Can I set full file access to drive C: - except the system dirs

If it's not about a problem in the program
Post Reply
CBruce
Posts: 10
Joined: Thu Sep 07, 2017 8:38 pm

Can I set full file access to drive C: - except the system dirs

Post by CBruce » Thu Sep 28, 2017 2:52 pm

Is there a combination of settings that I can use to allow programs with internet access, installed in a sandbox, full file access to all of the C: drive except the system folders? I want the sandboxed programs to be able to move large files to non-system folders on the C: drive - but I also want to make sure that any accidentally downloaded malware has no access to the system folders.

I thought this would be a common configuration, but I can't find anything about it when looking at docs and searching the forums.

I have tried using sandbox settings for full access to C:\ and then setting the system folders to readonly access - (not sure if that's even a valid config) - but then my Sandboxie desktop shortcuts cannot launch the sandboxed programs... ("not found" messages).

Thanks,
CBruce

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 2465
Joined: Mon Nov 07, 2016 3:10 pm

Re: Can I set full file access to drive C: - except the system dirs

Post by Barb@Invincea » Fri Sep 29, 2017 2:23 pm

Hello CBruce,

Maybe something like this will help:
viewtopic.php?p=30824#p30824
viewtopic.php?p=126368#p126368

Regarding copying files:
https://www.sandboxie.com/CopyLimitKb

Also, you may want to look at the internet access restrictions:
https://www.sandboxie.com/RestrictionsSettings#internet

Regards,
Barb.-

Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Can I set full file access to drive C: - except the system dirs

Post by Syrinx » Sat Sep 30, 2017 9:29 pm

I really would NOT recommend doing it but in my test with notepad and trying to save files in various folders these seem to be what you want.

OpenPipePath=C:\
ReadFilePath=C:\Boot
ReadFilePath=C:\Program Files
ReadFilePath=C:\Windows

That still doesn't cover other sandbox folders either if the container folders are set up for C:\ as well (like default) so things running in the one with those rules could modify files in those other sandboxes as well.

Doing it this way will also interfere with some normal operations such as if you then try to install a new program into the sandbox and install it to Program Files, it won't be able to create the files and it would fail.

On another note, I did not see any issues using 'Run Sandboxed' from desktop shortcuts as you mentioned after opening all of C:\ unless the program existed only inside the sandbox. Yet another reason to not attempt it that way I suppose.

You'd be much better off poking holes for just a few specific locations (say those user folders you move the files to) instead of opening up the whole drive and then trying to re-protect certain things.
Goo.gl/p8qFCf

Post Reply

Who is online

Users browsing this forum: No registered users and 4 guests