Securing sensitive data in a sandbox
This guide is aimed at more advanced users who can understand Sandboxie settings and do the necessary testing on their own; following it is not strictly required. It is intended as a starting point for those who want to strengthen sandbox protection through their own research.
Blocking the Internet in a sandbox prevents not only infection (virus downloads) but also, in most cases, the transmission of stolen information. However, a sandbox does not inherently prevent sensitive information from being collected and accumulated inside it. Therefore, there is a non-zero probability that the collected information will still be sent if you later open Internet access in the sandbox for any reason (even for trusted software).
I advise cleaning the sandbox after each session (you can set this up to happen automatically) so that viruses cannot gain a foothold (even inside the sandbox) and so that any information that has been collected is deleted.
In addition to this, you can restrict what the virus can collect inside the sandbox with the relevant settings.
First, ensure that both of these options are enabled:
This will prevent data from being retrieved from the memory of a running process (e.g. your browser) outside the sandbox (or in another sandbox).
You can restrict access to files here:
This window lists all the rules that will be used to filter access to files. We are mainly interested in the Access field. Specifically, we are interested in one of its values:
Close (for detailed descriptions of access types, see the Sandboxie documentation).
This type of access prohibits both reading and writing to the file, which is what we need. Unfortunately, it takes priority over all other types of access, so it is not possible to set, for example, Close for the entire disk and then restore Normal access for the folders we need (at least I couldn't do it, but if you can, be sure to write about it). Therefore, you will have to list all the folders to which access must be denied.
You can do this in this window using the ‘Add File/Folder’ button (or Browse for ...), but for a large number of folders this can be difficult, so you can do it by editing the ini file:
Simply copy the line with "ClosedFilePath=" and enter the path you need manually. When you are done, do not forget to click "Save".
Now let's move on to the main question: what to block.
It is difficult to block everything and leave only what is necessary, if only because it is not entirely clear what should be left. Blocking access to the Windows folder will make it impossible to run games (or anything else, for that matter). Furthermore, not all folders contain information that is worth hiding.
In general, I suggest approaching it from a different angle and only restricting access to what really needs to be hidden — anything that contains your personal data, logins, passwords, etc. This includes browsers, password managers, cryptocurrency wallets, and various applications (including games) with online accounts (Steam, Spotify, etc.).
You need to make a list of such applications installed on your computer and determine where each one stores its credentials and cache.
Usually, all this is located in \AppData\Local\[application] and \AppData\Roaming\[application] (sometimes also in \AppData\LocalLow\[application]). But there may be other folders — be sure to find out for your applications.
It would also be a good idea to block the application installation folder (in C:\Program Files\ or C:\Program Files (x86)). The good news is that these folders (plus C:\ProgramData\) can be blocked entirely without any problems — games continue to work (at least the ones I ran).
For Ren'Py games, I also completely blocked \AppData\Local\ and \AppData\LocalLow\ - Ren'Py doesn't store anything there and works fine without them. If you block \AppData\Roaming\, it starts and works, but saves and settings are stored in the game folder. In addition, I noticed an unexplained drop in performance.
For games on other engines (Unity, RPGM), this may not work, and at the very least, they will refuse to save at all. So check how it works for you and, if necessary, reduce the restrictions.
For Steam, you can also block the SteamApps folder, as games may also store some information there.
If you have OneDrive or other folders synchronised with cloud storage, it is highly likely that you store sensitive information there, so you should also block access to them.
It is safe (from the point of view of games running in the sandbox) to block access to the sandbox files (C:\Sandbox\) and the global settings file (C:\Windows\Sandboxie.ini).
You can add any other folders of your choice, but make sure to add them one by one and check your games after each addition so that you don't have to guess what exactly is preventing the game from launching in case of problems.
If you have more than one sandbox (and I recommend creating different sandboxes for different types of games/engines), you will need to repeat this configuration for all other sandboxes.
Or use templates
Templates are a very useful tool for quickly changing settings for a group of sandboxes. In addition, Sandboxie Plus comes with useful templates (mainly for restoring the functionality of specific applications in the sandbox, but there are also several that enhance security; check this topic yourself).
Custom (local) templates are created here:
Click ‘Add Template’ - you will be asked for a name (for example, ‘ProtectData’) and then a window similar to the sandbox settings will open:
Add all your folders and files to be blocked here, then save (by clicking ‘Ok’).
Now go to the sandbox settings and enable the use of your template:
After that, if you change the template, it will immediately be applied to all sandboxes that have this template enabled.
That's all there is to it.
As you may have noticed, I only talked about files and folders here, but Sandboxie allows you to control access not only to them, but also to the registry, IPC, etc. Unfortunately, I didn't have enough time to test blocking for the registry (mainly because I don't really know what to block, and when I blocked entire branches, my games stopped working properly). Therefore, I leave this to your discretion, and if you conduct successful testing, be sure to write in the thread what you blocked and for which engines.
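For the file rules and templates described above, an added example (not part of the original guide and not Sandboxie's own code): a Python sketch that checks, for every sandbox in a copy of Sandboxie.ini, which folders from your sensitive list are not closed by any ClosedFilePath rule, including rules inherited from enabled templates. The ini text, box names, template name and paths are constructed; it assumes `Template=X` in a box refers to the section `[Template_X]`, and it treats each rule as a plain folder prefix, ignoring wildcard rules.

```python
import re
from ntpath import normcase, normpath

# Constructed sample ini text; box names, template name and paths are made up.
SAMPLE_INI = r"""
[Template_Local_ProtectData]
ClosedFilePath=C:\Users\alice\AppData\Local\ExampleBrowser\
ClosedFilePath=C:\Program Files\
[RenpyBox]
Template=Local_ProtectData
ClosedFilePath=C:\Users\alice\OneDrive\
[UnityBox]
ClosedFilePath=C:\Program Files\
"""
# Constructed checklist of folders that must be unreadable from every box.
SENSITIVE = [
    r"C:\Users\alice\AppData\Local\ExampleBrowser\User Data",
    r"C:\Users\alice\OneDrive\Documents",
    r"C:\Program Files\ExampleWallet",
]

def parse(text):
    """Return {section: [(key, value), ...]}; keys repeat, so configparser is not used."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = sections.setdefault(m.group(1), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def closed_paths(sections, box):
    """ClosedFilePath rules of a box plus those of the templates it enables."""
    names = [box] + ["Template_" + v for k, v in sections[box] if k == "Template"]
    return [v for n in names for k, v in sections.get(n, []) if k == "ClosedFilePath"]

def covers(rule, path):
    """Simplified match (assumption): rule is a folder prefix of path, case-insensitive."""
    rule, path = normcase(normpath(rule)), normcase(normpath(path))
    return path == rule or path.startswith(rule.rstrip("\\") + "\\")

def audit(text, sensitive):
    """Map each box to the sensitive folders that none of its rules close."""
    sections = parse(text)
    boxes = [s for s in sections if not s.startswith(("Template_", "GlobalSettings", "UserSettings"))]
    return {b: [p for p in sensitive if not any(covers(r, p) for r in closed_paths(sections, b))]
            for b in boxes}
```

Here `audit(SAMPLE_INI, SENSITIVE)` reports nothing missing for RenpyBox, which has the template enabled, and two uncovered folders for UnityBox, which does not.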