An option to block by default
Posted: Mon Mar 13, 2017 11:20 am
Similar to "Block network files and folders unless specifically opened" have a new option to "Block all files and folders unless specifically opened".
This would mean everything is blocked by default and you would have to explicitly allow every directory, such as c:\windows, and so on. Similar to how the network option works but then just for all files/directories.
I noticed other people have asked for "exceptions" to the blocking rule and this was rejected. One of the reasons (if I'm not mistaken) was the "change in logic" or "UI changes". So trying this feature request instead.
The benefit of doing it this way is that it would not require UI changes in the "File Access" configuration, everything can stay as-is there. Just the new option from above being added somewhere for advanced users. Or even an INI option somewhere without GUI option if you don't want it exposed to normal users.
Why? As other people pointed out Sandboxie is great for confining applications (and thus malware), but it does not provide (sufficient) protection against data leaks when we have to permit the entire system drive.
Yes, you can close down folders one by one but it's undoable - you would have to add 100 folders or more - and uses a flawed "allow by default" design.
As an example: I want my email client to only be able to access my email and maybe fire up Adobe Acrobat for PDF viewing, and not be able to access any private files. What use is confining applications if they can fetch all the data out of the system? This isn't just for documents and photos (which are blocked easily) but also, for example, appdata / localappdata from hundreds of applications and so on... there's so much that is accessible otherwise, and it's easy to overlook blocking something with the way things currently are.
I'm even willing to sponsor this feature (PM or mail me).
Thanks!