is this a hole in sandboxie?

m00nbl00d, this is not true. Being specific, if the downloads folder is forced and named "Downloads", a text file will certainly open sandboxed.
WMP, 7Zip wont but if these programs are forced, its files will open sandboxed in its own sandbox.

Bo

 

I mentioned *.txt as a pure example. I truly don't remember if *.txt would be affected.

Read this.

Also, please read what Tzuk and others mentioned here.

And, obviously if I'm forcing folder A to run sandboxed, and if the file is a text file, what the heck does WMP or 7zip have got to do with anything? I'm not understanding what you're trying to achieve with this.

The thing is, the file may not always open sandboxed. I still haven't come across such situations, but reading those threads it clearly shows others have, and it's a limitation of the "Forced Folders" feature, as Tzuk mentioned. Now, if you're saying they're not telling the truth... that's something totally different.

 

Exactly, you dont know but you are saying Txt is affected when is not. I mentioned WMP and 7Zip because THEY are affected. Other than Windows Picture and Fax viewer, WMP and 7Zip, nothing else is affected that I know.

Another thing that you don't know, as you are a SBIE part time user, is that files of those programs that are affected will still open sandboxed in its own sandbox if they are forced programs. JPGs is an exception, that's why I use a sandboxed Windows Explorer to open them.

Don't exaggerate, that's all.

Bo

 

First, I never mentioned that *.txt were affected. Have I ever said they were?

Second, I mentioned *.txt, because Tzuk mentioned it in one of his replies in the thread I pointed you to over Sandboxie's forum.

I'm more than aware that by forcing an application to run in sandbox, they will run inside the sandbox. No need to lecture me.

Exaggerate? Are you for real? I mentioned *.txt because I saw it mentioned by Tzuk, and I'm exaggerating?

Or, am I exaggerating for suggesting Page42 to always open Explorer sandboxed first (actually have a shortcut for that)?

Seriously, your definition of exaggeration is a bit "concerning", considering what I explained above.

Why it is then when something is said about Sandboxie, Sandboxie purist* users always feel like they got the need to fight back a non-existing fight?

*Users that use Sandboxie at all times, unlike those who used them for some specific stuff, like me. No intentions to be rude with the word purist.

 

Really? User ssj100 talked about something different, in the threads I mentioned.

And, no one in there contradicted him.

 

If you read what you said on a previous post by you, it sounds pretty clear that you are saying Text files are affected when they are not.

I think its a great idea to have a sandboxed Windows Explorer shortcut but I prefer, if possible, to have my programs open in its own sandbox or in a forced folder and that's how I do it.

"I recall now that with media and picture files, if Windows Media Player and Windows Picture and Fax Viewer are your default programs for running these file types respectively, running these files from a force sandboxed folder/drive will not work - they will always open unsandboxed"

Thats in the past m00nbl00d. One more time, you don't know what you are talking about as that situation for WMP it does not happen anymore. In my computer WMP files will open sandboxed in its own sandbox when the files are placed on a forced folder. They will not open in the forced folder but do open sandboxed in its own sandbox.

With all due respect to SSj, he should get that fix.

Bo

 

m00nbl00d, let me add, for JPGs, we can use the sandboxed Windows Explorer or right click on them as they wont open sandboxed otherwise. Thats what I use the sandboxed Explorer for but WMP will open sandboxed when it is a forced program, no matter what.

Bo

 

Because you got WMP forced to open in its own sandbox, correct?

I just gave it a quick test... because I do like to have evidence on which I can base what I say... and I set WMP as my default player (I usually have VLC), and I forced a folder with media files in it to open in a sandbox.

Guess what? WMP opened outside the sandbox. Why? Because WMP was not forced to run!

Don't come with such superiority crap on me, please. The fact is, as user ssj100 mentions, if these files are on a forced folder, they will still open outside the sandbox! And, once again, I'll say that they open outside of the sandbox, because, regardless of the folder being forced... WMP is not.

Forcing an application won't take away the fact that forcing a folder doesn't always work! And, that's all what I am saying. For some reason, you're failling to understand that.

We're talking about two distinct features: Forced Folders and Forced Programs.

I know my facts... You seem not to know yours. Quite an irony for such a full time Sandboxie user...

 

By forcing the program, you overcome the limitation. There is nothing wrong with doing that. You fail to see the point of doing so.

Bo

 

No, you are talking about the features while I am talking about how to make Sandboxie succeed, despite its limitations. Big difference.

Bo

 

we're trying to help fix the problem with forced folders here which we think is giving us false sense of security, while you shoving your workarounds (with the help of sandboxed explorer and forced program) which we already know how to do.


sandboxie's forced folder has limitations but those limitations might/can still be improved/fixed and I don't think your arguments help.

 

You're only revealing that you fail to understand the core issue here.

As an example, I'll mention a recent event with Sandboxie. Some person over Sandboxie's forum came with a PoC that would create a user account in the real system. Before that, another user had already mentioned that a legit application, that he/she installed in a sandbox, managed to do exactly the same thing.

Now, one of Sandboxie claims/features is that it allows us to install software in a sandbox and then ditch it, if we want so.

I got this from www.sandboxie.com

Now, YOU could argue that any user could enable the setting Drop Rights, but that would kill the purpose of being able to install software in Sandboxie, wouldn't it?

So, what was the solution to the problem that was brough to Tzuk's attention? The solution was to fix the damn problem. Why? Because enabling Drop Rights was not the solution, because users could no longer install software in a sandbox.

Now, let's bring in Forced Folders. It is an independent feature from Forced Programs. One does not depend on the other, so they're independent.

Forcing a program won't take away the fact that there's an issue with the Forced Folders feature.

You're seeing this as YOU and only YOU and your workarounds... This isn't about you or me. This is about anyone using Sandboxie or that will use Sandboxie.

Sandboxie has a feature called Forced Folders. I may want to force a folder where I got media files I download from the Internet or that friends give me, and force that folder to its own sandbox, and since Sandboxie does have this feature, I'd expect and I'd wish that Sandboxie does force the media files to open in the sandbox.
But, I may not want the media player itself to be sandboxed, at all. I'd only like to have it sandboxed to this or that folder.

And, that's a feature that Sandboxie happens to have. The problem is it's not working as it should, and if Tzuk could do something about it, it would be great. And that would be the solution.

Workarounds are never the solutions, but only temporary fixes until the solution fixes the core problem.

 

Precisely...Big difference. I'm talking about apples and you're talking about oranges, and then you say that I'm wrong and exaggerating... when you're the one who's been wrong and exaggerating since the beginning.

 

Sandboxie 3.59.05 beta released.
can't find changelog

 

Can we ever?

 

@moonblood
When I said that you are exaggerating, I said it because you make it sound like any program at any time can fail to open in a forced folder and that moonblood it is an outrageous exaggeration. Yesterday, you did not even know whether Notepad is one of the programs that fail to open in a forced folder. moonblood, most of what I can tell you about SBIE, comes not from reading about it, but comes from my personal experience using this program and only three programs have EVER failed to open sandboxed in a forced folder in my PC. The workarounds are easy, work just fine and have been mentioned over and over on this thread so I wont mention them again.

This (Old)issue that affects WMP and Windows Fax and Picture Viewer, causing those programs not to open sandboxed in the forced folder, also affects other sandboxing programs. This is not a SBIE issue but a sandboxing issue.

Nothing in life is perfect, you should keep that in mind.

This is my last reply.

Bo

 

About this part of your reply, I have this to say - You totally lost your reason, and start to mention things I never mentioned. Never once I mentioned Notepad. I mentioned *.txt because I saw it mentioned by Tzuk (Sandboxie's author) as well. He mentioned such file type as well, so who am I to say that they weren't affected or can't be affected at some point, depending on what program the user uses to open *.txt files?

Again, I never once mentioned Notepad. You are simply assuming that anyone opening *.txt files is using Notepad... but whatever...

I never said this was strictly related to WMP, Windows Picture Viewer and Windows Fax. I mentioned those as the examples that were given in Sandboxie's forum.

You're totally right on that. The big difference is, if it's possible to make Sandboxie handle Forced Folders feature more efficiently, then why wouldn't I want it to be improved?

It honestly sounds like you got something against Sandboxie that makes you not want each feature to work flawlessly. Kind of an irony for a Sandboxie paid user, but OK... Guess what? If possible, I'd like for each Sandboxie feature to work flawlessly. Sue me for that...

Anyway, this is also my last reply to you, considering you're still having a hard time figuring out what's the core issue here.

If you truly believe that what you're saying really helps Sandboxie become more efficient...

Anyway, I'll say it again - Forcing a process name to run sandboxed won't solve the issue with Forced Folders, and that's something you're having a hard time to understand.

Yup... you're clearly failing to understand what the issue is... You keep talking about Forced Programs, while we're talking about Forced Folders, but it's useless to say anything to you, because you're still failing to understand this is not about you forcing an application...

See ya...

 

May the force be with you all~

so... any progress on the issue?

 

When using the forced folders, a user should be able to count on any file within that directory to become sandboxed upon execution. Period. That is what a "forced folder" is supposed to do.

The issue of WMP is a documented one. I wish it were seamless, but it is not. One must account for that. Full disclosure of all these "issues" would be nice, so one can take the steps needed to handle them. These are "annoyances" IMO, although I would like to see them fixed for good.

The issue of a certain subdirectory level or a certain character length directory causing an escape of the sandbox is, IMHO, a very serious issue. It "seems" to me like a code oversight, as if there were a statically assigned value there, or an older function/method/property that was used in the code. Don't know, doesn't matter. All that does matter is we know it exists, and hopefully Tzuk will be able to correct the situation.

I would like to know if it is possible for a sandboxed process to exploit this or not. My thoughts are it is not possible. If a browser is sandboxed, and it creates this long named directory, then executes a file within it, the new process should be forced into the same sandbox as the browser, as it should inherit this. I think the issue arises only when the user executes the file from the real OS.

It falls back to the user at this point to be aware of such a flaw until it is fixed. Being creative and making sandboxes or sandbox rules is really beside the point, as that is only covering the problem up with a temporary bandage. The author needs to correct the situation permanently for SBIE to retain its level of protection.

While I would not click willy-nilly in my forced folders, some might. I see this as a pretty critical flaw in SBIE, especially once malware authors find out about it. While the threat is not that great since it requires one to manually start the process, it is still a threat that is unchecked by default.

Sul.

 

Not worried. Still the best security program I've found.

 

No doubt about it.
Tzuk has always been responsive!

 

I guess a PDF exploit can do the trick. Although I haven't tested it against a real pdf exploit, but I found that if you randomly rename a folder to max and force it to run under sandbox and execute a PDF file inside it, then you will find that your pdf file will be executed outside sandbox, same with a docx file. So imagine if docx file have some kind of Macro-Virus then it may run outside a sandbox..

 

This is from Sandboxie's forum: