Sandboxie: Sandbox-based isolation software for Windows NT-based OS's (opens in new tab)

(github.com)

131 pointstirrex3y ago33 comments

33 comments

I rarely feel the need for sandboxie but the times I do, I feel that I'd be better served by a full VM. Got burned once because I misjudged risk level and the thing I ran within sandboxie managed to grab my browser's saved passwords.

lawl3y ago

Sandboxie (by default), does not restrict access to existing files in your user directory (or anywhere else).

It stops malware etc. From persisting because it catches writes. Basically it kind of mounts an overlayfs over your drive.

You can configure this differently, and iirc the paid donation version has an option to make your user directory private.

I agree that this probably isn't the best default, but that likeöy was a case of not rtfm'ing, andlnot misjudging the risk level. I was confused by this at first too.

gigel823y ago

I like the Sandbox app / feature built into Win10/11 (very fast to boot). I wish it'd allow saving snapshots and being automated. I want to set one up with a full dev environment for example.

Full HyperV VMs are significantly slower to boot and run.

kritr3y ago

If you haven’t already messed around with WSB files, I would encourage them for more complicated use cases.

https://docs.microsoft.com/en-us/windows/security/threat-pro...

The WinGet github repository has some scripts to setup and install programs inside.

tsujamin3y ago

Can second Windows Sandbox - 3s startup time, can copy things into it and it does like 85% of what I need completely isolated.

I mainly use it to test silent install flags when I'm deploying apps or running untrusted things :)

naikrovek3y ago

snapshots would be nice. it is actually a container of sorts underneath, with RDP support, so they could do it if they desired. (they don't, it seems, unfortunately.)

Windows containers gaining RDP is probably the bigger wishlist item, for me. Windows containers with a GUI would make some things extremely trivial and other things much easier.

1 more reply

currysausage3y ago

Windows Sandbox is really great, I just wish it could coexist with VirtualBox.

1 more reply

Randor3y ago

Yeah, the earlier versions of SandBoxie used SSDT hooks and offered much better protection. You can completely bypass some SandBoxie protections today with a direct interrupt 0x2e or SYSENTER call. SandBoxie offers very little protection.

userbinator3y ago

If you're doing any malware analysis, I think a VM is the minimum bar for isolation; and separate physical hardware is even better.

pabs33y ago

You probably want a VM on separate physical hardware on a separate network connection, to avoid it burrowing into the hardware and avoid it burrowing into your network.

1 more reply

anaisbetts3y ago

I'd have to agree. Windows Sandbox is built into the OS and is a much better option - it takes your existing Windows install and within literal seconds, creates and starts a clean VM whose contents will be burned on close. It's an insane technical achievement and it doesn't get enough kudos imho

polygloty3y ago

That's the reason why I hate it. I want my sandbox to persist. Use case: Filling once in a year tax forms with turbo tax that i can't seem to file in a single sitting

MuffinFlavored3y ago

I just tried it for the first time and the app I didn't trust could tell it was being sandboxed/spoofed/debugged/etc.

brokenmachine3y ago

Sounds like something an untrustworthy app would do.

senectus13y ago

ouch. unexpected lesson to be learned here...

Don't use browser password saving. I presume a third party app like bitwarden would have been better. though if the browser auto syncs and installs the extension your risk is a little higher.

iamevn3y ago

I was already almost entirely migrated to keepassxc but had kept using the browser feature out of habit. Quickly disabled that and had a really fun few days changing absolutely everything's password.

1 more reply

schmorptron3y ago

Oh? I always assumed the Firefox feature would be fine with a master password and 2fa set up , but is a third party manager really a substantial upgrade security wise?

staticassertion3y ago

Since when is Sandboxie open source?

edit: 2020. Awesome. I remember having to rely on reverse engineering to understand wtf it was doing. Now I can check!

When I was younger I wanted to start a company around automatic sandboxing very similar to Sandboxie, but dealing with Windows Kernel Drivers was miserable. Having something open source to derive inspiration and design from would have been so helpful.

pvg3y ago

Couple of previous big related threads from 2020 and 2019:

https://news.ycombinator.com/item?id=23809736

https://news.ycombinator.com/item?id=21496164

GuB-423y ago

I still use it to test installers.

We are working on traditional Windows apps, with an installer (NSIS or Qt) and Sandboxie is a great way to test it. During development, we can't trust that the installer won't leave a ton of crap that will break future installs, and running it under Sandboxie is a simple and effective way of starting with a clean slate every time. Also, by inspecting the content of the sandbox, it is also possible to see what the installer has done exactly and identify what wasn't properly removed during the uninstall so that it can be fixed.

xenophonf3y ago

Sandboxie is pretty great. This is how I've managed to multibox Elite: Dangerous ever since Frontier changed how they issue game keys in 2019. I can have multiple versions of Steam and multiple versions of the game running side by side. The only thing that can get a little wonky is the Steam Controller, with both the desktop and game-specific bindings getting activated simultaneously in some cases.

I would never use it for security-sensitive process isolation, like malware analysis. It's safer to use a dedicated computer or virtual machine for that sort of thing. But for gaming? chef's kiss

butz3y ago

Used it way back in my Windows 7 days, it was a great solution to keep system directories clean from all clutter that installed programs add and fail to remove during uninstall.

DeathArrow3y ago

I wonder what's the difference at the implementation level between this and Windows containers.

helloooooooo3y ago

Why not use Siloes instead of a custom driver?

password43213y ago

Probably because Sandboxie has been around for over a decade.

nsonha3y ago

wow this thing's still alive?

Aachen3y ago

I remember this from my Windows XP days (spent another two years on Win 7, before switching to and being happier with Linux). No interest beyond nostalgia but indeed here I am reading at least the comment thread :). Gotta agree that I'd also not use it for anything serious, like it's perhaps useful as hardening for your browser because no regular exploit will expect it, but that's about it. I was already weary of it with my limited security knowledge back in the teen days, and reading of someone whose browser password was stolen, I'm happy that I didn't trust the claims that I seem to remember it making back then. It's a bit similar to containers I guess: probably even safer but even as a security person I don't trust myself to configure those malware-proof.

j / k navigate · click thread line to collapse

33 comments

iamevn3y ago

lawl3y ago

Sandboxie (by default), does not restrict access to existing files in your user directory (or anywhere else).

It stops malware etc. From persisting because it catches writes. Basically it kind of mounts an overlayfs over your drive.

You can configure this differently, and iirc the paid donation version has an option to make your user directory private.

I agree that this probably isn't the best default, but that likeöy was a case of not rtfm'ing, andlnot misjudging the risk level. I was confused by this at first too.

gigel823y ago

I like the Sandbox app / feature built into Win10/11 (very fast to boot). I wish it'd allow saving snapshots and being automated. I want to set one up with a full dev environment for example.

Full HyperV VMs are significantly slower to boot and run.

kritr3y ago

If you haven’t already messed around with WSB files, I would encourage them for more complicated use cases.

https://docs.microsoft.com/en-us/windows/security/threat-pro...

The WinGet github repository has some scripts to setup and install programs inside.

tsujamin3y ago

Can second Windows Sandbox - 3s startup time, can copy things into it and it does like 85% of what I need completely isolated.

I mainly use it to test silent install flags when I'm deploying apps or running untrusted things :)

naikrovek3y ago

snapshots would be nice. it is actually a container of sorts underneath, with RDP support, so they could do it if they desired. (they don't, it seems, unfortunately.)

Windows containers gaining RDP is probably the bigger wishlist item, for me. Windows containers with a GUI would make some things extremely trivial and other things much easier.

1 more reply

currysausage3y ago

Windows Sandbox is really great, I just wish it could coexist with VirtualBox.

1 more reply

Randor3y ago

userbinator3y ago

If you're doing any malware analysis, I think a VM is the minimum bar for isolation; and separate physical hardware is even better.

pabs33y ago

You probably want a VM on separate physical hardware on a separate network connection, to avoid it burrowing into the hardware and avoid it burrowing into your network.

1 more reply

anaisbetts3y ago

polygloty3y ago

That's the reason why I hate it. I want my sandbox to persist. Use case: Filling once in a year tax forms with turbo tax that i can't seem to file in a single sitting

MuffinFlavored3y ago

I just tried it for the first time and the app I didn't trust could tell it was being sandboxed/spoofed/debugged/etc.

brokenmachine3y ago

Sounds like something an untrustworthy app would do.

senectus13y ago

ouch. unexpected lesson to be learned here...

Don't use browser password saving. I presume a third party app like bitwarden would have been better. though if the browser auto syncs and installs the extension your risk is a little higher.

iamevn3y ago

I was already almost entirely migrated to keepassxc but had kept using the browser feature out of habit. Quickly disabled that and had a really fun few days changing absolutely everything's password.

1 more reply

schmorptron3y ago

Oh? I always assumed the Firefox feature would be fine with a master password and 2fa set up , but is a third party manager really a substantial upgrade security wise?

staticassertion3y ago

Since when is Sandboxie open source?

edit: 2020. Awesome. I remember having to rely on reverse engineering to understand wtf it was doing. Now I can check!

pvg3y ago

Couple of previous big related threads from 2020 and 2019:

https://news.ycombinator.com/item?id=23809736

https://news.ycombinator.com/item?id=21496164

GuB-423y ago

I still use it to test installers.

xenophonf3y ago

I would never use it for security-sensitive process isolation, like malware analysis. It's safer to use a dedicated computer or virtual machine for that sort of thing. But for gaming? chef's kiss

butz3y ago

Used it way back in my Windows 7 days, it was a great solution to keep system directories clean from all clutter that installed programs add and fail to remove during uninstall.

DeathArrow3y ago

I wonder what's the difference at the implementation level between this and Windows containers.

helloooooooo3y ago

Why not use Siloes instead of a custom driver?

password43213y ago

Probably because Sandboxie has been around for over a decade.

nsonha3y ago

wow this thing's still alive?

Aachen3y ago

j / k navigate · click thread line to collapse