TL:DR - ability to allow program access to a limited, set number of folders on Windows PC. (Not sandbox, everything outside allowed folders and processes is invisible to program.)
Let’s imagine CAD software, where each new version converts all previous version files in new format.
And we need to have CAD2016 and CAD2020 versions functional at one PC.
When freshly installed CAD2020 is launched, permissions to acess program folder granted, we also grant permission for “Drawings2020” folder.
After allowing CAD2020 acess to “AppData\CAD2020” and “My Documents\CAD2020” folders, we ensure that CAD2020 is fully functional.
Last step - select “Block acess to other folders silently”.
Now we have CAD 2020 peacefully co-existing with CAD2016 - they just dont know another one is present.
Another example - EpicGames Store scanning your Steam library (or “-program-name-” scanning folders on your PC).
Being able to apply pre-defined set of rules for mass applications, limiting their access strictly to need-to-work folders is IMO beneficial.
Expected problems - from my level of know-nothing this positive intention may be ■■■■■ by Windows users logic, otherwise encriptors won’t stand a chance.
But, still - greater the challenge - greater the reward.
You already can with HIPS rules or with the container(sandbox) and add folders to protected data folders to prevent applications running in containment from any access to those protected data folders.
I did some testing before posting initial proposition.
It can be read as “Make HIPS more user-friendly”.
But HIPS proved unable to accomplish my task.
Just tested:
Win10, CIS. Programs tested - windows notepad, notepad++.
Hips in safe mode, program rules all set to “block” and “active” except “win hooks” for notepad++.
Folder “D:\SomeDocuments*” added to “Protected Data”.
Results:
Opening folder from editor - not working - good.
Drag-and-drop file on editor window from “D:\SomeDocuments*” - working, editing and saving - working - WTF?
Most important thing - “Protected Data” override application rules.
Setting “D:\SomeDocuments*” as exclusion\allowed files\folders does nothing. Still no access to folder.
Setting “D:\SomeDocuments\work*” as exclusion\allowed files\folders does nothing. No acess to folder, where it must be displayed as only folder in “D:\SomeDocuments”.
So I can’t just add “D:*” to “Protected Data” and then create specific rules for each application.
So, I am yet to be assured that HIPS in it’s current state can be used to “Isolate program within selected set of folders/processes”.
Also, adding folders into “Protected Files” does nothing to the scan and indexing of my files, I want complete hiding.
“If you want to totally conceal an item from contained programs, but allow read/write access to trusted programs, then add it to ‘Protected Data’.”
What must be done to allow acess to selected folders to specific program only, not running in container?
P.S.: if this topic gets way out of “New product/feature” discussion - fell free to move it into CIS HIPS section.