Sandboxie - How does it work and how can it be used?

Autobahn

I have just installed this program and am still getting used to it.

I understand that I can run my browser in the sandbox but if I download a program or create some new tabs in my browser they won't be saved.

I have also read that you can run 'windows explorer' sandboxed so if you have a crash you can continue because of 'windows explorer' being sandboxed.

I don't even know what 'windows explorer' is. What I want to know is whether any information that needs to be saved won't be saved because it's in the sandbox.

This is what I'm trying to get my head round: What is happening when something is in the sandbox.

What else could I sandbox that would be useful?

I know that I can play a game sandboxed, or open a file using 'Sandboxie' to view the contents and I will be protected if there is anything bad inside the file.

How do users of 'Sandboxie' use it, to give me an idea of how it can be used?
How do you go about installing new programs?

How can I run everything sandboxed and do everything I used to do on my laptop, but with extra protection?

Any thoughts will be appreciated.

Thanks
 

So you don't use any kind of sandbox program?
 

Occasionally I use ToolWiz TimeFreeze. Sandboxie was excellent for 32 bit. But with 64 bit Microsoft prevented the kernel from being patched. That means the 64 bit Sandboxie has to use different techniques than the 32 bit. What you use is highly dependent on how you use the machine etc.

If you paid for Sandboxie I would participate in the forums there. I did for several years. It's kind of complex to discuss on a single thread here. Especially since I haven't updated past version 2.x.
 

Sandboxie is a great program... For Windows XP.
It was one of my essential programs when I was under XP, specifically for any Internet applications like browsers and emails.

In Windows 7 and 8 though, you're better off using a Standard User Account instead of Administrator, and putting UAC on High. This is more than enough for most users. If an application tries to modify something it isn't allowed to (any system settings), then you'll get a warning and a UAC prompt.
If you want more info on the benefits of using a User Account, check this :
Standard User Account | CyberCoyote.org | HTCC

For power users, you can put some applications in Low Integrity Level; this is basically what Metro Apps and Internet Explorer in Protected Mode use. This is a new built-in way to sandbox applications in Windows since Vista; sadly you have to do it manually if your program isn't already designed to do that. I use ICACLS (Icacls) to do that via the command line and, while you need to be a little tech-savvy, I find it actually much better than Sandboxie. It restricts the programs much more than usual: they can't write or modify anything that isn't also at Low Integrity (apart from the Download folder, nothing should be on a default Windows setup).
More info :
https://isc.sans.edu/diary/Limiting+Exploit+Capabilities+by+Using+Windows+Integrity+Levels/10531
What is the Windows Integrity Mechanism?

The only thing Sandboxie might still be good at under Win 7/8 is when you want to test suspicious programs. In theory, if it is malicious, Sandboxie will allow you to restrict anything it does to the system. But honestly, the sandbox mechanisms it provides aren't foolproof (there are various ways to bypass them), and if you really are security conscious you are better off using virtualization (Virtualization - Windows 8 Forums), which isn't foolproof either but is a step higher in the difficulty to exploit, combined with disk imaging.
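The icacls procedure the post above describes, written out as an added example in PowerShell (this is not code from the post or from Sandboxie). The program path C:\Tools\SumatraPDF\SumatraPDF.exe and the scratch folder C:\LowBox are assumptions chosen for illustration; the icacls switch, the label inheritance and the "new process gets the lower of parent and image label" rule are Windows' own behaviour.

```powershell
# Added example, not code from the post above: run a program at Low integrity
# with icacls and give it a Low-labelled folder it is allowed to write into.
# Assumed for illustration: the program is C:\Tools\SumatraPDF\SumatraPDF.exe
# and the scratch folder is C:\LowBox. Run from an elevated PowerShell.

$Exe        = 'C:\Tools\SumatraPDF\SumatraPDF.exe'   # assumed path
$ScratchDir = 'C:\LowBox'                             # assumed, created below

# 1. A Low process may only write to objects that are themselves labelled Low
#    (the default mandatory policy is No-Write-Up). Create a scratch folder and
#    label it Low; (OI)(CI) makes files and subfolders created inside inherit it.
New-Item -ItemType Directory -Path $ScratchDir -Force | Out-Null
icacls $ScratchDir /setintegritylevel '(OI)(CI)low'

# 2. Label the executable Low. A new process gets the lower of its parent's
#    integrity level and the label on the image file, so starting this file
#    from a normal (Medium) shell yields a Low process.
icacls $Exe /setintegritylevel low

# 3. Verify. Labelled objects print 'Mandatory Label\Low Mandatory Level:(NW)';
#    unlabelled objects are implicitly Medium and print no such line.
icacls $Exe
icacls $ScratchDir

# 4. Prove the effect with a Low copy of cmd.exe (leave the system binary
#    alone). The copy inherits the Low label from the folder; the explicit
#    icacls call just makes that visible in the script.
$LowCmd = Join-Path $ScratchDir 'cmd.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" $LowCmd
icacls $LowCmd /setintegritylevel low
# whoami run inside the Low shell reports 'Mandatory Label\Low Mandatory Level'
& $LowCmd /c 'whoami /groups' | Select-String 'Mandatory Level'

# 5. A write into an unlabelled (Medium) location such as the user profile
#    fails with 'Access is denied'; the same write into the Low folder works.
#    The backtick keeps PowerShell from treating '>' as its own redirection,
#    so cmd.exe (running at Low) performs the redirect.
& $LowCmd /c echo test `> "$env:USERPROFILE\low-test.txt"
& $LowCmd /c echo test `> "$ScratchDir\low-test.txt"
Test-Path "$env:USERPROFILE\low-test.txt"   # the denied write leaves no file
Test-Path "$ScratchDir\low-test.txt"        # the Low-folder write does

# To revert: icacls <path> /setintegritylevel medium, then delete C:\LowBox.
```

Two caveats worth knowing before relying on this. The integrity mechanism is no-write-up only: a Low process can still read everything a Medium process of the same user can (documents, saved passwords, cookies), so it limits tampering and persistence, not data theft. And a program run this way can only save its own settings if its profile directory (for Firefox, the folder under %APPDATA%\Mozilla) is labelled Low as well; an update that replaces the executable also drops the label, so re-check with icacls after updating.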
 
Thanks for the detailed reply.

Completely forgot about UAC - how exactly does it protect me? What will happen if I am searching Google on a certain subject and click on a dodgy website by mistake or download a program that includes browser search hijack for instance?

Mine was set at the absolute minimum - don't know why I set it as low as that!?

I read the link: 'Cybercoyote' and will have to read it again - too much information and I could not get my head round it all.

I don't really understand about 'user accounts' and what the difference is between 'standard' and 'administrator'.

My user account says:
Local Account
Administrator

I can't work out why it is best to create a new 'user account' and why it is best for it to be a 'standard' one?

I have now set the UAC to 'Always notify' but I am still an 'administrator'.

Can I leave it like that or is it best to now create a new 'user account'?
 

Microsoft, since Windows Vista, strongly recommends using what's called a Limited User or Standard User account for regular use of your desktop PC (Why use a standard user account instead of an administrator account?).

This is a major security feature that follows the Principle of least privilege. Basically, under this account, the user and all the applications he launches are very limited in what they can do. They can't, for example, modify the system settings, the Windows registry, or other programs' settings (like your browser default search engine, or toolbar, etc.). As you can see, this prevents most of what malware does, without even an anti-virus.

In practice, if you're under a standard user (without administrator privileges) and you click something suspicious in your browser, Windows will prevent it and give you a warning. You'll be presented with a prompt for your administrator password. At this point if you type the password and allow it, this is on you...

This kind of security can be very annoying when you set up a fresh new installation of Windows since you get constant prompts for your administrator's password, which is why many users don't follow Microsoft's recommendations (and probably why you put UAC so low). But after this phase, it is mostly silent and is in practice only seen when installing new software or when you encounter malware.

UAC is a response by Microsoft to the hassle of using a standard account: you can still use an administrator account (which is the norm under Windows and is part of the culture of its customers) but get warnings when something tries to access restricted parts of the system. I still recommend creating a new account as a limited user though. Unless you constantly install new software, this is in my opinion the safest course. Opinions may vary on this though.
More info : UAC and Virtualization - some infos for all | Wilders Security Forums

Anyway, as you can see a standard user account covers much of what sandboxing applications do: it limits the damage of any untrusted applications. At some point though, when you tell the system that you trust an application, you give it a lot of leeway to do whatever it wants. It is very black and white. Untrusted can't do much, Trusted can do almost anything. That's when sandboxing can be nice since it allows you finer control of what the applications can do. But for most users I don't think this is necessary (and as you'll see below, sandboxing is already implemented internally in some browsers). You should also note that malware can in some instances detect that it is being run sandboxed or virtualized and will just stay stealthed and do nothing, so you can never be sure something is safe by testing it this way.

Here are my recommendations for a secure PC:

* Principle of least privilege: use a standard user account for day-to-day use.

* Update regularly. This is very important; automatic updates help with that but can be very annoying when installing at the wrong moments. Windows Update is of course the first to check, but all your other applications and especially Internet-facing ones (browser, email, messaging, etc.) are crucial too. This is to prevent Exploits.

* Use a firewall and block all inbound traffic. The Windows firewall does that perfectly by default so make sure it's enabled.

* Use an anti-virus. I'm fine with Windows Defender but a lot of other choices exist. This isn't the be-all and end-all of your security, contrary to what AV developers would like to make us believe, only one of the layers to protect you.

* Disable Autorun. IIRC by default in Windows 8, autorun is disabled on USB/CD. If it's not, turn it off; you don't want anything to execute without your consent, since USB sticks have become a major means of malware transmission. More info : How to disable the Autorun functionality in Windows

* Install and use EMET (Download Enhanced Mitigation Experience Toolkit 5.0 from Official Microsoft Download Center). This is a great tool by Microsoft to prevent most current exploits. Be careful with the options though, and use the recommended settings if you don't know what you're doing. More info : Quickly Secure Your Computer With Microsoft's Enhanced Mitigation Experience Toolkit (EMET)

* Be careful with what you authorize to run on your PC. Use Google to check that anything new you install is safe. Check the digital signature of the executables. Use additional virus scanners besides your main one; I recommend VirusTotal, which simplifies this process.

* A lot of people will say that you should be careful where you browse on the Internet, and it's true... up to a point. Be aware that a lot of malware comes from visiting legit and very popular sites, not underground ones. The main culprits are ads which are hosted outside the official sites and can lead to malicious programs or sites. This is why the choice of your browser, no matter if you have safe browsing habits or not, should at least partly be based on how secure it is.
Chrome (Sandbox FAQ - The Chromium Projects) and IE (Enhanced Protected Mode - IEBlog - Site Home - MSDN Blogs) implement internal sandboxing, and at least with Chrome it is in theory safer than Sandboxie against exploits and drive-by downloads. Firefox lacks this (although Mozilla is working on it : https://wiki.mozilla.org/Electrolysis), but some of its extensions are very good for security, like AdBlock and NoScript.

* Disable/Uninstall what you don't use. This is to lower your attack surface. The more applications/plugins/services/protocols/etc. you have running, the more vulnerable you are. In theory, you should disable everything you don't need. In practice, I recommend disabling/uninstalling Java. Flash is another big offender and if you can I think you should disable it too. At least you should enable the Click To Play Plugins feature in your browser, which allows you to selectively run plugins when you want, not all the time.

* Finally : Backup. Backup. Backup. Check for disk-imaging/cloning solutions; free ones exist and speed up the process of restoring your system. Don't rely on anti-virus for clearing your PC when infected but restore to a clean state from your backups.
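The standard-user/UAC explanation and the checklist above, turned into one added PowerShell audit (this is example code written for this page, not something from the post). It creates the standard account the post recommends, reads back the UAC, firewall and Autorun settings that the recommendations refer to, and checks a download's digital signature. The account name 'daily' and the installer path under Downloads are assumptions; the registry values and commands are the documented Windows ones and exist on Windows 7, 8 and 8.1.

```powershell
# Added example, not code from the post above: audit a Windows 7/8 machine
# against the checklist and create a standard (non-admin) account for daily use.
# Run from an elevated PowerShell (3.0 or later, which Windows 8 ships with).
# The account name and installer path are assumptions for the example.

$NewUser   = 'daily'                                   # assumed account name
$Installer = "$env:USERPROFILE\Downloads\setup.exe"   # assumed downloaded file

function Test-IsAdmin {
    # True only when the running token actually holds the Administrators role.
    # A non-elevated admin logon returns False because UAC filtered the token;
    # a standard user returns False because the group is not there at all.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 1. Least privilege: create the standard account. 'net user /add' puts a new
#    local account in the Users group only; just never add it to Administrators.
net user $NewUser *> $null
if ($LASTEXITCODE -ne 0) {
    net user $NewUser * /add          # '*' prompts for the password
}
Write-Host "Members of Administrators (the new account must NOT be listed):"
net localgroup Administrators
Write-Host "This session holds the admin role: $(Test-IsAdmin)"

# 2. UAC. The slider's 'Always notify' is ConsentPromptBehaviorAdmin = 2 with
#    PromptOnSecureDesktop = 1; the Windows default is 5 (prompt only when a
#    non-Windows binary elevates); EnableLUA = 0 means UAC is switched off.
#    For a standard account, ConsentPromptBehaviorUser = 3 asks for an admin
#    password on the secure desktop, which is the prompt the post describes.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    ConsentPromptBehaviorUser  = $uac.ConsentPromptBehaviorUser
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop
} | Format-List

# 3. Firewall: every profile should show 'State ON' and the policy
#    'BlockInbound,AllowOutbound'.
netsh advfirewall show allprofiles |
    Select-String 'Profile Settings|^State|Firewall Policy'

# 4. Autorun: NoDriveTypeAutoRun = 0xFF disables autorun for every drive type.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $pol)) { New-Item -Path $pol | Out-Null }
$cur = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($cur -ne 0xFF) {
    Set-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Write-Host "NoDriveTypeAutoRun set to 0xFF (was: $cur)"
}

# 5. Check a download before running it: Authenticode signature, plus a SHA-256
#    you can search on VirusTotal without uploading the file itself.
if (Test-Path $Installer) {
    $sig = Get-AuthenticodeSignature -FilePath $Installer
    if ($sig.Status -eq 'Valid') {
        Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
    } else {
        Write-Host "Signature status: $($sig.Status) - unsigned or tampered; do not run it on trust alone"
    }
    certutil -hashfile $Installer SHA256
}
```

Everything except step 4 only reads settings, so it is safe to run repeatedly; step 4 writes a single policy value. A valid signature tells you who signed the file, not that it is safe, so the hash lookup is the second check the post asks for. Log off and back on as the new standard account before treating the machine as converted; the admin account stays for installs and the UAC password prompts.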
 
I prefer Deep Freeze over something like Sandboxie. But, it's a bit of a different application. Deep Freeze is more geared towards you always running your PC in "frozen" mode unless you want to make a change and then you temporarily suspend Deep Freeze to make your changes then refreeze the system again. But, you want to be sure you have a dedicated data drive to save items you don't want deleted at next reboot.
 

Deep Freeze looks more comprehensive. But for a single user the freeware ToolWiz TimeFreeze seems to work well. By default it only shadows the system partition, but that is adjustable. I liked to run it backwards: have it come up with Windows but disabled. That way I can turn it off and on without a reboot. To undo changes, just leave it running and reboot. I did notice a bit of a performance hit, but it's impossible to have redirection of disk writes without some type of penalty.

Edit: Much simpler to configure than Sandboxie. But SB is for sandboxing applications individually.
 

Thanks for such a detailed reply.
I am so busy with work at the moment I have not got round to making a 'standard user account' - this will be my first priority.

I have never heard of EMET and think it will be a good idea to install it.

I watched a video on Youtube about EMET, but this was for Windows 7 64bit.

Microsoft EMET setup explained for the Home User - YouTube

I have Sumatra pdf reader (as mentioned in the video), so I will have to add that to the list of programs to be protected.
I'm just wondering what other programs I need to protect?

One question about EMET: If I want to uninstall it, will there be problems - will it cause problems with any programs for instance, or with my computer?
It most probably won't, but you never know.

There are so many things to think about and how these changes will affect the way I use my computer.
 

EMET is very lightweight, and you can install/uninstall it without any problems.

Any application can be added to EMET but some need tinkering with which features you select.
The apps you most want to protect with EMET are all your Internet-facing programs, specifically your browser(s), mail reader, etc. But you can also add multimedia players, office apps (Word, Excel, ...).
 

Hi there

A virtual machine is far better IMO. That is far better protection -- also if the virtual machine gets infected, just fire up a new one.

I always HATE with a passion anything that says "Go Pro".

XP machines can still run quite nicely with FREE Virtualisation software - HYPER-V, VBOX or VMWARE.

This whole "Go Pro" stuff when it used to be free just gets my goat.

Decent VMs are isolated from the host, so there's not any chance of the HOST getting infected. Just clone some VMs and then you can tinker around to your heart's content. Modern machines can run VMs almost as fast as the native host.

Cheers
jimbo
 

Any changes that are made in the 'virtual machine' won't be saved will they?
So if I installed a new program it will be deleted when I close the 'virtual machine'?
 

The VM saves when you shut down, the same as Windows. If you delete the VM then all is gone. The point being, a file inside the VM's virtual disk can't be accessed while the VM is not running, for all intents and purposes. If you surf in a VM and get a virus you can just delete the VM. Also, for VMs like VMware Player you can copy the Virtual Machines folder as a backup. If a VM gets infected, delete it and copy the old one back from the Virtual Machines folder backup.

Edit: That type of backup is quick and dirty and OK if you have another drive with plenty of space. To get some compression you can back up using an imaging program such as Macrium Reflect.
 
