New Feature Request

[street011]

Of course, I`m assuming it actually works, Street are you saying you had the line

ClosedFilePath=!firefox.exe,\Device\Afd*

in your config, but a cmd line could still get access?

correct

[MikeJ]

(decided to move my "edit" to a new reply since Street already replied above)

that would that make sense, because cmd is not using a process? Or is it? BTW, I would experiment myself, but I don't even know how to use cmdline for any but a few things, never use it in practice. If not for mouse I guess I simply wouldn't turn the computer on.

[MikeJ]

This thread is getting long, and I feel like my ramblings have hijacked it, sorry, but I guess to sum it up for me, I`ve learned (and verified to my abilities):

ClosedFilePath=!firefox.exe,\Device\Afd*

is exactly what I was looking for (and hopefully Mitch) to block access to internet for all but one process I designate in a given sandbox. (with minor exception cmdline may still access, as Street has said, but as far as I can tell if thats all that can do it, it's of little practical concern to me. Maybe I should have more concern?)

However, even this may be improved upon as implied below

I should probably extend it to accept a set of processes, as in "ClosedFilePath=!(iexplore.exe,notepad.exe),*", but that will have to wait.

yes this would be better, and yes we have to wait for it

So I think that raps it up for me, I`ll let Mitch have his thread back now LOL BTW, thanks for bringing this topic up, I think it definately needed diiscussed and could use a higher priority in the FAQs (unless i`m just blind)

[MitchE323]

Tzuk in your example you point out that "ClosedPipePath...." is the method, but you use ClosedFilePath in the setting - is that right?

We didn't get clarification on this yet, maybe that's the problem. I dont see an explanation area for ClosedPipePath, there is OpenPipePath and ClosedFilePath but alas no ClosedPipePath........

mitch

[MikeJ]

Tzuk in your example you point out that "ClosedPipePath...." is the method, but you use ClosedFilePath in the setting - is that right?

We didn't get clarification on this yet, maybe that's the problem. I dont see an explanation area for ClosedPipePath, there is OpenPipePath and ClosedFilePath but alas no ClosedPipePath........

mitch

I noticed that as well.

(So ends the only point that I can verify. Everything hereafter is opinion and/or thinking out loud).

But it sounds like from reading about OpenPipePath, perhaps everything is considered "ClosedPipe" unless otherwise opened? Hence ClosedPipePath would be redundant.

[tzuk]

MikeJ, you're right, ClosedFilePath is always applied, so there is no point to also have a ClosedPipePath.
Sorry for the confusion. To absolutely clarify: There is no ClosedPipePath, I meant ClosedFilePath.

[MitchE323]

Thanx, this really does it for me as I only use IE, but I can see where others are going to want to mix and match more than one program.

Earlier in this thread when Street pointed out that 50% of the bad guys use IE as access, well at least we are that much further along.

Thank you to all that helped formulate this into something we can all use, and of course as always, Thank You Tzuk.

Mitch

[tzuk]

MitchE323, you're welcome.

Street011, can you explain what you mean by cmd.exe having Internet access? I have no idea what you mean by that, as I don't know any scenario in which cmd.exe is going out to make a connection on the Internet.

Then you cant "exclude" any other processes, even the important SandboxieRpcss.exe process, BUT, could you use multiple ClosedIpcPath's in the ini to allow iexplore as well as SandboxieRpcss, or does it only allow one ClosedIpcPath hence only one process allowed?

I meant that when you have a config setting like

ClosedXxxPath=!iexplore.exe,SomeCrucialResourceNeededForAnyProgramToStart

then anything other than iexplore.exe will be denied that crucial resource and will simply not work. You can add other ClosedXxxPath statements to your heart's content, but none of them will negate the effect of that first ClosedXxxPath statement. I hope that makes it clearer.

[wraithdu]

Is there somewhere we could get a list of useful paths/resources such as \Device\Afd* that could be used to grant/restrict programs access? I think this might answer some questions before they're asked.

[SnDPhoenix]

You can add other ClosedXxxPath statements to your heart's content, but none of them will negate the effect of that first ClosedXxxPath statement.

OK, so you can add as many closed paths as you like but Sandboxie will only respect the first closed path in the ini. But, you can add more than one closed paths to your ini as long as there is only one closed path per sandbox right?

[wraithdu]

Not exactly. What he means is that if you add

ClosedFilePath=!something.exe,resource1

then your are excluding EVERYTHING EXCEPT something.exe. You cannot then use

OpenFilePath=somethingelse.exe,resource1

to try to allow somethingelse.exe.

You can however do

ClosedFilePath=prog1.exe,resource1
ClosedFilePath=prog2.exe,resrouce1

becuase these statements do not conflict. At the moment, lines in the INI file must be mutually exclusive (I'm hoping this will change when tzuk gets a chance). In the end this means that you cannot format a statement to exclude everything EXCEPT a list of programs. This was what tzuk was referring to with

ClosedFilePath=!(prog1.exe,prog2.exe,prog3.exe),resource1

Make sense?

[MitchE323]

Thats good wraithdu, I got it.

In the end this means that you cannot format a statement to exclude everything EXCEPT a list of programs.

That's why a set of separate boxes is the way to go. Each box taking care of one of the items you wish to allow.
mitch

[SnDPhoenix]

Not exactly. What he means is that if you add

ClosedFilePath=!something.exe,resource1

then your are excluding EVERYTHING EXCEPT something.exe. You cannot then use

OpenFilePath=somethingelse.exe,resource1

to try to allow somethingelse.exe.

You can however do

ClosedFilePath=prog1.exe,resource1
ClosedFilePath=prog2.exe,resrouce1

becuase these statements do not conflict. At the moment, lines in the INI file must be mutually exclusive (I'm hoping this will change when tzuk gets a chance). In the end this means that you cannot format a statement to exclude everything EXCEPT a list of programs. This was what tzuk was referring to with

ClosedFilePath=!(prog1.exe,prog2.exe,prog3.exe),resource1

Make sense?

Well wth, thats how i thought it worked in the first place, i guess i gave the wrong impression.