Restrict read access to whitelist programs
Uncle Ronen, will it be possible to introduce another roadblock to potential drivebys, by restricting read access to any sandboxed system folders/drives besides programs explicitly allowed (added to a whitelist)? I know you have the start/run restriction, but this would be another great safety net.
It should be possible by using negating on the ReadFilePath setting. Something like,
ProcessGroup=<TrustedPrograms>,firefox.exe,notepad.exe
ReadFilePath=!<TrustedPrograms>,C:\Windows
ReadFilePath=!<TrustedPrograms>,C:\Program Files
"!" meaning EXCEPT IF. Here, we're saying that C:\Windows and C:\Program Files are going to be read-only folders EXCEPT IF the program is firefox.exe or notepad.exe.
I'm describing this as INI settings rather than through the GUI because the GUI doesn't support the "!" at this time. (I should fix that.)
But why not use Start/Run Access and be done with it?
tzuk
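Added example, not part of the original posts and not Sandboxie's own code: a small Python model of the "!" (EXCEPT IF) rule as the reply above describes it, for checking which programs a set of ReadFilePath lines covers before relying on them. The helper names, the case-insensitive folder-prefix matching, and the treatment of an undefined group are assumptions of this model.

```python
import ntpath

# The settings from the reply above (raw string keeps the backslashes).
SAMPLE = r"""
ProcessGroup=<TrustedPrograms>,firefox.exe,notepad.exe
ReadFilePath=!<TrustedPrograms>,C:\Windows
ReadFilePath=!<TrustedPrograms>,C:\Program Files
"""

def parse(text):
    """Collect ProcessGroup members and ReadFilePath rules from INI lines."""
    groups, rules = {}, []
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "ProcessGroup":
            name, *members = [p.strip().lower() for p in value.split(",")]
            groups[name] = set(members)
        elif key == "ReadFilePath":
            who, sep, path = value.partition(",")
            if not sep:  # no program qualifier: the rule applies to all programs
                who, path = "", value
            rules.append((who.startswith("!"), who.lstrip("!").strip().lower(), path.strip()))
    return groups, rules

def undefined_groups(text):
    """Group names a rule refers to but no ProcessGroup line defines (e.g. a typo)."""
    groups, rules = parse(text)
    return {who for _, who, _ in rules if who.startswith("<") and who not in groups}

def applies_to(rule, groups, image):
    """Does the rule apply to program `image`? A leading '!' inverts the match."""
    negated, who, _ = rule
    if not who:
        return True
    # Model assumption: an undefined group matches no program.
    members = groups.get(who, set()) if who.startswith("<") else {who}
    return (image.lower() in members) != negated

def under(path, folder):
    """Assumed matching: `path` is `folder` or lies below it, ignoring case."""
    p, f = (ntpath.normcase(ntpath.normpath(x)) for x in (path, folder))
    return p == f or p.startswith(f.rstrip("\\") + "\\")

def restricted(text, image, path):
    """True if some ReadFilePath rule covers `path` for program `image`."""
    groups, rules = parse(text)
    return any(applies_to(r, groups, image) and under(path, r[2]) for r in rules)

if __name__ == "__main__":
    for exe in ("firefox.exe", "unknown.exe"):
        print(exe, restricted(SAMPLE, exe, r"C:\Windows\win.ini"))
```

In this model a misspelled group name in a "!" rule makes the rule cover every program, the trusted ones included, so running undefined_groups() over the settings first is a cheap check.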