Control Your Sandbox
MitchE323
This can be a thread where members can post working ini portions, so those that are new or are having trouble can see what the settings should look like. We have hints and tips scattered all over and this can be a central location. We have a few members that are really good with Firefox, a few others that are really good with IE, and the same for Opera and Outlook. It would be great if they could post pertinent parts of their ini files. I would leave out all of the 'LingerProcess=' and User Settings etc., as they only produce very long posts that are hard to focus on.

I'll start out with one where you can take full control over what happens within your sandbox. Let's say that you want to allow only four programs to run in a sandbox. By "run" I mean execute at all. This could really be of benefit in terms of what would happen if you downloaded a virus. We know that any virus cannot escape the sandbox and damage your system. But what about a virus that runs and just keeps sapping resources? Or a keylogger that records your keystrokes?

Some of this has to be inserted by 'Edit Configuration' because ProcessGroups was invented by Tzuk after he was already finished with the new SandboxIE GUI. I will use ClosedIpcPath, and ClosedFilePath.

OK, I will make those four programs be Internet Explorer, Word, Excel and Paint Shop Pro.

[GlobalSettings]

ProcessGroup=<RunAccess_DefaultBox>,iexplore.exe,winword.exe,excel.exe,psp.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe

[DefaultBox]

ClosedIpcPath=!<RunAccess_DefaultBox>,*


That setting says that only Internet Explorer, Word, Excel and Paint Shop Pro can run in the DefaultBox sandbox. You need to include the three SandboxIE executables, as SandboxIE needs them to run.

So a group was created, and then rules for that group in a sandbox were set. Now if Virus.exe or Keylogger.exe is somehow downloaded into that sandbox during your surfing, it cannot even run in the first place. You can set your virus scanner to ignore the sandbox. Notice also that the four programs do not necessarily need to run in this sandbox; they are allowed to run. This would be from right-click 'Run Sandboxed'. If you are registered, you can use ForceProcess or ForceFolder, and then those executables would have to run in that box.

You can even get a little tighter with your rules by limiting internet access. I sure as heck do not trust Word and Excel and PSP with internet access, so I will stop that.

*Important Notice: There are new additional lines added for Internet Access which are explained by Tzuk later in this thread.

[GlobalSettings]

ProcessGroup=<InternetAccess_DefaultBox>,iexplore.exe

[DefaultBox]

ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIp
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Ip*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Afd*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIP6
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Udp
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Udp6


That setting says that only Internet Explorer can access the net from the DefaultBox sandbox. A group has been created, and rules for that group in a sandbox have been set.

When I merge the two sets of instructions together, the ini file looks like this.

[GlobalSettings]

ProcessGroup=<RunAccess_DefaultBox>,iexplore.exe,winword.exe,excel.exe,psp.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe
ProcessGroup=<InternetAccess_DefaultBox>,iexplore.exe

[DefaultBox]

ClosedIpcPath=!<RunAccess_DefaultBox>,*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIp
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Ip*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Afd*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIP6
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Udp
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Udp6


That complete instruction states that only those four programs (actually seven) can run in the DefaultBox sandbox, and only one of them can access the web - Internet Explorer.

OK, so let's create a second sandbox.

[GlobalSettings]

ProcessGroup=<InternetAccess_PokerStars>,Pokerstars.Exe,PokerStarsUpdate.exe,PokerStarsCommunicate.exe

[PokerStars]

ClosedFilePath=!<InternetAccess_PokerStars>,\Device\RawIp
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Ip*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Afd*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\RawIP6
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Udp
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Udp6


That setting says that in the PokerStars sandbox, only the three listed programs can access the web.

Now let's merge the two sandboxes together.

[GlobalSettings]

ProcessGroup=<RunAccess_DefaultBox>,iexplore.exe,winword.exe,excel.exe,psp.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe
ProcessGroup=<InternetAccess_DefaultBox>,iexplore.exe
ProcessGroup=<InternetAccess_PokerStars>,Pokerstars.Exe,PokerStarsUpdate.exe,PokerStarsCommunicate.exe

[DefaultBox]

ClosedIpcPath=!<RunAccess_DefaultBox>,*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIp
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Ip*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Afd*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIP6
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Udp
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Udp6

[PokerStars]

ClosedFilePath=!<InternetAccess_PokerStars>,\Device\RawIp
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Ip*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Afd*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\RawIP6
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Udp
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Udp6


So first we merged two instructions together that pertained to the same sandbox. And then we added and merged a second sandbox as well.

Edited to include new Internet access lines.


Last edited by MitchE323 on Sun Aug 03, 2008 11:09 pm; edited 1 time in total
Re: Control Your Sandbox
Peter2150
MitchE323 wrote:


Now let's merge the two sandboxes together.

[GlobalSettings]

ProcessGroup=<RunAccess_DefaultBox>,iexplore.exe,winword.exe,excel.exe,psp.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe
ProcessGroup=<InternetAccess_DefaultBox>,iexplore.exe
ProcessGroup=<InternetAccess_PokerStars>,Pokerstars.Exe,PokerStarsUpdate.exe,PokerStarsCommunicate.exe

[DefaultBox]

ClosedIpcPath=!<RunAccess_DefaultBox>,*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIp
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Ip*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Afd*

[PokerStars]

ClosedFilePath=!<InternetAccess_PokerStars>,\Device\RawIp
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Ip*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Afd*


So first we merged two instructions together that pertained to the same sandbox. And then we added and merged a second sandbox as well.


Hi Mitch

This is beautiful. Question: do we also need a ProcessGroup=<RunAccess_PokerStars>,Pokerstars.exe, etc. type statement so these can run in the PokerStars sandbox?

A big caveat for Tzuk and all. Clearly this involves editing the Sandboxie ini file. This could affect Sandboxie the same way editing the registry can affect your system. Don't do this unless a) you are comfortable and b) you make a backup of the file first.

Now off to edit.

Pete
MitchE323
Quote:
Do we also need a ProcessGroup......
You could, if you like. Haha, I actually left it out to show that you can be flexible and do not need to follow precise rules.

One thing that is very helpful when setting up your sandboxes is to think it all through first, develop a strategy and have your sandbox fine-tuned to you.
Peter2150
MitchE323 wrote:
Quote:
Do we also need a ProcessGroup......
You could, if you like. Haha, I actually left it out to show that you can be flexible and do not need to follow precise rules.

One thing that is very helpful when setting up your sandboxes is to think it all through first, develop a strategy and have your sandbox fine-tuned to you.


Cool. So I gather if I don't care what runs in the Pokerstars sandbox I don't need it, but if I want to restrict it, I do.

Pete
Guest10
Thanks for the write-up, Mitch.
Oneder
Mitch, under [GlobalSettings]

Would
ProcessGroup=<Restricted_DefaultBox>

do the same as
ProcessGroup=<RunAccess_DefaultBox>

Or would one be more secure than the other?
MitchE323
Quote:
Peter2150 wrote; Cool. So I gather if I don't care what runs in the Pokerstars sandbox I don't need it, but if I want to restrict it, I do.
Actually it is more a choice of sometimes a program has just too many exe files running and it is a pain to list them all. It is fairly easy to figure out which of the programs need internet access, but sometimes it is hard to tell what actually needs to be running. In those cases I just use Internet Access, usually along with ForceFolder.
MitchE323
@ Oneder;
Whatever is between the " < > " is simply the name of the group - it has no effect on what that instruction is doing. Just like naming your sandbox is up to you.

I could create a sandbox and name it

[FirefoxOnlySandbox]

and still run Internet Explorer in it.

ProcessGroup=<Restricted_DefaultBox>
ProcessGroup=<RunAccess_DefaultBox>


These are just names of ProcessGroups. They, in themselves, do not have any effect.
MitchE323
@ Guest10;
You're quite welcome. Maybe others will join in with tips on other browsers such as Firefox.
MitchE323
So when you use ClosedIpcPath and ClosedFilePath as instructions in the same sandbox, you are actually using ClosedIpcPath to stop all the bad guys. They cannot run, and so of course they also cannot access the internet.

You are now using the Internet Access settings to control what YOUR programs are doing (in the example case, Word-Excel-PSP).

So think of ClosedIpcPath=! as a whitelist anti-executable and the Internet Access settings as an outbound firewall.
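The following is an added example, not code from the thread or from Sandboxie itself. It models only the two mechanisms Mitch's first post and this summary rely on: a ProcessGroup defined under [GlobalSettings], a ClosedIpcPath=!<group>,* line that stops anything outside the group from starting in a box, and the ClosedFilePath=!<group>,\Device\... lines that cut network access for anything outside the group. Given an ini text, a box name and an image name, it answers "may this run?" and "may this reach the network?" so you can check a policy before loading it. The sample ini is the merged configuration from the first post, and the NETWORK_DEVICES list is the seven device paths from that post; the assumptions baked in are that Sandboxie matches group members by image name only, case-insensitively, and that a leading ! means "every process except the named one or group". Because the group entries are bare image names, the allow-list trusts a name rather than a particular binary; the checker reports which names a policy trusts, nothing more.

```python
"""Offline checker for the Sandboxie.ini pattern in this thread (added example,
not Sandboxie's code). Assumed semantics: ProcessGroup members are matched by
image name, case-insensitively; a '!' prefix on a Closed*Path rule means the
rule applies to every process EXCEPT the named program or group."""

from fnmatch import fnmatchcase

# Constructed sample: the merged configuration posted in the thread.
SAMPLE_INI = r"""
[GlobalSettings]
ProcessGroup=<RunAccess_DefaultBox>,iexplore.exe,winword.exe,excel.exe,psp.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe
ProcessGroup=<InternetAccess_DefaultBox>,iexplore.exe
ProcessGroup=<InternetAccess_PokerStars>,Pokerstars.Exe,PokerStarsUpdate.exe,PokerStarsCommunicate.exe
[DefaultBox]
ClosedIpcPath=!<RunAccess_DefaultBox>,*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIp
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Ip*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Afd*
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\RawIP6
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Udp
ClosedFilePath=!<InternetAccess_DefaultBox>,\Device\Udp6
[PokerStars]
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\RawIp
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Ip*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Tcp*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Afd*
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\RawIP6
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Udp
ClosedFilePath=!<InternetAccess_PokerStars>,\Device\Udp6
"""

# Device objects the thread closes to take a process off the network.
NETWORK_DEVICES = [r"\Device\RawIp", r"\Device\Ip", r"\Device\Tcp", r"\Device\Afd",
                   r"\Device\RawIP6", r"\Device\Udp", r"\Device\Udp6"]


def parse_ini(text):
    """Return {section: [(key, value), ...]}; keys repeat, so configparser won't do."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def process_groups(sections):
    """Map lower-cased '<group>' names to the set of lower-cased member image names."""
    groups = {}
    for key, value in sections.get("GlobalSettings", []):
        if key == "processgroup":
            name, *members = (p.strip().lower() for p in value.split(","))
            groups[name] = {m for m in members if m}
    return groups


def split_rule(value):
    """'!<g>,path' -> (negated, program_spec, path); a bare path applies to everyone."""
    head, sep, tail = value.partition(",")
    if sep and (head.startswith(("!", "<")) or head.lower().endswith(".exe")):
        return head.startswith("!"), head.lstrip("!").lower(), tail.strip()
    return False, None, value


def rule_applies(negated, spec, image, groups):
    """Does a rule scoped to 'spec' (image name or <group>) apply to this image?"""
    if spec is None:
        return True
    member = image in groups.get(spec, set()) if spec.startswith("<") else image == spec
    return not member if negated else member


def can_run(sections, groups, box, image):
    """False when a ClosedIpcPath rule closes every IPC path ('*') for this image."""
    image = image.lower()
    for key, value in sections.get(box, []):
        if key == "closedipcpath":
            negated, spec, path = split_rule(value)
            if path == "*" and rule_applies(negated, spec, image, groups):
                return False
    return True


def has_network(sections, groups, box, image):
    """False if the image cannot run at all, or any network device is closed to it."""
    image = image.lower()
    if not can_run(sections, groups, box, image):
        return False
    for key, value in sections.get(box, []):
        if key == "closedfilepath":
            negated, spec, path = split_rule(value)
            if rule_applies(negated, spec, image, groups) and any(
                    fnmatchcase(dev.lower(), path.lower()) for dev in NETWORK_DEVICES):
                return False
    return True


def policy(ini_text, box, images):
    """{image: (may_run, may_use_network)} for each image name in the given box."""
    sections = parse_ini(ini_text)
    groups = process_groups(sections)
    return {img: (can_run(sections, groups, box, img),
                  has_network(sections, groups, box, img)) for img in images}


if __name__ == "__main__":
    probe = ["iexplore.exe", "winword.exe", "PokerStars.exe", "virus.exe"]
    for box in ("DefaultBox", "PokerStars"):
        print(box)
        for img, (run, net) in policy(SAMPLE_INI, box, probe).items():
            print(f"  {img:16} run={run!s:5} network={net}")
```

Running it shows the two posts' claims side by side: in DefaultBox only the seven listed names may start and only iexplore.exe keeps the network, while in PokerStars (which has no RunAccess group, as Peter2150 noticed) anything may start but only the three PokerStars images may reach the network. Because `has_network` reports False as soon as any one of the seven device paths is closed, a box that closes only \Device\Tcp* but forgets \Device\Udp would still be reported as "no network"; if you want to know which transports survive, extend the function to return the set of closed devices instead of a boolean.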
SnDPhoenix
Damn nice job!
I know we (and a lot of others) have been wanting a "post your tips/ini here" sort of thread, but hadn't had the time to get around to it.
Glad to see someone found the time to start one!

Nice job on the tips Mitch. Everything you've recommended is pretty much what I would've posted.
Only thing I would say is if you want to make your PC that much more secure, block off access to the keyboard and clipboard (except the programs you exclude).

If I get a few minutes to think, I'll post some tips and/or examples in here.
jmonge
Mitch, I don't know how to set my DefaultBox to allow Internet Explorer, wmplayer and Windows Live Messenger to access the internet connection and block the rest.

MitchE323
@jmonge I am not too familiar with Windows Live Messenger, but Internet Explorer will call on Windows Media Player as a "child-process" and so you should need nothing additional for WMP. Now if you are running Windows Media Player outright, that is different. See my next post to Pete.
MitchE323
@Peter2150 Windows Media Player when not a child process along with a program like Acrobat Reader, are two examples where you would not bother with 'RunAccess'. The proper way to handle those two is to use ForceFolder on the entire program, and then figure out what needs internet access (usually through trial and error) and allow internet access to what is needed.
jmonge
Thanks, Mitch.
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.