File Access Exceptions

Ideas for enhancements to the software
Post Reply
Iggiz
Posts: 7
Joined: Sun Feb 12, 2017 1:09 pm

File Access Exceptions

Post by Iggiz » Sun Feb 12, 2017 1:47 pm

Currently it doesn't seem to be possible to add exceptions, I had to add each path manually to sandboxie.ini to get google chrome working.
It took me 123 lines to archive a full "block", with exceptions I could have done the same with a lot less lines. Also, if I install a new program then I have to open sandboxie.ini again and add the path manually to each sandbox, it's a lot of work sadly.
A exception list could be added on top, I think the implementation would be very easy. It also doesn't break existing sandboxie.ini setups since it's fully optional.
It doesn't need GUI either, just allow us adding it to the .ini file manually, I'm sure a lot people would be using it since it saves a lot time.


If exceptions would be possible my sandboxie.ini could be looking the following way:

Basic block I would have in all my sandboxes:

WriteFilePath=C:\
WriteFilePathException=%SystemRoot%\


Let's make google chrome working:

WriteFilePathException=chrome.exe,%Local AppData%\Google\Chrome\
WriteFilePathException=chrome.exe,C:\Program Files (x86)\Google\Chrome\

Thats it! Much easier to setup, very user friendly



Here is how I make google chrome working currently:

Code: Select all

WriteFilePath=C:\Program Files (x86)\Random Program 1\
WriteFilePath=C:\Program Files (x86)\Random Program 2\
WriteFilePath=C:\Program Files (x86)\Random Program 3\
WriteFilePath=C:\Program Files (x86)\Random Program 4\
WriteFilePath=C:\Program Files (x86)\Random Program 5\
WriteFilePath=C:\Program Files (x86)\Random Program 6\
WriteFilePath=C:\Program Files (x86)\Random Program 7\
WriteFilePath=C:\Program Files (x86)\Random Program 8\
WriteFilePath=C:\Program Files (x86)\Random Program 9\
... 49 other programs inside C:\Program Files (x86)

WriteFilePath=C:\Users\Nutzer\AppData\Local\Random Program 1\
WriteFilePath=C:\Users\Nutzer\AppData\Local\Random Program 2\
WriteFilePath=C:\Users\Nutzer\AppData\Local\Random Program 3\
WriteFilePath=C:\Users\Nutzer\AppData\Local\Random Program 4\
WriteFilePath=C:\Users\Nutzer\AppData\Local\Random Program 5\
WriteFilePath=C:\Users\Nutzer\AppData\Local\Random Program 6\
WriteFilePath=C:\Users\Nutzer\AppData\Local\Random Program 7\
WriteFilePath=C:\Users\Nutzer\AppData\Local\Random Program 8\
WriteFilePath=C:\Users\Nutzer\AppData\Local\Random Program 9\
... 15 other folders in C:\Users\Nutzer\AppData\Local\

WriteFilePath=C:\Users\Nutzer\AppData\Low\
WriteFilePath=C:\Users\Nutzer\AppData\Roaming\
WriteFilePath=C:\Users\Nutzer\Videos\
WriteFilePath=C:\Users\Nutzer\Searches\
WriteFilePath=C:\Users\Nutzer\Saved Games\
WriteFilePath=C:\Users\Nutzer\Pictures\
WriteFilePath=C:\Users\Nutzer\OneDrive\
WriteFilePath=C:\Users\Nutzer\Music\
WriteFilePath=C:\Users\Nutzer\Links\
WriteFilePath=C:\Users\Nutzer\Intel\
WriteFilePath=C:\Users\Nutzer\Google Drive\
WriteFilePath=C:\Users\Nutzer\Favorites\
WriteFilePath=C:\Users\Nutzer\Downloads\
WriteFilePath=C:\Users\Nutzer\Documents\
WriteFilePath=C:\Users\Nutzer\Desktop\
WriteFilePath=C:\Users\Nutzer\Contacts\
WriteFilePath=C:\Users\Nutzer\3D Objects\
WriteFilePath=C:\Users\Nutzer\.Random Program 1\
WriteFilePath=C:\Users\Nutzer\.Random Program 2\
WriteFilePath=C:\Users\Nutzer\.Random Program 3\
WriteFilePath=C:\Users\Nutzer\.Random Program 4\
WriteFilePath=C:\Users\Nutzer\.Random Program 5\
WriteFilePath=C:\Users\Nutzer\.Random Program 6\
WriteFilePath=C:\Users\Nutzer\.Random Program 7\
WriteFilePath=C:\Users\Nutzer\.Random Program 8\
WriteFilePath=C:\Users\Nutzer\.Random Program 9\
WriteFilePath=C:\Users\Public\
WriteFilePath=C:\Users\Default.migrated\
WriteFilePath=C:\Users\Default User\
WriteFilePath=C:\Users\Default\
WriteFilePath=C:\Random Program 1\
WriteFilePath=C:\Random Program 2\
WriteFilePath=C:\Random Program 3\
WriteFilePath=C:\Program Files\
WriteFilePath=C:\System Volume Information\
WriteFilePath=C:\Recovery\
WriteFilePath=C:\ProgramData\
WriteFilePath=C:\PerfLogs\
WriteFilePath=C:\Logs\
WriteFilePath=C:\Intel\
WriteFilePath=C:\Config.Msi\

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 1458
Joined: Mon Nov 07, 2016 9:10 pm

Re: File Access Exceptions

Post by Barb@Invincea » Wed Feb 15, 2017 11:40 pm

Hello Iggiz,

Is there any particular reason why you are blocking everything? What are you trying to setup, exactly?
By default, applications can run in the Sandbox without any need to open paths or block locations (unless you are trying to do a specific thing?).

Maybe you could try blocking Program files instead of the entire C: drive?

The devs have been made aware of this request. At this point it would involve a lot of work, but they will keep it mind maybe for the future (no promises right now).

Regards,
Barb.-

Iggiz
Posts: 7
Joined: Sun Feb 12, 2017 1:09 pm

Re: File Access Exceptions

Post by Iggiz » Thu Feb 16, 2017 2:06 pm

Hi Barb!


Let me explain you what I'm trying to do here, by default Sandboxie protects your system from modifications but it doesn't protect you from data theft.
Many applications store sensitive data inside of your appdata folder, a good example is FileZilla. FileZilla stores the passwords of all servers you connected to in plain text inside of the appdate folder, if I don't block/hide all files inside C:\Users\ then any applications could in theory steal my passwords.
Blocking C:\Users\ is a must, however, I can't just block the whole C:\Users\ folder since the application I'm trying to run won't be able to access its own data files. My example above shows that I blocked all folder except the data folder of the example application google chrome (%Local AppData%\Google\Chrome\ was excluded from my list).


The reason why I hide/block the Program Files folder is mainly about privacy, some program like to scan your system to collect information about you.

A good example about that can be found in your forums (see the links below). A new game came out but people were afraid to install it since the application is known to collect data about your installed programs and other things.

http://forums.sandboxie.com/phpBB3/view ... hp?t=11460
http://forums.sandboxie.com/phpBB3/view ... =5&t=11807
http://forums.sandboxie.com/phpBB3/view ... 17&t=19060



Also, I think sandboxie should show a warning message after the installation and tell people about the problems with data theft, people should be aware of this problem.



Thanks for taking your time and reviewing my request. Even if you can't make any promises right now, I'm still glad that there is a little hope!

SkyLink
Posts: 3
Joined: Mon Feb 20, 2017 1:05 pm

Re: File Access Exceptions

Post by SkyLink » Mon Feb 20, 2017 6:18 pm

Not ideal but you may be able to get around this by re-installing Chrome into a custom folder instead of program files. Tutorials from a google search suggest you can achieve this by using symbolic links as by default Chrome doesn't prompt you for the installation directory.

+1 for the request though, exceptions would come in useful.

JoSchu
Posts: 1
Joined: Sat Feb 25, 2017 5:01 pm

Block whole drive but with exemptions

Post by JoSchu » Sat Feb 25, 2017 5:17 pm

Hi

let's say I want to block access to my whole drive X: but allow access to the tree X:\temp\*.
With sandboxie 3.x, I had to explicitly block everything around X:\temp to accomplish that.
Is there a way with version 5.x to combine a minimal set of ClosedFilePath and Open[File|Pipe]Path statements (like 2 or 3) to do that?
You could also say that I would like to have a whitelist, not a blacklist.
The documentation still states that ClosedFilePath always wins (or has precedence), so I'm hoping for a trick ;)

(The above is just a minimal example. I actually want to profile all resource access of a specific program with procmon, use its' count occurrences function to build a path-whitelist and have everything else blocked...)

Thanks for any help and hints, SB is great!!
Regards

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 1458
Joined: Mon Nov 07, 2016 9:10 pm

Re: File Access Exceptions

Post by Barb@Invincea » Mon Feb 27, 2017 7:16 pm

Hello JoSchu,

I have merged your post with this one.
Please see above for some options/ideas.

Regards,
Barb.-

Rasheed187
Posts: 212
Joined: Sat Jan 14, 2006 5:08 pm

Allow file access to certain folders

Post by Rasheed187 » Sun Apr 23, 2017 10:22 am

I currently have blocked access to all data on on my E drive, but I want to allow access to only certain folders. Of course I can make blocking rules for most folders on the drive, but that would be very unhandy. So a "block all except" feature per sandbox or system-wide would be cool. :)

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 1458
Joined: Mon Nov 07, 2016 9:10 pm

Re: File Access Exceptions

Post by Barb@Invincea » Mon Apr 24, 2017 5:26 pm

Hello Rahseed187,

I have merged your post with this one.
Please see above for some options/ideas.

Regards,
Barb.-

DanM
Posts: 14
Joined: Tue Jun 06, 2017 10:36 pm

Re: File Access Exceptions

Post by DanM » Wed Jun 14, 2017 1:25 am

Adding this here per Barb. Would make Sandboxie the best virus program there is. My thread viewtopic.php?f=17&t=24529

By default, Sandboxie does not block Read access to files and folders. But, the restriction options (like Write-Only Access) should allow you to block a lot of things.
Here's an example of a user that blocked pretty much everything, except for Google Chrome:
viewtopic.php?f=4&t=24012&p=126526&hilit=chrome#p126368
Wow, I think that poster wanted exactly what I do. Wouldn't Sandboxie be much more powerful if all folders were by default Write only access enabled? Then as per the description all files and folders "will appear empty to programs running in the sandbox"? If said program needs access, Sandboxie would tell us exactly what it wants to read.

Most programs only need to "create new files within the folders" and have no need or business reading other files on my computer. So why give programs so much freedom? With that restriction, Sandboxie would be pretty much key logger proof. Any plans on doing that?

So if I am understanding correctly, Sandboxie by default allows a program to read whatever it wants in my drive, to make a duplicate virtual drive in Sandboxie. However, no change is made to my external. If that is correct, restricting internet should be enough but as I said above, most programs have no need or businesses reading any of my drives. Restrict write access by default would be a great addition to Sandboxie. If it can be done, I can see this being a software every household would need. However, I am sure it is much harder than I am making it.

THIS------------------------------------------
P.S From reading the forum, I noticed a lot of people misunderstood like I did due to the way it was worded, the difference between read only and write only access. Most of us assumed if "read only access" is left blank nothing can be read but that is what "write only access" is. Read only means "excludes the effects of sandboxing on a file" which should probably be called something clearer IMO.

Creave
Posts: 32
Joined: Sun Apr 02, 2017 1:32 pm

Re: File Access Exceptions

Post by Creave » Tue Aug 01, 2017 6:22 pm

+1!

I bought Sandboxie for privacy reasons in the first place! I was looking for a Windows alternative to Androids XPrivacy.

And the only reason I still don't recommend Sandboxie to coworkers, friends and family although I want to is because of the difficulty to maintain a secure configuration!

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests