for maximum protection, stop activity in all sandboxes, Why

Re: for maximum protection, stop activity in all sandboxes, W

Guest10

I can't answer your main question.
Having Internet Access Restrictions turned on automatically prevents programs whose .exe files are located inside of the sandbox from having Internet Access. Is it your intention to allow any program whose .exe file is located outside of the sandbox to be able to access the Internet when using that sandbox, instead of adding a long list of .exe programs to the ProcessGroup line? I can sympathize with that, if it is your intention, because my ProcessGroup line for programs that have Start/Run access is quite long.

OpenPipePath gives a little more direct access to the D:\Downloads folder than I would recommend, since the setting applies to all programs that use the sandbox, including programs whose .exe file is located inside of the sandbox. An OpenFilePath setting might be more appropriate than an OpenPipePath setting, since only programs whose .exe file is outside of the sandbox would be allowed to make use of OpenFilePath.

_________________ Paul XP Pro SP3 (Admin rights), Zone Alarm Pro Firewall, Malwarebytes Pro, Firefox 21, Thunderbird 17

pool

Thanks for responding,

No, the (*) is a mistake, I only want iexplore.exe to be able to run. To me, this dialog is somewhat confusing. On the top it says: "the following programs can access the internet"; at the bottom it says: "When this feature is enabled, programs that are installed (or downloaded) into the sandbox will never be allowed to access the Internet." So if I put iexplore.exe there it can't access the internet..... Obviously this is not so. The help says: "when any restrictions are in effect programs that are installed (or downloaded) into the sandbox will never be allowed to access the Internet." This is better to understand (to me).

"OpenPipePath gives a little more direct access to the D:\Downloads folder than I would recommend, since the setting applies to all programs that use the sandbox, including programs whose .exe file is located inside of the sandbox."

I only use it to download bank statements. If it is safer I can use "immediate recovery" to recover the files.

Guest10

Well, when you remove the wild card and comma (*,) from the line, be prepared to start adding more .exe programs to the list. Listing programs that are allowed Internet access might not be as bad as listing all programs that can Start and Run using the sandbox. I have quite a list, for that. I don't use Internet Access restrictions, because I use a firewall program and programs that cannot start and run are not going to be able to access the Internet, anyway.
The files for these .exe programs remain outside of the sandbox, even though they are running under Sandboxie's supervision. If any .exe file finds its way into the sandbox, such as being downloaded there, it will not be allowed Internet access even if the name matches an .exe program that is located outside of the sandbox - such as iexplore.exe.
(Sandbox Settings > Resource Access > File Access > Direct Access) should be OK to use, instead of: (Sandbox Settings > Resource Access > File Access > Full Access)

With any direct access setting, you should limit what programs can make use of it, though.

Sandbox Settings > Resource Access > File Access > Direct Access
"Add Program" button: iexplore.exe <-- if that's the program that saves the bank statements
"Add" button: Navigate to and select the D:\Downloads folder.

results in:
OpenFilePath=iexplore.exe,D:\Downloads\

Lumberjack

I have only one question. Where am I supposed to write this configuration in Sandboxie, in what section? And how? Is this configuration enough for protection, but still will not disable my internet, opening and surfing with Mozilla Firefox and Internet Explorer? I only hope this maximum configuration will not freeze my computer, so I can't open anything at all. Thanks.

pool

@Guest10
Thank you for the elaborate explanations, I'll use it to strengthen the "bank" sandbox. And when I find the time I'll read up some more on the config options.
Cheers
PS, I'd still like to know the answer to the original question....anyone?

pool

@Lumberjack
See http://www.sandboxie.com/index.php?SandboxieIni
This is just my personal setup, it is not a proven safe banking config; ask the more experienced members here for recommendations.

bs1

Hi pool.

Assumptions:
1) You're referring to your question that asked: "Note that if you don't like to regularly delete your sandbox, you can set aside one sandbox for trusted browsing, and delete just that sandbox before carrying out the trusted activity. But it is still important to first stop all sandboxed activity in all sandboxes, for maximum protection." Why is this?
2) You read that in the keylogger section: http://www.sandboxie.com/index.php?DetectingKeyLoggers#defend

If the above assumptions are correct, then my understanding is that tzuk makes that recommendation to mitigate the possibility of active malware contained in sandbox A monitoring browsing activity (such as banking) occurring in sandbox B.

_________________ Desktop: XP Pro SP3 32bit, Sandboxie 3.72, NOD32 AV, MBAM (free), Windows Firewall + router Laptop: Win7 Home Pro 64bit, Sandboxie 3.76, Panda Cloud (free), Windows Firewall

pool

Indeed I did.
This I don't understand; this would defeat the sandbox concept, which is that malware can't "escape" from the sandbox. This point is not all that important to me; I trust SB and I'll follow his advice of course, I was just curious.

bs1

If keylogger code is in sandbox A, it will stay contained in sandbox A, so you're right...it can't escape from that sandbox. However, the keylogger can still be monitoring* activity going on with your computer, including keystrokes you are entering in other sandboxes. The fact that the keylogger is contained in a sandbox doesn't mean it is stopped from doing its dirty deeds*. It just means it is contained in the sandbox and can be flushed when the contents of that sandbox are deleted.

* There are fairly simple ways to harden your sandbox to lessen the risk factor here.

ssj100

bs1 pretty much sums it up well.
Also, do remember that Sandboxie's main aim is to prevent permanent changes to your REAL system. This means malware could be operating "freely" in the sandbox, but it would be unable to make any permanent changes to the REAL system. But because malware could potentially be operating "freely" in a sandbox, for those who don't regularly delete the sandbox, the best protection would be to use a separate sandbox for trusted browsing (e.g. banking) while ensuring all other activity in other sandboxes is "shut down" during that e.g. banking session.

_________________ Sandboxie + LUA + SRP + DEP + SuRun Windows Firewall + NAT Router + IPSec (on-demand) VirtualBox (on-demand) Drive SnapShot (on-demand)

pool

@ BS1 & ssj100
I should have thought of this myself; a valid reason to close other sandboxes is indeed the possibility of malware running, especially keyloggers, not a good idea when you do your banking........ An aside: taking this into account, installing a program in a sandbox for a longer period (which I don't do myself) would maybe not be a good idea, there would always be a Sbox open.
If you have time, could you maybe elaborate? Always willing to learn, thanks

bs1

Users of Sandboxie have varying methods to harden their sandboxes based on their unique needs and comfort level, but here are some fairly common ones:

(a) configure the sandbox to automatically delete contents http://www.sandboxie.com/index.php?DeleteSettings (so that every time you use the sandbox it is fresh with no possibility of keyloggers, etc. lingering in it from a previous browsing session)
(b) configure the sandbox so only your browser has internet access http://www.sandboxie.com/index.php?RestrictionsSettings#internet
(c) if you have any private/personal information stored on your computer, such as tax return information or account numbers in My Documents, then use File Access>Blocked Access to restrict access to that information during your browsing session http://www.sandboxie.com/index.php?ResourceAccessSettings#file
(d) if the only program you need running during your browsing session is your browser, then use Start/Run Access to configure the sandbox accordingly. That way, in the unlikely event you pick up any malware it will not be able to run. http://www.sandboxie.com/index.php?RestrictionsSettings#startrun
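
An added example (not part of the thread, and not any poster's code): a small Python check that flags, in one sandbox section of Sandboxie.ini, the settings Guest10 and bs1 warn about above: a wildcard in a ProcessGroup line, OpenPipePath, an OpenFilePath that is not limited to a program, and no automatic delete. The two sample sections, the group name `<InternetAccess_bank>` and the function names are constructed for illustration; `AutoDelete=y` is assumed as the Sandboxie.ini form of option (a).

```python
import re

# Constructed sample sections in Sandboxie.ini syntax; not pool's actual config.
WEAK = r"""
[bank]
Enabled=y
ProcessGroup=<InternetAccess_bank>,*,iexplore.exe
OpenPipePath=D:\Downloads\
"""

HARDENED = r"""
[bank]
Enabled=y
AutoDelete=y
ProcessGroup=<InternetAccess_bank>,iexplore.exe
OpenFilePath=iexplore.exe,D:\Downloads\
"""

def parse_box(text, box):
    """Return the (key, value) pairs of one sandbox section; keys may repeat."""
    settings, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif current == box and "=" in line:
            key, value = line.split("=", 1)
            settings.append((key.strip(), value.strip()))
    return settings

def audit_box(text, box):
    """Flag the weak settings discussed in the thread; returns a list of findings."""
    settings = parse_box(text, box)
    findings = []
    if not any(k == "AutoDelete" and v.lower() == "y" for k, v in settings):
        findings.append("AutoDelete is not enabled: sandbox contents survive between sessions")
    for key, value in settings:
        # Assumption: the part before the first comma is a program or group name.
        parts = [p.strip() for p in value.split(",")]
        if key == "ProcessGroup" and "*" in parts[1:]:
            findings.append(f"ProcessGroup {parts[0]} contains the wildcard *")
        elif key == "OpenPipePath":
            findings.append(f"OpenPipePath={value} also applies to programs inside the sandbox")
        elif key == "OpenFilePath" and len(parts) < 2:
            findings.append(f"OpenFilePath={value} is not limited to one program")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_box(text, "bank"))
```
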

pool

Thank you for elaborating
This is already in place
Is now in place
Is now in place
Is now in place. And I followed the recommendations from "Guest10"
+ while banking I make sure all other boxes are closed. So here is what my "bank" config looks like now: