¿Program being able to access a "Blocked Access" HDD?

SandboxerX86
Posts: 2
Joined: Mon Nov 12, 2018 1:25 pm

¿Program being able to access a "Blocked Access" HDD?

Post by SandboxerX86 » Mon Nov 12, 2018 1:58 pm

Hi, first I want to say that I'm just a regular user without technical knowledge of how Sandboxie or the program works, so maybe this is nothing and it's normal behavior, but I want to report it just in case.

OK, so I have a sandbox configured with "Blocked Access" so that no program can access the internet or the hard drive D:\

ClosedFilePath=InternetAccessDevices
ClosedFilePath=D:\

I installed a lot of different programs inside that sandbox and none could access the drive "D:\", as expected, so the block is working without problems. But then I installed a data recovery tool called EaseUS Data Recovery Wizard and, to my surprise, it accessed the HDD and was able not only to read its content but even to recover files from it.

At first I thought maybe this was normal and that these kinds of programs would have access, so I installed another recovery tool called Recuva, but that program wasn't able to access the HDD. That made me doubt, and that's why I'm here.

So basically the only thing I wanted is to report this behavior and ask if it's normal or not.
Thank you.

PS: the Sandboxie version I'm using is 5.20 64bit and the program can be downloaded from here in case you want to try: https://www.easeus.com/datarecoverywiza ... ftware.htm

Barb@Invincea
Sandboxie Support
Posts: 2858
Joined: Mon Nov 07, 2016 3:10 pm

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Barb@Invincea » Tue Nov 13, 2018 10:03 am

Hi SandboxerX86,

To better assist you, we will need you to please follow these guidelines:
viewtopic.php?f=11&t=19746

Also, please use the latest version of Sandboxie, as we no longer support older versions:
https://www.sandboxie.com/DownloadSandboxie

Once you have provided all the required info (including the repro steps, please), we will test it on our end so that we can better assist you.

Regards,
Barb.-

SandboxerX86
Posts: 2
Joined: Mon Nov 12, 2018 1:25 pm

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by SandboxerX86 » Tue Nov 13, 2018 12:56 pm

Oh, I'm sorry for not following the guidelines in the first message. I just wanted to report this behavior and it's not that I really need assistance with this, so that's why I didn't add the info. And yes, I plan to update my version of Sandboxie soon but right now I can't because I'm doing some work, but thanks for letting me know.

Anyway, here it is:
The Windows version number? Windows 8.1 x64
Sandboxie version number: 5.20 64bit
Does the issue occur in a new Sandbox with Default settings? No, because the problem is related to the "blocked access" function and that option is not activated in the default settings.
NAME & Version/build numbers of any applications involved? EaseUS Data Recovery Wizard Free version 12.6.0
Are you running antivirus/anti-malware software? Yes, Windows Defender
What are the exact steps to reproduce the issue?
1- Create a New Sandbox
2- Select that sandbox and right click -> Sandbox Settings -> Resource Access -> File Access -> Blocked Access and select "The list below applies to All programs", then click the Add button and select a hard drive (in my case D:\) OR edit the settings file manually, adding "ClosedFilePath=hard drive letter", for example "ClosedFilePath=D:\"
3- Download the program EaseUS Data Recovery Wizard and place the installer somewhere on your PC, then proceed to install it sandboxed by right clicking the installer and selecting "Run Sandboxed"
4- Follow the install instructions, start it at the end of the install and on the main menu select to scan the hard drive you blocked previously (e.g. D:\)
And that's it, the program will start scanning the blocked drive instead of not being able to access it as one would expect.

Curt@invincea
Sandboxie Lead Developer
Posts: 1662
Joined: Fri Jan 17, 2014 5:21 pm

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Curt@invincea » Mon Nov 19, 2018 4:40 pm

This application is not going through the Windows file system APIs. They are using low-level direct disk access.

You can block this by adding the following line to your sandboxie.ini. I am not sure what other side-effects this may cause, so please give it a try and let us know.

ClosedFilePath=\Device\Harddisk0\DR0

Mr.X
Posts: 605
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Mr.X » Mon Nov 19, 2018 8:18 pm

Curt@invincea wrote:
Mon Nov 19, 2018 4:40 pm
ClosedFilePath=\Device\Harddisk0\DR0

Didn't work out, Curt. This program is still accessing the hard disk.
I put that line in the respective sandbox.
Windows 8.1 x64 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

Barb@Invincea
Sandboxie Support
Posts: 2858
Joined: Mon Nov 07, 2016 3:10 pm

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Barb@Invincea » Tue Nov 20, 2018 10:28 am

All,

I tested in a different VM than Curt's, and his entry also works for me.

Please be sure to follow these steps:
Close all of your Sandboxed apps.
Configure --> Edit configuration
Copy and paste the following at the end of your desired Sandbox (replace "E" with your drive's letter):
ClosedFilePath=E:\
ClosedFilePath=\Device\Harddisk0\DR0

Save the changes
Configure --> Reload configuration
Relaunch the EaseUS program; you will no longer see the partition.
If you have multiple partitions, you may need to do that for each one.

Let us know the outcome.

Regards,
Barb.-

Mr.X
Posts: 605
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Mr.X » Tue Nov 20, 2018 1:11 pm

After trial and error, especially with line syntax, I managed to block low-level access to the desired drives/partitions.

Lines added to ini file:

ClosedFilePath=D:\
ClosedFilePath=Q:\
ClosedFilePath=\Device\Harddisk0\DR0
ClosedFilePath=T:\
ClosedFilePath=\Device\Harddisk2\DR2
ClosedFilePath=P:\
ClosedFilePath=\Device\Harddisk1\DR1

I successfully hid them.
Windows 8.1 x64 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise
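
The drive-letter and raw-disk pairs in the post above can be generated instead of found by trial and error; the PowerShell function below is an added example, not part of the thread or of Sandboxie. It assumes the Storage module's Get-Partition cmdlet is available and that disk N's raw device is named \Device\HarddiskN\DRN as in the posted lines; the function name Get-ClosedFilePathLines is hypothetical.

```powershell
# Added example (not Sandboxie's own tooling): emit ClosedFilePath lines for the
# given drive letters plus the raw-disk device of every disk that hosts them.
# Assumption: disk N's raw device is \Device\HarddiskN\DRN, matching the lines
# posted in this thread. Confirm the DR index on your system before relying on it.
function Get-ClosedFilePathLines {
    param([Parameter(Mandatory)] [string[]] $DriveLetter)

    # Normalise "d", "D:" or "D:\" to a single upper-case letter.
    $wanted = @($DriveLetter | ForEach-Object { $_.Substring(0, 1).ToUpper() })
    $lines  = [System.Collections.Generic.List[string]]::new()
    $disks  = @()

    foreach ($letter in $wanted) {
        $part = Get-Partition -DriveLetter $letter -ErrorAction SilentlyContinue
        if (-not $part) {
            Write-Warning "No partition found for ${letter}: (skipped)"
            continue
        }
        # File-system path: blocks access through the normal file APIs.
        $lines.Add("ClosedFilePath=${letter}:\")
        $disks += $part.DiskNumber
    }

    foreach ($disk in ($disks | Sort-Object -Unique)) {
        # Raw-disk device: blocks the low-level reads described in this thread.
        $lines.Add("ClosedFilePath=\Device\Harddisk${disk}\DR${disk}")

        # The raw device covers the whole disk, so list other lettered
        # partitions on it that were not requested.
        $others = Get-Partition -DiskNumber $disk | Where-Object {
            "$($_.DriveLetter)" -match '^[A-Z]$' -and
            $wanted -notcontains "$($_.DriveLetter)"
        }
        foreach ($o in $others) {
            Write-Warning ("Disk $disk also hosts $($o.DriveLetter): and " +
                "raw access to it is closed by the same line.")
        }
    }
    return $lines
}

# Usage: paste the output at the end of the sandbox section, then reload.
# Get-ClosedFilePathLines -DriveLetter D, Q, T, P
```

The Harddisk number identifies the physical disk and DR is that disk's raw device object, not a partition, which is why one DR line can cover several drive letters.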

Curt@invincea
Sandboxie Lead Developer
Posts: 1662
Joined: Fri Jan 17, 2014 5:21 pm

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Curt@invincea » Tue Nov 20, 2018 1:22 pm

Try using wildcards.

Mr.X
Posts: 605
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Mr.X » Tue Nov 20, 2018 1:29 pm

Curt@invincea wrote:
Tue Nov 20, 2018 1:22 pm
Try using wildcards.

Please wildcard those lines for me so I can learn, I hope, lol.
Windows 8.1 x64 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

Crazy
Posts: 29
Joined: Tue Jul 17, 2018 5:47 am

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Crazy » Wed Nov 21, 2018 8:55 am

Curt@invincea wrote:
Mon Nov 19, 2018 4:40 pm
This application is not going through the Windows file system APIs. They are using low-level direct disk access.

You can block this by adding the following line to your sandboxie.ini. I am not sure what other side-effects this may cause, so please give it a try and let us know.

ClosedFilePath=\Device\Harddisk0\DR0

What does that DR0 mean? Is 0 the number of the partition?

What would happen if ransomware accessed the hard drive the way that program does?

Mr.X
Posts: 605
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Mr.X » Wed Nov 21, 2018 9:00 am

Crazy wrote:
Wed Nov 21, 2018 8:55 am
What does that DR0 mean?

I wonder the same thing. I logged in just to ask the same question.

@curt I tried the wildcard feature but I couldn't figure it out.
Windows 8.1 x64 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

Barb@Invincea
Sandboxie Support
Posts: 2858
Joined: Mon Nov 07, 2016 3:10 pm

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Barb@Invincea » Wed Nov 21, 2018 9:40 am

All,

Regarding the ransomware question, the problem in this thread was that closed file path would not also close low-level READ access to the drive.
At no point did we discuss (or were we able to prove) anything leaking outside the Sandbox (all files I recovered were Sandboxed, did you see something different?), so this still stands:
https://www.sandboxie.com/FAQ_Virus

Regarding wildcards, here are some examples if you are trying to block low level READ access to all of your drives:
(Here's an example from our documentation: https://www.sandboxie.com/ClosedFilePath ).

ClosedFilePath=\Device\Harddisk0\DR*

Another option is:
ClosedFilePath=\Device\Harddisk*\DR*

And/or:
ClosedFilePath=\Device\Harddisk*\*

The above will depend on your computer setup, your partitions, etc.
If you do not know which is which, you may need to experiment to find out what works. Otherwise, doing one at a time, as covered, will also work. You may need to use ClosedFilePath in tandem with these options in order to make it work as desired.

Hope this helps.

Regards,
Barb.-

Mr.X
Posts: 605
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Mr.X » Wed Nov 21, 2018 11:07 am

All sounds good and nice advice, but so far no one has told me how to wildcard these lines:

ClosedFilePath=D:\
ClosedFilePath=Q:\
ClosedFilePath=\Device\Harddisk0\DR0
ClosedFilePath=T:\
ClosedFilePath=\Device\Harddisk2\DR2
ClosedFilePath=P:\
ClosedFilePath=\Device\Harddisk1\DR1

Those above work as intended but as soon as I use wildcards they stop working.

Anyway, it's not a big deal to use them without wildcards.
Windows 8.1 x64 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

Barb@Invincea
Sandboxie Support
Posts: 2858
Joined: Mon Nov 07, 2016 3:10 pm

Re: ¿Program being able to access a "Blocked Access" HDD?

Post by Barb@Invincea » Wed Nov 21, 2018 11:13 am

Hi Mr.X,

If you can let me know what part wasn't clear from my previous post (the one where I provided the wildcard examples), I will be happy to clarify.
Also, when you say it doesn't work... what happens exactly, and what are the settings that you entered? Provide examples and I will test them.

Regards,
Barb.-
