Sandboxie revisited

FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Okay, I've been using NoScript in Firefox to protect myself, and also running Firefox with limited rights using DropMyRights, but it's getting REAL hard to use NoScript anymore because so many websites have a BAZILLION scripts running now, and it's really hard to tell which ones to enable. NoScript also blocks cross-site scripting and a LOT of websites require it now, so even saying "temporarily allow all scripts" doesn't work on some sites because cross-site scripting still kicks in.

Steve Gibson was lamenting the same thing in this week's podcast, and he mentioned he was trying out Sandboxie.

I played with Sandboxie a few years ago, but found it hard to use. It's greatly improved since then. While there is a free version, it's limited in functionality - most important is that the only way to launch a browser in a sandbox is to use the Sandboxie sandbox shortcut. That doesn't help if you launch a web site from an email link, or a shortcut on your desktop. The paid version forces any browser you specify to run in a sandbox no matter how it's launched.

So I went ahead and bought a lifetime license for 5 PCs. I'm using it on my desktop. I am still using NoScript to reduce ads, but I've disabled some of NoScript's advanced features like cross-site scripting blocking to make it more functional.

So far I like it. You do need to enable some settings that allow Firefox (or whichever browser) to share things like bookmarks and cookies outside the sandbox. This was the problem with Sandboxie a few years back when I first looked at it - nothing you did in the sandbox persisted outside the sandbox, which made it awkward. You do have to get used to the fact that when you download a file, it's only downloaded in the sandbox until you allow it to be copied to your hard drive, but that's dealt with a lot better now. Sandboxie prompts you to see if you want to move a just downloaded file outside the sandbox so you can run it.

I've also installed it on the Media Center PCs I have hooked up to my HDTVs. I do a lot of YouTube and other video watching on those PCs, and NoScript was starting to be a real pain to work around, but I want to ensure that nothing nasty gets through.

Seems to be working out for me so far.
http://www.sandboxie.com/
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Followup:
Found a way to manually whitelist certain folders in a Sandbox, so I've allowed the download folder to be directly accessible from Firefox. That way a downloaded file goes straight into the actual download folder instead of being held in limbo in the sandbox until I permit it to be moved.

I have no issues with downloaded files being saved on the main drive. You still can't run an executable from within Firefox without it being contained in the Sandbox. I'm already used to not being able to run a downloaded file from within the browser from when I was using DropMyRights.

If I'm stupid enough to download an infected file AND run it outside the sandbox, that's my problem.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

Post by wvjohn »

I remember using this a while back
Heatware: http://www.heatware.com/eval.php?id=123
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Another minor issue I had to find a workaround for. I like to drag the URL of the page I'm reading to the desktop to create a shortcut. Sandboxie won't let you do that because it breaks the sandbox isolation.

The workaround is to install a Firefox add-on called "deskCut" and configure Sandboxie to allow the sandbox full access to the desktop. The add-on's original purpose was to replicate the functionality in IE where you can right-click on a web page or a link on a webpage, and make a desktop shortcut.

Sure, a minor security risk, in exchange for convenience, but not a big deal. I don't care if a malicious file gets copied to the desktop as long as it can't be run by a script from the browser, which it can't while sandboxed.

This was the problem I had with the original Sandboxie - it was WAY too restrictive.

If anyone expresses an interest, I'll document where all these settings are.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez
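
An added example, not part of the thread and not Sandboxie's own tooling: the download-folder and desktop exceptions described in the posts above are holes in the sandbox, so it is worth listing them and seeing which ones are limited to a single program. The sketch assumes the exceptions are stored as `OpenFilePath` lines in Sandboxie.ini, optionally prefixed with `program.exe,`; the box name and paths in the sample are constructed.

```python
import re

# Constructed sample in Sandboxie.ini layout; box name and paths are made up.
SAMPLE_INI = r"""
[DefaultBox]
Enabled=y
ForceProcess=firefox.exe
OpenFilePath=firefox.exe,C:\Users\demo\Downloads\
OpenFilePath=C:\Users\demo\Desktop\
"""

def parse_ini(text):
    """Return {section: [(key, value), ...]}. Keys repeat, so keep a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def direct_access_findings(text):
    """List every OpenFilePath hole and whether it is limited to one program."""
    findings = []
    for box, settings in parse_ini(text).items():
        for key, value in settings:
            if key != "OpenFilePath":
                continue
            prefix, sep, rest = value.partition(",")
            # "program.exe,path" scopes the rule; a bare path applies to
            # every program running in the box.
            if sep and "\\" not in prefix and ":" not in prefix:
                program, path = prefix.strip(), rest.strip()
            else:
                program, path = "*", value
            findings.append({
                "box": box, "program": program, "path": path,
                "review": "any sandboxed program writes here unsandboxed"
                          if program == "*" else "scoped to one program",
            })
    return findings

if __name__ == "__main__":
    for f in direct_access_findings(SAMPLE_INI):
        print(f"[{f['box']}] {f['program']:<12} {f['path']}  -> {f['review']}")
```

Files written to a listed path land on the real disk, so anything there should be treated as untrusted until it has been scanned.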

Losbot
Life Member
Posts: 5206
Joined: Sun Jul 13, 2014 8:59 am
Location: South Florida

Post by Losbot »

Of course we're interested. :D