Sandboxie Plus 0.9.3

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Aug 8, 2021.

  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,331
    Location:
    Vienna
    This build adds the new functionality to use the Windows Filtering Platform (WFP) to implement a per-sandbox firewall.
    This functionality needs to be enabled in the global Sandboxie settings, and the driver needs to be reloaded (or the PC rebooted) for the feature to be activated. Once this is done, the firewall rules, which can be configured in the network options of each sandbox, will be enforced by the driver.
    If the WFP support is not enabled, the same rules can still be set and are used, but will be applied only by a set of user mode hooks; unlike the WFP implementation, they will apply only to outgoing connections, and there are no enforcement guarantees, as user mode hooks can be bypassed or disabled by a malicious application.

    The rationale behind implementing this functionality in user and kernel mode (driver) instead of driver only is twofold. For one, it allows for debugging of the rule processing code, as both modes use the same code to make decisions based on the preset rules. Second, the WFP callouts are global, i.e. they are triggered for any process on the system whether it is sandboxed or not; in the latter case they don't do anything, and the use of a hash map to identify sandboxed programs that require action should provide optimal performance. That said, users who run a 3rd party firewall which they may prefer may not want too many firewalls being active at once, while still wanting to use some per-sandbox network rules for compatibility and not security reasons.

    Also please note that with this build the old "BlockPort=..." functionality is completely dropped; the default port block rules are now implemented by the new user mode firewall component. If you have custom BlockPort entries in your sandboxie ini they will need to be updated by hand to the new format, for example "BlockPort=137,138,139,445" -> "NetworkAccess=Block;Port=137,138,139,445"

    The rules are applied based on a specific decision priority:

    1. A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs
    2. A rule with a Port or IP trumps a rule without
      2a. A rule with IP and port trumps a rule with IP or port only
      2b. A rule with one IP trumps a rule with an IP range that is otherwise on the same level
    3. Block rules trump allow rules
    4. A rule without a protocol means all protocols; a rule with a protocol trumps a rule without if it's the only difference
    The rule editing UI allows for testing rules: in the row below the rule list one can enter program name, port, IP and protocol to see which rules are in play and which rule will be applied in the end.

    When configuring per-process network access restrictions and WFP is enabled, it is possible to choose between a WFP based approach and the old Sandboxie way of blocking the network device end points. The latter approach is more absolute, but is known for causing some applications to crash.

    If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

    Download: https://github.com/sandboxie-plus/Sandboxie/releases/tag/0.9.3

    Changelog

    [0.9.3 / 5.51.3] - 2021-08-08

    Added
    • ability to use the run unsandboxed option with sandboxie links #614
    Fixed
    • fixed open template does not load the edit tab #1054
    • fixed issue with explore sandboxed #972
    • fixed start directory for sandboxed processes #1071
    • fixed issue with language auto detection #1018
    • fixed issue with multiple files with same name, by always showing the extension #1041
    • fixed multiple program grouping issues with the sandman ui #1054
    • fixed no disk error #966
    • fixed issue with 32bit build using qMake, the /O2 option resulted in a crash in the QSbieDll.dll #995

    [0.9.2 / 5.51.2] - 2021-08-07

    Added
    • added ability to reconfigure the driver, which allows enabling/disabling WFP and other features without a reload/reboot
    Changed
    • reorganized and improved the settings window
    • improved the tray icon a bit, the sand is now more yellow
    Fixed
    • fixed issue with process start handling introduced in 5.51.0 #1063
    • fixed issue with quick recovery introduced in 5.51.0
    • fixed incompatibility with CET Hardware-enforced Stack Protection on Intel 11th gen and AMD Ryzen 5XXX CPUs #1067 #1012
    Removed
    • commented out all Windows XP-specific support code from the driver

    [0.9.1 / 5.51.1] - 2021-07-31

    Added
    • added tray icon indicating broken connection to the driver if it happens
    • added option to customize the tray icon
    • added "DllSkipHook=some.dll" option to disable installation of hooks into selected DLLs
    • added localization support for Plus installer (by yfdyh000 and mpheath) #923
    Changed
    • reworked NtClose handling for better performance and extendibility
    • improved tray box menu and list
    Fixed
    • fixed issue with fake admin and some NSIS installers #1052
    • fixed more issues with FileDispositionInformation behaviour, which resulted in bogus file deletion handling
    • fixed issue with checking WFP status
    • fixed issue with WFP failing to initialize at boot
    • fixed issue with tray sandbox options not being available just after boot
    • fixed issue with access changed flag not being properly set in box options #1065

    [0.9.0 / 5.51.0] - 2021-07-29
    Added

    • added support for Windows Filtering Platform (WFP) to be used instead of the device-based network blocking scheme
      -- to enable this support, add 'NetworkEnableWFP=y' to the global section and reboot or reload the driver
      -- to use WFP for a specific sandbox, add 'AllowNetworkAccess=n'
      -- you can allow certain processes by using 'AllowNetworkAccess=program.exe,y'
      -- you can also enable this policy globally by adding 'AllowNetworkAccess=n' to the global section
      -- in this case you can exempt entire sandboxes by adding 'AllowNetworkAccess=y' to specific boxes
      -- you can block certain processes by using 'AllowNetworkAccess=program.exe,n'
      -- Note: WFP is less absolute than the old approach; using WFP will filter only TCP/UDP communication
      -- restricted boxed processes will still be able to resolve domain names using the system service
      -- however, they will not be able to send or receive data packets directly
      -- the advantage of WFP is that filter rules can be implemented by restricting communication only to specified addresses or selected ports using "NetworkAccess=..."
    • added fully functional rule-based packet filter in user mode for the case when "NetworkEnableWFP=y" is not set
      -- the mechanism replaces the old "BlockPort=..." functionality
      -- Note: this filter applies only to outgoing connections/traffic, for incoming traffic either the WFP mode or a third-party firewall is needed
      -- like the old user mode based mechanism, malicious applications can bypass it by unhooking certain functions
      -- hence it's recommended to use the kernel mode WFP-based mechanism when reliable isolation is required
    • added new trace option "NetFwTrace=*" to trace the actions of the firewall components
      -- please note that the driver only traces to the kernel debug output, use DbgView.exe to log
    • API_QUERY_PROCESS_INFO can now be used to get the impersonation token of a sandboxed thread
      -- Note: this capability is used by TaskExplorer to allow inspecting sandbox-internal tokens
      -- Note: a process must have administrative privileges to be able to use this API
    • added a UI option to switch "MsiInstallerExemptions=y" on and off
      -- just in case a future Windows build breaks something in the systemless mode
    • added sample code for ObRegisterCallbacks to the driver
    • added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" that allow disabling file and registry filtering
      -- Note: these options are for testing only and disable core parts of the sandbox isolation
    • added a few command line options to SandMan.exe
    Changed
    • greatly improved the performance of the trace log, but it's no longer possible to log to both SandMan and SbieCtrl at the same time
    • reworked process creation code to use PsSetCreateProcessNotifyRoutineEx and improved process termination
    Fixed
    • added missing hook for ConnectEx function
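    The decision priority described in the post, modelled as an added Python example (not Sandboxie's own code): it parses NetworkAccess= entries in the format the post shows, then picks the winning rule for a given program, IP, port and protocol. The "program.exe," prefix (modelled on AllowNetworkAccess=program.exe,y), the "!program.exe" spelling for "all programs except", and CIDR notation for IP ranges are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                    # "Allow" or "Block"
    program: Optional[str] = None  # None = rule for all programs
    exclude: bool = False          # True = all programs except `program` (assumed "!" prefix syntax)
    ips: Optional[list] = None     # list of ip_network; None = any IP
    ports: Optional[set] = None    # set of ints; None = any port
    proto: Optional[str] = None    # "TCP"/"UDP"; None = all protocols

def parse_rule(line: str) -> Rule:  # NetworkAccess=[[!]prog.exe,]Allow|Block[;Port=..][;IP=..][;Protocol=..]
    head, *opts = line.split("=", 1)[1].split(";")
    program, exclude = None, False
    if "," in head:                # per-program form, modelled on AllowNetworkAccess=program.exe,y
        program, head = head.split(",", 1)
        if program.startswith("!"):  # assumed spelling of "all programs except this one"
            program, exclude = program[1:], True
    rule = Rule(action=head.strip().capitalize(), program=program, exclude=exclude)
    for opt in opts:
        k, v = (s.strip() for s in opt.split("=", 1))
        if k.lower() == "port":
            rule.ports = {int(p) for p in v.split(",")}
        elif k.lower() == "ip":    # single host or CIDR range
            rule.ips = [ipaddress.ip_network(a.strip(), strict=False) for a in v.split(",")]
        elif k.lower() == "protocol":
            rule.proto = v.upper()
    return rule

def matches(rule: Rule, program: str, ip: str, port: int, proto: str) -> bool:
    prog_ok = rule.program is None or (rule.program.lower() == program.lower()) != rule.exclude
    ip_ok = rule.ips is None or any(ipaddress.ip_address(ip) in n for n in rule.ips)
    port_ok = rule.ports is None or port in rule.ports
    proto_ok = rule.proto is None or rule.proto == proto.upper()
    return prog_ok and ip_ok and port_ok and proto_ok

def priority(rule: Rule) -> tuple:  # higher tuple wins; one element per step of the posted decision order
    program_level = 0 if rule.program is None else (1 if rule.exclude else 2)              # step 1
    specificity = (rule.ips is not None) + (rule.ports is not None)                       # steps 2, 2a
    single_ip = int(rule.ips is not None and all(n.num_addresses == 1 for n in rule.ips))  # step 2b
    return (program_level, specificity, single_ip, rule.action == "Block", rule.proto is not None)  # 3, 4

def decide(rule_lines, program, ip, port, proto):
    hits = [r for r in map(parse_rule, rule_lines) if matches(r, program, ip, port, proto)]
    best = max(hits, key=priority, default=None)  # None when no rule applies
    return (best.action if best else None), best

SAMPLE_RULES = [  # first entry is the migrated BlockPort example from the post; the rest are constructed
    "NetworkAccess=Block;Port=137,138,139,445", "NetworkAccess=Allow;IP=192.168.1.0/24",
    "NetworkAccess=Allow;IP=192.168.1.10;Port=445", "NetworkAccess=firefox.exe,Block;Protocol=UDP",
    "NetworkAccess=!firefox.exe,Allow",
]
```

    With these sample rules, explorer.exe reaching 10.0.0.5:445 is allowed by the "all except firefox.exe" rule (step 1), while firefox.exe on the same destination is blocked by the port rule; on 192.168.1.10:445 the IP-plus-port allow beats the port-only block (step 2a), and on 192.168.1.20:445 the block beats the range allow (step 3).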
     
  2. superkryo

    superkryo Registered Member

    Joined:
    Jun 9, 2021
    Posts:
    58
    Location:
    Anywhere
    Many thanks for fixing the grouping issue, the new UI is getting better and better
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    0.9.3 over 0.9.2
     
    Last edited: Aug 8, 2021
  4. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,331
    Location:
    Vienna
    then reboot
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Yes. Thanks
     
    Last edited: Aug 8, 2021
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Um, is Release v0.9.3 / 5.51.3 deemed a Test build?
    Email notifications from Wilders and GitHub

     
    Last edited: Aug 8, 2021
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Isn’t everything before version 1.0.0 a test build?
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    not as I recall
    started with .. https://github.com/sandboxie-plus/Sandboxie/releases/tag/0.9.0a .. as I recall
     
    Last edited: Aug 8, 2021
  9. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,331
    Location:
    Vienna
    No, 0.9.3 is the final from the 0.9.x line. I copied the text and forgot to remove that info initially
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Okay. Thanks
     
  11. algol1

    algol1 Registered Member

    Joined:
    Aug 10, 2020
    Posts:
    342
    Location:
    Vienna, Austria
    Seems like the most stable build of the recent era so far. Even the sporadic, non-fatal "SBIE2101" errors caused within the Opera browser with "CET/Stack Protection" activated seem to be gone for good! Excellent work, @DavidXanatos!
     
  12. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk
    Sandboxing Mozilla Thunderbird 78.13 fails with

    WerFault.exe (10036): SBIE2101 Object name not found: Unnamed object, error OpenProcess (C0000022) access=001FFFFF initialized=1

    I've Googled the error with no solution, so any help would be appreciated.
     
  13. algol1

    algol1 Registered Member

    Joined:
    Aug 10, 2020
    Posts:
    342
    Location:
    Vienna, Austria
    Looking an awful lot like the error-messages I had to endure for months now on my "11th-gen-Intel"-machine, caused - as we now know - by one or more flawed code-statements stemming from primordial Sbie-code.

    Are you on one of these machines with "CET/Stack Protection" as I am?

    The strange thing though is that these flaws seem to having been straightened out completely by @DavidXanatos with his latest release of Sbie-v0.9.3.

    Hence I am not seeing those errors here anymore. I am not a regular user of "Thunderbird" and don't run it sandboxed when occasionally connecting to my provider via Thunderbird for archiving purposes.

    But following your observation I tried right away. I started "Thunderbird"-v78.13.0 (64-bit) both with and without admin-rights on my "11th-gen-Intel"-machine in my default-sandbox. Result: in both cases it opened normally and performed without any errors.

    Therefore I am not able to confirm this issue. Maybe that hints at some individual configuration problem. If the sandbox you've used here applies any special settings, I would create a new one with standard settings and try running "Thunderbird" in there. Other than that I'm sorry to say that I'm running out of ideas too.
     
  14. sevenstar

    sevenstar Registered Member

    Joined:
    Oct 19, 2010
    Posts:
    54
    My Thunderbird does not sandbox if it is a forced program. The Sandboxie-Plus message says it is unable to start Thunderbird. If I use the run Default email Client menu in Sandboxie-Plus, it works correctly. If I have my forced Firefox open, the forced Thunderbird opens correctly. :)
     
  15. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk
    I use an old i5 8500 in my desktop pc.
    I'm using 0.9.3 too.
    I generally don't run TB sandboxed, but it has worked in the past with no problems. I wanted to try a new extension without exposing the main setup.
    I created a new sandbox based on the default settings, and it was the same.
     
  16. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk
    Unfortunately, these don't work for me.
     
  17. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk
    Weirdly, TB runs sandboxed on my laptop - same TB, SB and Windows versions on both, and same sandbox setups. AND an 11th gen i-7. I'll copy sandboxie.ini from my laptop to my desktop when I have time.

    [Update]
    I copied across my laptop's sandboxie.ini file, and got same problem. So I deleted the ini and let SB create a new one, and still the same problem.

    Same AV program on my desktop and laptop, and disabling makes no difference.

    I am at a total loss of where to go next.

    Oops, Win 10x64 v21H1 (build 19043.1165)

    Now tried TB 78 & 91 - no change
     
    Last edited: Aug 13, 2021
  18. ParaNodes

    ParaNodes Registered Member

    Joined:
    Jul 15, 2003
    Posts:
    70
    On W8.1 x64, werfault errors with Firefox 91, crashes most starts, Thunderbird runs fine SBIE 0.9.3.
    On W7pro x64, SBIE classic 5.51.3 runs fine.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Feature request for sbie +

    Add "Disable Sandbox" on right-click context menu, otherwise I need to go to the ini file and disable from there.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Is this prompt supposed to write a line into the ini file?
    I ask because whichever of the settings you see highlighted there I click on, there's no line added.

     
  21. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,331
    Location:
    Vienna
    No, this one is only for running processes and has no persistent state; the remember is rather for remember deny, to prevent pop ups for the same process. Remember allow is pointless, as once it's allowed it won't be asked again until the process terminates.
     
  22. Survivor

    Survivor Registered Member

    Joined:
    Jul 11, 2020
    Posts:
    144
    Location:
    Land of Oz
    That was what I always hoped, but also learned it is the process only. Maybe with the new FW change it would be an option to say: make it permanent for the internal FW, or make it permanent even for WFP and IP only; make a choice dialog, optional. It would delay the start of the program; however, for a fast allow, no issue, and if you want it more detailed, you might not mind, as it fixes it for the future. Just some brainstorming ...
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, I'm not sure in which thread to post this, but is it true that Sandboxie might cause website loading errors? I can't load certain websites, like the one from Hitachi for example; I get the "website not private" warning, see link. But I noticed that I don't get this when I run Vivaldi unsandboxed. I'm using Sandboxie 5.49.8, the classic version of course. BTW, the website from Hitachi is horrible, it loads quite slowly.

    https://www.pandasecurity.com/en/mediacenter/panda-security/your-connection-is-not-private/
    https://tv.hitachi.eu/bx/nl/product/77/32HE4100
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    https://tv.hitachi.eu/bx/nl/product/77/32HE4100 ... loads similarly inside and outside my Edge sbox, 0.9.3 / 5.51.3
     
    Last edited: Aug 18, 2021
  25. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,096
    Location:
    UK
    My Classic version on a machine, 5.51.2, didn't offer the updater screen unless I was doing a download with Sbie (quick recovery).
    The window was behind the active window. The web browser was already open.
     