Sandboxie-Plus 1.0.8

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Jan 18, 2022.

  1. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,955
    yep. can tell you because i investigated some time ago installing EAC into sandboxie for the same reason. so you need that folder (contains cddb) and the registry for settings. you need to extract that content from <sandbox>/RegHive

    your questions concerning sandboxie is fine here, i wrote about creating portables -> new thread.
    portableapps.com has some threads about early versions of eac, but not current. and they are not allowed to include lame because they don't have the permission to do so. for your private usage it is allowed, but you should not distribute your work later, so as not to get into real big trouble.
     
  2. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    71
    Location:
    United Kingdom
    That makes sense.

    I've tried to replicate your example and no matter what I do 7zip can't access the drive I close through the Resource Access Rules. I've:
    Created a new sandbox using 'Standard Isolation'
    Checked 'Allow elevated sandboxed applications to read the harddrive'
    Unchecked 'Drop rights from Administrators and Power Users groups'
    Unchecked 'Make applications think they are running elevated'
    Unchecked 'Block network files and folders, unless specifically opened'
    Unchecked 'Drop critical privileges from processes running with a SYSTEM token'
    Forced 7zFM.exe
    Closed E:\

    Then, when I right click on 7zFM.exe and 'Run as administrator' to try and browse E:\ it simply doesn't do anything, it can't even read the label/file system etc. I also tried winhex with the same outcome.

    Is this because I'm running as a non-admin Windows account?
    In task manager 7zFM.exe is running under 'ANONYMOUS LOGON'.

    I suppose I could log into the admin windows account and try it out but it'll probably create loads of profile related cruft I'll never need!

    Don't get me wrong I'm happy with the result, but it doesn't sound like I'm getting the results I should be.
     
  3. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,338
    Location:
    Viena
    in my setup i set

    ClosedFilePath=E:\
    AllowRawDiskRead=y


    upload_2022-1-30_19-7-41.png


    when clicking on E:\
    upload_2022-1-30_19-8-30.png

    so far so good, but when click on PhysicalDrive0 you get all the partitions
    upload_2022-1-30_19-8-59.png

    E:\ is Basic data partition.img with 500mb and when you click on it here you get full read access

    upload_2022-1-30_19-10-29.png


    compare with the unsandboxed explorer.

    Cheers
    David X.
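
    The combination shown in this post (a closed drive letter plus raw disk reads allowed) can be checked for mechanically. The following is an added example, not part of the original post and not Sandboxie's own code; the box names, the sample ini text and the function names are constructed for illustration, and only `ClosedFilePath` and `AllowRawDiskRead` come from the thread.

```python
import re

# Constructed sample in Sandboxie.ini syntax (box names are hypothetical).
# Raw string: the trailing backslash in "E:\" must survive as-is.
SAMPLE_INI = r"""
[TestBox]
Enabled=y
ClosedFilePath=E:\
AllowRawDiskRead=y

[HardenedBox]
Enabled=y
ClosedFilePath=E:\
AllowRawDiskRead=n

[DefaultBox]
Enabled=y
"""

def parse_boxes(text):
    """Return {section: [(key, value), ...]}; keys may repeat, so keep a list."""
    boxes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = boxes.setdefault(m.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return boxes

def raw_read_conflicts(text):
    """List (box, closed_paths) where a box closes paths but allows raw disk reads.

    Conservative: any AllowRawDiskRead=y in the section counts, because a raw
    read of the physical drive exposes the partition behind the closed letter.
    """
    findings = []
    for box, settings in parse_boxes(text).items():
        closed = [v for k, v in settings if k.lower() == "closedfilepath"]
        raw_on = any(k.lower() == "allowrawdiskread" and v.lower() == "y"
                     for k, v in settings)
        if closed and raw_on:
            findings.append((box, closed))
    return findings

if __name__ == "__main__":
    for box, paths in raw_read_conflicts(SAMPLE_INI):
        print(f"[{box}] AllowRawDiskRead=y undermines ClosedFilePath: {paths}")
```

    To run it against a real configuration, read the ini file with the encoding it is actually stored in and pass the text to `raw_read_conflicts`.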
     
  4. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    71
    Location:
    United Kingdom
    I don't get the nice labels you do, nor do I see all the partitions for some reason, but that's for me to work out, at least I have a test now.

    Thanks for your help and generally for continuing the development of such a valuable product.
     
  5. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    71
    Location:
    United Kingdom
    I created a new 'Hardened Sandbox with Data Protection', added Firefox as the 'Forced Programs' and enabled all the Firefox 'App Templates' but every time I open up Firefox I get the 'Welcome to Firefox' and 'Firefox Privacy Notice' tabs.
    If I set an Open path of 'C:\Users\XXXX\AppData\Roaming\Mozilla\Firefox\Profiles' (where firefox tells me my profile is) which appears to be the same as the Tmpl.Firefox location under 'Template Folders' I get a clean start, but am prompted to make Firefox my default browser every time. I assume this is because it doesn't have read access to the relevant registry key?

    I'm just wondering whether the 'with Data Protection' sandboxes are meant to be used for "safe" programs like browsers, or whether they impose too many restrictions....or whether I'm overlooking something?

    EDIT: When creating a box with Data Protection you do get a warning that it 'prevents access to all user data locations, except those explicitly granted', does this mean those explicitly added template entries don't apply?
     
    Last edited: Jan 31, 2022
  6. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,338
    Location:
    Viena
    explicitly added exceptions should apply, the issue might be with parent folders/keys being missing
    I'll try out that scenario and see if any fixes are necessary
     
  7. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    71
    Location:
    United Kingdom
    Thanks for looking into it for me.

    Thinking about those templates a little more with respect to Data Protected sandboxes...

    When using a sandbox without Data Protection I'll typically only use the template 'Allow direct access to Mozilla Firefox phishing database' so it doesn't download it on every restart; this gives Firefox read access to everything and write access to the phishing database.

    With Data Protection however, by enabling all the templates (so that Firefox can run without having to specify all the locations explicitly) you're actually giving over more write access (because the Access is Open, or at least that's what I assume it will be as I can't get it working at the moment), which doesn't really make sense.
    I know it could get quite messy (programmatically), but if templates were added to a Data Protected sandbox they should default to read only, but be modifiable - although the complication there is that you can easily switch between 'Box Type Preset'.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,955
    Firefox doesn't need registry to work, only a profile. if you don't have one and let the box delete after usage, sure, you create a new profile each start. but, firefox is secure enough not to need sandboxie
    those granted folders are? list please!
     
  9. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    71
    Location:
    United Kingdom
    Admittedly I put a full stop there rather than a comma, but I was talking about how Firefox was prompting me to choose it as the default browser every time I opened it, because I assume, it doesn't have access to the required registry key. Although Microsoft are making it harder and harder to really achieve a default browser that isn't Edge!


    The browser is my biggest attack vector, so no, it's not secure enough. Out of interest, if you don't use it to sandbox your browser what do you use it for?


    I actually said:
    Which is nearly a direct quote from the Box Options screen when you select a Box with Data Protection. Do you really want me to list all the folders I could explicitly grant ;-)
     