Browser reinforcement with Sandboxie
Sunday, September 9, 2012 5:13:21 PM
But you can fully isolate the browser from your actual system using Sandboxie.
However, there is also a small trick to it. Usually, sandbox programs only isolate the browser from the system. Sandboxie, however, also lowers access rights inside the sandbox in which the browser runs. So, while the browser will work without any problems, any malware, exploit, keylogger, you name it, will have a very hard time stealing even the data inside the sandbox. So it not only isolates the browser from the system itself, it also reinforces it.
There are a few tips and tricks worth mentioning...
Using Sandboxie on Windows 64-bit?
Make sure you open the Sandboxie main interface, click Configure in the menu and pick "Experimental Protection (64-bit)". This will reinforce Sandboxie on 64-bit Windows, which has certain kernel-level defenses that otherwise prevent various security programs (and malware) from operating properly.
Further dropping rights inside sandbox...
Make sure you also right-click the default sandbox that you use for the browser, select "Sandbox Settings", then go to "Restrictions" and the "Drop Rights" menu. Enable the feature.
This will further secure the contents of the sandbox itself.
Download folder exclusion...
Even though Sandboxie offers a mechanism to quickly transfer downloads from the sandbox to your actual system, I still think it's too difficult for the average users you want to protect. You can instead exclude the download folder from the sandbox, so any download is saved directly to your actual system. This is indeed not as secure, but if you have the browser set to only download the file (without the option to "Download and run"), you should be fine.
Right-click the default sandbox that you use for the browser, select "Sandbox Settings", then go to "Resource access", "File access" and then "Direct access". Select "List below applies to" and pick your browser group (<firefoxprograms> for example). Select the Add button and browse to your default browser download location. Apply and close the window.
Along with all the goodies, there is also one rather annoying issue. You cannot use magnet or torrent links inside Sandboxie to download the stuff on your real system. For some reason it's just not possible to do it right now (Sandboxie v3.74), so you have to copy the link to magnet or torrent manually and paste it in the P2P program directly.
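To review the Drop Rights and download-folder exclusion settings described above without clicking through the GUI, here is an added example (not part of the original post and not Sandboxie's own code) that audits a sandbox section of Sandboxie.ini. It assumes the GUI options are stored as the `DropAdminRights` and `OpenFilePath` keys and that the file is UTF-16 encoded; the sample section and its path are constructed.

```python
import re
import sys

# Constructed sample, not from the post. Key names are the assumed
# Sandboxie.ini equivalents of "Drop Rights" and "Direct access".
SAMPLE_INI = r"""
[DefaultBox]
Enabled=y
DropAdminRights=y
OpenFilePath=<firefoxprograms>,C:\Users\alice\Downloads\
"""

def parse_ini(text):
    """Parse Sandboxie-style INI text; keys may repeat, so values are lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def audit_box(sections, box="DefaultBox"):
    """Return (drop_rights_enabled, [(scope, path), ...]) for one sandbox."""
    settings = sections.get(box, {})
    drop = settings.get("DropAdminRights", ["n"])[-1].lower() == "y"
    exclusions = []
    for value in settings.get("OpenFilePath", []):
        # "scope,path" limits the exclusion to a program or <group>;
        # a bare path applies to every program in the sandbox.
        scope, sep, path = value.partition(",")
        if not sep:
            scope, path = "any program", value
        exclusions.append((scope.strip(), path.strip()))
    return drop, exclusions

def findings(sections, box="DefaultBox"):
    """Human-readable review notes for one sandbox."""
    drop, exclusions = audit_box(sections, box)
    notes = [] if drop else [f"{box}: Drop Rights is not enabled"]
    for scope, path in exclusions:
        notes.append(f"{box}: {scope} writes directly to {path}")
    return notes

if __name__ == "__main__":
    # Optional argument: path to a real Sandboxie.ini (assumed UTF-16 encoded).
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INI
    print("\n".join(findings(parse_ini(text))))
```

Every path it reports is a place where files land on the real system unsandboxed, so the list should contain only the download folder you added on purpose.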
Sandboxie instead of VMWare Player, VirtualPC or VirtualBox...
Not exactly the same, but in essence you can use it for quick running of certain apps where you don't want to make your main system dirty. After you're done, you can just delete the contents of the sandbox and the program will not leave a single trace. Programs that don't require kernel drivers will work just fine in it.
Sandboxie is free for personal use and has few limitations. You can only run 1 app at a time in separate sandboxes. You can however run as many apps as you want at once inside one sandbox.
You also don't get an option to force any program or folder to be always sandboxed regardless of how you run it. You have to do it manually or via a dedicated shortcut. But still, it should be enough for most users.
A lifetime license is IMO not that expensive considering what it offers (all the above). I think I might get it soon, because I got quite attached to it. A lifetime license is tempting and you can install it on any number of computers that you own.