Sandboxie Forum - Control Your Sandbox (3711)

SnDPhoenix:

Thu Oct 02, 2008 3:03 am

]]>Quoting MitchE323: ]]>Plus it is nice, you don't have to add the Sandboxie family of programs as they are taken care of by default. :D ]]> Yep, thats what I thought was cool. :P

MitchE323:

Wed Oct 01, 2008 9:21 pm

Plus it is nice, you don't have to add the Sandboxie family of programs as they are taken care of by default. :D

SnDPhoenix:

Wed Oct 01, 2008 4:58 pm

]]>Quoting MitchE323: ]]>SnD, do you have a mix of sandboxes that include ForceProcess and ForceFolder? ]]> Yeah I do, some have forceprocesses, some have forcefolders and some have both (or none). :P

MitchE323:

Wed Oct 01, 2008 4:10 pm

[quote:ba6d2ad21d]I couldn't reproduce that[/quote:ba6d2ad21d] You probably will not be able to as even I can not, as I said it is all fine here. SnD, do you have a mix of sandboxes that include ForceProcess and ForceFolder? cause this notepad.exe fluke happened right after I redid a sandbox that had a ForceFolder setting. But like I said, I can not get it to reproduce here either, so it may just be me or my machine.

SnDPhoenix:

Wed Oct 01, 2008 3:55 pm

]]>Quoting MitchE323: ]]>hmmm... I added notepad.exe as an allowed program and then later while still testing I removed notepad.exe as allowed - and now everything mysteriously is working as expected. Right now notepad.exe is not added to the group and Edit Configuration opens fine. :shock: ]]> Thats cause I am here now, I rubbed off onto the Sandboxie installed on your PC. :wink: But seriously though, I couldn't reproduce that, so dont know why that could've happened... Anyways though, I too went through all the settings for all of my sandboxes (I got about 12-14 :P) and now I feel each of my sandboxes are 50 times stronger! :D

MitchE323:

Wed Oct 01, 2008 3:25 pm

hmmm... I added notepad.exe as an allowed program and then later while still testing I removed notepad.exe as allowed - and now everything mysteriously is working as expected. Right now notepad.exe is not added to the group and Edit Configuration opens fine. :shock:

MitchE323:

Wed Oct 01, 2008 3:18 pm

Well that is really my question.... without Notepad.exe added to StartRunAccess and clicking Edit Configuration brings up a sandboxie prompt that Notepad.exe is restricted from running. If you can not reproduce that, I will redo my setup and see if the problem is at my end.

tzuk:

Wed Oct 01, 2008 3:12 pm

I don't understand. Why would Notepad start sandboxed in the first place?

MitchE323:

Wed Oct 01, 2008 3:10 pm

It looks like if you have a setting involving , you have to also specify Notepad.exe as an allowed program if you want to use "Edit Configuration". That is easy enough to set up, but wouldn't whatever the edit was end up sandboxed?

MitchE323:

Wed Oct 01, 2008 2:42 pm

Really terrific work here Tzuk, thanks a ton! I am playing with it now..... :D I redid all my sandbox settings so my ProcessGroup names would match whatever Sandboxie wants to give it so now it is all "Official" haha thanx again. :D

tzuk:

Wed Oct 01, 2008 1:52 pm

Thanks SnD !!

SnDPhoenix:

Tue Sep 30, 2008 9:16 pm

]]>Quoting tzuk: ]]>* You don't have the burden of having to specify SandboxieRpcss and friends. Programs in the Sandboxie installation folder are immune to Start/Run restrictions. ]]> Hooray!!! :D The new v3.31.02 beta is awesome! 8)

tzuk:

Tue Sep 30, 2008 1:33 pm

Sandboxie Control has better configuration now for both Internet Access and a new Start/Run Access. Accessible either through Sandbox Settings -> Restrictions or through Program Settings. Other than the obvious improvement of not having to manage manually in the Ini file, there are two more benefits: * You can ask to be notified by message (SBIE1307 and SBIE1308) when a program is restricted. * You don't have the burden of having to specify SandboxieRpcss and friends. Programs in the Sandboxie installation folder are immune to Start/Run restrictions.

MitchE323:

Wed Aug 20, 2008 10:22 pm

haha Well of course it would be the UltimateExaltedMysticSupreme accomplishment to become a "Sticky" I have to disagree. These types of threads become history fairly quickly as the ideas are either accepted and utilized or not accepted and discarded. I think stickys should be reserved for "rules of the thread" type stuff. Like a. state your OS b. state the programs version c. try to describe a way to replicate the problem blah, blah, blah.....

SnDPhoenix:

Wed Aug 20, 2008 10:17 pm

Haha, you have to ask now Peter out of all the chances we had before? :P But yeah, threads like these should be stickied so people can find them. I wanted to sticky the "Xtras" thread, but it got too long and had random unneeded posts, therefore it was too late to sticky it. :?

Peter2150:

Wed Aug 20, 2008 3:16 pm

Can we make this thread a sticky??

Ruhe:

Wed Aug 20, 2008 6:49 am

Thanks for your explanation. ]]>Quoting MitchE323: ]]>Who knows, maybe it is already possible, if you want to experiment. Example; [b:62785228d5][GlobalSettings] ProcessGroup=,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,,firefox.exe ProcessGroup=,,wmplayer.exe ProcessGroup=,,iexplore.exe [/b:62785228d5] ]]> Looks good, but already tried this last night. It does not work either. [quote:62785228d5]Plus, remember Tzuk saying that at some point he will look deeper into all of this, and maybe if it comes to be a part of the GUI then those three Sandboxie programs can be inserted "behind the scenes" within the programing.[/quote:62785228d5] That would be very handy - or the above method.

MitchE323:

Tue Aug 19, 2008 10:27 pm

[quote:0874d35106][GlobalSettings] ProcessGroup=,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,firefox.exe [sbFirefox] ClosedIpcPath=!,* ClosedIpcPath=!,* [/quote:0874d35106] [b:0874d35106]ClosedIpcPath=!,*[/b:0874d35106] This line is saying that Firefox can not run in the sbFirefox sandbox; as only sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe can run [b:0874d35106]ClosedIpcPath=!,*[/b:0874d35106] This line is saying that sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe can not run as only Firefox can run in the sbFirefox sandbox. So, as you have found, it is not going to work. [quote:0874d35106]Did I miss or misunderstood anything?[/quote:0874d35106] No you didn't misunderstand anything, it is just the 'workaround' is not possible. [quote:0874d35106][GlobalSettings] ProcessGroup=,something1.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,something2.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,something3.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe [/quote:0874d35106] This is the correct way. And then only one ClosedIpcPath=! per sandbox. :wink: You may find later that some sandboxes do not require the three Sandboxie programs at all. That is Sandboxies' call. The ProcessGroups are only stating what is allowed to run (if called upon) What you are looking for is the ability to form a ProcessGroup into another ProcessGroup but Tzuk may just shut down Feature Requests if we ask for that. :D ------------------------------------------------------------------------------------- Who knows, maybe it is already possible, if you want to experiment. Example; [b:0874d35106][GlobalSettings] ProcessGroup=,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,,firefox.exe ProcessGroup=,,wmplayer.exe ProcessGroup=,,iexplore.exe [/b:0874d35106] But I have never tested that....... :? ------------------------------------------------------------------------------------ Plus, remember Tzuk saying that at some point he will look deeper into all of this, and maybe if it comes to be a part of the GUI then those three Sandboxie programs can be inserted "behind the scenes" within the programing.

Ruhe:

Tue Aug 19, 2008 9:21 pm

Hi Mitch, hi tzuk, I've tried the following (just a part of sandboxie.ini): [GlobalSettings] ProcessGroup=,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,firefox.exe [sbFirefox] ClosedIpcPath=!,* ClosedIpcPath=!,* After this it's not possible to start Firefox sandboxed anymore. My intention was to prevent something like this, because of all the redundant Sandboxie entries for each sandbox: [GlobalSettings] ProcessGroup=,something1.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,something2.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,something3.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe Did I miss or misunderstood anything?

MitchE323:

Sun Aug 17, 2008 4:31 pm

@Oneder; That line is in there, just a little buried 8) @arran777; That ini file is basically set up fine. Your problem with the test was one of two things. The movie clip opened as a "Child Process" to your browser or you need to empty the sandbox for the new settings to take effect. I notice you do not have AutoDelete in a line, so I assume you empty the sandbox manually or not at all. The only problem with the ini file is that you have ForceProcess=admunch.exe in two different sandboxes. Sandboxie will accept the one listed first in the ini file so it is ok in the DefaultBox but the ForceProcess line has no meaning in the other sandbox. You can list it in multiple ProcessGroups as you have done. If you are not having a problem with AdMunch in the IE box, maybe it also is opening as a Child Process to IE. I am not familiar with AdMunch. Is there a definitions file for AdMunch? Consider trying it unsandboxed with an openfilepath to that definitions file for updates - then you will be able to delete the sandbox after each session and not lose your AdMunch updates.

Oneder:

Sun Aug 17, 2008 11:47 am

Add under [DefaultBox] ClosedIpcPath=!,*

arran:

Sun Aug 17, 2008 6:11 am

HI can some one please help me here. I am trying to make it so as only firefox and admuncher can run in my default box. I edited the config file and tested it by downloading a movie clip and before I recovered the movie clip from sandboxie I was able to run it inside sandboxie, so unfortunatly for me other things besides firefox and admuncher can still run in the sandbox. Here is how my ini file is what have I done wrong?????? [GlobalSettings] ProcessGroup=,admunch.exe,firefox.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,fdm.exe,iexplore.exe,admunch.exe ProcessGroup=,admunch.exe,firefox.exe [DefaultBox] ConfigLevel=4 AutoRecover=y AutoRecoverIgnore=.jc! AutoRecoverIgnore=.part RecoverFolder=%Personal% RecoverFolder=%Desktop% LingerProcess=trustedinstaller.exe LingerProcess=wuauclt.exe LingerProcess=devldr32.exe LingerProcess=syncor.exe LingerProcess=jusched.exe LingerProcess=acrord32.exe Enabled=y NeverDelete=n OpenFilePath=seamonkey.exe,%AppData%\Mozilla\Profiles\*\places* OpenFilePath=seamonkey.exe,%AppData%\Mozilla\Profiles\*\bookmark* OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places* OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\bookmark* ClosedIpcPath=!,* ClosedFilePath=!,\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd* ClosedFilePath=E:\ ClosedFilePath=F:\ ForceProcess=admunch.exe [UserSettings_0C700215] SbieCtrl_UserName=arran SbieCtrl_ShowWelcome=N SbieCtrl_NextUpdateCheck=1555555555 SbieCtrl_UpdateCheckNotify=Y SbieCtrl_HideWindowNotify=N SbieCtrl_WindowLeft=665 SbieCtrl_WindowTop=59 SbieCtrl_WindowWidth=660 SbieCtrl_WindowHeight=425 SbieCtrl_Hidden=N SbieCtrl_ActiveView=40021 SbieCtrl_BoxExpandedView_DefaultBox=Y SbieCtrl_AutoApplySettings=N SbieCtrl_SettingChangeNotify=N SbieCtrl_ColWidthProcName=250 SbieCtrl_ColWidthProcId=70 SbieCtrl_ColWidthProcTitle=310 SbieCtrl_BoxExpandedView_IExplorer=Y SbieCtrl_ReloadConfNotify=N SbieCtrl_EditConfNotify=N [IExplorer] Enabled=y ConfigLevel=4 AutoRecover=y AutoRecoverIgnore=.jc! AutoRecoverIgnore=.part RecoverFolder=%Favorites% RecoverFolder=%Personal% RecoverFolder=%Desktop% LingerProcess=trustedinstaller.exe LingerProcess=wuauclt.exe LingerProcess=devldr32.exe LingerProcess=syncor.exe LingerProcess=jusched.exe LingerProcess=acrord32.exe ForceProcess=iexplore.exe ForceProcess=admunch.exe ForceProcess=fdm.exe NeverDelete=n ClosedFilePath=!,\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd*

MitchE323:

Tue Aug 05, 2008 3:35 pm

[quote:ae27744da1] Version 3.29.14 writes the new settings that we talked about here. It won't auto-upgrade old settings, though, so you'll have to turn off Internet Access restrictions and then turn it back on, to get the new settings. [/quote:ae27744da1] 3.29.14 Works just fine with this, nice.

MitchE323:

Tue Aug 05, 2008 3:24 pm

[quote:1c985ecdcc]Are you talking about restricting executable programs?[/quote:1c985ecdcc] Precisely. [quote:1c985ecdcc]So if we're talking about the same thing then I agree.[/quote:1c985ecdcc] :D Thanx Tzuk!

tzuk:

Tue Aug 05, 2008 3:16 pm

]]>Quoting MitchE323: ]]>Thanks Tzuk, I see what you mean - a lot of rope-a-dope just to maybe get .00001 extra. Ok, well that is done. Do you have any plans on adding lines for Internet Access in an update - perhaps as Ruhe points out, with *s? ]]> I don't know what Ruhe pointed out. (This is a long topic and I have to admit I have only read the last few posts.) Version 3.29.14 writes the new settings that we talked about here. It won't auto-upgrade old settings, though, so you'll have to turn off Internet Access restrictions and then turn it back on, to get the new settings. ]]>Quoting MitchE323: ]]>Also, it seems such a good fitting with ProcessGroup and ClosedIpcPath=! that can we Feature Request that at some point the GUI would handle a procedure as outlined here? I realize that asking for a new page in the GUI is a ton, but as DogDog points out, this would all be a lot more certain if done through SandboxIE Control. ]]> Again this is a little vague for someone who hasn't read throughout the entire topic. :) Are you talking about restricting executable programs? I do see there is too much interest in this feature to leave it for manual Ini editing. So if we're talking about the same thing then I agree.

MitchE323:

Tue Aug 05, 2008 1:37 am

Thanks Tzuk, I see what you mean - a lot of rope-a-dope just to maybe get .00001 extra. Ok, well that is done. Do you have any plans on adding lines for Internet Access in an update - perhaps as Ruhe points out, with *s? Also, it seems such a good fitting with ProcessGroup and ClosedIpcPath=! that can we Feature Request that at some point the GUI would handle a procedure as outlined here? I realize that asking for a new page in the GUI is a ton, but as DogDog points out, this would all be a lot more certain if done through SandboxIE Control.

tzuk:

Mon Aug 04, 2008 6:53 pm

If I'm not sure, the resources that end with 6 are only there on Vista, and implement IPv6 which isn't useful. So they are blocked for sake of completeness but I don't think it makes one bit of difference either way, assuming no program is going to use these resources. The UDP resource would probably not get a lot of use, but possible for stuff like multiplayer games running in your Web browser.

MitchE323:

Mon Aug 04, 2008 4:29 pm

Here is something we can play with; I have a sandbox where Internet Explorer is the only program with internet access. ok so with the new settings we have this; ClosedFilePath=!,\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd* ClosedFilePath=!,\Device\RawIp6 ClosedFilePath=!,\Device\Udp ClosedFilePath=!,\Device\Udp6 well I can get (at least as far as I can see right now) everything I need with; ClosedFilePath=\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd* ClosedFilePath=\Device\RawIp6 ClosedFilePath=\Device\Udp ClosedFilePath=\Device\Udp6 which means that I can block off 4 of the items even from Internet Explorer. I am still able to download, flash still works, can't find any differance yet. Not reccomending, just experimenting. :shock: What I am wondering is whether or not there are any malware or keylogger type items that are sent out via the browser that utilize any of the blocked functions? :? Also wondering if we can open up any of the three * items and also block parts of those?

MitchE323:

Mon Aug 04, 2008 9:27 am

@Ruhe; I do believe that a * will suffice and eliminate two of the lines - just as you say. However, Tzuk stated it as separate lines and frankly, whether or not I have two additional lines in my ini file means nothing to me. So that is why I left it as you see. Plus, I have something else in mind that is better handled with individual lines. See next post;

Ruhe:

Mon Aug 04, 2008 9:18 am

]]>Quoting tzuk: ]]>Thanks Mitch, probably a good idea to add \Device\Udp and \Device\Udp6 to Sandboxie. Looks like those devices implement the "UDP" transport, as opposed to the "TCP" transport, for data going out on the network. And looks like there is also \Device\RawIp6 in addition to \Device\RawIp. ]]> Mh, this sentence sounds for me this has to be implemented first, or does SB already support \Device\Udp* and \Device\RawIp* ? I mean, if already implemented, the 'Block All' button would set the options (what it doesn't at the moment). @Mitch Why 4 lines for UDP and RawIP? Are the above two lines not sufficient?

MitchE323:

Sun Aug 03, 2008 10:56 pm

Thanx Tzuk, I'll edit the early posts in this thread so it is easier to copy/paste. Also "Good Pick-up" goes out to Tarsins, :D

SnDPhoenix:

Sun Aug 03, 2008 10:46 pm

So after this? It'll go from 4 lines to 7? :lol:

tzuk:

Sun Aug 03, 2008 10:43 pm

Thanks Mitch, probably a good idea to add \Device\Udp and \Device\Udp6 to Sandboxie. Looks like those devices implement the "UDP" transport, as opposed to the "TCP" transport, for data going out on the network. And looks like there is also \Device\RawIp6 in addition to \Device\RawIp.

MitchE323:

Sun Aug 03, 2008 10:36 am

I have also seen that line inserted as a 5th line of the internet access settings over at Wilders, and I think it was used here when the Internet Access settings were first created. \Device\RawIp \Device\Ip* \Device\Tcp* \Device\Afd* \Device\UDP All I can tell you is that the top 4 lines are what currently SandboxIE gives you to block internet access. I am no way a network expert or anything so maybe others can chime in better with a desciption maybe on all 5 lines, so everyone can understand what is happening, and whether we should include the UDP line or not.

tarsins:

Sun Aug 03, 2008 10:20 am

I've also got the line ClosedFilePath=!,\Device\udp in my configuration. I'm not sure where it came from and is it needed?

MitchE323:

Thu Jul 31, 2008 8:26 am

[quote:60addf467e]I can now see what is happening and why it works.[/quote:60addf467e] :D :D Your welcome DogDog :D :D

dogdog:

Thu Jul 31, 2008 7:38 am

First of all - thanks. I had missed that ",*" was part of instruction line. I can now see what is happening and why it works. I understand your comment about starting a different thread. My only observation is that if people modify the Ini file without understanding how the instruction works then this is a dangerous route. Hence I think that an explanation of why it works does belong in the same thread as how it works. Howevever, if the majority disagree then I will go with the flow. Again, thanks for your help.

MitchE323:

Thu Jul 31, 2008 7:32 am

That's a good idea. Thanks Pete :D

Peter2150:

Thu Jul 31, 2008 3:10 am

Dogdog, while I understand your interest in IPC, that isn't really the purpose of this thread. This thread is more generally controlling different aspects of the sandbox. If you want to discuss IPC in depth please start another thread. Thanks, Pete

MitchE323:

Wed Jul 30, 2008 11:18 pm

]]>Quoting dogdog: ]]>You have added ",*" to the line I had. What does the extra ",*" do?? ]]> Closed Inter-Process Communication between Test.exe and everything. *=everything [quote:caa794f7ba]If "ClosedIpcPath=! means that all the programs in the process group named restricted can run but all others are stopped. Then why doesn't "ClosedIpcPath=Test.exe" specifically stop program called Test from running given that the ! inverses the setting?? [/quote:caa794f7ba] Your "If" is incorrect, so therefore the result of that "If" is not as you expect. You are miss-writing the instruction ClosedIpcPath=!,* [quote:caa794f7ba]Why was there no need for IPC restriction??[/quote:caa794f7ba] "No need" as pertaining to ProcessGroup as ProcessGroup was yet to be invented.

dogdog:

Wed Jul 30, 2008 10:39 pm

]]>Quoting MitchE323: ]]> ]]>Quoting dogdog: ]]> If ClosedIpcPath=! is a white list then I presumed that ClosedIpcPath= is a black list. I therefore added to the Ini file the instruction: "ClosedIpcPath=test.exe" on the presumption that this would stop the program called test from running. However the program called test could still run. What am I missing?? ]]> DogDog, I was making a point on the exclamation point, not describing how to do a blacklist. Try it as ClosedIpcPath=Test.exe,* :wink: ]]> You have added ",*" to the line I had. What does the extra ",*" do?? If "ClosedIpcPath=! means that all the programs in the process group named restricted can run but all others are stopped. Then why doesn't "ClosedIpcPath=Test.exe" specifically stop program called Test from running given that the ! inverses the setting?? Is ClosedIpcPath=! different from OpenIpcPath=?? Still do not understand how Sanboxie is stopping any particular program from running?? Is it denying access to some particular resource?? Why was there no need for IPC restriction??

MitchE323:

Wed Jul 30, 2008 9:52 pm

]]>Quoting dogdog: ]]> What is the mechanism in the "ClosedIpcPath=!X_Program" instruction that prevents programs other than X_Program from running. ]]> IPC=Inter-Process Communication http://en.wikipedia.org/wiki/Inter-process_communication So..... ClosedIPC is Closed Inter-Process Communication.....

MitchE323:

Wed Jul 30, 2008 9:51 pm

]]>Quoting dogdog: ]]> If ClosedIpcPath=! is a white list then I presumed that ClosedIpcPath= is a black list. I therefore added to the Ini file the instruction: "ClosedIpcPath=test.exe" on the presumption that this would stop the program called test from running. However the program called test could still run. What am I missing?? ]]> DogDog, I was making a point on the exclamation point, not describing how to do a blacklist. Try it as ClosedIpcPath=Test.exe,* :wink:

MitchE323:

Wed Jul 30, 2008 9:50 pm

]]>Quoting dogdog: ]]> If you use Resource Access-> Internet Access and specify more than one program, Sandboxie automatically creates the Process Group and uses the name of created Process Group in ClosedFilePath line Sandboxie creates in Ini file. ]]> Of course it does. That page in the GUI was set up for Internet Access and LATER when ProcessGroup was invented Tzuk made the new GUI adaptable for ProcessGroup and that is what you see in the existing Internet Access page. Because there was no need for IPC restriction there was no page for that put in the GUI. http://sandboxie.com/phpbb/viewtopic.php?p=18867#18867 "And finally I revised the Internet Access page......." That update was 323.06 and the GUI was created in 3.20

dogdog:

Wed Jul 30, 2008 4:23 pm

]]>Quoting MitchE323: ]]>So when you use ClosedIpcPath, and ClosedFilePath as instructions in the same sandbox - you are using ClosedIpcPath actually to stop all the BadGuys. They can not run, and so of course they also can not access the internet. You are now using the Internet Access settings to control what YOUR programs are doing (in the example case, Word-Excel-PSP). So think of ClosedIpcPath=! as a white list anti-executable and the Internet Access settings as an outbound Firewall. :wink: ]]> I clearly do not understand the mechanism. If ClosedIpcPath=! is a white list then I presumed that ClosedIpcPath= is a black list. I therefore added to the Ini file the instruction: "ClosedIpcPath=test.exe" on the presumption that this would stop the program called test from running. However the program called test could still run. What am I missing??

dogdog:

Wed Jul 30, 2008 4:05 pm

]]>Quoting MitchE323: ]]> @DogDog; This type of IPC setting is not possible without ProcessGroup (by definition 3 SandboxIE programs need to run). ProcessGroup was invented after the GUI was set up, so you need 'Edit Configuration' for that setting. Be aware that the setting is ClosedIpcPath=! which includes the '!' mark which inverses the setting and turns it into a whitelist. So; ClosedIpcPath= X_Program would apply to X_Program and ClosedIpcPath=! X_Program would apply to all programs other than X_Program. ]]> What is the mechanism in the "ClosedIpcPath=!X_Program" instruction that prevents programs other than X_Program from running. I have looked at the various user pages but cannot find anything to help me. I could not really see how the ClosedIpcPath page described the program blocking function you set out.

dogdog:

Wed Jul 30, 2008 11:04 am

]]>Quoting MitchE323: ]]> @DogDog; This type of IPC setting is not possible without ProcessGroup (by definition 3 SandboxIE programs need to run). ProcessGroup was invented after the GUI was set up, so you need 'Edit Configuration' for that setting. Be aware that the setting is ClosedIpcPath=! which includes the '!' mark which inverses the setting and turns it into a whitelist. So; ClosedIpcPath= X_Program would apply to X_Program and ClosedIpcPath=! X_Program would apply to all programs other than X_Program. ]]> Not completely correct. If you use Resource Access-> Internet Access and specify more than one program, Sandboxie automatically creates the Process Group and uses the name of created Process Group in ClosedFilePath line Sandboxie creates in Ini file. Thought that there might be an equivalent function for the process that restricts the programs that can run ie that creates ClosedIpcPath??

MitchE323:

Tue Jul 29, 2008 6:26 pm

@DogDog; This type of IPC setting is not possible without ProcessGroup (by definition 3 SandboxIE programs need to run). ProcessGroup was invented after the GUI was set up, so you need 'Edit Configuration' for that setting. Be aware that the setting is ClosedIpcPath=! which includes the '!' mark which inverses the setting and turns it into a whitelist. So; ClosedIpcPath= X_Program would apply to X_Program and ClosedIpcPath=! X_Program would apply to all programs other than X_Program.

MitchE323:

Tue Jul 29, 2008 6:19 pm

@soccerfan; I guess I believe in Laye........... oh forget it, I can't even bring myself to say it. :shock:

soccerfan:

Tue Jul 29, 2008 2:02 pm

]]>Quoting MitchE323: ]]> There is an additional point. I hear guys all the time say things like; "All programs are cracked sooner or later." ..... That may have been true in the past. But in this, The New Age, we are being Pro-Active. First of all, the malware is in a sandbox and has to figure that out (they are not even there yet). But secondly, the malware would also have to somehow overcome a closed IPC instruction. Then the hurdle of somehow gaining internet access is still waiting for that malware. I think we will be ok. 8) ]]> Layered security that works! And all this from a single lean streamlined program. Now that's a novel concept :D

dogdog: Using GUI

Tue Jul 29, 2008 12:41 pm

As a generalisation it is better to use GUI to specify requirements and allow Sandboxie itself to modify Ini file. This works with internet access - Sandboxie sets up Process Group and creates appropriate closedfilepath instructions within Ini file. Does the same comment apply to IPC access?? Will it also create process group automatically?? Presumably one uses IPC Access->Blocked Access and then add the programs that are the only ones to be allowed to run inthe sandbox??

MitchE323:

Mon Jul 28, 2008 1:16 pm

You are all of course, quite welcome. Just to sum this all up, there are a couple of advantages in using ClosedIpcPath=! and ClosedFilePath=! along with ProcessGroup within a sandbox. As we have seen, you can control not only the running of outside programs, but the internet access of your own programs as well. There is an additional point. I hear guys all the time say things like; "All programs are cracked sooner or later." They say that you have to also run this or that program because "Malware writers are always ahead of the game." They say that legitimate program developers have to play catch-up and react to whatever it is that the malware writers come up with. That may have been true in the past. But in this, The New Age, we are being Pro-Active. First of all, the malware is in a sandbox and has to figure that out (they are not even there yet). But secondly, the malware would also have to somehow overcome a closed IPC instruction. Then the hurdle of somehow gaining internet access is still waiting for that malware. I think we will be ok. 8)

Peter2150:

Mon Jul 28, 2008 2:10 am

Thanks from me also Mitch.

jmonge:

Mon Jul 28, 2008 2:06 am

sure mitch and thanks

MitchE323:

Mon Jul 28, 2008 2:03 am

@jmonge Maybe post a new thread in Anything Else so we can isolate the settings you need, and you can post your ini file there.

jmonge:

Mon Jul 28, 2008 2:01 am

thanks mitch

MitchE323:

Mon Jul 28, 2008 1:56 am

@Peter2150 Windows Media Player when not a child process along with a program like Acrobat Reader, are two examples where you would not bother with 'RunAccess'. The proper way to handle those two is to use ForceFolder on the entire program, and then figure out what needs internet access (usually through trial and error) and allow internet access to what is needed.

MitchE323:

Mon Jul 28, 2008 1:53 am

@jmonge I am not too familiar with Windows Live Messenger, but Internet Explorer will call on Windows Media Player as a "child-process" and so you should need nothing additional for WMP. Now if you are running Windows Media Player outright, that is different. See my next post to Pete.

jmonge:

Mon Jul 28, 2008 1:49 am

mitch i dont know how to set my defaultbox to allow internet explorer,wmplayer and windowslive mesenger to acce the internet connection and block the rest.

SnDPhoenix:

Sun Jul 27, 2008 11:32 pm

Damn nice job! I know we (and alot others) have been wanting an "post your tips/ini here" sort of thread, but hadnt had the time to get around to it. Glad to see someone found the time to start one! Nice job on the tips Mitch. Everything you've recommended is pretty much what I would've posted. Only thing I would say is if you want to make your PC that much more secure, block off access to the keyboard and clipboard (except the programs you exclude). If I get a few minutes to think, I'll post some tips and/or examples in here.

MitchE323:

Sun Jul 27, 2008 8:09 pm

So when you use ClosedIpcPath, and ClosedFilePath as instructions in the same sandbox - you are using ClosedIpcPath actually to stop all the BadGuys. They can not run, and so of course they also can not access the internet. You are now using the Internet Access settings to control what YOUR programs are doing (in the example case, Word-Excel-PSP). So think of ClosedIpcPath=! as a white list anti-executable and the Internet Access settings as an outbound Firewall. :wink:

MitchE323:

Sun Jul 27, 2008 7:07 pm

@ Guest10; You're quite welcome. Maybe others will join in with tips on other browsers such as Firefox....... :D

MitchE323:

Sun Jul 27, 2008 6:55 pm

@ Oneder; Whatever is between the " < > " is simply the name of the group - it has no effect on what that instruction is doing. Just like naming your sandbox is up to you. I could create a sandbox and name it [FirefoxOnlySandbox] and still run Internet Explorer in it. ProcessGroup= ProcessGroup= These are just names of ProcessGroups. They, in themselves do not have any effect.

MitchE323:

Sun Jul 27, 2008 6:46 pm

[quote:ebff81e4bb][b:ebff81e4bb]Peter2150 wrote;[/b:ebff81e4bb] Cool. So I gather if I don't care what runs in the Pokerstars sandbox I don't need it, but if I want to restrict it, I do.[/quote:ebff81e4bb] Actually it is more a choice of sometimes a program has just too many exe files running and it is a pain to list them all. It is fairly easy to figure out which of the programs need internet access, but sometimes it is hard to tell what actually needs to be running. In those cases I just use Internet Access. Usually along with ForceFolder.....

Oneder:

Sun Jul 27, 2008 3:29 pm

Mitch, under [GlobalSettings] Would ProcessGroup= do the same as ProcessGroup= Or would one be more secure than the other?

Guest10:

Sun Jul 27, 2008 3:28 pm

Thanks for the write-up, Mitch :D

Peter2150:

Sun Jul 27, 2008 1:44 pm

]]>Quoting MitchE323: ]]>[quote:3ccb369721]Do we also need a ProcessGroup...... ]]> You could, if you like. HaHa I actually left it out to show that you can be flexable and do not need to follow precise rules. One thing that is very helpful when setting up your sandboxes is to think it all through first, develop a stategy and have your sandbox fine tuned to you. 8)[/quote:3ccb369721] Cool. So I gather if I don't care what runs in the Pokerstars sandbox I don't need it, but if I want to restrict it, I do. Pete

MitchE323:

Sun Jul 27, 2008 12:59 pm

[quote:3503d18dd9]Do we also need a ProcessGroup......[/quote:3503d18dd9] You could, if you like. HaHa I actually left it out to show that you can be flexable and do not need to follow precise rules. One thing that is very helpful when setting up your sandboxes is to think it all through first, develop a stategy and have your sandbox fine tuned to you. 8)

Peter2150: Re: Control Your Sandbox

Sun Jul 27, 2008 12:46 pm

]]>Quoting MitchE323: ]]> Now let's merge the two sandboxes together. [GlobalSettings] ProcessGroup=,iexplore.exe,winword.exe,excel.exe,psp.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,iexplore.exe ProcessGroup=,Pokerstars.Exe,PokerStarsUpdate.exe,PokerStarsCommunicate.exe [DefaultBox] ClosedIpcPath=!,* ClosedFilePath=!,\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd* [PokerStars] ClosedFilePath=!,\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd* So first we merged two instructions together that pertained to the same sandbox. And then we added and merged a second sandbox as well. :wink: ]]> Hi Mitch This is beautiful. Question. Do we also need a ProcessGroup=,Pokerstars.exe. etc etc etc Type statement so these can run in the Pokerstars sandbox. A big caveat for Tzuk and all. Clearly this involves editing the sandbox ini file. This could affect sandboxie the same way editing the registry can affect your system. Don't do this unless a) you are comfortable and b) you make a backup of the file first. Now off to edit. Pete

MitchE323: Control Your Sandbox

Sun Jul 27, 2008 10:48 am

This can be a thread where members can post working ini portions, so those that are new or are having trouble can see what the settings should look like. We have hints and tips scattered all over and this can be a central location. We have a few members that are really good with Firefox, a few others that are really good with IE, and the same for Opera and Outlook. It would be great if they could post pertinent parts of their ini files. I would leave out all of the 'LingerProcess=" and User Settings etc as they only produce very long posts that are hard to focus on. I'll start out with one where you can take full control over what happens within your sandbox. Let's say that you want to allow only four programs to run in a sandbox. That's executing at all is what I mean. This could really be of benefit in terms of what would happen if you downloaded a virus. We know that any virus can not escape the sandbox and damage your system. But what about a virus that runs and just keeps sapping resources? Or a keylogger that records your keystrokes? Some of this has to be inserted by 'Edit Configuration' because ProcessGroups was invented by Tzuk after he was already finished with the new SandboxIE GUI. I will use ClosedIpcPath, and ClosedFilePath. OK, I will make those four programs be Internet Explorer, Word, Excel and Paint Shop Pro. [GlobalSettings] ProcessGroup=,iexplore.exe,winword.exe,excel.exe,psp.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe [DefaultBox] ClosedIpcPath=!,* That setting says that only Internet Explorer, Word, Excel and Paint Shop Pro can run in the DefaultBox sandbox. You need to include the three SandboxIE executables as SandboxIE needs them to run. So a group was created, and then rules for that group in a sandbox were set. Now if Virus.exe, or Keylogger.exe is somehow downloaded into that sandbox during your surfing, it can not even run in the first place. You can set your virus scanner to ignore the sandbox. Notice also that the four programs do not necessarily need to run in this sandbox, they are allowed to run. This would be from right-click 'run sandboxed'. If you are registered, you can use ForceProcess or ForceFolder and then those executables would have to run in that box. You can even get a little tighter with your rules by limiting internet access. I sure as heck do not trust Word and Excel and PSP with internet access, so I will stop that. *Important Notice; There are new additional lines added for Internet Access which are explained by Tzuk later in this thread. [GlobalSettings] ProcessGroup=,iexplore.exe [DefaultBox] ClosedFilePath=!,\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd* ClosedFilePath=!,\Device\RawIP6 ClosedFilePath=!,\Device\Udp ClosedFilePath=!,\Device\Udp6 That setting says that only Internet Explorer can access the net from the DefaultBox sandbox. A group has been created, and rules for that group in a sandbox have been set. When I merge the two sets of instructions together, the ini file looks like this. [GlobalSettings] ProcessGroup=,iexplore.exe,winword.exe,excel.exe,psp.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,iexplore.exe [DefaultBox] ClosedIpcPath=!,* ClosedFilePath=!,\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd* ClosedFilePath=!,\Device\RawIP6 ClosedFilePath=!,\Device\Udp ClosedFilePath=!,\Device\Udp6 That complete instruction states that only those four programs (actually seven) can run in the DefaultBox sandbox, and only one of them can access the web - Internet Explorer. OK, so let's create a second sandbox. [GlobalSettings] ProcessGroup=,Pokerstars.Exe,PokerStarsUpdate.exe,PokerStarsCommunicate.exe [PokerStars] ClosedFilePath=!,\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd* ClosedFilePath=!,\Device\RawIP6 ClosedFilePath=!,\Device\Udp ClosedFilePath=!,\Device\Udp6 That setting says that in the PokerStars sandbox, only the three listed programs can access the web. Now let's merge the two sandboxes together. [GlobalSettings] ProcessGroup=,iexplore.exe,winword.exe,excel.exe,psp.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe ProcessGroup=,iexplore.exe ProcessGroup=,Pokerstars.Exe,PokerStarsUpdate.exe,PokerStarsCommunicate.exe [DefaultBox] ClosedIpcPath=!,* ClosedFilePath=!,\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd* ClosedFilePath=!,\Device\RawIP6 ClosedFilePath=!,\Device\Udp ClosedFilePath=!,\Device\Udp6 [PokerStars] ClosedFilePath=!,\Device\RawIp ClosedFilePath=!,\Device\Ip* ClosedFilePath=!,\Device\Tcp* ClosedFilePath=!,\Device\Afd* ClosedFilePath=!,\Device\RawIP6 ClosedFilePath=!,\Device\Udp ClosedFilePath=!,\Device\Udp6 So first we merged two instructions together that pertained to the same sandbox. And then we added and merged a second sandbox as well. :wink: Edited to include new Internet access lines.