Sandboxie Resource Access rules v2.0

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Feb 1, 2023.

  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    Motivated by: https://github.com/sandboxie-plus/Sandboxie/discussions/2633 and a few other issues...

    I'm thinking that it would be good to entirely rework how Sandboxie's Resource Access rules work; the current scheme is very much evolved and therefore limited to non-breaking improvements. But IMHO as it is now it's quite cumbersome to use. We need a revolution.
    And behavior like applying only to not boxed programs by default, or prefixing a rule with | removing the by default added *, etc. are not necessarily what users may expect.

    So I would like to collect some input: what features and behavior may you want in a new and improved mechanism?
     
  2. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    So no one, no ideas?
    OK, so let me start: the most important change that we need is the ability to add options to any given resource access rule.

    In the network access rules we already use a more advanced scheme; we can create entries like this:
    NetworkAccess=explorer.exe,Allow;Port="137,138,139,445";Address=192.168.0.1-192.168.100.255;Protocol=TCP
    Here, we can have any otherwise-separator character within "" and we can arbitrarily add/remove/reorder all the Name=Value tags.

    So for resource access we could have a scheme like this
    FileAccess=cmd.exe,Open;"C:\Windows\TEMP\*";BoxImageOnly=y;Priority=1

    So the scheme would be:
    FileAccess=[ImageName.exe],Directive;Path;[Options...]

    Directives:
    Normal
    Open
    Closed (would rename it to Blocked)
    BoxOnly (would rename it to Closed)
    ReadOnly

    Options:
    BoxImageOnly=y|n
    Priority=1,2,3,4,5 (3 default, lowest is best)
    Syntax=Wildcard|Regexp
    Type=Event|Mutant|Directory|SymLink|etc...

    We could add an option to let selected rules be evaluated as a regular expression; not sure if that's a worthwhile improvement though, it may complicate things too much.
     
    Last edited: Feb 10, 2023
  3. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    452
    Location:
    uk
    I am finding the multitude of options (generally) confusing, and I often don't understand their implications. So while I have no explicit suggestions, I would like options to be linked to explicit help files.

    As a product, it has evolved beyond my knowledge/skill set, but so long as you keep on developing SB David and it works for me at a basic level :thumb::)
     
  4. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
    • Distinguish between files and folders:

      Options:
      File=<filename|pattern>
      Folder=<foldername|pattern>

      This pattern matches both files and folders:
      Code:
      C:\Windows\TEMP\*FileWithNoExtension
      
      will match:
      C:\Windows\TEMP\FileWithNoExtension [File]
      C:\Windows\TEMP\FileWithNoExtension [Folder]

      Code:
      FileAccess=cmd.exe,Open;"C:\Windows\TEMP\*";File=FileWithNoExtension
      
      will match:
      C:\Windows\TEMP\FileWithNoExtension [File]
      C:\Windows\TEMP\SomeFolder\FileWithNoExtension [File]

      will not match:
      C:\Windows\TEMP\FileWithNoExtension [Folder]
      C:\Windows\TEMP\SomeFolder\FileWithNoExtension [Folder]

    • Depth levels for paths:

      MinDepth: The rule will not take effect before this depth. (Relative to First/Last non-wildcard matching path, starting point)
      MaxDepth: The rule will not take effect after this depth. (Relative to First/Last non-wildcard matching path, ending point)
      or
      Depth: The rule will take effect if it matches the selected depth. (Relative to First/Last non-wildcard matching path)

      Options:
      MinDepth, MaxDepth
      or
      Depth

      Code:
      FileAccess=cmd.exe,Open;"C:\*\TEMP\";MinDepth=1;MaxDepth=2
      or
      FileAccess=cmd.exe,Open;"C:\*\TEMP\";Depth="L,1-2"
      FileAccess=cmd.exe,Open;"C:\*\TEMP\";Depth="L,1,2,5-7"
      
      C:\Windows\TEMP\* (First=Last)
      C:\*\TEMP\* (First=C:\, Last=\TEMP\)

      will match: (1, 2, 5-7)
      C:\Windows\TEMP\depth0\depth1
      C:\Windows\TEMP\depth0\depth1.exe
      C:\Windows\TEMP\depth0\depth1\depth2
      C:\Windows\TEMP\depth0\depth1\depth2.ini
      .
      .
      .
      C:\Users\user\AppData\Local\Temp\depth0\depth1
      C:\Users\user\AppData\Local\Temp\depth0\depth1.exe
      C:\Users\user\AppData\Local\Temp\depth0\depth1\depth2
      C:\Users\user\AppData\Local\Temp\depth0\depth1\depth2.ini
      .
      .
      .

      will not match: (0, 3, 4)
      C:\Windows\TEMP\depth0
      C:\Windows\TEMP\depth0.tmp
      C:\Windows\TEMP\depth0\depth1\depth2\depth3
      C:\Windows\TEMP\depth0\depth1\depth2\depth3.tmp
      .
      .
      .
      C:\Users\user\AppData\Local\Temp\depth0
      C:\Users\user\AppData\Local\Temp\depth0.tmp
      C:\Users\user\AppData\Local\Temp\depth0\depth1\depth2\depth3
      C:\Users\user\AppData\Local\Temp\depth0\depth1\depth2\depth3.tmp
      .
      .
      .

    • Custom rule priority (rule weighting):
      [already written by you in the previous post]
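
The depth rule proposed in the post above, as an added example that is not part of the original post or of Sandboxie: it counts path components below the last non-wildcard segment of the pattern and evaluates a Depth value such as "L,1,2,5-7" (MinDepth=1;MaxDepth=2 corresponds to "L,1-2"). Assumptions: only the "L" anchor is handled, matching is case-insensitive, the wildcard stops at its first possible match, and all function names are hypothetical.

```python
import re

# Constructed inputs mirroring the pattern and Depth value used in the post.
PATTERN = "C:\\*\\TEMP\\"
DEPTH_SPEC = "L,1,2,5-7"

def parse_depth_spec(spec):
    """Turn a Depth value such as 'L,1,2,5-7' into the set {1, 2, 5, 6, 7}."""
    anchor, *items = spec.split(",")
    if anchor != "L":
        raise ValueError("only the 'L' (last segment) anchor is handled here")
    depths = set()
    for item in items:
        low, _, high = item.partition("-")
        depths.update(range(int(low), int(high or low) + 1))
    return depths

def depth_below_anchor(pattern, path):
    """Depth of path below the last non-wildcard segment, or None if no match.

    The entry directly under the anchor has depth 0, as in the post's lists.
    """
    segments = [re.escape(s) for s in pattern.rstrip("*").split("*")]
    # Each '*' becomes a non-greedy wildcard; whatever follows the last
    # literal segment is captured as the tail whose components are counted.
    regex = "^" + ".*?".join(segments) + r"(?P<tail>.*)$"
    match = re.match(regex, path, re.IGNORECASE)
    if match is None:
        return None
    parts = [p for p in match.group("tail").split("\\") if p]
    return len(parts) - 1 if parts else None

def rule_applies(pattern, spec, path):
    """True when path matches the pattern at one of the depths in spec."""
    depth = depth_below_anchor(pattern, path)
    return depth is not None and depth in parse_depth_spec(spec)

if __name__ == "__main__":
    for sample in (r"C:\Windows\TEMP\depth0",
                   r"C:\Windows\TEMP\depth0\depth1.exe",
                   r"C:\Users\user\AppData\Local\Temp\depth0\depth1\depth2",
                   r"C:\Windows\TEMP\depth0\depth1\depth2\depth3.tmp"):
        print(sample, rule_applies(PATTERN, DEPTH_SPEC, sample))
```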
     
  5. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    237
    Location:
    Tampa, FL
    I agree! I'm patiently waiting for time to be taken to create a guide/manual to explain what each setting is and give an example. I've been using this program for years and it has reached the point of being too advanced. I know there's the simple view but I want to know how to properly set up and use the advanced features. I've searched the internet, searched YouTube videos and searched Sandboxie's web site and GitHub to find answers. I know there's a roadmap for lots and lots of new settings and features coming but I think there should be a roadmap for a guide/manual. At the very least, a pop-up when you hover your mouse pointer over each settings box to give some explanation. The majority of people just want to understand the settings that are already in the program but not go into editing the ini file.
     
    Last edited: Feb 2, 2023
  6. sevenstar

    sevenstar Registered Member

    Joined:
    Oct 19, 2010
    Posts:
    54
    I have also used Sandboxie for years and years. I must concur that I am less informed on the use of many choices that we can use. A help file or maybe a Youtube video giving us a better idea of how to use Sandboxie on an advanced level would be tremendously helpful.
     
  7. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    213
    Location:
    Emerald City
    There were a few "relatively" useful YouTube tutorials a while back that more or less effectively made the point of how to connect the dots with Sandboxie.
    Nowadays I'm confident that there are at least some savvy tech wizards out there that can work out an hour or preferably a 2-hour YouTube tutorial to cover this priceless app from top to bottom.
    Wishful thinking perhaps... but I'm an optimist. Not to mention that a well produced and thorough YouTube tutorial would trounce the heck out of an articulately composed "help file."
     
  8. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    YouTube tutorials... I really don't think my voice is YouTube worthy, but I guess I maybe could try.
     
  9. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    237
    Location:
    Tampa, FL
    It doesn't have to necessarily be YouTube videos but that would help. I was thinking more of a guide or manual which explains the settings and maybe gives an example of how the setting works. I know you have your hands full with all the programming, work and other stuff. Hopefully someone who understands Sandboxie very well could make a few short YouTube videos or create a guide. It doesn't have to be just one person but maybe someone who really knows some settings and can explain those settings while others who may know other settings really well could then add what they know about those other settings. I doubt many if anyone would do this but here's to hoping it does. Anyone out there willing to make a YouTube video or write a quick guide who can explain some or all of the settings in a clear and simple way?
     
  10. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    452
    Location:
    uk
    I would be happy if development (except for major vulnerabilities) stopped, or slowed, to allow the help files to be provided. If I don't know how, or if I would like, to use a new feature it may as well not exist.
     
  11. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    For me many of the new features seem kind of self-explanatory, and I always add info in the changelog on what they do and which options to set.
    Also writing manuals is not a skill of mine; I never know what I can assume the user knows and what not, so no idea what's worth mentioning and which info can be skipped so as not to repeat it for the 100th time.
    I really hoped there would be a few volunteers to write the documentation.
     
  12. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    452
    Location:
    uk
    That may be because you understand what everything does, making it hard to understand why others with lesser knowledge need (more) assistance..

    And the changelogs are not available from within the program for a particular item; what is needed is pop-up on hover help IMO.

    I understand this is not your area of expertise David, and I will happily continue to support SB but please keep this in mind.
     
  13. jclarkw

    jclarkw Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    108
    Location:
    USA
    David -- I get that you don't want to spend your time writing a manual for Plus -- it would be a large job, even for somebody who was good at it. Nevertheless I'd like to put in another plug for usage examples for the major features. For me it's about not only how to use but why I would want to.

    Here are two specific questions in that vein regarding the WFP option offered on installation:

    1) I continue to use "Windows 10 Firewall Control" (kind of a GUI for the WFP, not an independent firewall, that flags every new program requesting Internet access and asks what to do with it). Since this is a system-level component, do its rules already reach inside boxes? Is its reach affected by whether or not I checked the WFP option on installation of Sandboxie Plus?

    2) If I change my mind and decide not to check this option, is there a way to go back, or do I have to re-install Plus?

    Sorry if I'm already confused beyond coherency. -- jclarkw
     
    Last edited: Mar 4, 2023
  14. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    1) WFC does not conflict with Sandboxie and can block sandboxed programs, but WFC is unaware of sandboxes so you can only have global rules based on program path.
    Using Sandboxie's WFP implementation allows you per-box rules which affect only processes within a given sandbox.

    2) Yea, you can enable it at any time in the global options.

    Also, even if you don't enable it you can use the same rule set, but then it's only enforced at user level and not using the driver, so it's more for testing and comes without guarantees.
     
  15. jclarkw

    jclarkw Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    108
    Location:
    USA
    Thanks! I finally found it.

    Here's another one: Global Settings/Program Alerts/"Prevent the listed programs from starting on this system" --
    Does this actually over-ride forcing a program into a specific sandbox ([Box] Options/Force Programs)? -- jclarkw
     
  16. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
    No, it doesn't over-ride forcing a program into a specific sandbox. Prevention is only for programs that will be launched outside the sandbox.

    There are some exceptions to this:
    1. Exclusively if you choose to run the program outside the sandbox. (ex. Run Outside the Sandbox, shortcuts with /dfp parameter)
    2. If a program is set as a "Forced Program" and "Pause Forcing Programs" is selected, the program will be allowed to start outside of the sandbox.
    3. If a program is set as a "Breakout Program".
     
  17. jclarkw

    jclarkw Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    108
    Location:
    USA
    Great! Thanks, busy!
     
  18. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    I was thinking since I was recently considering what breaking changes could go into sbie 6.x (https://www.wilderssecurity.com/threads/sandboxie-roadmap.445545/page-7#post-3139266) about a new configuration scheme to allow more options.

    I was first thinking that sbie 6.0 could use a sandboxie.xml instead of an ini that would give us all the flexibility we may ever need, however that would pretty much make all the existing documentation obsolete, which is not a good thing given how slow the progress is on new documentation.

    So I thought a bit more and I think I came up with the best compromise: we could optionally use JSON-formatted entries. This way we can use, where suitable, simple Key=Value ini entries, but where we need extra parameters we can use something more advanced like
    FileAccess={ProcessImage: "cmd.exe", Action: "Open", Path: "C:\\Windows\\TEMP\\*", BoxImageOnly=y, Priority=1}
    So when we encounter a { in the ini line value we parse the json payload else we go with the old format.

    What do you think about that in comparison to the earlier suggested custom format?

    FileAccess=cmd.exe,Open;"C:\Windows\TEMP\*";BoxImageOnly=y;Priority=1
     
  19. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
    I prefer JSON-formatted entries within the INI file rather than a new XML configuration. Manually making changes to the XML-formatted configuration file will be a hassle.

    Code:
    FileAccess={ProcessImage: "cmd.exe", Action: "Open", Path: "C:\\Windows\\TEMP\\*", BoxImageOnly: "y", Priority: "1"}
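
One way to implement the dispatch discussed in the posts above, together with the quote-aware Directive;Path;Options scheme proposed earlier in the thread, as an added example that is not Sandboxie's code: a value starting with { is parsed as JSON, anything else as the Name=Value form, and both produce the same rule. Assumptions: the JSON payload is strict JSON with quoted keys (Python's json module requires them), unknown directives or options are rejected instead of ignored, and all function names are hypothetical.

```python
import json

# Directive and option names as listed in the proposal (current names).
DIRECTIVES = {"Normal", "Open", "Closed", "BoxOnly", "ReadOnly"}
OPTIONS = {"BoxImageOnly", "Priority", "Syntax", "Type"}

def split_quoted(text, sep):
    """Split on sep outside double quotes; the quote characters are dropped."""
    parts, current, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append(current)
            current = ""
        else:
            current += ch
    if quoted:
        raise ValueError("unterminated quote")
    return parts + [current]

def parse_rule(line):
    """Parse either proposed form of a rule into one normalised dict."""
    setting, _, value = line.partition("=")
    value = value.strip()
    if value.startswith("{"):                      # JSON payload
        fields = json.loads(value)
        image = fields.pop("ProcessImage", "")
        directive, path = fields.pop("Action"), fields.pop("Path")
        options = {k: str(v) for k, v in fields.items()}
    else:                                          # Name=Value;... form
        head, path, *tags = split_quoted(value, ";")
        image, _, directive = head.rpartition(",")
        options = dict(tag.split("=", 1) for tag in tags)
    # Fail closed: an unknown directive or option is an error, not ignored,
    # so a misspelled option cannot silently widen or drop a rule.
    if directive not in DIRECTIVES:
        raise ValueError(f"unknown directive {directive!r}")
    unknown = set(options) - OPTIONS
    if unknown:
        raise ValueError(f"unknown options {sorted(unknown)}")
    priority = int(options.pop("Priority", 3))     # 3 is the stated default
    if not 1 <= priority <= 5:
        raise ValueError("Priority must be between 1 and 5")
    return {"setting": setting, "image": image, "directive": directive,
            "path": path, "priority": priority, "options": options}

# Constructed inputs based on the two forms discussed in the thread.
LEGACY = r'FileAccess=cmd.exe,Open;"C:\Windows\TEMP\*";BoxImageOnly=y;Priority=1'
AS_JSON = (r'FileAccess={"ProcessImage": "cmd.exe", "Action": "Open", '
           r'"Path": "C:\\Windows\\TEMP\\*", "BoxImageOnly": "y", "Priority": "1"}')
```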
     
  20. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    585
    Many users are still coming to grips with the intricacies of the plus version.
    Old farts like me have grown used to handling the ini format for over fifteen years.
    We now have the ability to edit all ini files (sandboxie, sandboxie-plus, templates).

    The new format (whatever shape it might take) will be a shock to the system.
    My gut says KISS (keep it simple stupid, no disrespect to David :)).

    I suggest you create a poll to how users feel about this proposed change.

    Of course, the bottom line is that sandboxie is open source and you have
    been at its helm as the developer, doing a GREAT job (in my opinion).
     
  21. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    585
    Perhaps off-topic (but perhaps related):
    It is my hope that @DavidXanatos develops the WFP component of sandboxie
    into a separate full-fledged PORTABLE firewall (which stores settings in an xml file) :D
     
  22. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    Something along these lines has already been in planning for a while.
     
  23. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    585
    Cool! Thank you. Hope it can also be used on Windows 7 :)
     
  24. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    That will remain to be seen; most kernel APIs did not change much since 7, but the WFP component did, so on 7 some useful features may not be available.
    Also Qt 6.x does not support Windows 7 and I don't think it's a viable route to keep maintaining an own Qt fork with patches for Windows 7 compatibility.
    When I look at the Windows 7 usage numbers: https://gs.statcounter.com/os-version-market-share/windows/desktop/worldwide and how steeply they fall off when the ESU support ended, I'm not sure if it's worth the extra effort.
     
  25. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    337
    As a more or less casual user of Sandboxie I have to admit I just use the same setting I had years before. A lot of the options added are above my level of understanding/interest. E.g Ipc, Wnd, Com tabs...
    Thanks for all your time and work on sandboxie just please don't lose the casuals on the way :D
     