NOT logic in file blocking?

[est]

Hi all,

I want to block certain programs from visiting all directories except only one, how can I do that?

I hope there's a NOT logic in file blocking in sandboxie

[MitchE323]

You can have a read here;
http://www.sandboxie.com/phpbb/viewtopic.php?t=6879

[Guest10]

Also read about the "!" operator, in the description for Closed File Path.
(Blocks all sandboxed .exe's from accessing a folder, except the one that's specified in the line)

[est]

You can have a read here;
http://www.sandboxie.com/phpbb/viewtopic.php?t=6879

Thanks, I tried the ! mark

Code: Select all

ClosedFilePath=!cmd.exe,D:\Win\Sandboxie\*
ClosedFilePath=!start.exe,C:\
ClosedFilePath=C:\
ClosedFilePath=C:\
ClosedFilePath=E:\

But I can not get CMD started, what can I do?

[Guest10]

I think that I misunderstood what you want to do.
Do you want a sandboxed program to be able to access only one directory, and no other directories anywhere?
Or do you want only one sandboxed program to be able to access a certain directory, and no other sandboxed programs can access that same directory?

[est]

I think that I misunderstood what you want to do.
Do you want a sandboxed program to be able to access only one directory, and no other directories anywhere?
Or do you want only one sandboxed program to be able to access a certain directory, and no other sandboxed programs can access that same directory?

Thanks for replying,

I want to block access to ALL directories, except needed system dll's and its own directory of a executable.

[Mike]

In case anyone missed the other recent threads on this:

• Is there a way to use "ClosedFilePath" with an exception (posted above by MitchE323)
  False sense of security when online
  Blocking access/ClosedFilePath - can we "Block X, except Y"?

[est]

In case anyone missed the other recent threads on this:

• Is there a way to use "ClosedFilePath" with an exception (posted above by MitchE323)
  False sense of security when online
  Blocking access/ClosedFilePath - can we "Block X, except Y"?

> So this will not be possible and will not be in the future, correct?


> Let's instead say that at this time, I have no plans to add this feature.


That's pretty sad

[Username]

0) DropMyRights feature also restricts many folders
1) you can use NTFS permissions
2) you can use a separate SUBST or RAM drive
3) you shouldn't worry because SBIE works with a *COPY* of modified files and registry

[Mike]

@Username: The main concern in the related threads has been privacy, rather than protection of the system from permanent infection. It seems that your points wouldn't really apply, or would be impractical, in scenarios like SandboxieFan's example.

[Username]

Hi Mike,

You're right that all this is but a lame workaround, yet it *does* work when used properly (at least - for me). Frankly speaking I don't often make use of such restricted software, but should Ronen find it worth doing we shall have a feature like this.

Happy 2010 and Xmas)
Cheers

[Mike]

Looking back at this old thread, just wanted to clarify some things to save people time.

0) DropMyRights feature also restricts many folders

Don't think so. Folders that normally require Admin privileges for write access, such as C:\Windows, can be freely written to in the sandbox, even with Drop Rights enabled.

1) you can use NTFS permissions

Might be hard. You would have to deny yourself access to those files, or else run sandboxed programs under a different user account, right?

2) you can use a separate SUBST or RAM drive

Not to solve the problem we're talking about. If you block D:\ and try to mount D:\Subfolder as a subst drive, the subst drive will also be blocked. There aren't any tricks to get around this (see here) because it's the final target path that matters (see here).