Defense Plus & Sandboxie

Hi All,

Hope this is the appropriate board. I realize this board is actually for Comodo’s sandbox but since the subject matter is similar I thought this would be the right one. I apologize if I’m wrong.

I play all my games in a sandbox. The problem is, if I don’t remember to add the game’s exe files to Defense plus trusted files, then often times I get a black screen where I can’t do anything. Nothing works including Ctrl+Alt+Del or Alt+Tab or Esc. Only thing I can do at that point is to hold the power button till the system shuts down.

With Sandboxie, the hierarchy is :\Sandboxie%SANDBOX%. Is there a way to create a global rule in Defense Plus to have it ignore everything in that path? Just Defense Plus and not the firewall.


Do you want to exclude it from all of Defense+ (HIPS and Auto-Sandbox) or only the Auto-Sandbox? If you have HIPS disabled then you only need to exclude it for the auto-sandbox.

If for only the auto-sandbox then you can go to Advanced Settings > Security Settings > Defense+ > Behavior Blocker - Once there you look for Define exclusions for behavior blocking and to the right of you click Exclusions. When you see the new window you either right-click in the middle of it or click the little arrow at the bottom, you then choose Add > Folders and then you look for the :\Sandboxie\ folder, I’m assuming it’s C:\Sandboxie\ and then highlight it and click OK, now also click OK on all relevant CIS windows. This should work however I don’t know how it does with the %SANDBOX% part, you could perhaps play around a bit and see for yourself how it deals with it. If you want to make manual changes because you can’t enter a certain path then simply add a folder as described above, then right-click the folder while at the Exclusion list and then click Edit at that point you can freely type what you want (wildcards like * and ? do apply)

Hope that helps.

I probably should have said that I was still using v5.12 because the newer interface looked like a child’s application - at least it did a year or two ago. I figured there’s probably not a solution for my older version so I decided to try the upgrade. It still looks a little kiddish but not as bad as last time so I haven’t decided if I’m going to stay with it.

Thank you for your excellent instructions, found everything right away. (used :\Sandboxie*) I have it set up but haven’t had a chance to test it out yet. I actually have auto-sandbox disabled and HIPS enabled. I turned off Comodo’s sandbox because I was concerned that it might conflict with Sandboxie. Do you know if these two apps can play OK together?

Oh, I can’t really remember the layout for CIS 5.x so I can’t really give instructions on that. :embarassed:

I believe it should be possible to set up in CIS 5.x although I do not remember the layout so I can’t really give directions of how to do it.

In that case it won’t work, I mean, if you’re using HIPS then making an exclusion for the Sandbox isn’t going to make a difference.

You can’t really create an exclusion in that sense for HIPS, you can however set up :\Sandboxie* to be considered as an Allowed Application. To do that you can follow the instructions below, please notice that I have written the instructions both in a continuous text and in bullet point form, I would appreciate it if you could tell me which one you prefer. :slight_smile:

Instructions in a continuous text:
To do this you must once again open the advanced settings and navigate to Security Settings > Defense+ > HIPS > HIPS Rules - Once here you want to right-click in the middle of the list or click the little arrow at the bottom and then click Add, when the new window opens you want to write in the path for the folder in the field next to Name: (I don’t understand what you mean by “:\Sandboxie%SANDBOX%” mostly what’s before that, for example is it “C:”? Or does it simply somehow start with just “:” ? Or is it on several drive letters? If it’s the last of the three, please enter ?:\Sandboxie*) after that make sure that Use Ruleset: is set to Allowed Application and then click OK on all relevant windows.

Instructions in bullet point form:

  • Go to Advanced Settings > Security Settings > Defense+ > HIPS > HIPS Rules
  • Right-click anywhere in the list or click the little arrow at the bottom of the window and then click Add
  • In the new window you want to write the path to the folder in the field next to NAME: (Notice that you can’t add folders from the Browse feature)
  • I don’t understand what you mean by “:\Sandboxie%SANDBOX%” mostly what’s before that, for example is it “C:”? Or does it simply somehow start with just “:” ? Or is it on several drive letters?
  • If the path is “C:\Sandboxie%SANDBOX%” then you should add C:\Sandboxie* ; if the path is literally “:\Sandboxie%SANDBOX%” then you should add :\Sandboxie* ; if the path is located on multiple drive letters then you should use ?:\Sandboxie*
  • Make sure that Use Ruleset: is set to Allowed Application
  • Click OK on all relevant windows

Sorry I’m not sure how the Comodo Sandbox and Sandboxie work together, other users might know though.

I have taught and written guides for both tech support personnel and the non-technical home user. I have observed when you are sharing technical concepts with non-technical people, they seem to learn easier if it’s in a structural step-by-step format. Technical people can flow either way, it’s a matter of preference. I personally like the continuous text because I like to try to ride the writer’s “path of thoughts”, as I roll through their sentences. This method often reveals more information in little ways, than the “do-this, do-that format”. I guess, it comes down to who’s your audience. Hope that helps. :slight_smile:

I don’t think the Allowed Application concept is going to work. The Sandboxie path :\Sandboxie%SANDBOX% means all sandboxes are created under the folder called “Sandboxie”. The percent signs mean there can be more than one sandbox created.

When one installs a game or application in Sandboxie, it creates all the necessary files and folders, as well as the directory structure and any registry settings that the app needs. If the app needs something from outside of the sandbox (we’ll call that the host side) then Sandboxie will reach outside of itself and pull a copy of those files into the sandbox. You can think of it as Sandboxie duplicates the host side (file directory and registry structure) but only takes what is needed to make the app run correctly. It does this for every sandbox that is created and as far as I know, it’s unlimited.

I currently have 61 sandboxes and they are constantly changing, deleting or updating. Unless I’m missing something I’m thinking the Allowed Application probably won’t work because of the constant changes. However, if there is a way to get Hips to completely ignore the directory structure or Sandboxie’s branch (Main folder & all subfolders) under :\Sandboxie, then it should work. (This is what I thought you had me do in your first post) Do you know if there’s a way to do this?

BTW - if you want to see what I’ve been talking about, Sandboxie is freeware and payware. The freeware side only allows one sandbox to be running at a time and there might be one other thing… I can’t remember it’s been so long since I used the freeware side; but for 30 days it works like payware, everything works. You can use the freeware side forever if you like. I’m not trying to advertise Sandboxie, I’m only mentioning it in the attempt to find a solution to a problem. [So please, no one flame me about it]

Thank you, I’ll keep that in mind. =)

That’s the point of the asterisk in the path. The path I suggest you enter is “?:\Sandboxie*” where the question-mark (?) is a wildcard meaning any one character (for drive letter), then the path :\Sandboxie and then the asterisk (*) which means any character and any amount of characters.

So using the rule above, these examples should be run as Allowed Application:
C:\Sandboxie\Example program\Example Subfolder\Bin\Example Executable.exe
D:\Sandboxie\Another Example Program\Another Example Program.exe

I think you get the idea? Now… it depends… Does Sandboxie run the executable from its original location and then simply saves the data to the mentioned folder or does it copy the executables to the mentioned folders and run them from there? I believe that question is key to answering whether or not this rule will solve the issue.

Also another issue is that Allowed Applications aren’t inherently allowed to launch other applications unless they are trusted, so you may have to create additional rules, I’ll show you how to do that if we can establish that the base rule even works.

I’ll take a look at it soon, if I haven’t come back regarding this within an hour then I’ll get back to you tomorrow after work (in other words, it’ll be a while)

So I’ve taken a look at Sandboxie now and I think I’ve gotten an understanding of it now. So the above rule will work in SOME but not all situations, it depends on how you use it. There are two ways to use it for programs that need to be installed, a) run the installer in the sandbox or b) run the installer outside of the sandbox but run the main executable sandboxed after installation.

For a) the main installer will, to the HIPS in CIS, look as if it’s running from for example C:\Users\Sanya\Downloads\ BUT the files it installs will be contained in C:\Sandbox\Sanya\Blahblahblah\ so when you try to run the actual program installed, it would be run from C:\Sandbox\Sanya\Blahblahblah\Executable.exe (unless there are other features in Sandboxie that I didn’t consider) So in that case HIPS will be all over the INSTALLER but it will treat all applications installed in the sandbox as Allowed Applications!

For b) it seems like the executable is run from that location which it is located in, so if you installed the game outside of the sandbox to for example C:\Program Files (x86)\Steam\Steamapps\common\Half-Life 2\ then if you run the game in the sandbox now, HIPS will see that as C:\Program Files (x86)\Steam\Steamapps\common\Half-Life 2\hl2.exe

Also, are you sure it’s C:\Sandboxie\ for you? It’s C:\Sandbox\ for me… but that doesn’t really matter that much, point is that if you create an allow rule for C:\Sandbox* or C:\Sandboxie* (depending on which it shows) it should work for applications installed within the sandbox, but will not work for applications installed outside of the sandbox and run in the sandbox from there.

Another example:
I have an application Portable_App.exe, I run it in the sandbox, HIPS will see it as C:\Users\Sanya\Downloads\Portable_App.exe
I have an application Installer.exe, I run it in the sandbox, HIPS will see it as C:\Users\Sanya\Downloads\Installer.exe - But if the installer installs something and then runs it, let’s say Main_App.exe, then HIPS will see it as C:\Sandbox\Sanya\Blahblahblah\Main_App.exe

I hope that makes sense to you, it’s late and I’m not really very awake anymore, sorry. I’ll check back in tomorrow after work, hopefully you can get it going and working without any hiccups.
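The wildcard rule and the two usage cases discussed above can be checked offline before the rule is trusted. This is an added example, not part of the original posts and not Comodo's matcher: it assumes the semantics stated in the thread (`?` is one character, `*` is any run of characters) plus case-insensitive matching, and the `SandboxieTools` path and the tighter pattern are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: '?' = exactly one character, '*' = any run of characters
# (backslashes included), compared case-insensitively like Windows paths.
def rule_matches(pattern, path):
    return fnmatchcase(path.lower(), pattern.lower())

def audit(pattern, paths):
    """Map each path to whether the allow rule would cover it."""
    return {p: rule_matches(pattern, p) for p in paths}

LOOSE = r"?:\Sandboxie*"    # the pattern as written in the thread
TIGHT = r"?:\Sandboxie\*"   # hypothetical tighter form, anchored on the folder

# Constructed sample paths modelled on the cases in the thread.
SAMPLE_PATHS = [
    # Installed inside the sandbox: HIPS sees the sandbox path.
    r"E:\Sandboxie\Game\Exe1.exe",
    # Installer started sandboxed: HIPS sees its original location.
    r"C:\Users\Sanya\Downloads\Installer.exe",
    # Installed outside, run sandboxed: HIPS sees the install path.
    r"C:\Program Files (x86)\Steam\Steamapps\common\Half-Life 2\hl2.exe",
    # Default-named sandbox root differs from the rule's folder name.
    r"C:\Sandbox\Sanya\Blahblahblah\Main_App.exe",
    # Sibling folder that merely shares the prefix (constructed).
    r"E:\SandboxieTools\other.exe",
]

def over_broad(loose, tight, paths):
    """Paths allowed by the loose rule but not by the anchored one."""
    return [p for p in paths
            if rule_matches(loose, p) and not rule_matches(tight, p)]

if __name__ == "__main__":
    for path, allowed in audit(LOOSE, SAMPLE_PATHS).items():
        print(("ALLOW " if allowed else "ASK   ") + path)
    print("Covered only because of the missing backslash:",
          over_broad(LOOSE, TIGHT, SAMPLE_PATHS))
```

Under these assumptions the pattern without a backslash before the asterisk also covers any sibling folder whose name begins with `Sandboxie`, so the anchored form grants less.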

I went back and re-read your post and yeah… I feel like an idiot. lol! You’re right, the Allowed Application does work. THANK YOU!!
To answer your other question, I have sandboxes on drive E. If you open Sandboxie’s Control Panel and then go to… CONFIGURE → EDIT CONFIGURATION, this will open the Sandboxie.ini file. Then under [GlobalSettings] at the top, you can add the following path: FileRootPath=[drive letter]:\Sandboxie%SANDBOX% Mine looks like:


You’re right about the two methods of using Sandboxie. If you install something outside a sandbox and then right-mouse-click on the exe and select “Run Sandboxed”, only files that are activated or initialized will be present within the sandbox when you close the app. Otherwise like you mentioned, one can install and run the entire app from within the sandbox. (Great for gaming and checking out new browsers or apps)

Most of the time Comodo and Sandboxie work well together and with the change you suggested, it will make my life a little more pleasant. :slight_smile:

I’m glad it’s working for you. =)

Now as I mentioned earlier, the allowed application ruleset doesn’t by default allow the application to launch other applications unless the other applications are trusted applications, so if for example E:\Sandboxie\Game\Exe1.exe tries to launch E:\Sandboxie\Game\Exe2.exe then HIPS will show you an alert (unless CIS trusts Exe2.exe). You can however change this behavior if you want by following these steps: First you want to again open the Advanced Settings > Security Settings > Defense+ > HIPS > HIPS Rules - now you want to find the previously created rule for E:\Sandboxie* and then right-click it and click Edit, in the new window we’re going to switch from Use Ruleset: to Use a Custom Ruleset and then from the drop-down menu to the left that says Copy from we choose Ruleset > Allowed Application - Now in the list under Access Rights you should see things like Run an executable and Interprocess Memory Accesses etc, we want to focus on Run an executable, now on that line you should see that it is set to Ask and Exclusions say Modify (0/0), we want to click that “Modify” text, in the new window please right-click in the middle and click Add > Folders and then add E:\Sandboxie and click OK on all relevant windows. Now applications contained in E:\Sandboxie* will be considered Allowed Applications and they will be allowed to launch other applications in E:\Sandboxie*

If you have any further questions then don’t hesitate to ask. =)

Brilliant! Thank you again for your excellent instructions.
Everything is working great. :slight_smile: