Feature to retain files

[SJ2571]

One feature I'd like to see for Sandboxie (which is dead-easy to implement!) is to NOT delete files after creation in the sandbox. So for example, an app might create a temp file but on exit it deletes it. Sandboxie could allow the creation, but not deletion, of such files. Would be very handy to retain those files sometimes.

All Sandboxie needs to do is deny access to any DeleteFile API calls and so on. Easy. How about it?

(PS. Yes I know an app could always use CreateFile with 0 length to "delete" a file, but still...).

[tzuk]

My first rule of thumb for adding a feature is that the feature has to be useful to more than one person.

[SnDPhoenix]

My first rule of thumb for adding a feature is that the feature has to be useful to more than one person.

Haha GOLD!

But yeah, not just that, but this is possible without any modifications needed anyways.

[tzuk]

I guess SJ2571 will ask you to elaborate that last statement.

[SnDPhoenix]

Haha, not much to say really, just think about it.
When he runs this program sandboxed, it creates these temp files in the sandbox. When he closes the program, it deletes the temp files from the sandbox.
So obviously, the work around, would be to run the program sandboxed, then explore contents of sandbox, grab the temp files you want, then you can close the program and/or delete the sandbox and you'll have your temp files.

[Buster]

Sometimes it´s not as simple as SnDPhoniex comments to retain temporal files.

Anyway I would be interested in this feature too.

[SJ2571]

Haha GOLD!

And this is funny, why? There may indeed be others wanting this feature, so one has to publically post it to judge a response. Or is tzuk a mind-reader and knows my request before I post it?

I would be interested in this feature too.

Thank you! See, we've now proven that more than one person would like it.

run the program sandboxed, then explore contents of sandbox

Fair enough. But what about apps that create temp files and delete them before exiting? I'm interested in retaining those too, but didn't mention that specifically in my original post (sorry), as my original post used the create-and-delete-at-exit as just one simple example.

[SnDPhoenix]

Haha GOLD!

And this is funny, why?

It is funny for reasons only Mitch, Oneder and I would know about.

But what about apps that create temp files and delete them before exiting? I'm interested in retaining those too, but didn't mention that specifically in my original post (sorry), as my original post used the create-and-delete-at-exit as just one simple example.

Ok fair enough, but I was thinking and I just remembered something, I dont remember the exact details, but didn't tzuk and some other members mention that when a file is deleted from the sandbox, it isn't actually deleted, it is just marked deleted?
If thats the case then regardless whether the program deletes the files before exiting, or after exiting, they should still be in the box?
Otherwise, I see what you mean then, but I still dont think enough people want this feature for it to be incorporated by tzuk.

[Buster]

The feature may be useful for more people but they didn´t notice it yet.

If it´s not difficult to add I consider it would be a good addition.

[tzuk]

SJ2571 and Buster, my initial response was tongue-in-cheek, but I did not expect it to be taken as a call for more compelling arguments why this feature should be added to Sandboxie.

I consider this request to fall in the category of requests for features about monitoring or analysing the behavior of other programs. That these programs may run under Sandboxie is a coincidental issue here. The way I see it, the request is really "I'd like to prevent a program from deleting files" rather than "I'd like to prevent a sandboxed program from deleting files."

I dont remember the exact details, but didn't tzuk and some other members mention that when a file is deleted from the sandbox, it isn't actually deleted, it is just marked deleted?

That has changed a while ago. Sandboxed files are now really deleted, unless there is a corresponding file outside the sandbox.

[Buster]

In my case I´ld like the feature because I want to have the possibility of preventing sandboxed programs from deleting files.

Why?

Some malwares, for whatever reason, during their installation on a system abort it and delete extracted contents.

For me would be pretty interesting to be able to keep the files that malwares create and try to delete.

I believe other malware researchers would find interesting too that ability in Sandobie.

[SnDPhoenix]

I had quite a bit of 10 cane rum, 3 vodka, grey goose and guiness beer a few hours ago already, seo excuse me -snipped...

*Edit*
Sorry guys, nevermind what I typed...

[Peter2150]

My question is how would you handle the problem if the program isn't sandboxed. Then do it the same way in the sandbox.

Since tzuk mentioned it being useful to many, I guess I would fall in the camp, that see little use for it.

Pete

[Buster]

My question is how would you handle the problem if the program isn't sandboxed. Then do it the same way in the sandbox.

API hooking.

Sandboxie does not allow it.

[tzuk]

Buster, Sandboxie does not block API hooking, what are you talking about.

I just tried running sandboxed StraceNT and it works fine.

There is nothing that prevents you from writing a similar utility that intercepts the DeleteFile API and cancels the calls in some cases.

And again, there is also nothing in this feature request that has anything to do with Sandboxie.