Is there a way to make MO compatible with sandboxie?

[Mikiy]

Hey there,

 

I'd like to run Mod Organizer (and primarily mostly any tool that i run from inside MO, for security reasons) within sandboxie ( https://www.sandboxie.com/ ). The advantage of such setup (if it would work) would be that potentially harmful tools wouldn't have any access to the real file system aside of the skyrim files.

 

Some testing with that setup seems to show that this sort-of seems to work, i.e. i ran a cmd shell from inside a sandboxed MO and inspected the files and it looked like the hooking worked as expected.

 

However when running tools like LOOT or FNIS this seems to run into some issues, LOOT doesn't seem to recognize some files as beeing there and yields a lot of errors it wouldn't if ran non sandboxed.

 

As sandboxie configuration i used something rather simple like this (which gives unsandboxed access to related folders) :

 

[skyrim]

Enabled=y
ConfigLevel=7
AutoRecover=y
Template=BlockPorts
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Favorites%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,ttl
NotifyInternetAccessDenied=y
DropAdminRights=y
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedFilePath=\Device\Mup\
OpenFilePath=%Personal%\My Games\Skyrim\
OpenFilePath=D:\Soft\gametools\ModOrganizer\
OpenFilePath=D:\Soft\games\steam\SteamApps\common\Skyrim\
OpenFilePath=%Local AppData%\LOOT\
ProcessGroup=<InternetAccess>,modorganizer.exe
 

Question now is.. has anyone else tried to run a setup like this and got applications started from a sandboxed MO to work?

 

[GrantSP]

My take on this is, using a security sandbox on a gaming system is a bit 'over-the-top'.

All the tools used to mod games and their assets have been around for many years and some are even open-source, any potentially harmful code would have been found out by now and quickly rooted out by the gaming community.

Modders are a particularly obsessive bunch and I can't imagine any harmful tool still lurking around the traps.

 

ModOrganizer, LOOT, xEdit, FNIS, NifSkope, BSAopt, DDSopt, etc. are either in active development or have been left in a state that would expose any malicious code.

 

Now, having said that, probably the biggest obstacle that will confront you using Sandboxie is the fact MO 'tricks' any tools used in it to see a file structure that doesn't exist in the actual file-system of your computer.

Those tools will be looking at a 'fake' file-system, when Sandboxie is set to protect the 'real' file-system.

Is there a way to configure it to take this into consideration? Maybe, but I doubt it.

 

I think what will happen is Sandboxie's 'fake' file-system' will not be seen by MO's and in turn MO's will not be seen by Sandboxie.

 

Knowing the extent of your tool's reach might be the safest way to be secure on your game system. I don't know of any common modding tool that makes use of the registry to store hidden details about its workings, the only ones that do use the registry, like NifSkope are only following standard Windows protocols about setting application settings.

Any tool that stores settings outside its install folder details that location clearly in the documentation. LOOT is an example.

 

Frankly, I'm more wary of the way Steam goes about its updates than any tool I use. It just makes changes and has setttings stored in obscure locations that need a bit of Googling to find.

[DoubleYou]

I've tried sandboxie and don't like it. Much easier to test proggies in a virtual machine. Virtual machine blows up, big whoop. Besides, doesn't UAC already limit the amount of settings these things can touch anyway?