After researching Windows security for 11 years, I have relied for the last year on Sandboxie for my primary security. Really great software!
There is something I have been wishing for over the last year. Other security software (HIPS I used to use, firewall I still use) achieves surgical precision and simplicity by evaluating rules in the order they appear in file. According to tzuk (see http://www.sandboxie.com/phpbb/viewtopic.php?t=9427), Sandboxie evaluates all ClosedFilePath rules, then all ReadFilePath rules and then all OpenFilePath rules. If none of these *FilePath rules apply to a file I/O, then a read is allowed and a write is sandboxed. Thus, the order of these rules doesn't matter.
I would like a new Sandboxie.ini setting that tells Sandboxie to evaluate these rules in the order they appear in file. Without the new setting, Sandboxie would work as today for backwards compatibility. I propose that this new evaluation mode would speed up execution because 1) only one pass through is needed for the three *FilePath rules compared to three passes today, and 2) I can reduce the number of rules to achieve the same effect. More importantly, the new setting provides more surgical precision in achieving security. Here is a good example: http://www.sandboxie.com/phpbb/viewtopic.php?t=11714
I further propose adding a new rule/setting, maybe called NormalFilePath, that specifies that file I/O matching the path is allowed to read, but writes are sandboxed. Today, this behavior applies if file I/O doesn't match any *FilePath rules. This new setting, which would only when rules are evaluated in file order, could be inserted between *FilePath rules to provide more flexibility in file I/O rules. I suggest that NormalFilePath behavior would still apply if no *FilePath rules match a given file I/O.
Add option to evaluate sandbox rules in file order
-
gnasirator
- Posts: 1
- Joined: Wed Nov 02, 2011 10:29 am
Alternative
I might suggest a simpler alternative here:
Sandboxie - as it works right now - prefers denying rules over allowing ones.
Thus it is impossible to block acces to whole drives while still allowing acces to some handpicked important files.
Suggestion: Change the priority the other way round - or better: Include a checkbox that let's the user decide wether he wants to priorize the block or the allow rules.
By the way - that's a feature I really miss.
I just found sandboxie very handy to block the Origin spyware from scanning my private files (Origin - Battlefield 3). But Blocking every single sub folder and file in a specific directory just to allow the one which is necceary to run the game is VERY complicated.
This would be an (i guess) easily programmable solution which offers a BIG extra in usability.
Greetings
Sandboxie - as it works right now - prefers denying rules over allowing ones.
Thus it is impossible to block acces to whole drives while still allowing acces to some handpicked important files.
Suggestion: Change the priority the other way round - or better: Include a checkbox that let's the user decide wether he wants to priorize the block or the allow rules.
By the way - that's a feature I really miss.
I just found sandboxie very handy to block the Origin spyware from scanning my private files (Origin - Battlefield 3). But Blocking every single sub folder and file in a specific directory just to allow the one which is necceary to run the game is VERY complicated.
This would be an (i guess) easily programmable solution which offers a BIG extra in usability.
Greetings
Who is online
Users browsing this forum: No registered users and 1 guest
