New Feature Request

Ideas for enhancements to the software
SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Tue Aug 14, 2007 8:35 pm

@tzuk,
I got a question, you say that if you use

ClosedIpcPath=!iexplore.exe,*

then you can't "exclude" any other processes, even the important SandboxieRpcss.exe process, BUT, could you use multiple ClosedIpcPath's in the ini to allow iexplore as well as SandboxieRpcss, or does it only allow one ClosedIpcPath, hence only one process allowed?
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Tue Aug 14, 2007 8:39 pm

Tzuk in your example you point out that "ClosedPipePath...." is the method, but you use ClosedFilePath in the setting - is that right?

mitch

MikeJ
Posts: 112
Joined: Fri Aug 10, 2007 1:14 pm
Location: Columbus OH

Post by MikeJ » Tue Aug 14, 2007 8:51 pm

Tzuk, I indeed missed that trick completely, which I believe is exactly what I was trying to describe above. I'm new to this, please forgive. That's really good info (and programming of course!) that I will put to use.

As far as what Mitch had in mind to begin with, guess I got that wrong as well. Just bored today and making conversation that may or may not be relevant to any given topic :oops: Don't worry, I start my new job in two days so boredom will be a thing of the past.

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Tue Aug 14, 2007 8:58 pm

No, No, No, MikeJ you got it right exactly - New ideas are very hard to move from one brain to another but let's keep at this.

To explain what I want, MikeJ's post or SND's one sentence is it!

SND wrote "have Sandboxie block access to the internet for all sandboxed programs except what you add to the "Whitelist""

and MikeJ wrote "simply make SBIE stop everything outgoing by default, period"

If you only wanted to allow just one process outgoing access, you would only check that one box. If you wanted to allow IE, firefox and outlook, you would check those appropriate boxes. If you only wanted one process, let's say IE, as Lucas points out, you would only check those boxes on both lists.

mitch
Last edited by MitchE323 on Tue Aug 14, 2007 9:38 pm, edited 2 times in total.

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Tue Aug 14, 2007 9:14 pm

Let's say you want to test a program - but you are very suspicious of it so you force it to run sandboxed.

One of the things you want to prevent is damage to your system. We have that covered with Sandboxie.

Another thing you are worried about is this thing might just snapshot your whole system and send it somewhere. It currently can do that.

That program would be on my "forced list" but would not be on my "allow" list - thereby closing that hole.

mitch

MikeJ
Posts: 112
Joined: Fri Aug 10, 2007 1:14 pm
Location: Columbus OH

Post by MikeJ » Tue Aug 14, 2007 9:24 pm

Ah, ok, good to know I got it right. I thought I was right - but then I know how easy it is for me to be wrong - so I doubted my interpretation.

It's just that sandboxing (if that term is appropriate) is so new to me, it's hard to wrap my own head around it at times, let alone someone else's. Sounds like there is an answer here, with what tzuk said in the configuration, but I'll wait 'til morning after a bucket of coffee to really dive into it again. Right now I could read it 10 times and still not get it.

A challenge is good - I feel like I'm trying to understand something that is actually worthwhile. At least for my interests. Although it couldn't be a great topic at dinner parties LOL

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Tue Aug 14, 2007 9:33 pm

Just seems like we have it so covered with Sandboxie regarding the "front door" (your system)

we might be just a step or two from equally dealing with the "back door" (the web)

mitch

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Tue Aug 14, 2007 9:40 pm

Just seems like we have it so covered with Sandboxie regarding the "front door" (your system)

we might be just a step or two from equally dealing with the "back door" (the web)
Yeah, as a matter of fact, I think that's one of the reasons some people are reluctant to switch to Sandboxie, they know it protects (as you said) the front door (your pc) but it (currently) doesn't cover the back door (network), but we feel oh so close to covering the backdoor.

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Tue Aug 14, 2007 9:50 pm

Tzuk will pull it off, maybe not the gui like I suggested but the paths and trick/tweaks are good for me.

mitch

PS: do those settings go under [GlobalSettings] or [DefaultBox] in the ini?

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Wed Aug 15, 2007 1:05 am

I'm pretty sure that would go under the sandbox settings (section) of the ini. :wink:

MikeJ
Posts: 112
Joined: Fri Aug 10, 2007 1:14 pm
Location: Columbus OH

Post by MikeJ » Wed Aug 15, 2007 8:05 am

Going back and reading FAQs and .ini settings again this morning, I feel stupid but I still don't understand how any of the settings can do what we are thinking, or at least what I'm thinking. Some processes may be blocked, but I may want a certain process to run, just not give it net access.

Here is a theoretical setting that would plug the hole, as in let me run ie.exe, yy.exe, and xx.exe, but allow net access to only ie.exe

ClosedNetAccess=!ie.exe

of course even better

ClosedNetAccess=!(ie.exe, xx.exe)

allows net access to ie.exe and yy.exe, but not xx.exe, even though xx.exe process is allowed to run ... Man that is hard to put in words :?

Maybe it's not as obvious as "ClosedNetAccess", but is there another way, such as restricting certain services or files to the processes we want to restrict net access? It would make sense, but I do not pretend to know which services and files are completely necessary for net access.

Perhaps it would be:

ClosedFilePath=!ie.exe,%ImportantNetFile%

where %ImportantNetFile% is a file or service required by any process to access the internet. *whew*

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Wed Aug 15, 2007 8:41 am

tzuk already mentioned it -

ClosedFilePath=!iexplore.exe,\Device\Afd*

This will block net access for anything but iexplore.exe
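
The negated-program form of the setting quoted above can be modelled in a few lines. This is an added example, not part of the thread and not Sandboxie's own code; the function names, the constructed sample paths, and the handling of a program prefix without "!" are assumptions of the model.

```python
from fnmatch import fnmatchcase

# The setting exactly as quoted in the post above.
RULE = r"ClosedFilePath=!iexplore.exe,\Device\Afd*"


def parse_rule(line):
    """Split 'ClosedFilePath=[!]program,pattern' into (negated, program, pattern)."""
    key, _, value = line.partition("=")
    if key.strip() != "ClosedFilePath":
        raise ValueError("not a ClosedFilePath line: %r" % line)
    program, sep, pattern = value.partition(",")
    if not sep:
        raise ValueError("this model expects a 'program,pattern' value")
    program = program.strip()
    negated = program.startswith("!")
    return negated, program.lstrip("!").lower(), pattern.strip()


def is_closed(rule_line, process, path):
    """True if the modelled rule denies `process` access to `path`."""
    negated, program, pattern = parse_rule(rule_line)
    # '*' is a wildcard; names are compared case-insensitively in this model.
    if not fnmatchcase(path.lower(), pattern.lower()):
        return False  # the rule says nothing about this path
    same = process.lower() == program
    # '!prog' means every program EXCEPT prog. A prefix without '!' is
    # treated as "only prog", which is an assumption of this model.
    return (not same) if negated else same


def blocked_processes(rule_line, processes, path):
    """Return the subset of `processes` that the rule closes `path` for."""
    return [p for p in processes if is_closed(rule_line, p, path)]


if __name__ == "__main__":
    # Constructed sample inputs: an AFD (socket driver) device path and a
    # plain file path, plus a hypothetical untrusted program name.
    procs = ["iexplore.exe", "firefox.exe", "suspect.exe"]
    for path in (r"\Device\Afd\Endpoint", r"\Device\HarddiskVolume1\notes.txt"):
        print(path, "->", blocked_processes(RULE, procs, path))
```
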

street011
Posts: 412
Joined: Tue Jan 16, 2007 2:08 pm

Post by street011 » Wed Aug 15, 2007 8:54 am

ClosedNetAccess

would be a nice feature... I think the other method is a little too 'complicated' for common users, also it doesn't always work, it blocked firefox, but it didn't block a sandboxed cmdline from doing anything on the web...

MikeJ
Posts: 112
Joined: Fri Aug 10, 2007 1:14 pm
Location: Columbus OH

Post by MikeJ » Wed Aug 15, 2007 9:17 am

wraithdu wrote:tzuk already mentioned it -

ClosedFilePath=!iexplore.exe,\Device\Afd*

This will block net access for anything but iexplore.exe

Wow! So straightforward and in-my-face and yet still managed to zip right over my head. Tzuk belated thanks for the answer and wraithdu thanks for bringing it back to my attention.

Unreal, how much I thought about that and right there it was - more proof we sometimes overlook the obvious, see what we want to see, etc. Perhaps I assume it will be difficult, so I want to see it more difficult than it is?

MikeJ
Posts: 112
Joined: Fri Aug 10, 2007 1:14 pm
Location: Columbus OH

Post by MikeJ » Wed Aug 15, 2007 9:29 am

Of course, I'm assuming it actually works. Street, are you saying you had the line

ClosedFilePath=!firefox.exe,\Device\Afd*

in your config, but a cmd line could still get access?

(edit) - would that make sense, because cmd is not using a process? Or is it? BTW, I would experiment myself, but I don't even know how to use cmdline for any but a few things, never use it in practice. If not for mouse I guess I simply wouldn't turn the computer on.
Last edited by MikeJ on Wed Aug 15, 2007 9:56 am, edited 2 times in total.
