I've made a comment about your thread before and I'd like to repeat myself here.
It is really nice to have a guide on Sandboxie here given the increased number of attacks lately, but your settings do not prevent the attacker from doing things, while they may also interfere with normal games running (especially if the game uses extra plugins like BepInEx, or has a special way of doing things, like, as you've mentioned, RPGM).
I'd like to suggest doing proper research on this topic and rewriting the whole guide in fewer words, with more useful settings shown to the user, as well as the pros, cons and vulnerabilities listed.
For the research it would be a good idea to install Sandboxie in a VM and run all of the infected games from here to see whether it blocks the attack and whether the game runs without issues.
The problems are as follows:
Sandboxie does not prevent changes to the host. It does create a copy of a file if it's modified and saves it in the "Sandboxie" folder instead of the real path, but that's pretty much it. The same goes for registry keys.
However, reading is allowed, running new processes is allowed, and I do believe that scheduling tasks is also allowed (but I'm not sure; there could be a setting for it, maybe?).
The only setting so far that somewhat saves you is turning off internet access for the game, so the downloader can't load the malicious archive.
So if you run a virus in Sandboxie, it will just run in Sandboxie and do everything it wanted to.
Besides that, I see at least a few possible ways of escaping the sandbox which are pretty easy but not guaranteed to work, and a few hard ways that are guaranteed to work. Sandboxie is not a VM, and there's a reason a VM runs pretty slowly, you know.
If you want, I can write a few games with "fake malicious code" for your tests, to see if your final setup will prevent it from running.
Also, I do have a few links to infected games saved; I can share them.
Yes, I agree that a sandbox is less secure than a virtual machine, and I agree that this guide lacks security settings. Unfortunately, no one (with a few exceptions) has offered anything in this regard (as I had hoped), and I am not very experienced in this area.
I'm not sure what you mean by allowing process launches: they will also be in the sandbox (I checked it). Besides, Ren'Py is essentially based on this: the exe launches Python, and without it the game simply won't work.
As for task scheduling: good question, I'll have to check it. But I think it should be blocked at the user level, and Sandboxie has a setting that prohibits privilege escalation. I agree that this needs to be double-checked, and in general, testing should be done in a VM as you suggested. So send me links to the infected games. The only thing is, I'm not sure where I'll find the time for this, but that's another matter.
As for read access, yes, it is a problem. If an info stealer does start up, it can collect information. There are settings that allow you to block access to specific folders and registry keys. I would like someone with more experience to tell me what can be hidden (e.g. browser caches, crypto wallets, etc.). I have some ideas, but they need to be tested.
One more thing: I highly recommend auto-clearing the sandbox after finishing the game. This will remove everything that the application/game added to the disk. This way, even if a scheduled task is added somehow, it will have nothing to run. And that is precisely why I do not recommend enabling the immediate file recovery option. I prefer to see which files the game has changed after it finishes and choose what to recover and what to send to the abyss. At the same time, it allows me to notice bad behaviour.
In summary, the scope of work is clear, but I cannot guarantee that I will be able to complete it quickly. Therefore, I am appealing to everyone to share their experience of working with Sandboxie, especially for non-Renpy games and any additional software such as translators and cheats.
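As an added illustration, not taken from the original posts or from the guide, here is how the settings discussed in this thread look when written directly into a Sandboxie.ini box section: blocking internet access, closing a few folders and registry keys that an info stealer would go after, dropping admin rights, and deleting the box contents on exit instead of auto-recovering files. The setting names are the ones Sandboxie documents; the box name "GameBox", the particular paths chosen, and the use of Sandboxie's `%AppData%`, `%Local AppData%` and `%Personal%` path variables are my assumptions and should be checked against your own Sandboxie.ini and Templates.ini before use.

```ini
# Added example box section for Sandboxie.ini (box name and paths are assumptions)
[GameBox]
Enabled=y

# No network for any program in the box: a downloader stage cannot fetch its payload
ClosedFilePath=InternetAccessDevices
# Also no access to network shares
BlockNetworkFiles=y

# Programs in the box run without administrator rights
DropAdminRights=y

# Hide data an info stealer typically looks for (example paths; adjust to what is installed)
ClosedFilePath=%Local AppData%\Google\Chrome\User Data
ClosedFilePath=%AppData%\Mozilla\Firefox\Profiles
ClosedFilePath=%AppData%\discord
ClosedFilePath=%Personal%
# Hide a common persistence location as well
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

# Do not copy files out of the box automatically; review them in Quick Recovery instead
AutoRecover=n
# Wipe everything the game wrote once the last process in the box exits
AutoDelete=y
```

Two caveats from testing such a box: closing `%Personal%` breaks games that keep their saves in Documents, and closing `%AppData%` as a whole will stop Ren'Py games from starting because they store saves under `%AppData%\RenPy`, so narrow each `ClosedFilePath` to the specific subfolders you actually want hidden rather than to the parent folder.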
By the way, the reasoning should be quite the opposite.
I've even seen a "Scarecrow" program somewhere that leads the process to believe it is running in a virtual environment along with tons of debuggers and monitors, so if the virus has debug detection it would shut itself down instead of proceeding.
Edit: found it, it's called "Cyber Scarecrow". I won't post the link here, but you can Google it. Pretty fun idea.
Well, let it finish. The goal is not to catch the virus red-handed, but to prevent it from launching.
There is most likely another problem here: if the virus detects where it is running, it can exploit a known vulnerability in that sandbox or virtual machine to break out. Therefore, there should be more levels of security, and therefore, protection of personal data and ways to mitigate the damage from the virus should be provided. Security is a complex thing.
I am not a professional user of Sandboxie myself, so I can't help with a proper setup, but I do know that there are settings that effectively let you isolate a program so much that the only thing it can see is the game folder and the game process.
Unless it escapes out of the sandbox, this should be the way to prevent malicious activity, I think.
Once again, I'm not a pro in this regard, so I can't be sure how safe the sandbox can be.
The only thing I'm sure of is that a sandbox can't be 100% safe.
If you restrict visibility to only the game folder, there is a high probability that the application simply will not start: drivers often need access to certain folders, and in general to the AppData folder, Windows, etc.
At least in my case, even Renpy refused to start when I restricted it that much. You need to be careful when restricting access. That's why I didn't add anything to the guide on this topic.