Add option to evaluate sandbox rules in file order

Post by Binky » Thu Oct 20, 2011 11:02 am

After researching Windows security for 11 years, I have relied for the last year on Sandboxie for my primary security. Really great software!

There is something I have been wishing for over the last year. Other security software (HIPS I used to use, firewall I still use) achieves surgical precision and simplicity by evaluating rules in the order they appear in file. According to tzuk (see, Sandboxie evaluates all ClosedFilePath rules, then all ReadFilePath rules and then all OpenFilePath rules. If none of these *FilePath rules apply to a file I/O, then a read is allowed and a write is sandboxed. Thus, the order of these rules doesn't matter.

I would like a new Sandboxie.ini setting that tells Sandboxie to evaluate these rules in the order they appear in file. Without the new setting, Sandboxie would work as today for backwards compatibility. I propose that this new evaluation mode would speed up execution because 1) only one pass through is needed for the three *FilePath rules compared to three passes today, and 2) I can reduce the number of rules to achieve the same effect. More importantly, the new setting provides more surgical precision in achieving security. Here is a good example:

I further propose adding a new rule/setting, maybe called NormalFilePath, that specifies that file I/O matching the path is allowed to read, but writes are sandboxed. Today, this behavior applies if file I/O doesn't match any *FilePath rules. This new setting, which would only apply when rules are evaluated in file order, could be inserted between *FilePath rules to provide more flexibility in file I/O rules. I suggest that NormalFilePath behavior would still apply if no *FilePath rules match a given file I/O.

Post by tzuk » Thu Oct 20, 2011 2:17 pm

Since I've had this discussion too many times already, you'll have to forgive me for being brief this time. The answer is no.

Post by gnasirator » Wed Nov 02, 2011 10:37 am

I might suggest a simpler alternative here:

Sandboxie - as it works right now - prefers denying rules over allowing ones.
Thus it is impossible to block access to whole drives while still allowing access to some handpicked important files.

Suggestion: Change the priority the other way round - or better: Include a checkbox that lets the user decide whether he wants to prioritize the block or the allow rules.

By the way - that's a feature I really miss.
I just found Sandboxie very handy to block the Origin spyware from scanning my private files (Origin - Battlefield 3). But blocking every single sub folder and file in a specific directory just to allow the one which is necessary to run the game is VERY complicated.
This would be an (I guess) easily programmable solution which offers a BIG extra in usability.
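
The two evaluation strategies discussed in this thread, as an added example that is not part of any post and is not Sandboxie's code: a simplified model comparing the class-ordered evaluation attributed to tzuk (Closed, then Read, then Open) with the first-match, file-order evaluation requested in the first post. Prefix matching, the function names and the sample paths are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Sandboxie's implementation.
# Assumption: a rule matches when the path starts with the rule's prefix
# (case-insensitive); Sandboxie's real pattern matching is not modelled.

# Outcome per rule type. "normal" is the default described in the thread:
# reads are allowed, writes are redirected into the sandbox.
OUTCOME = {
    "ClosedFilePath": "closed",
    "ReadFilePath": "read-only",
    "OpenFilePath": "open",
    "NormalFilePath": "normal",  # setting proposed in the thread, hypothetical
}
DEFAULT = "normal"

def _matches(prefix, path):
    return path.lower().startswith(prefix.lower())

def eval_by_class(rules, path):
    """Behaviour as described in the thread: all Closed rules, then all Read
    rules, then all Open rules. Rule order in the file is irrelevant, and the
    proposed NormalFilePath is ignored in this mode."""
    for kind in ("ClosedFilePath", "ReadFilePath", "OpenFilePath"):
        if any(k == kind and _matches(p, path) for k, p in rules):
            return OUTCOME[kind]
    return DEFAULT

def eval_in_file_order(rules, path):
    """Requested behaviour: the first matching rule in file order wins."""
    for kind, prefix in rules:
        if _matches(prefix, path):
            return OUTCOME[kind]
    return DEFAULT

# Constructed rule set: open one folder, keep one folder at the default,
# close the rest of the drive.
RULES = [
    ("OpenFilePath", "D:\\Games\\Origin\\"),
    ("NormalFilePath", "D:\\Shared\\"),
    ("ClosedFilePath", "D:\\"),
]

if __name__ == "__main__":
    for path in ("D:\\Games\\Origin\\game.exe", "D:\\Shared\\notes.txt",
                 "D:\\Private\\taxes.xls", "C:\\Windows\\win.ini"):
        print(f"{path:28} class={eval_by_class(RULES, path):8} "
              f"file-order={eval_in_file_order(RULES, path)}")
```

In the class-ordered model the drive-wide ClosedFilePath rule closes the game folder as well, which is the limitation the last post describes; in the file-order model the same three rules leave that folder open and close everything else on the drive.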


