. As sandboxie doesn't work on hash values (at least in the config) I'm not sure there would be an easy way to secure it.

Far from ideal but you can achieve something similar with a workaround while you wait for an official response.

As an example take firefox: install firefox in the sandbox as you normally would. Once installed, recreate the path to the main executable on your REAL system. For instance create the folder "C:\program files\mozilla\firefox" on your real system. Now copy firefox.exe (just that one exe) from the sandbox to the location you just created and delete it from the sandbox, leave all other files alone.

You can now run the exe sandboxed as it's not actually within the sandbox on launch. Just remember to move the new exe out after each firefox update.

You could also store the firefox exe in a separate sandbox if you didn't want it on your main system, but I think you'd need to modify the current working directory or maintain a full mirrored install in order for it to work properly.

kawaiiwolf
Posts: 21
Joined: Mon Jun 29, 2015 10:36 am

Re: Request: Start/Run Access Restriction allowing sandboxed

Post by kawaiiwolf » Tue Mar 22, 2016 4:02 pm

This solution ended up working out pretty well! I made a "C:\Sandbox Program Files\" folder and had the sandboxed programs install there (within their respective sandboxes) and copied the exes out of the sandbox into the bare drive. Another sandbox uses that location as a forced folder, ensuring that anything in there is being run in SOME sandbox. This also has the added benefit of allowing you to register a file type on the bare system with an application installed in a sandbox. You just have to change the registry class ( win10: CLASSES > Application > something.exe > ... ) to open with sandboxie's "Start.exe /box:BoxName". It's about as isolated as you're gonna get while still being able to register applications to double-click shell handlers.
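The workaround RooJ describes above (move the one exe out of the sandbox onto a mirrored real-system path) and the variant kawaiiwolf settled on (a "C:\Sandbox Program Files\" mirror plus a shell handler that launches through "Start.exe /box:BoxName") can be scripted. The PowerShell below is an added example written for this thread; it is not code from either poster or from Sandboxie. It assumes Sandboxie Classic's default container location C:\Sandbox\<user>\<BoxName>\drive\C\, Start.exe at C:\Program Files\Sandboxie\Start.exe, and that the application was installed inside the box under C:\Sandbox Program Files\<AppFolder>\ as kawaiiwolf describes. The parameter names, the script name and the ProgId are the example's own.

```powershell
# Added example, not from the thread. Moves the sandboxed exe onto the real system
# (RooJ's workaround) and registers a per-user file-type handler that launches it
# through Sandboxie into the named box (kawaiiwolf's setup).
#
# Assumptions (not stated in the thread):
#   - Sandboxie's default FileRootPath: C:\Sandbox\<user>\<BoxName>\drive\C\
#   - Start.exe at C:\Program Files\Sandboxie\Start.exe
#   - The app was installed inside the box under C:\Sandbox Program Files\<AppFolder>\
#
# Usage (hypothetical file name):
#   .\Register-SandboxedApp.ps1 -BoxName Firefox -AppFolder 'Mozilla Firefox' `
#       -ExeName firefox.exe -Extensions .html,.htm
param(
    [Parameter(Mandatory)] [string]   $BoxName,          # sandbox the program should run in
    [Parameter(Mandatory)] [string]   $AppFolder,        # folder name under "Sandbox Program Files"
    [Parameter(Mandatory)] [string]   $ExeName,          # main executable, e.g. firefox.exe
    [string[]] $Extensions = @(),                        # file types to associate, e.g. .html
    [string]   $StartExe   = 'C:\Program Files\Sandboxie\Start.exe'
)

$ErrorActionPreference = 'Stop'

# Real-system mirror path (outside any sandbox) and the sandboxed copy of the exe.
$realDir  = Join-Path 'C:\Sandbox Program Files' $AppFolder
$realExe  = Join-Path $realDir $ExeName
$boxRoot  = Join-Path "C:\Sandbox\$env:USERNAME\$BoxName" 'drive\C'
$boxedExe = Join-Path $boxRoot (Join-Path 'Sandbox Program Files' (Join-Path $AppFolder $ExeName))

if (-not (Test-Path -LiteralPath $StartExe)) { throw "Sandboxie Start.exe not found: $StartExe" }
if (-not (Test-Path -LiteralPath $boxedExe)) { throw "Sandboxed executable not found: $boxedExe" }

# 1. Recreate the install path on the real system and move only the main exe out.
#    DLLs, profile data and the sandboxed registry stay inside the box, so the exe
#    is "not in the sandbox" at launch and Start/Run restrictions can whitelist it.
#    Re-running the script after an in-sandbox update moves the new exe out again.
New-Item -ItemType Directory -Path $realDir -Force | Out-Null
Move-Item -LiteralPath $boxedExe -Destination $realExe -Force

# 2. Register a per-user ProgId whose open command goes through Start.exe /box:.
#    HKCU\Software\Classes keeps the change out of the machine-wide hive and
#    needs no elevation. "%1" forwards the double-clicked file to the program.
$progId  = "SandboxieBox.$BoxName.$ExeName"
$command = "`"$StartExe`" /box:$BoxName `"$realExe`" `"%1`""
$cmdKey  = "HKCU:\Software\Classes\$progId\shell\open\command"
New-Item -Path $cmdKey -Force | Out-Null
Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $command

# 3. Point each requested extension at that ProgId.
foreach ($ext in $Extensions) {
    if (-not $ext.StartsWith('.')) { $ext = ".$ext" }
    $extKey = "HKCU:\Software\Classes\$ext"
    New-Item -Path $extKey -Force | Out-Null
    Set-ItemProperty -Path $extKey -Name '(default)' -Value $progId
}

Write-Host "Moved $ExeName to $realExe"
Write-Host "Handler $progId -> $command"
```

The script uses its own ProgId rather than the Applications key kawaiiwolf edited; either works for the shell's open verb. Making "C:\Sandbox Program Files\" a forced folder for a catch-all sandbox, the second half of kawaiiwolf's setup, is a Sandboxie setting and is not scripted here. RooJ's caveat still applies: the exe now lives outside the sandbox, so anything that updates it in the sandbox is not picked up until the exe is moved out again.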

RooJ
Posts: 83
Joined: Sun Dec 21, 2014 2:47 pm

Re: Request: Start/Run Access Restriction allowing sandboxed

Post by RooJ » Wed Mar 23, 2016 6:58 pm

Nice, glad to hear it helped.

Just remember there's a slight security issue with installing something like a web browser inside a sandbox due to the fact you won't be clearing the sandbox after each use.
If the browser is compromised at some point (and if not picked up by other security products) it can remain compromised from that moment onwards. Malware could add code to legitimate browser DLLs or the browser exe for instance and then monitor activity each time the browser is in use.
In a situation where the browser binaries are outside of the sandbox and the sandbox is regularly cleared this can't happen.

There are workarounds to this too of course but thought it was worth mentioning.

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Request: Start/Run Access Restriction allowing sandboxed

Post by Craig@Invincea » Thu Mar 24, 2016 8:31 am

That's an excellent point. Compromised browser is a compromised browser. While your PC is safe, the browser that's directly installed in that sandbox may not be. Malware that needs a driver won't be an issue as a driver cannot be installed in the SB. You can always invoke blockedfilepath to add a layer between you and sensitive areas on your PC.

But it's best to delete the contents, or be even more mindful.

kawaiiwolf
Posts: 21
Joined: Mon Jun 29, 2015 10:36 am

Re: Request: Start/Run Access Restriction allowing sandboxed

Post by kawaiiwolf » Fri Mar 25, 2016 7:28 pm

A compromised browser is low on my list of priorities, and I used it here as an easy example. What I'm really interested in is data/process isolation. "Uninstalling" a program is as simple as deleting the sandbox it resides in; I'm much more concerned with programs clogging up and worming into who knows where in a hard disk or registry and by using sandboxie, it ensures it's gone when I want it gone. It also ensures an install can't try to jack into browsers, startup and the windows shell with any real success, keeping my system clean and relatively annoyance free.

I realize the intended use case is to isolate a running application, "Trust no program" ... however I'm taking it to the point where I find the installers more dangerous to trust than the application itself. I don't know how many other users there are like this but sandboxie works quite well to that end, better than any other application I've seen.

TimW
Posts: 37
Joined: Sat Sep 06, 2008 2:45 pm

Re: Request: Start/Run Access Restriction allowing sandboxed

Post by TimW » Fri Mar 25, 2016 8:25 pm

My understanding is that SB needs to first know a drive letter in order to create the forced folder/forced disk settings.
I see posts from 2010 that mention the USBDLM program which allows a user to manage drive letters. That program is still under active development and works well on Win 10 Pro. http://www.uwe-sieber.de/usbdlm_e.html

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area

Re: Request: Start/Run Access Restriction allowing sandboxed

Post by Craig@Invincea » Sat Mar 26, 2016 11:19 am

kawaiiwolf wrote: A compromised browser is low on my list of priorities, and I used it here as an easy example. What I'm really interested in is data/process isolation. "Uninstalling" a program is as simple as deleting the sandbox it resides in; I'm much more concerned with programs clogging up and worming into who knows where in a hard disk or registry and by using sandboxie, it ensures it's gone when I want it gone. It also ensures an install can't try to jack into browsers, startup and the windows shell with any real success, keeping my system clean and relatively annoyance free.

I realize the intended use case is to isolate a running application, "Trust no program" ... however I'm taking it to the point where I find the installers more dangerous to trust than the application itself. I don't know how many other users there are like this but sandboxie works quite well to that end, better than any other application I've seen.

The fact you cannot install a driver in the SB also makes it all the more difficult for different vectors of malware.