NOT logic in file blocking?

Ideas for enhancements to the software
Post Reply
est
Posts: 6
Joined: Wed Dec 24, 2008 7:08 am

NOT logic in file blocking?

Post by est » Sat Jan 02, 2010 10:54 am

Hi all,

I want to block certain programs from visiting all directories except only one, how can I do that?

I hope there's a NOT logic in file blocking in sandboxie

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Sat Jan 02, 2010 11:01 am


Guest10
Posts: 5133
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Sat Jan 02, 2010 11:33 am

Also read about the "!" operator, in the description for Closed File Path.
(Blocks all sandboxed .exe's from accessing a folder, except the one that's specified in the line)
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Firefox, Thunderbird
Sandboxie user since March 2007

est
Posts: 6
Joined: Wed Dec 24, 2008 7:08 am

Post by est » Sun Jan 03, 2010 8:08 am

MitchE323 wrote:You can have a read here;
http://www.sandboxie.com/phpbb/viewtopic.php?t=6879
Thanks, I tried the ! mark

Code: Select all

ClosedFilePath=!cmd.exe,D:\Win\Sandboxie\*
ClosedFilePath=!start.exe,C:\
ClosedFilePath=C:\
ClosedFilePath=C:\
ClosedFilePath=E:\
But I can not get CMD started, what can I do?

Guest10
Posts: 5133
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Sun Jan 03, 2010 9:47 am

I think that I misunderstood what you want to do.
Do you want a sandboxed program to be able to access only one directory, and no other directories anywhere?
Or do you want only one sandboxed program to be able to access a certain directory, and no other sandboxed programs can access that same directory?
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Firefox, Thunderbird
Sandboxie user since March 2007

est
Posts: 6
Joined: Wed Dec 24, 2008 7:08 am

Post by est » Sun Jan 03, 2010 9:55 am

Guest10 wrote:I think that I misunderstood what you want to do.
Do you want a sandboxed program to be able to access only one directory, and no other directories anywhere?
Or do you want only one sandboxed program to be able to access a certain directory, and no other sandboxed programs can access that same directory?
Thanks for replying,

I want to block access to ALL directories, except needed system dll's and its own directory of a executable.

Mike
Posts: 592
Joined: Mon Nov 16, 2009 1:27 pm

Post by Mike » Mon Jan 04, 2010 11:50 pm


est
Posts: 6
Joined: Wed Dec 24, 2008 7:08 am

Post by est » Tue Jan 05, 2010 11:05 am

> So this will not be possible and will not be in the future, correct?


> Let's instead say that at this time, I have no plans to add this feature.


That's pretty sad :(

Username

Post by Username » Tue Jan 05, 2010 11:54 am

0) DropMyRights feature also restricts many folders
1) you can use NTFS permissions
2) you can use a separate SUBST or RAM drive
3) you shouldn't worry because SBIE works with a *COPY* of modified files and registry

Mike
Posts: 592
Joined: Mon Nov 16, 2009 1:27 pm

Post by Mike » Tue Jan 05, 2010 10:46 pm

@Username: The main concern in the related threads has been privacy, rather than protection of the system from permanent infection. It seems that your points wouldn't really apply, or would be impractical, in scenarios like SandboxieFan's example.

Username

Post by Username » Wed Jan 06, 2010 9:28 am

Hi Mike,

You're right that all this is but a lame workaround, yet it *does* work when used properly (at least - for me). Frankly speaking I don't often make use of such restricted software, but should Ronen find it worth doing we shall have a feature like this.

Happy 2010 and Xmas)
Cheers

Mike
Posts: 592
Joined: Mon Nov 16, 2009 1:27 pm

Post by Mike » Thu Jan 27, 2011 3:25 pm

Looking back at this old thread, just wanted to clarify some things to save people time.
Username wrote:0) DropMyRights feature also restricts many folders
Don't think so. Folders that normally require Admin privileges for write access, such as C:\Windows, can be freely written to in the sandbox, even with Drop Rights enabled.
Username wrote:1) you can use NTFS permissions
Might be hard. You would have to deny yourself access to those files, or else run sandboxed programs under a different user account, right?
Username wrote:2) you can use a separate SUBST or RAM drive
Not to solve the problem we're talking about. If you block D:\ and try to mount D:\Subfolder as a subst drive, the subst drive will also be blocked. There aren't any tricks to get around this (see here) because it's the final target path that matters (see here).

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest