Which apps benefit the most from Sandboxie and which ones don't benefit from Sandboxie? #3548
-
This depends partly on your use-case/threat-model. Anything that faces the risk of being exploited and still runs within Sandboxie is at least another layer better off than running outside a sandbox. Apps themselves do not benefit directly; it's only from the perspective of the user that something is better off sandboxed than not.

Browsers are a good example: they can be sandboxed and remain functional. If a browser is exploited to infect the system, that exploit is contained within the sandbox, unless there is another exploit to escape the sandbox, or the sandbox is configured too openly. E-mail clients work sandboxed and face similar threats. In some instances, you can defend against malware that steals information, unless that information is inside the sandbox or accessible from within.

Furthermore, this applies to anything that handles content from untrusted sources, like image viewers, media players, etc. An attacker might exploit a flaw in a parsing library, which would be contained in the sandbox. Editing the metadata of files with an image viewer or media player while sandboxed will not modify the real file, so one needs to be aware of limitations. One can run it unsandboxed for such tasks, or might configure it to be more lenient.

On the other end, there are system apps or apps that are supposed to perform actions on the real machine, like installing a driver, AV real-time scanners, defragment tools, disk deletion tools, etc. Those need to operate at a level, or require special permissions, such that being sandboxed defeats their purpose. If you wrote your own drawing app and only draw your own images, never opening any resources, you may have no need to isolate it, but it should still work.
-
Just to clarify, Sandboxie can sandbox user-space apps at the file system and registry level, correct? It can't isolate apps running their own drivers, can it? Drivers use kernel-space, which provides them with unrestricted access. What about apps using their own services? Services require SYSTEM level file and registry access. For example, Steam can be launched within Sandboxie, but it still requires running its own "Steam Client Service". Does that service escape the sandbox if installed normally? Can the service itself be installed to run within a Sandboxie sandbox?
-
Which apps benefit the most from Sandboxie and which ones don't benefit from Sandboxie?