You all know ForceProcess and how it works right? Well currently, you can only specify the name of the executable and then that executable will always be forced, but what if you could also specify the directory that the specified executable must be located in? That doesnt make sense does it? Ok, let me use an example. For this example, i'll use Opera. Now, if you were to set ForceProcess=Opera.exe, then it would always force Opera, regardless of where or what directory it is located in. Now lets say though, that you have 3 different Opera's installed, in 3 different locations:
Opera1 in C:\Opera
Opera2 in C:\Program Files\Opera
Opera3 in C:\Program Files\Opera Beta
Now lets say you dont want every single Opera to be forced, you only want Opera 2 and 3 to be forced, but would like Opera 1 to stay unforced, well then, just goto your ini and instead of entering ForceProcess=Opera.exe (which would force all 3 Opera's), instead enter:
ForceProcess=Opera.exe,C:\Program Files\Opera
ForceProcess=Opera.exe,C:\Program Files\Opera Beta
That way it would only force the Opera's located at "C:\Program Files\Opera" and "C:\Program Files\Opera Beta", but the Opera located at "C:\Opera" would remain unforced.
A Force tweak?
-
SnDPhoenix
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
A Force tweak?
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
Actually that is kinda interesting and I'll tell you why. Some folks have invented for themselves multiple means of using the same process already. What I mean is that I've read of a FireFox.exe being forced and a FireFoxSecure.exe being forced with the more secure settings. So the second one is used for banking and such. Also some image openers like PaintShopPro.exe forced (for security) and PSP.exe left unforced (for saving). And plenty of etc. etc. more examples. In all of these cases it was just the exe that was simply copied and renamed. The new exe even stays in the original folder.
I've never seen a problem doing it this way and seems to always work the way intended. But what bothered me in the back of my mind was that both sets of exe files were calling on the exact same other files. So you could call on FireFox.exe unsandboxed and at the same time call on FireFoxSecure.exe sandboxed and both would open correctly. But they would be calling on the exact same files within the FireFox folder - at the same time. This may in fact be no problem, but it just did not sit right with me.
Your new method, if I understand it correctly, completely separates the use of the programs. And that seems more right with me. That is, if it is possible to do.
mitch
ps; if it is not possible to do, one way that might accomplish the same thing is to go ahead and install those Opera programs in the differant locations as you said. Now go into one and rename it Opera2.exe and go to the next and rename it Opera3.exe and so on. Create your shortcuts. Create your ini file in the way that you want and I think you are good to go. Your new method is much 'cleaner' and professional though.
2ps; I can not see how a complicated method such as this could ever be set up in a GUI ..... and so the need to keep the program as flexable as possible ...... (I mean, you can have log files ......or something like this)
3ps; Internet Explorer users lose out big time here as you can't control the setup locations on install.
I've never seen a problem doing it this way and seems to always work the way intended. But what bothered me in the back of my mind was that both sets of exe files were calling on the exact same other files. So you could call on FireFox.exe unsandboxed and at the same time call on FireFoxSecure.exe sandboxed and both would open correctly. But they would be calling on the exact same files within the FireFox folder - at the same time. This may in fact be no problem, but it just did not sit right with me.
Your new method, if I understand it correctly, completely separates the use of the programs. And that seems more right with me. That is, if it is possible to do.
mitch
ps; if it is not possible to do, one way that might accomplish the same thing is to go ahead and install those Opera programs in the differant locations as you said. Now go into one and rename it Opera2.exe and go to the next and rename it Opera3.exe and so on. Create your shortcuts. Create your ini file in the way that you want and I think you are good to go. Your new method is much 'cleaner' and professional though.
2ps; I can not see how a complicated method such as this could ever be set up in a GUI ..... and so the need to keep the program as flexable as possible ...... (I mean, you can have log files ......or something like this)
3ps; Internet Explorer users lose out big time here as you can't control the setup locations on install.
Ok Snd you've mysteriously convinced me. Lover of IE that I am, I've never liked installing additional browsers. Doesn't matter if they were better or not, (so no browser war here), the key word is 'additional'. But since IE so loses in this set-up, I've had to choose another. And it was Opera. At least this way I am fighting Bill Gates, lol, as he has taken a simple thing like 'install directory' away from me. I set it all up and on first go around, everything seems fine. What this is able to do for me is add another setting for extra security. We all know about your four lines to limit keyloggers which are;
ClosedFilePath=!iexplore.exe,\Device\Afd*
ClosedFilePath=!iexplore.exe,\Device\Tcp
ClosedFilePath=!iexplore.exe,\Device\Udp
ClosedFilePath=!iexplore.exe,\Device\RawIp
but there is one more, less publicized one here; http://sandboxie.com/phpbb/viewtopic.php?t=1894 where Tzuk gave us another setting. This is the extra secure setting;
ClosedIpcPath=!iexplore.exe,*
This setting stops anything other than the exe file from even running at all. So the settings from before stop bad apps from phoning home and this one just kills them. The problem is that it is unusable for normal computer use, it's too restrictive. By running multiple instances of the same browser, your 'look' remains uniform - and you have performed an extra security function in your set-up by adding the extra setting to only one of the browsers.
And installing the browsers the way you described takes care of my concerns mentioned in the previous post.
mitch
ClosedFilePath=!iexplore.exe,\Device\Afd*
ClosedFilePath=!iexplore.exe,\Device\Tcp
ClosedFilePath=!iexplore.exe,\Device\Udp
ClosedFilePath=!iexplore.exe,\Device\RawIp
but there is one more, less publicized one here; http://sandboxie.com/phpbb/viewtopic.php?t=1894 where Tzuk gave us another setting. This is the extra secure setting;
ClosedIpcPath=!iexplore.exe,*
This setting stops anything other than the exe file from even running at all. So the settings from before stop bad apps from phoning home and this one just kills them. The problem is that it is unusable for normal computer use, it's too restrictive. By running multiple instances of the same browser, your 'look' remains uniform - and you have performed an extra security function in your set-up by adding the extra setting to only one of the browsers.
And installing the browsers the way you described takes care of my concerns mentioned in the previous post.
mitch
-
SnDPhoenix
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Also though, it could even be used for paths you dont have any specific executables residing in. For example, say you have a folder completely dedicated to your music, we'll make the path C:\Music, so the only thing that should reside in that directory should be audio related extensions such as .mp3, .wav, .wma, .flac, etc right? There shouldn't be for example .exe files in that directory, so what you could do is enter "ForceProcess=*.exe,C:\Music", that way any executables residing in that directory would be forced in the sandbox, so if a virus infected executable happened to slip into that directory, it wouldnt matter cause it'd be isolated from your system.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
I'm not sure. Firefox, for instance, stores its settings in %APPDATA%, which is a folder specific to the current user, but not to the particular installation folder of the main application. So, each instance of firefox will still use the same data, at least if they are launched sandboxed in the same box.MitchE323 wrote:Your new method, if I understand it correctly, completely separates the use of the programs.
If complete separation of multiple program instances is the goal, perhaps the best way to achieve it is to set up a separate 'test' user on the system and install the alternative version in a different directory via the test user account. That way both the %APPDATE% path and the program directory are different for each user. I am not sure how any of this relates to the associated registry entries, therefore complete separation may not be possible.r0lZ wrote:I'm not sure. Firefox, for instance, stores its settings in %APPDATA%, which is a folder specific to the current user, but not to the particular installation folder of the main application. So, each instance of firefox will still use the same data, at least if they are launched sandboxed in the same box.
However, since Sandboxie's configuration is system wide and not user specific, SnD's request is still a valid one.
Dan
Well SND is asking for one thing, and my statement was one procedure that could benefit if that thing were possible. So I dont want to confuse the issue but a clarification is that my concern was on something else.
My goal with my setup is a look where you see no differance from just a normal installation of files. So that if I clicked a short-cut to MyBank, I would just know that I was in my most secure box. In the past I would close everything all down before starting anything and do things one by one. Now it's seamless.
mitch
ps; I just realized something that may confuse. When you are surfing, you have a drop menu of Bookmarks - I know that is a single html sheet. I am creating actual shortcuts in the Links folder. That's where I want the look to be uniform, but each shortcut goes to a differant sandbox. Sry.
These are the files I was referring to. I realize that files will duplicate, and at that level I'm not sure how many are overwritten. Duplicate files in the Windows folder or in System32 will be overwritten of course.But they would be calling on the exact same files within the FireFox folder
My goal with my setup is a look where you see no differance from just a normal installation of files. So that if I clicked a short-cut to MyBank, I would just know that I was in my most secure box. In the past I would close everything all down before starting anything and do things one by one. Now it's seamless.
mitch
ps; I just realized something that may confuse. When you are surfing, you have a drop menu of Bookmarks - I know that is a single html sheet. I am creating actual shortcuts in the Links folder. That's where I want the look to be uniform, but each shortcut goes to a differant sandbox. Sry.
-
SnDPhoenix
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Yeah, also, even if it was incorporated, you wouldn't "see" it, it's something you would type into the ini file yourself.
For now, as a workaround, you could try using mitch's tip posted here Sure it doesn't work exactly the way I meant in this request, but it's the best alternative around until this request is considered (if it is even considered in the first place).
For now, as a workaround, you could try using mitch's tip posted here Sure it doesn't work exactly the way I meant in this request, but it's the best alternative around until this request is considered (if it is even considered in the first place).
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
I'm not sure if I'll do this feature exactly as requested, because it then invites changes to other process-based settings (like OpenFilePath and ClosedKeyPath) to account for the location of the programs. And those other settings are more difficult to change because it's all wired to the process name now (not the full path).
But there was another feature request for "force by folder", so it should be useful here too:
ForceFolder=C:\Program Files\Opera Beta
(Would apply to opera.exe, if it starts from C:\Program Files\Opera Beta)
Right?
And if ForceFolder is going to be (by definition) looked at before ForceProcess, then it also makes things simpler than having to decide which ForceProcess is the "best match" for a particular process that is starting.
But there was another feature request for "force by folder", so it should be useful here too:
ForceFolder=C:\Program Files\Opera Beta
(Would apply to opera.exe, if it starts from C:\Program Files\Opera Beta)
Right?
And if ForceFolder is going to be (by definition) looked at before ForceProcess, then it also makes things simpler than having to decide which ForceProcess is the "best match" for a particular process that is starting.
tzuk
-
SnDPhoenix
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Hmm, actually, thats a pretty good idea too, maybe even better than my version of the feature. Tell me though, if you were to enter in something like:
ForceFolder=C:\Program Files\Opera Beta
How would it know to force Opera.exe out of all the executables in that folder? Would that setting work by just forcing every executable in the "C:\Program Files\Opera Beta" folder?
ForceFolder=C:\Program Files\Opera Beta
How would it know to force Opera.exe out of all the executables in that folder? Would that setting work by just forcing every executable in the "C:\Program Files\Opera Beta" folder?
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
Who is online
Users browsing this forum: No registered users and 1 guest
