Sandboxie-Plus v1.11.2

Release Notes - New Features and Enhancements

Sandboxie-Plus 1.11.x comes with a new component ImBox.exe which in combination with new service and driver mechanisms enables exciting new functionality. The ImBox.exe is a block device proxy for the ImDisk driver (which can be installed using the add-on manager introduced in 1.10.x) and is capable of creating dynamic RAMDisks as well as mounting Encrypted Box Images using DiskCryptor's robust and reliable AES-XTS implementation.

• The RAMDisks integration is available to all project supporters with a valid supporter certificate, it allows for seamless RAMDisk usage once configured on the add-on options settings page and enabled for selected sandboxes. The RAMDisk can be mounted without a drive letter providing a seamless experience, the appropriate Folders on the shared RAMDisk are linked to the default box root folder locations. The RAMDisk is NOT persistent this means that all data stored on the RAMDisk vanish once the system is rebooted, making such a sand box ideal to store transient confidential data.
  
  
• The Encrypted Box Image feature uses encrypted container files to store a boxes root directory (containing all files and the boxes registry hive) the mounted encrypted volume is by default guarded by the driver such that only processes runnign within the sandbox (and essential sbie+ components) can access the files stored on that volume. In combination with the "ConfidentialBox=y" option, host process read access to sandboxed processes memory is effectively blocked, ensuring no rogue process on the host can access confidential data in RAM belonging to sandboxed processes. The combination of this mechanisms creates secure enclaves, which ensure data processed within an enclave can not leak to the host (except for user configured OpenFilePath locations) and is protected even when the host would to be compromised (only adversaries which obtained kernel level privileges can bypass these mechanisms).
  

Note: As the new Box Encryption feature opens up a completely new branch of use-cases, which would merit being a separate product on its own, it requires a separate advanced encryption option which must be obtained in addition to a valid supporter certificate, except for the following certificate types: Contributor, Patreon, Huge and Large, all others need to be upgraded using a upgrade key which can be obtained on the web store and has to be entered on the support page.
Also for more clarity the available certificate scheme was restructured Small was renamed to Subscription, Medium to just Personal, Large was removed and a Family Pack subscription was added.

For a full list of changes and fixes please review the full Changelog.


Download: https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.11.2

 

First observations on v.1.11.2:
All looking good so far.
Although some minor new inconvenience seems to having been introduced to the installer-part of Sbie-Plus.

After the installation has completed successfully (well, almost, that is) one is presented with the final window as usual:

Now if I tick that option-box Sandman will start-up full-windowed which I usually do not like unless I intend to declare any changes to the sandboxing-process. So on standard terms I would prefer Sandman to go to the SysTray immediately and that is why I hitherto chose to untick that option box. As a consequence the Sbie-tray-icon would close down again (amazingly enough) and Sandboxie would appear to be gone. But since I have my browsers (with one exception for testing purposes) configured to be forcefully run sandboxed that didn't make much of a difference as upon the next start of a browser the Sandman-tray-icon would re-appear in SysTray automatically and normal operations would take their course.

Then come installation of v.1.11.2 and suddenly things look a bit different. With that checkbox unticked the Sbie-tray-icon would vanish again after installation - much as expected. BUT on the next "box-forced"-browser-start to follow NO SysTray-icon will come up again and the browser will open without the usual (yellow) colored border indicating active sandboxing and after downloading a file no recovery-process will be invoked at all - neither "immediate-recovery" via notification-window as selected nor via the full recovery-window in the end once the browser would close down. Also an attempted "emergency-shutdown" via hotkey had no effect and so my first impression was that the browser would not be running sandboxed at all. But further inspection of the virtual-drive-letter would suggest that the box-content was to be found in there as it should, albeit without any recovery-offer for downloaded files.

Now the good news is that upon the next re-boot all strange phenomena will be gone and the Sbie-tray-icon will reside in the SysTray right from the start and things will be back to normal.

 

Interesting that this did happen already with v.1.11.1. on those machines.
For me I can definitely say that here this is a new phenomenon introduced with v.1.11.2. and did not show up on v.1.11.1 although this latter version had more severe issues on my system otherwise which now thankfully seem to having been resolved.

 

Even though it's pre-release, I installed it over the top anyway and looks encouraging so far. Firefox opens a bit faster with this one which is always welcome. Haven't had the issues others are describing to date but that doesn't mean much-- just that I"m not using it nearly to its fullest potential.

 

1.11.2 / 5.66.2 is Latest

 

How do I reverse "Encrypt sandbox content".
How do I disable "Encrypt sandbox content".
When I Unmount Box Image. I lose access to Sandbox Settings.
How do I regain access to grayed settings?

How do I remove Disk root:\Device\ImDisk0?
How do I release 2GB memory?

head scratch

 

Could you put a message letting everyone know that 'Box Protection' under 'Security Options' requires the purchase of an advanced upgrade certificate. I installed the latest stable version and noticed my apps wouldn't start. I'm sure others will come across this setting especially new users who don't know that you need to purchase an advanced upgrade certificate to use this feature.

 

@bjm_

• "Right click on the box > Sandbox Tools > Export Box"
• "Right click on the box > Unmount Box Image"
• "Double click on the box > Edit Ini > Remove the 'UseFileImage=y' setting."
• Extract the exported archive file into the Sandbox folder.
• You can also delete the .box file associated with that box in the Sandbox folder if everything is OK.

1. By unmounting the box image.
2. The encrypted box does not use a ram disk, but an encrypted image file.

 

Well, I had to install ImDisk to access Encrypt sandbox content.
Image (mouner) mounter required for encryption and ramdisk boxes

 

The ImDisk driver is required to mount an encrypted image file.
You can choose that file to be on a fixed disk or a ramdisk.

 

I did not opt Store the sandbox content in a Ram Disk. With the encrypted image file mounted. I didn't know how to get my Edge sbox back to before I installed ImDisk driver and opted Encrypt sandbox content. I went back to 1.9.8...for now.

 

Speaking of which, @DavidXanatos, I don't think it is a good idea that for certificate-holders now seemingly all "golden-bullet"-indicators marking exclusive content/features seem to be gone. They should on the contrary be visible in Sandman for everyone, anytime to provide comprehensive information about all the advanced features currently in use.

Those currently not being highlighted for certificate-holders any longer seems all the more regrettable as in case of loss or expiration of said certificate Sandboxie still does not fall-back automatically into a state where it would at least continue to run with minimal / free features - but would plainly refuse to start at all instead, just popping up a message that the current box-configuration would make use of ?one/some/many? certificate-restricted features. And then it's anyone's guess which features exactly might act as a deal-breaker for the time being.

 

I might have been wrong in thinking an advanced upgrade certificate is required to use 'Box Protection' but it seems the setting/feature is required to use the encryption feature where an advanced upgrade certificate is required. A little confusing from reading through many posts. Meanwhile, 'Box Protection' is a setting/feature which I can't find any additional info on how to use it and what extra protection it provides. Just spent hours reading through posts and visiting the Sandboxie website trying to find out how to properly use it. Always new settings/features but no link to what it is and how to use it. Kinda drives me nuts.

 

It's getting so that it would be nice if Sandman had a "search" feature so that we can find some of these more obscure settings.

Edit: tx for correction, bjm_

 

It's getting quite confusing, so I would like to clarify. I am currently running Plus 1.10.5 - I always update with a time lag waiting for some of the initial bugs to be ironed out. I had a supporter certificate which has just expired. I am using
the plus version with 3 sandboxes and while I have done minor configurations, these just relate to basic stuff like "forced folders", "forced programs" or autodelete. Anything else is default setting and I am not making use of any of the more sophisticated
features introduced more recently. I would like to support David for his great work but at the same time don't want to be in a position where I have to pay more and more for stuff I am not using.
If I still update will my basic use of the program still work or is updating only recommended for those that want to go with the new features. Would it not be easier to have a basic version and a Deluxe version where you pay for advanced features?

 

If you already had a supporter-certificate then you also have access to some advanced new features - that is within the 1-year-upgrade-period until the certificate expires.

From then on you have basically 2 options:
1. Stop upgrading and keep using the last version you're eligible to with all possibilities it offers until you may run into some future incompatibility of Sbie with updated OS- or browser-versions in the future. - Or
2. you upgrade to the latest version anyway (either because you want to or because you have to due to said incompatibilities) thereby losing all advanced capabilities. But be careful though! If it turns out that indeed you DID use some advanced features Sandboxie will as of now simply stop working instead of offering a fallback-option to basic functionality. And it will be up to you to find out which features to disable as they might have been the deal-breaker for Sandboxie no longer working without a current certificate.

So before starting the upgrade process you might want to temporarily delete/rename your certificate-file and see if Sandboxie would start normally even without it. You can then also inspect Sandman if any of the features you're currently using are marked by a "golden bullet" - which means you would need to buy a new certificate after the upgrade to keep using those. If no features in use are marked by such a bullet and Sandboxie would come up normally even without a certificate-file then you're good to go to upgrade to the latest version for free.

 

Is it the same issue, when you checked for updates were the instaled updates a full new version using the installer or only an incremental update?

Grayed settings in this group are only available when the box is empty, so to get access you need to delete the entire box content.
The image gets normally unmounted as soon as the last boxed process in that box terminates.
Except if you explicitly mounted it through the box context menu then it remains mounted until you manually unmount it using the same menu.
Its strange that it shows on your system 2 GB is your box folder not located on a NTFS partition? The Image file (2GB by default) should be created as a sparse file meaning it should only use as much HDD space as it has content.


this mechanism is not available on FAT partitions,
or you filled the entire 2gb?

it's there already:



even with a tool tip

The "golden-bullet"-indicators, were always hidden when an active certificate was found, this is not new behavior.

Also when a configuration is encountered which requires a (new) certificate the message popup/log indicates the setting name:



Such that the user knows what to disable.

About an automatically fall-back, first all boxes which don't use certificate bound features remain functional so there is nothing to fall back to for these.

Boxes which use certain features, com with an expectation of enhanced security/confidentiality, a fall-back here would pose a security risk as the additional protections would not be in place anymore which may expose the users to unwanted risks, its safer to outright fail then to run something insecurely while the user expects enhanced security.

I'm sorry about that, writing documentation is not my strong suit, that's why there is always the opportunity to earn oneself a never expiring max features contributor type certificate, by contributing like by writing documentation
Yea you need the advanced upgrade to use 'Box Protection' what it does is it prevents unsandboxed processes from reading the memory of sandboxed processes such that if you run something in a protected encrypted sandbox, other processes on the host can not access any of the data contain within the box.

The free features will remain working even when the certificate is no longer active, you loose nothing by getting a cert and letting it expire, only the more advanced features would stop working.
And as algol1 mentioned if you have a "Personal" type certificate (formally Personal-Medium or Personal-Large) its not a subscription but perpetual unlock for the current build + 1 year of updates (+2 in case of large) so only when you install a build compiled after that update period has expired it would lock out features, builds compiled before that date will remain unlocked forever.
With 1.11.2 the update mechanism was improved to disable automatic update installation and show a warning message when based on the dates it is likely that the new build will no longer work with a currently active personal certificate.

So there are 3 aspects to the "Personal" vs. "Subscription" (formally Personal-Small) decisions
1. Whomever wants to support the project more should get the more expensive option, obviously
2. One can gamble on not needing an urgent compatibility/security update for more than one year hence saving overall some $$
3. One gets the security that if a nuclear war starts tomorrow and one is living in a bunker for the next decades, without internet and means to obtain a new subscription certificate, the last version one got will remain working forever.

Isn't that how it is kind of, no cert == basic version, active cert == Deluxe version
Or what else do you have in mind?


Also PSA:
in the 1.10.x build is a bug when validating some new certificate types, if anyone sees a cert in this builds valid but the features not being unlocked please update to 1.11.2 its a final (no longer pre release) build and has this issue fixed.

 

When installing for the first time the default expectation is the UI of the installed app to open, that's what the checkbox does,
when upgrading perhaps we should check if it was a clean install or an upgrade and if it was an upgrade make that checkbox start in tray instead?
About the not starting at all issue will have to look into it.

Also since we are talking about installers, I was thinking to replace the installer on the website with some live installer, this way I don't need to update the download page each time, what do you think?

 

If your usage is the way you say you could consider just using the free version and donating (since you mentioned you wanted to support the dev). This way you always have the latest stable version with fixed bugs while still supporting the dev.

 

as I recall: invoking Delete Content against my Edge sbox...called "The Sandbox is already empty."

Does 2GB continue to display with all processes terminated?
as I recall: I tried Terminate All Processes. 2GB remained.

Maybe, I did mount my Edge sbox through the box context menu...not understanding it remains mounted until manual unmount using the same menu.
I'll try 1.11.2 again with a new Default Test sbox. Thanks

 

Maybe not new behavior - but for the purpose of better orientation perhaps they should have been there all the time and visible for everyone for the sake of transparency. I've activated my certificate only recently and so I couldn't see the different behavior before - but from my perspective there doesn't seem to exist any good reason for any different behavior in the first place.

That is certainly a welcome addition. I've just not stumbled into this one until now. Only have observed the total refusal from Sandboxie to start at all without being informed about the exact reason why so far.

That is understood. But as in my case the only active (default-)-sandbox had all of a sudden been declared to make use of certificate-bound-features (b/c of having the newly introduced RAM-Disk-feature activated for testing-purposes) with the upgrade to v.1.11.1 which had neither been obvious nor foreseeable under v.1.11.0.

So as for the proposal of an automated fallback-option perhaps the best solution would then be to declare some hidden basic-features-box in the background and right from the beginning (with, for instance, all necessary compatibility-options for auto-detected software-packages as well as all default-wise selected options for (auto-)-recovery still enabled, with all standard features inherited from the default-box) that would only jump to the foreground and take over just in case no other user-declared-box, not even the default-box, would be eligible to run without a certificate any longer. Of course as to avoid any misunderstandings about expected security-features no longer present in this basic-box some conspicuous warning-message would have to pop-up advising the user accordingly.

That of course would only be the case in any given situation after the successful implementation of a fallback-option as proposed above!

 

Yes, that's definitely the way it is supposed to work!

 

@DavidXanatos :
Question re: Security Options=>Box Protection=> "Protect processes within this box from host processes",
When enabling this setting, does it activate DenyHostAccess=*,y
If so, it does not appear in sandboxie.ini. If not, what is the setting that is actually applied? Thanks.