Referring to the GIF, Sandboxie also isolates the data blocks themselves on the hard drive as shown by the yellow box in the GIF, right?
To my knowledge it doesn't do anything below the filesystem level, as it only uses a simple rmdir command by default to remove the box directory. I believe that GIF is more of an illustration of how easy it is to remove everything in the box.
Moving a file into a sandbox's folder directly only modifies the file's record in the NTFS's MFT while the data blocks on the hard disk are left untouched outside of the sandbox's data cluster on the HDD.
As you would have to move it using an un-sandboxed application, this would be handled normally as if Sandboxie was not even there.
Moving a file out of a sandbox's folder directly only modifies the file's record in the NTFS's MFT while the data blocks on the hard disk are left untouched inside the sandbox's data cluster on the HDD. Copying and pasting a file into a sandbox's folder directly would write a new block inside the sandbox's data cluster on the HDD.
Once again, no, as you'd have to use one of a few options in order to do this. First, there are the recovery options within Sandboxie that copy the file outside to the real location. Then there are the OpenFilePath and OpenPipePath options that can be added in a box, which allow a program to write to the actual locations outside of the box. Then there is a manual method of using an unsandboxed app to do the copy, which is outside of Sandboxie's control.
Copying and pasting a file out of a sandbox's folder directly would write a new block outside of the sandbox's data cluster on the HDD.
Yes, but only in the same sense as normal file creation.
I was more curious whether Sandboxie's driver intelligently detects the raw manipulation of its sandboxed files and folders, and thereafter isolates everything within the sandboxed region on the drive by moving the entire block inside instead of just modifying the NTFS file table.
I don't know all the internal stuff it does do, but my take on it is that it exerts control only on the applications running inside of Sandboxie, where it then detects and redirects file access attempts. No intelligent detection of changes to the filesystem that exist outside of a sandboxed app or monitoring (not counting launch attempts from the sandbox location).
It's not setting aside X MBs for a virtual container in one block. It's guarding sandboxed applications so that changes they make are kept within the box folder instead of making actual changes on the system.