
Encrypted PGP Disk volume not protected by default

Posted: Tue Jan 16, 2007 11:53 am
by Stephan
I'm using an encrypted PGP Disk volume mounted as drive T:
notepad.exe running sandboxed is nevertheless able to create, delete and edit files permanently on drive T: - breakthrough Sandboxie

Online help gives an example of a solution for another product, "TrueCrypt":
[GlobalSettings]
HarddiskVolume=\Device\TrueCryptVolumeT
HarddiskVolume=T:
In my case I looked in the device manager and found a device named PGPdisk and added this line to my Sandboxie.ini.
HarddiskVolume=\Device\PGPdisk,asis
Now my PGP volume T: is protected and can't be modified by sandboxed programs.

Question:
I found many other devices listed in the device manager which I do not exactly know. Example: ASPI32, FileDisk, mountmgr, pagedfrg, ...
Are these all possible security holes?
Maybe there exists a device that can access the computer file system, or the disk at low level - and a sandboxed program will establish a connection to this device (that resides outside the sandbox) and then use this device to modify something outside the sandbox? Maybe the topic "Paragon Partition Manager breakthrough Sandboxie" is the same problem - a device installed outside the sandbox is contacted from inside the sandbox?

Is it possible permitting all direct device access inside the sandbox, so that an encrypted PGP Disk volume and other products are protected by default?

Posted: Tue Jan 16, 2007 4:45 pm
by tzuk
Maybe there exists a device that can access the computer file system, or the disk at low level - and a sandboxed program will establish a connection to this device (that resides outside the sandbox) and then use this device to modify something outside the sandbox?
There isn't such a device by default, that I know of. And if you find out the next Windows Update installs such a device, you can always add:

ClosedFilePath=\device\TheEvilDevice
Maybe the topic "Paragon Partition Manager breakthrough Sandboxie" is the same problem - a device installed outside the sandbox is contacted from inside the sandbox?
This is entirely possible, in version 2.64, if the new device -- such as your PGP disk -- is mounted after Sandboxie has taken inventory of your drives, and noted to itself, what are the hard drives eligible for sandboxing.

But, similar to what I said in that other post: In version 2.7, there is no such inventory, there is no more HarddiskVolume setting, and drives become eligible for sandboxing as soon as they are mounted into the system.
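
Added example, not part of the thread and not Sandboxie's own code: for a version 2.64 setup that still relies on HarddiskVolume lines, this check reports mounted volumes that no [GlobalSettings] entry names. It assumes an entry covers a volume when it names the volume's device path or drive letter (any ",asis"-style suffix ignored) and that ordinary \Device\HarddiskVolumeN volumes are picked up by the inventory; the drive-to-device map is constructed sample data, where on a live system it would come from QueryDosDevice.

```python
import re

# Constructed sample: the workaround line from the first post, plus the
# ClosedFilePath line from the reply placed in a hypothetical box section.
SAMPLE_INI = r"""[GlobalSettings]
HarddiskVolume=\Device\PGPdisk,asis

[DefaultBox]
ClosedFilePath=\device\TheEvilDevice
"""

# Constructed drive-letter -> NT device map (hypothetical values).
SAMPLE_MOUNTS = {
    "C:": r"\Device\HarddiskVolume1",
    "T:": r"\Device\PGPdisk",
    "U:": r"\Device\TrueCryptVolumeU",
}

# Assumption: volumes with this device name need no explicit entry.
STANDARD = re.compile(r"^\\device\\harddiskvolume\d+$", re.IGNORECASE)


def harddisk_volume_entries(ini_text):
    """Return lowercased HarddiskVolume values found in [GlobalSettings]."""
    entries, section = set(), None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "globalsettings" and key.strip().lower() == "harddiskvolume":
            # Drop a ",asis"-style suffix before comparing (assumed semantics).
            entries.add(value.split(",", 1)[0].strip().lower())
    return entries


def unlisted_volumes(ini_text, mounts):
    """Return drive letters whose device is non-standard and not listed."""
    listed = harddisk_volume_entries(ini_text)
    missing = []
    for drive, device in sorted(mounts.items()):
        if STANDARD.match(device):
            continue
        if drive.lower() not in listed and device.lower() not in listed:
            missing.append(drive)
    return missing


if __name__ == "__main__":
    for drive in unlisted_volumes(SAMPLE_INI, SAMPLE_MOUNTS):
        print(f"{drive} -> {SAMPLE_MOUNTS[drive]} has no HarddiskVolume entry")
```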