Page 1 of 1
NOT logic in file blocking?
Posted: Sat Jan 02, 2010 10:54 am
by est
Hi all,
I want to block certain programs from visiting all directories except only one, how can I do that?
I hope there's a NOT logic in file blocking in sandboxie
Posted: Sat Jan 02, 2010 11:01 am
by MitchE323
Posted: Sat Jan 02, 2010 11:33 am
by Guest10
Also read about the "!" operator, in the description for
Closed File Path.
(Blocks all sandboxed .exe's from accessing a folder, except the one that's specified in the line)
Posted: Sun Jan 03, 2010 8:08 am
by est
Thanks, I tried the ! mark
Code: Select all
ClosedFilePath=!cmd.exe,D:\Win\Sandboxie\*
ClosedFilePath=!start.exe,C:\
ClosedFilePath=C:\
ClosedFilePath=C:\
ClosedFilePath=E:\
But I can not get CMD started, what can I do?
Posted: Sun Jan 03, 2010 9:47 am
by Guest10
I think that I misunderstood what you want to do.
Do you want a sandboxed program to be able to access only one directory, and no other directories anywhere?
Or do you want only one sandboxed program to be able to access a certain directory, and no other sandboxed programs can access that same directory?
Posted: Sun Jan 03, 2010 9:55 am
by est
Guest10 wrote:I think that I misunderstood what you want to do.
Do you want a sandboxed program to be able to access only one directory, and no other directories anywhere?
Or do you want only one sandboxed program to be able to access a certain directory, and no other sandboxed programs can access that same directory?
Thanks for replying,
I want to block access to ALL directories, except needed system dll's and its own directory of a executable.
Posted: Mon Jan 04, 2010 11:50 pm
by Mike
In case anyone missed the other recent threads on this:
Posted: Tue Jan 05, 2010 11:05 am
by est
Mike wrote:In case anyone missed the other recent threads on this:
> So this will not be possible and will not be in the future, correct?
> Let's instead say that at this time, I have no plans to add this feature.
That's pretty sad
Posted: Tue Jan 05, 2010 11:54 am
by Username
0) DropMyRights feature also restricts many folders
1) you can use NTFS permissions
2) you can use a separate SUBST or RAM drive
3) you shouldn't worry because SBIE works with a *COPY* of modified files and registry
Posted: Tue Jan 05, 2010 10:46 pm
by Mike
@Username: The main concern in the related threads has been privacy, rather than protection of the system from permanent infection. It seems that your points wouldn't really apply, or would be impractical, in scenarios like
SandboxieFan's example.
Posted: Wed Jan 06, 2010 9:28 am
by Username
Hi Mike,
You're right that all this is but a lame workaround, yet it *does* work when used properly (at least - for me). Frankly speaking I don't often make use of such restricted software, but should Ronen find it worth doing we shall have a feature like this.
Happy 2010 and Xmas)
Cheers
Posted: Thu Jan 27, 2011 3:25 pm
by Mike
Looking back at this old thread, just wanted to clarify some things to save people time.
Username wrote:0) DropMyRights feature also restricts many folders
Don't think so. Folders that normally require Admin privileges for write access, such as
C:\Windows, can be freely written to in the sandbox, even with Drop Rights enabled.
Username wrote:1) you can use NTFS permissions
Might be hard. You would have to deny yourself access to those files, or else run sandboxed programs under a different user account, right?
Username wrote:2) you can use a separate SUBST or RAM drive
Not to solve the problem we're talking about. If you block
D:\ and try to mount
D:\Subfolder as a subst drive, the subst drive will also be blocked. There aren't any tricks to get around this (see
here) because it's the final target path that matters (see
here).