How to start a sandboxed process without access to outside storage?

[RaXorX]

How can I start a program fully isolated from the external storage?
Ex. if I run a software inside and outside of the sandbox, the inside one keeps getting all the data of the outside instance and there's no way to just block it up.

[DavidXanatos]

Yes, there is. It is called privacy mode, i.e. the blue/red/cyan boxes, but you need to have a supporter certificate to use this feature without the time limit of 5 minutes.

[RaXorX]

from what I can see I can use the privacy modes for like 5 minutes at the least or not as well?
At least that's what it says unless that's more of a half truth idk.

[RaXorX]

Also, I think I can use that 5 minutes of period. But the problem is, how the heck do I import a file to be fun within that sandbox? Whenever I would try to run one it would always say file cannot be found.

That was on Red box. I'm not aware which box is the best just to take away all access - like shouldn't sandboxie should first copy that file somewhere it can access it from?

[bastik-1001]

It depends on the type of sandbox, one is using. By default, a sandbox has read access to what the user has access to. So with the standard box, for example, it can read C:\Custom folder\custom file.txt, so just opening it in the sandbox does not do anything to the file, so it will be read from its location. If there are changes applied to the file, that are supposed to be saved, then Sandboxie will create a copy within the sandbox, so the original file is preserved and a copy is read and writeable in the sandbox.

Using a sandbox with data protection (like the red one), Sandboxie restricts what can be accessed under that sandbox, even if the user himself has access to those files and locations, so that those need to be explicitly allowed.

Either you have to allow access to what you want to open in the sandbox, or you may copy those to the sandbox, which is located under C:\Sandbox\%USER%\%Sandbox%

[bastik-1001]

You can also use resource access settings to control what a given sandbox has access to, but that is not as easy as using the privacy type boxes. See this comparison for help on resource access.

[RaXorX]

From what I can tell it needs exact proper wildcards and locations to set up.
Yeah I tried that and it wasn't really that easy at all.

[RaXorX]

@bastik-1001 @DavidXanatos
Okay back to trying out Sandboxie one more time and I'm using the Red box. Creating one gives me the prompt to get a certificate else it'll only allow 5 minutes of usage.

Now the problem, once again, when I use the Run Program option, first error/log I get in the log panel is

Second error, C:\Users\[Username]\Desktop is unavailable.

It does show the windows explorer. It has access to the main windows folder, it has access to the Program Files folders. But user directory (Users) and other drives are inaccessible. Meaning I can only start a program that's installed or start a program that's stored in the private directories under the MOST secure box.

Is that me or is that backward? Like, I would only want to run a program that's very suspicious in the MOST secure box, because most probably it's suspicious and hence I need the extra secure box for it. I shouldn't be made to first install it or put in locations where I most definitely don't want it having access to.

I don't understand how that logic works or not. Sadly, the red box shouldn't have access to the private directories - even read access to them. Windows is the one directory I think that might need read access for proper functioning, but not the Program Files - because I'm not sure if I would want to run a program that I installed in a box that's supposed to give me the extra security as a sandbox.

Like, I wouldn't install a program first that I want to run in an extra security box to have to run in the extra security box.

[bastik-1001]

The problem you encountered is a bug. That needs to be fixed.

Second error, C:\Users[Username]\Desktop is unavailable.

That is expected, as Sandboxie does not allow it to be accessed, when the privacy type box is used.

Adding NormalFilePath=C:\Users\[Username]\Desktop to the box restores access to that folder, allowing programs to read from that folder, while at the same time redirecting any attempts to write to it, into the corresponding sandbox folder.

When the installer works normally in Sandboxie, you can install something into the box without it being installed to the system. You can also download, move, copy files into the sandbox and start them with Sandboxie. If you just want to run some binary in C:\untrusted\program\program.exe you have to allow the box to read that path. By default, you can't start something in a privacy type box, if it is not located in a generic place, since anything else is not available. If you want to access something in a privacy type sandbox, you have to make it available by having it in the sandbox or it being configured in a way so that it can be accessed.

What's considered to be made available by default in such a box, might be a bit too broad for many instances. As far as I know, it has been chosen to be compatible with installed programs. David, might be able to give you more insight on that and can probably explain the logic, behind the access restrictions on those types of boxes.

[RaXorX]

Adding NormalFilePath=C:\Users[Username]\Desktop to the box

Where am I supposed to add this to?
Oh damn, weird, when I had tried resource access tab to set the restrictions it hadn't worked then. But it does now :)

😅

[bastik-1001]

When you edit the Sandboxie.ini or when you use Sandman (default user interface for the plus version) to right-click on the box, select Sandbox Options and then "Edit ini Section". There you can add folders that are supposed to be readable, but not writable via NormalFilePath=

You can also use the resource access option in the default user interface for the Plus version (Sandman.exe) where you select Normal for the "Access" while the path is C:\Users\[Username]\Desktop*

I am glad that it works for you.

[DavidXanatos]

C:\Users[Username]\Desktop* is missing a \ should be C:\Users[Username]\Desktop*

[bastik-1001]

I edited it to fix the error. Thanks.