Appearance
WinSCP
Validate WinSCP behaviors under the Secure Sandbox.
Objectives
- Enforce network controls for SCP/SFTP connections.
- Verify file system isolation during transfer.
Preconditions
- Windows target with Turbo Launcher and Secure Sandbox.
- WinSCP installed.
Controls Under Test
runtime.networking.egressDefaultAction.runtime.files.contexts.
Test Scenarios
| ID | Canonical ID | Scenario | Procedure | Expected Outcome |
|---|---|---|---|---|
| SCEN-TOOL-WINSCP-01 | NET-EGRESS-01 | Connection to Disallowed IP | Connect to <IP> via SCP/SFTP. | Connection blocked or proxy deny. |
| SCEN-TOOL-WINSCP-02 | HARD-FILES-01 | Download to Host | Download file from remote to C:\. | Write restricted to overlay/context. |
| SCEN-TOOL-WINSCP-03 | DM-DRAG-01 | Drag-Drop | Drag file from WinSCP remote pane to Host Desktop. | Blocked per policy. |
| SCEN-TOOL-WINSCP-04 | NET-ISOLATE-01 | FTP to localhost blocked | Start a local FTP server on the host; connect from sandboxed WinSCP. | Connection denied (loopback isolation). |
| SCEN-TOOL-WINSCP-05 | NET-ISOLATE-04 | FTP within named network | Start FTP in a sandbox on --network=test; connect from another sandbox on the same segment. | Connection succeeds within the same named segment; transfers write only to overlay/Storage Contexts. |
Evidence Requirements
networkevents: destination, action.fileOpevents: write attempts.
