I have two questions related to the Blocked Access settings.
1. I am a bit confused by the functionality of this feature when it states the following: "The following files and folders will not be accessible at all to programs running in this sandbox." I mean, I thought the very purpose of running Sandboxie was to isolate programs from the rest of the system (by creating an emulated environment for them to run instead). So, why am I now having to name specific files and folders to prevent them from getting accessed also?
2. While I was adding a few network folders to settings in Blocked File Access, I included this one for example
\\Computer-PC\Users\
Then I got the following message from Sandboxie:
"Windows file sharing can be used to circumvent blocked file access settings. Adding resource to block access to windows file sharing."
And Sandboxie had added this setting also:
\Device\Mup
So, my question is, what exactly happened right there? Thanks.
Blocked Access settings
As to #1: Programs that are running sandboxed can read from any folder outside of the sandbox, unless a Blocked Access or Write-Only Access setting is used.
You can also apply these settings to individual .exe's, instead of to all .exe's that use the sandbox.
Or, you can apply these settings to all programs except for a specific .exe.
Blocked Access results in an error message if a program tries any access to the file or folder in the Blocked Access setting.
Write-Only access hides folders, making it appear that the folder outside of the sandbox does not contain any files.
Only folders can be specified in the setting; not files.
Sandboxed programs can write to the folder in the setting, but it's still writing inside of the sandbox.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
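A check for the situation Sandboxie's message in the first post describes, as an added example that is not part of any post in this thread: it parses a constructed Sandboxie.ini, lists the Blocked / Read-Only / Write-Only rules with their per-program scope, and reports boxes that block a \\server path without also blocking \Device\Mup. It assumes the Sandboxie.ini key names ClosedFilePath, ReadFilePath and WriteFilePath and the `program.exe,` / `!program.exe,` prefixes; the box names and most paths are made up.

```python
import re

# Constructed sample (not from the thread); keys are Sandboxie.ini file-access settings.
SAMPLE_INI = r"""
[DefaultBox]
ClosedFilePath=\\Computer-PC\Users\
ClosedFilePath=!notepad.exe,C:\Private\
ReadFilePath=C:\boot.ini
WriteFilePath=winword.exe,C:\Docs\

[HardenedBox]
ClosedFilePath=\\Computer-PC\Users\
ClosedFilePath=\Device\Mup
"""

KINDS = {"ClosedFilePath": "blocked", "ReadFilePath": "read-only",
         "WriteFilePath": "write-only"}

def parse_rules(ini_text):
    """Return {box: [(kind, scope, path), ...]} for the file-access keys."""
    boxes, current = {}, None
    for line in ini_text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = boxes.setdefault(section.group(1), [])
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep or key not in KINDS:
            continue
        # Optional "prog.exe," or "!prog.exe," prefix limits the rule's scope.
        scoped = re.fullmatch(r"(!?)([^,\\]+\.exe),(.+)", value, re.I)
        if scoped:
            neg, prog, path = scoped.groups()
            scope = ("all except " if neg else "only ") + prog
        else:
            scope, path = "all programs", value
        current.append((KINDS[key], scope, path))
    return boxes

def unc_blocks_without_mup(boxes):
    """Names of boxes that block a UNC path for all programs but not the Mup device."""
    findings = []
    for box, rules in boxes.items():
        blocked = [p.rstrip("\\").lower() for kind, scope, p in rules
                   if kind == "blocked" and scope == "all programs"]
        if any(p.startswith("\\\\") for p in blocked) and r"\device\mup" not in blocked:
            findings.append(box)
    return findings
```

Running `unc_blocks_without_mup(parse_rules(SAMPLE_INI))` flags only DefaultBox, the box whose network-share block has no matching \Device\Mup entry.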
Guest10 wrote: As to #1: Programs that are running sandboxed can read from any folder outside of the sandbox, unless a Blocked Access or Write-Only Access setting is used....
If programs in the sandbox already have read-only access to everything, why is there another setting in the File-Access section labeled as Read-Only Access, stating that "The following files and folders will not be modifiable to programs running in this sandbox"?
jw72253 wrote: why is there another setting in the File-Access section labeled as Read-Only Access, stating that "The following files and folders will not be modifiable to programs running in this sandbox"?
bo.elam wrote: That setting is to keep files (that you choose) from being modified in the sandbox.
Bo
Hi, Bo. Do I understand you correctly in saying that this setting allows me to protect files inside the sandbox from being changed by other programs running inside the sandbox? That's very interesting. Can you give me an example of why I might use this feature? Thanks.
Normally, a sandboxed program can read a file outside of the sandbox, modify the file, and then "save" it back to that "same" folder inside of the sandbox.
(The file is not actually saved outside of the sandbox, unless you have created an exception that allows it)
Examples:
(Not using Read-Only Access)
Using sandboxed Notepad and DefaultBox, open C:\Temp\Test.txt
Modify the text.
Save it.
The file is saved to: C:\Sandbox\(user)\DefaultBox\drive\C\Temp\Test.txt
(Using Read-Only Access, and the same file)
Read-Only Access > All Programs > Navigate to and select the file 'C:\Temp\Test.txt'
Using sandboxed Notepad and DefaultBox, open C:\Temp\Test.txt
Modify the text.
Save it.
An error message appears: the file cannot be saved back to that folder, because it's specified as read-only there.
You are asked to save the file to a different folder. It will still be saved in the sandbox though, unless you have allowed files in that other folder to be saved out of the sandbox.
Read-Only Access can also specify a folder, instead of just a file in the folder.
You can read files from that folder but you cannot "save" the file back to that same folder in the sandbox.
The copy of the file that you save in the sandbox is not marked as read-only. Wherever you save it, other programs using that same sandbox could still modify it.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007
jw72253 wrote: Hi, Bo. Do I understand you correctly in saying that this setting allows me to protect files inside the sandbox from being changed by other programs running inside the sandbox? That's very interesting. Can you give me an example of why I might use this feature? Thanks.
For example, if you are in XP, you can set C:\boot.ini as read only. Programs in the sandbox have no business modifying that file. In my XP, I have it as read only, doing so doesn't cause any errors or messages from SBIE and my computer is safer.
Bo