Learning / Recording Mode
I wish there was a "learning" mode where Sandboxie would permit the application to run completely trusted one time only but record or monitor all activity to a session log. Then, you could review what the application actually did and decide at that point to limit its access.
My thinking is that I'd like to lock down certain applications after I use them. For example, media players should not be writing to files. But some players, like GomPlayer, are really hard to set up in Sandboxie.
I could record what Gom is doing, then turn off access to anything I don't want it to do, as well as limit access to drives, etc.
What do you think?
Re: Learning / Recording Mode
dr3amcrush3r wrote: My thinking is that I'd like to lock down certain applications after I use them. For example, media players should not be writing to files. But some players, like GomPlayer, are really hard to set up in Sandboxie.
It would not matter anyway... With operating systems >= x64 Vista, malware can bypass usermode hooks using native system calls (SYSENTER/Int 0x2E). Microsoft took away the ability to hook this without problems. Something needs to be done at the OS level. I think applications should be allowed to register an 'Access Mask' which gives or takes away access to system calls.
Btw, what you are suggesting can actually somewhat be accomplished with the SBIE SDK for usermode calls into ntdll, kernel32 and user32. You could even edit the sandboxie.ini from the SDK to allow/disallow specific file paths. But it's a lot of work.
-MessageBoxA
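The record-then-restrict workflow discussed in this thread, sketched as an added example that is not code from either poster or from Sandboxie: it turns one recorded session into proposed per-program `ClosedFilePath` and `ReadFilePath` lines for Sandboxie.ini. The log format, the program name `player.exe`, the box name and all paths are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed session log (format is an assumption): "<OP> <path>" per line.
SAMPLE_LOG = r"""
READ  C:\Program Files\Player\player.exe
READ  C:\Windows\System32\ntdll.dll
READ  D:\Videos\holiday.avi
WRITE C:\Users\alice\AppData\Roaming\Player\config.ini
WRITE C:\Users\alice\Documents\notes.txt
"""

def parse_log(text):
    """Turn the recorded log into (operation, PureWindowsPath) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            op, path = line.split(None, 1)
            events.append((op.upper(), PureWindowsPath(path.strip())))
    return events

def is_under(path, root):
    """True if path is root or lies below it (Windows paths ignore case)."""
    return path == root or root in path.parents

def build_rules(events, program, drives, allow_write=()):
    """Propose per-program Sandboxie.ini lines from one recorded session."""
    approved = [PureWindowsPath(p) for p in allow_write]
    used = {p.drive.upper() for _, p in events}
    # Drives the program never touched are closed to it entirely.
    rules = [f"ClosedFilePath={program},{d.upper()}\\"
             for d in sorted(drives) if d.upper() not in used]
    # Folders it wrote to without reviewer approval become read-only.
    denied = {str(p.parent) for op, p in events
              if op == "WRITE" and not any(is_under(p, a) for a in approved)}
    rules += [f"ReadFilePath={program},{d}\\" for d in sorted(denied)]
    return rules

if __name__ == "__main__":
    rules = build_rules(parse_log(SAMPLE_LOG), "player.exe", ["C:", "D:", "E:"],
                        allow_write=[r"C:\Users\alice\AppData\Roaming\Player"])
    print("[MediaBox]")  # hypothetical sandbox name
    print("\n".join(rules))
```

The output is a proposal to review by hand before it goes into Sandboxie.ini; a single session only shows the paths the program happened to touch that time.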