Trust No Program
Whitelist sandbox
Ruhe


Joined: 03 Jul 2008
Posts: 803
Location: Germany
Is this the correct way for a "Whitelist sandbox"?

Only allow the specified apps to run (ProcessGroup=<StartRunAccess_Firefox>), and allow Internet access to the ones in ProcessGroup=<InternetAccess_Firefox>.
There should be no further restrictions to the apps allowed to run.



Code:
[GlobalSettings]

ProcessGroup=<InternetAccess_Firefox>,firefox.exe,java.exe,plugin-container.exe,plugin~1.exe
ProcessGroup=<StartRunAccess_Firefox>,firefox.exe,jp2launcher.exe,jp2lau~1.exe,java.exe,plugin-container.exe,plugin~1.exe,dllhost.exe,foxit reader.exe,foxitr~1.exe

[Firefox]

ConfigLevel=7
Enabled=y
BoxNameTitle=y
BorderColor=#8000FF
AutoDelete=y
NeverDelete=n
NotifyInternetAccessDenied=y
DropAdminRights=y
NotifyStartRunAccessDenied=y
Template=BlockPorts
Template=Firefox_Force
OpenFilePath=*
OpenPipePath=*
OpenKeyPath=*
OpenIpcPath=*
OpenWinClass=*
OpenClsid=*
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Http\*
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Nsi
ClosedFilePath=!<InternetAccess_Firefox>,\Device\RawIp6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Udp6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Tcp6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Ip6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\RawIp
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Udp
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Tcp
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Ip
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Afd*
ClosedIpcPath=!<StartRunAccess_Firefox>,*
Mike


Joined: 16 Nov 2009
Posts: 592
Hi Ruhe, I haven't tried whitelisting like that so I can't comment, but a couple very minor points:

1. You might want to use ClosedFilePath=!<InternetAccess_Firefox>,InternetAccessDevices to replace those 11 lines from ...Http\* to ...Afd*.
2. You probably don't need both the long- and short-format process names. For example, for plugin-container.exe I've never used the 8.3 form, plugin~1.exe. Tzuk explained it here: http://www.sandboxie.com/phpbb/viewtopic.php?t=9407
Ruhe


Joined: 03 Jul 2008
Posts: 803
Location: Germany
Thanks.

1. Where can I find information in the board regarding InternetAccessDevices?
2. In the past there were problems with long file names, like Foxit Reader.exe. Therefore the recommendation was to include the short name too.
Re: Whitelist sandbox
Guest10


Joined: 27 Apr 2008
Posts: 4367
Location: Ohio, USA
Ruhe wrote:
Is this the correct way for a "Whitelist sandbox"?
My first question back to you would be: what version of Sandboxie are you using?
The latest versions create their "ProcessGroup=..." lines underneath the sandbox heading, not under [GlobalSettings]:
Code:
[Firefox]

ProcessGroup=<InternetAccess_Firefox>,firefox.exe,java.exe,plugin-container.exe,plugin~1.exe,...
Sandboxie will create them in the individual sandbox section, if you are using a recent version.
Also, there's a new section in the GUI called "Program Groups", in which you can create your own Program Group for a particular sandbox.

I hope that the following lines are only there for some test you were planning on making, because they will allow everything to escape from the sandbox:
Ruhe wrote:
OpenFilePath=*
OpenPipePath=*
OpenKeyPath=*
OpenIpcPath=*
OpenWinClass=*
OpenClsid=*
Plus, the latest Sandboxie versions will create a simplified line for Internet Access:
ProcessGroup=<InternetAccess>,firefox.exe,plugin-container.exe,.... and so on
ClosedFilePath=!<InternetAccess>,InternetAccessDevices

The "InternetAccessDevices" grouping of lines is a recent development, and may not be documented yet.
It's automatically used for you, if you use the latest Sandboxie beta versions.
I imagine that you need to be using one of the latest versions in order to use this, or the setting won't make any sense to the earlier Sandboxie versions.

_________________
Paul
XP Pro SP3 (Admin rights), Zone Alarm Pro Firewall, Malwarebytes Pro, Firefox 21, Thunderbird 17
Re: Whitelist sandbox
Ruhe


Joined: 03 Jul 2008
Posts: 803
Location: Germany
Guest10 wrote:
I hope that the following lines are only there for some test you were planning on making, because they will allow everything to escape from the sandbox

These are intentional settings. The sandbox should only control what apps may run.
Mike


Joined: 16 Nov 2009
Posts: 592
Ruhe wrote:
1. Where can I find information in the board regarding InternetAccessDevices?
2. In the past there were problems with long file names, like Foxit Reader.exe. Therefore the recommendation was to include the short name too.

1. InternetAccessDevices was introduced in the 3.49 betas, I think. I mentioned this setting but there was never any discussion. Anyway, if you create a new sandbox and block all internet access, this is the setting that Sandboxie Control adds.
2. Ah, I remember now. I thought that issue was specific to Foxit, but perhaps not.

Guest10 wrote:
The latest versions create their "ProcessGroup=..." lines underneath the sandbox heading, not under [GlobalSettings]

Very true. But when process groups are used by multiple sandboxes, it can be convenient to leave them under [GlobalSettings]. Does anyone know if this is now deprecated? If it is, I suppose templates would be the obvious answer.
Ruhe


Joined: 03 Jul 2008
Posts: 803
Location: Germany
InternetAccessDevices and ProcessGroup are done. All my sandboxes are adjusted with the new settings.
Guest10


Joined: 27 Apr 2008
Posts: 4367
Location: Ohio, USA
Concerning the wild card exclusion lines that you have in the Firefox sandbox section -
make sure you do not use "Run Sandboxed" for an installer program, like the Firefox installer, because your install will take place unsandboxed.
----
I was planning to check what settings might be needed for a program that I was installing in a sandbox, and I added the wild card exclusions to the sandbox settings before I installed the program. I should have waited to use the wild card settings until after the install.

Anyway, the installer program was happy to make use of the wild card settings, and I wound up with the program installed outside of the sandbox, even though I had used "Run Sandboxed".
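An added example, not part of any post in this thread and not Sandboxie's own tooling: a small Python check over Sandboxie.ini-style text that lists, per sandbox, the wildcard Open* settings discussed above and any process group used in a Closed* line that is defined neither in that sandbox section nor under [GlobalSettings]. The sample configuration and the [Installers] sandbox name are constructed for illustration.

```python
import re

# Constructed sample, modelled on the settings quoted in this thread.
SAMPLE_INI = """\
[GlobalSettings]
ProcessGroup=<InternetAccess_Firefox>,firefox.exe,plugin-container.exe
ProcessGroup=<StartRunAccess_Firefox>,firefox.exe,dllhost.exe
[Firefox]
OpenFilePath=*
OpenKeyPath=*
OpenIpcPath=*
ClosedFilePath=!<InternetAccess_Firefox>,InternetAccessDevices
ClosedIpcPath=!<StartRunAccess_Firefox>,*
[Installers]
ClosedFilePath=!<InternetAccess_Installers>,InternetAccessDevices
"""

OPEN_KEYS = {"OpenFilePath", "OpenPipePath", "OpenKeyPath",
             "OpenIpcPath", "OpenWinClass", "OpenClsid"}

def parse_ini(text):
    """Return {section: [(key, value), ...]}; repeated keys are all kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Per sandbox: wildcard Open* keys and referenced-but-undefined groups."""
    sections = parse_ini(text)
    def groups(name):  # group names declared by ProcessGroup= lines in a section
        return {v.split(",", 1)[0] for k, v in sections.get(name, [])
                if k == "ProcessGroup"}
    report = {}
    for name, items in sections.items():
        if name == "GlobalSettings" or name.startswith("UserSettings_"):
            continue  # not sandbox sections
        wide = sorted(k for k, v in items if k in OPEN_KEYS and v == "*")
        used = {m for k, v in items if k.startswith("Closed")
                for m in re.findall(r"^!?(<[^>]+>),", v)}
        missing = sorted(used - groups(name) - groups("GlobalSettings"))
        report[name] = {"wildcard_open": wide, "undefined_groups": missing}
    return report
```

A sandbox that shows a non-empty `wildcard_open` list is one where the whitelist only restricts which programs start, so anything allowed to start, an installer included, writes outside the sandbox as described in the post above.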

Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.