An option to block by default

Posted: Mon Mar 13, 2017 11:20 am
by syzop1
Similar to "Block network files and folders unless specifically opened", have a new option to "Block all files and folders unless specifically opened".
This would mean everything is blocked by default and you would have to explicitly allow every directory, such as c:\windows, and so on. Similar to how the network option works but then just for all files/directories.

I noticed other people have asked for "exceptions" to the blocking rule and this was rejected. One of the reasons (if I'm not mistaken) was the "change in logic" or "UI changes". So trying this feature request instead.
The benefit of doing it this way is that it would not require UI changes in the "File Access" configuration, everything can stay as-is there. Just the new option from above being added somewhere for advanced users. Or even an INI option somewhere without GUI option if you don't want it exposed to normal users.

Why? As other people pointed out Sandboxie is great for confining applications (and thus malware), but it does not provide (sufficient) protection against data leaks when we have to permit the entire system drive.
Yes, you can close down folders one by one but it's undoable - you would have to add 100 folders or more - and uses a flawed "allow by default" design.
As an example: I want my email client to only be able to access my email and maybe fire up Adobe Acrobat for PDF viewing. Not able to access any private files. What use is confining applications if they can fetch all the data out of the system? This isn't just for documents and photos (which are blocked easily) but also for example appdata / localappdata from a hundred applications and so on. There's so much that is accessible otherwise and it's easy to overlook blocking something with the way things currently are.

I'm even willing to sponsor this feature (PM or mail me).

Thanks!

Re: An option to block by default

Posted: Sun Apr 02, 2017 7:29 pm
by user96531
Agreed. I really don't understand why this kind of stuff isn't just built into the OS.
I had some ideas that could make this more convenient as well:
-When programs allow you to open files with the explorer "Open File..." dialog, that ought to allow the program to either read/write it (there could be an option in the dialog as well).
-The program could automatically be given access to any directory it creates itself.
I noticed other people have asked for "exceptions" to the blocking rule and this was rejected. One of the reasons (if I'm not mistaken) was the "change in logic" or "UI changes".
I find the access control UI confusing as it is already, especially the allow by default design. A setting to make it block by default wouldn't hurt.

I'm more interested in something like Sandboxie as a security model for running any application, not just 'testing' them or running untrusted ones exclusively.