
Dokany/cppcryptfs mounted drive: Unexpected access in Data Protection (blue) sandbox, always denied in Hardened sandbox (red) #4468

Open
ccchan234 opened this issue Jan 18, 2025 · 4 comments
Labels
Confirmation Pending Further confirmation is requested

Comments

@ccchan234

Describe what you noticed and did

  1. Created a cppcryptfs container on Google Drive (G:)
  2. Mounted the container using cppcryptfs+dokany as drive W:
  3. Tested access in different sandbox types:
    a. Data Protection (blue) sandbox can read/write W: by default (I expect it to be denied by default)
    b. Hardened (red) sandbox cannot access W: (correct action)
    c. Even after explicitly allowing W: in hardened sandbox settings, still cannot access W: (incorrect)

How often did you encounter it so far?

Every time when trying to access the mounted drive W: in these sandbox configurations.

Expected behavior

  1. Data Protection (blue) sandbox should NOT have default access to W: drive as the data should be protected

  2. Hardened (red) sandbox should be able to access W: drive when explicitly allowed in settings

Affected program

Not relevant - this is a sandbox configuration issue

Download link

Not relevant

Where is the program located?

Not relevant to my request.

Did the program or any related process close unexpectedly?

No, not at all.

Crash dump

No response

What version of Sandboxie are you running now?

Sandboxie Plus v1.14.10 64-bit

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression from previous versions?

Don't know

In which sandbox type you have this problem?

In a hardened sandbox with data protection (red sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

What is your Windows edition and version?

Windows 10 Pro 22H2 64-bit

In which Windows account you have this problem?

A local account (Standard user).

Please mention any installed security software

default

Did you previously enable some security policy settings outside Sandboxie?

No response

Trace log

No response

Sandboxie.ini configuration

Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#0423ee,ttl,6
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
UsePrivacyMode=y
UseFileDeleteV2=y
UseRegDeleteV2=y
AutoRecover=y
UseSecurityMode=y
OpenPipePath=W:\fav-01
@ccchan234 ccchan234 added the Confirmation Pending Further confirmation is requested label Jan 18, 2025
@ccchan234
Author

cppcryptfs is a clone of gocryptfs, but written for Windows in C++, and it uses Dokany to make the files into an emulated drive.

https://github.com/bailey27/cppcryptfs

Thanks

@ccchan234
Author

So my encrypted volume W: has indeed always been open to anyone from the blue DP boxes, for a long time... shocked.

@ccchan234
Author

Hi, looks partially solved.

For a red box that allows W:\z-lv02\fm-to-AI:

it won't allow Explorer to explore W:, but it does allow exploring W:\z-lv02\fm-to-AI.

Summary:
The DP blue box won't protect against data leaks from the Dokany-mounted drives.

Red boxes work as expected; however, when you access the files, you can browse through W: to xxx to the wanted level;
you should go directly to that level, e.g. W:\z-lv02\fm-to-AI
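To check for yourself what each box type actually exposes from the Dokany-mounted drive (the read/write test in the issue description and the per-path finding in this comment), here is an added probe script; it is not part of the issue, Sandboxie or cppcryptfs. It assumes the Sandboxie-Plus Start.exe location, the box name DefaultBox and W:\z-lv02 as an intermediate folder; W:\ and W:\z-lv02\fm-to-AI are the paths from the report.

```powershell
# Added probe (not from the issue, Sandboxie or cppcryptfs): lists and writes a set of
# paths on the mounted drive so the result can be compared per box type.
# Run it once outside any box and once inside each box, e.g. (Start.exe path and box
# name are assumptions; adjust to the local install):
#   & "C:\Program Files\Sandboxie-Plus\Start.exe" /box:DefaultBox powershell -ExecutionPolicy Bypass -File .\Check-MountAccess.ps1
param(
    # W:\ and W:\z-lv02\fm-to-AI come from the report; W:\z-lv02 is an assumed intermediate level.
    [string[]]$Paths = @('W:\', 'W:\z-lv02', 'W:\z-lv02\fm-to-AI'),
    [string]$ProbeName = 'sbie-probe-' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.txt'
)

# Returns one object per path: whether the current process can list it and write into it.
function Test-MountAccess {
    param([string[]]$Paths, [string]$ProbeName)
    foreach ($p in $Paths) {
        $r = [ordered]@{ Path = $p; List = $false; Write = $false; Error = '' }
        try {
            # Directory listing: a hardened box that denies the drive fails here,
            # which is why browsing W: itself fails while the allowed subfolder works.
            $null = Get-ChildItem -LiteralPath $p -Force -ErrorAction Stop
            $r.List = $true
        } catch {
            $r.Error = $_.Exception.Message
        }
        try {
            # Write probe: left in place on purpose so it can be checked from the host.
            Set-Content -LiteralPath (Join-Path $p $ProbeName) -Value 'probe' -ErrorAction Stop
            $r.Write = $true
        } catch {
            if (-not $r.Error) { $r.Error = $_.Exception.Message }
        }
        [pscustomobject]$r
    }
}

Test-MountAccess -Paths $Paths -ProbeName $ProbeName | Format-Table -AutoSize
Write-Host "Probe file: $ProbeName (check from an unsandboxed shell whether it exists on the real W: drive)"
```

Write=True inside a box only means the sandboxed process got no error; Sandboxie normally redirects writes into the box's own container, so the probe file indicates a real leak only if it shows up on W: from outside the box.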

@ccchan234
Author

I'll use the red boxes from now on, then.
I'll close this issue after 1 week, so that the author will be informed of the issue. Thanks
