Sandboxie-Plus v1.0.11

Thank you for the explanation and time. Unfortunately after trying all of this still no success. I do appreciate the effort.

And this was it! Never would have thought about it, but as soon as I disabled Banking and Payment Protection firefox worked right away with no other changes sandboxed. Hopefully bug fixed at some point but at least it's working sandboxed now.

Thanks so much, was going crazy.

 

I'm glad if I could help.

(Maybe the next Sandboxie version could show a message when ESET is used? Since this problem has been mentioned more often.)

 

This only affects Eset's Banking Protection and it has always been like this. For this reason, and also because it only works with the browser defined as the default (with only a few browsers supported), I have always turned it off.

With Banking Protection, Eset starts the default browser in its own sandbox. So this can't be fixed without making its sandbox more insecure, which is why you have to commit to one of these two.

 

Thanks for the info, it's odd because I did renew and it changed to Internet Security which must have turned this feature on.. But I did that days before and Firefox kept working fine until I upgraded Sandboxie. In any case works as before now and will just keep that off.

Thank you again

 

Yes exactly, thanks to Sophos and of course David Xanasoft it's still alive. However, I must say that I'm a but surprised that not more developers have interest in it, from what I understood anyone can develop their own version? Even if you had 2000 customers that are willing to pay $20 a year you could still make a total of $40.000, not bad right?

 

I figured it was either too hard for him, or he just didn't want to do it because it didn't affect anyone else. Probably both of these are true. He didn't even think it was necessary to correct the OpenIpcPath error in the template, i.e. just add a wildcard to ServiceMapping.
https://www.wilderssecurity.com/threads/sandboxie-plus-v1-0-12.444449/#post-3071403

 

To my understanding the additional * did not work fully i.e. the buttons were not visible?

Look I have a lot of things competing for my time, much more than I have time.
If you want to put high priority on your issue become a Patreon on the 25€ or 50€/month tier that buys you priority.
Else you have to wait until I have time to look into some fringe issue.
Or at least sponsor me a license for whatever tool you want me to fix, LOL

Anyhow I have installed the trail version of that thing on my dev VM and am looking if its a quick and easy fix.

 

adding the * and disabling adding programs to a job object (unchecking the marked option) fixes this Actual Window Manager, however jot restricting the programs to a job object disables some of the UI isolation enforcement, hence its not generally recommended, but its not a high risk setting.
As it stands I don't see any good fix at this point that would not require this workaround.

 

Thank you very much for your answer, David!

Yes, the wildcard in OpenIpcPath at the end of "*\BaseNamedObjects*\*_ServiceMapping" makes Actual Window Manager work again, but not completely. Its buttons in all windows are not visible and do not work (exception is the button for "always on top"; it is not visible either, but still works; all others do not).

You can test it by creating a rule for Firefox in AWM and setting it to maximize the window after startup.

Also create the following desktop shortcut for Firefox:
"C:\Program Files\Mozilla Firefox\firefox.exe" -private -safe-mode

Firefox never starts maximized with this shortcut, even if it is specified in its shortcut. Use this shortcut to open Firefox in a sandbox. AWM maximizes the window if the wildcard at the end of ServiceMapping is present, otherwise it does not. So AWM basically works.

But only another, but single wildcard at OpenWinClass, also makes the buttons appear and work.

 

Yes because that implicitly disabled the job object restrictions.

This is considerably less safe than just disabling job objects, as on modern windows a lot of what the job object isolates is also isolated by the UIPI

So your best option is to only disable the job object

 

I should really look into how much isolation is actually really lost when the job object is disabled,
one that I know of is clipboard isolation,
but it would be good to have a full list of what is not covered by UIPI, because possibly on modern windows we may opt for using the job object only for the enhanced isolation boxes.
I asked curt (one of the old sophos devs) about that some time ago but he did not know eider.

 

this is because of -safe-mode, and it makes no sense to use firefox in safe-mode, it's because of troubleshooting
https://support.mozilla.org/en-US/kb/diagnose-firefox-issues-using-troubleshoot-mode

and ofc firefox in safe-mode has to run in sandboxie although its not required.


if firefox do not run in sandboxie then either the profile is quirky or some issues from outside.

 

Sure, that's why I wrote before that this can't be a solution:

I don't use it. I just found it out in countless attempts.

Thank you very much for your answers and efforts!
I hope you can find a solution at some point.

 

I use this mode only for testing, if something does not work as expected! And I use it therefore also in Sandboxie, so that I can then also experiment to my heart's content in about:config! By the way, besides security, this is the second important reason why I use Sandboxie, namely that I always have the previous state of the browser after a browser restart and thus do not have to delete cookies, history and cache. Updates of the browsers and addons are basically done only outside the sandboxes and afterwards they are cleaned with CCleaner, which I use exclusively for this purpose and start and quit manually for this purpose.

 

Prudent move. I cannot recall ever reading posts/threads on Wilders with so many rapid revisions and tweaks by the developer to accommodate so many feature requests while addressing so many gripes.
Needless to say, the push and shove by some of the users here for a free product is more than a bit top-heavy to say the least.

 

Yes, but to be honest I can understand that it's sometimes a bit annoying if users feel like they getting ignored. For example, SpyShelter's keystroke encryption still doesn't work inside the sandbox, at least last time I checked. While KeyScrambler does work.

Cool that you took the time to try to fix this.