Sandboxie-Plus 1.0.17

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Apr 2, 2022.

  1. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
Exited UI and installed 1.0.17 over the top. Sandman did not crash after enabling trace logging and then opening Firefox, over two times. I will try this after a cold start, but it seems fixed just fine.

    Awesome, thanks a lot DavidXanatos.
     
  2. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    I will add an option to disable the open process warning in the next build; also, it will be on by default.
    I don't expect this security measure to really break anything, but just in case please test the 1.0.17 build thoroughly, such that if there is something else that needs to be allowed read access we can find it and add it to the default exclusion list before the message is hidden by default.
     
  3. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Would it be OK if I do not allow software_reporter_tool.exe to start in the sandbox (start restrictions)?
    It won't break anything, I hope? I will give this a shot in 1.0.17 (have not tried .16 or .17 yet).
     
  4. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    Yes, that's perfectly fine. software_reporter_tool.exe is a Google spy and its only purpose is to spy on Chrome users.
     
  5. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Thank you. I am also hoping that WFP will soon be enabled by DEFAULT in Sandboxie
    (and block such spying and telemetry processes from network access directly from
    within Sandboxie). The landscape is littered with firewalls from A to Z and everyone
    has his/her own favorite, but I, for one, would prefer Sandboxie to become a self-contained
    security AND PRIVACY software. You may never convince personA to ditch firewallA
    or personZ who cannot live without firewallZ. So, let them turn this option off.
    In any case, I do believe Sandboxie development is headed in the right direction. My 2c.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    In addition, it would be a good idea to block it in the firewall; see, when one runs Chrome unsandboxed in order to update it, software_reporter_tool.exe is triggered as well. Been doing this for ages.
     
  7. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    What is it? What does it mean? Is it a problem, a bug? Fresh installation. Firefox 98.0.2 (64-bit), Windows 11 Pro v.21H2 build 22000.593

    2022-04-03_052552.jpg
     
  8. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    It's the new memory read protection feature. I wonder why Firefox wants to open explorer.exe with the PROCESS_DUP_HANDLE permission, hmm...
    The strange thing is on my system it did not try that, so it may be some extension or something.
     
  9. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,110
    Location:
    UK
    No error messages or problems so far using Plus build 17, installed over the top of 16.
     
  10. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    +1.
     
  11. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    I'm getting a message with Sandboxie-17 on Brave and Firefox on both computers.

    Sandboxie-17.png
     
  12. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    Due to the new isolation function, such errors are expected.
     
  13. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Trying the new Sbie-Plus version on Windows 7 Home, SP1 (64-bit).
    The switch to v1.0.17 (portable) from v1.0.15 was uneventful.

    Played with the following browsers (all 32-bit, and portable):
    mypal (29.3.0), falkon (3.1.0), otter-browser (1.0.03), slimjet (33.0.0),
    Vivaldi (5.0.2497.28), chromium ungoogled (95.0.4638.54)

    For mypal, chromium and slimjet, the UI shows "SBIE2111 Process is not accessible:"
    messages, and the process not accessible is always $:explorer.exe (as expected).
    No such UI messages for falkon, otter-browser and vivaldi.

    For slimjet there are two identical messages (duplicate handles)??
    Slimjet extensions are decentraleyes and ublock origin.

    Code:
    22:06:46.969   mypal.exe (5084): SBIE2111 Process is not accessible: $:explorer.exe, call OpenProcess (C0000022) access=00000040 initialized=1    
    22:18:00.102   chrome.exe (4136): SBIE2111 Process is not accessible: $:explorer.exe, call OpenProcess (C0000022) access=00000040 initialized=1
    08:14:44.185   slimjet.exe (2368): SBIE2111 Process is not accessible: $:explorer.exe, call OpenProcess (C0000022) access=00000040 initialized=1  
    08:14:44.188   slimjet.exe (2368): SBIE2111 Process is not accessible: $:explorer.exe, call OpenProcess (C0000022) access=00000040 initialized=1   
     
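    As an added example (not code from this thread or from the Sandboxie project), a small Python parser for the SBIE2111 trace lines quoted above: it decodes the access= field into the Win32 PROCESS_* rights it names and counts blocked opens per process, so the explorer.exe/PROCESS_DUP_HANDLE noise from browsers can be told apart from an attempt to read another process's memory. The sample log is constructed; the unknown.exe/KeePass line is made up for illustration and does not come from the thread.

```python
import re
from collections import Counter

# Process access rights from winnt.h; the access= field of an SBIE2111 line is the
# mask passed to OpenProcess, so 0x40 is PROCESS_DUP_HANDLE as noted in the thread.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x00100000: "SYNCHRONIZE",
}
# Direct memory read/write rights; PROCESS_DUP_HANDLE (what the browsers above ask for) is not flagged.
MEMORY_RIGHTS = 0x0008 | 0x0010 | 0x0020

SBIE2111_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proc>\S+) \((?P<pid>\d+)\): SBIE2111 Process is not accessible: "
    r"(?P<target>[^,]+), call (?P<call>\w+) \((?P<status>[0-9A-Fa-f]+)\) "
    r"access=(?P<access>[0-9A-Fa-f]+) initialized=(?P<init>\d)"
)

# Constructed sample: three lines modelled on the thread's quotes plus one made-up
# line showing a sandboxed process asking for read access to another process's memory.
SAMPLE_LOG = """\
22:06:46.969   mypal.exe (5084): SBIE2111 Process is not accessible: $:explorer.exe, call OpenProcess (C0000022) access=00000040 initialized=1
08:14:44.185   slimjet.exe (2368): SBIE2111 Process is not accessible: $:explorer.exe, call OpenProcess (C0000022) access=00000040 initialized=1
08:14:44.188   slimjet.exe (2368): SBIE2111 Process is not accessible: $:explorer.exe, call OpenProcess (C0000022) access=00000040 initialized=1
08:15:01.000   unknown.exe (777): SBIE2111 Process is not accessible: $:KeePass.exe, call OpenProcess (C0000022) access=00000410 initialized=1
"""

def parse_sbie2111(line):
    """Return the fields of one SBIE2111 line as a dict, or None for other lines."""
    m = SBIE2111_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["access"] = int(rec["access"], 16)
    rec["status"] = int(rec["status"], 16)   # C0000022 is STATUS_ACCESS_DENIED
    return rec

def decode_access(mask):
    """Name the PROCESS_* rights set in an OpenProcess access mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def summarize(log_text):
    """Count blocked opens per (process, pid, target) and list memory-access attempts."""
    counts, memory_attempts = Counter(), []
    for rec in filter(None, map(parse_sbie2111, log_text.splitlines())):
        counts[(rec["proc"], rec["pid"], rec["target"])] += 1
        if rec["access"] & MEMORY_RIGHTS:
            memory_attempts.append((rec["proc"], rec["target"], decode_access(rec["access"])))
    return counts, memory_attempts
```

    Running `summarize(SAMPLE_LOG)` reports the two identical slimjet lines as a count of 2 for one (process, pid, target) key and flags only the constructed KeePass line, whose mask 0x410 decodes to PROCESS_VM_READ plus PROCESS_QUERY_INFORMATION.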
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    There must be a reason why Sandboxie never blocked sandboxed processes from reading process memory. I wonder if this will not break a lot of stuff, but I haven't read the whole topic.
     
  15. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    Well, that's what we are trying to find out with the current pre-release build.
    Currently the only reports were the log lines, as expected, but no actual loss of functionality.

    My guess would be that the reason is the same as why Sandboxie allows any sandboxed process to read all your files on your hard drive, that being they did not care; the goal they set out was to prevent infection, not to protect user data.

    But well, I have higher goals than that. Sandboxie should keep the user safe not only from infection/damage but also from data leaks. Imagine some malware running sandboxed reading your KeePass's memory or your crypto wallet when it's loaded: catastrophe!

    Think about the fixes in 0.7.0 / 5.48.0: earlier builds allowed any sandboxed process, although with admin rights, to read the raw volumes, meaning they could bypass any ClosedFilePath for reading.

    It's quite apparent that the design goal was to confine writes to the sandbox but not to protect from reads. I mean, it's not a total SNAFU: if you have a firewall and run some malware that is not smart enough to exploit a web browser to bypass the firewall, it can read your data but not send them to its masters. But then exploiting IE to send some data and expecting it to already be open in the firewall is quite trivial.

    Sandboxie was for a very long time developed for a very narrow usage scenario (1 sandbox, infection prevention only, no games, etc...). For example, the inter-box isolation is quasi non-existent, as once the user-mode hooks are off, any boxed process (with the Anonymous SID) can read any other process's memory that runs under the same SID, i.e. any boxed program no matter in which box it's located. With EnableObjectFiltering=y this is no longer the case: using the ObCallback mechanism, any process access is filtered by the kernel, and the custom Sbie syscall filters on process and thread handles are no longer needed. In build 1.2.x I'll introduce a new SID scheme Diversenok pointed me to; with that, every sandbox will get its own virtual user, meaning that we can use native Windows mechanisms to isolate boxed resources from each other.
     
    Last edited: Apr 3, 2022
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
  17. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    So, enabled by default is _______?
     
  19. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk
    And can be ignored (as I am doing)?
     
  20. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    Yes, if everything else seems to be working, sure. Also, in the next build they will be hidden by default, and to see them you will need to enable the appropriate message.
     
  21. Glitzersternchen

    Glitzersternchen Registered Member

    Joined:
    Sep 5, 2021
    Posts:
    46
    Location:
    Germany
    Hello,
    I have now also updated SB to 1.17, and got the known messages for Firefox portable 99.0 and Thunderbird portable 91.8:
    thunderbird.exe (2924): SBIE2111 Process is not accessible: $:explorer.exe, call OpenProcess (C0000022) access=00000040 initialized=1
    firefox.exe (13072): SBIE2111 Process is not accessible: $:explorer.exe, call OpenProcess (C0000022) access=00000040 initialized=1

    I have another security question: I use the standard Windows Firewall on my computer (Windows 11). Can I increase security by activating the two Sandboxie menu items "Use Windows Filtering Platform" and "Enable kernel mode object filtering"?
    Best regards, Sabine
     
  22. Glitzersternchen

    Glitzersternchen Registered Member

    Joined:
    Sep 5, 2021
    Posts:
    46
    Location:
    Germany
    Hello,
    does nobody know if the security (isolation) is increased on a Windows 11 computer with Defender if the two items "Use Windows Filtering Platform" and "Enable Kernel Mode Object Filtering" are selected? Is it perhaps better not to select "Use Windows Filtering Platform", so that the Windows Firewall can work, or do I understand this wrong?
    Sabine
     
  23. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,110
    Location:
    UK
    Since Vivaldi updated Chrome I have had a delay in the browser opening sandboxed with Plus build 17, a black screen for a few seconds.
    Just now I had a black screen and nothing else. Not too sure how to capture this, so I tried what I could.
    On the next attempt it opened OK but still with the slight delay.

    Vivaldi 5.2.2623.26 (Stable channel) (64-bit)
    Revision 05ca9fba7368fb7b33298ba4b20c52c0e19347d1
    OS Windows 10 Version 21H2 (Build 19044.1620)
    JavaScript V8 10.0.139.9
    User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.81 Safari/537.36
    Screenshot 2022-04-11 104511.jpg
     

  24. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    71
    Location:
    United Kingdom
    The first post in this thread states:
    So yes, enable it if it's not already.

    "Use Windows Filtering Platform" is also, I believe, recommended, unless you run a 3rd-party firewall and don't want multiple running.
    Here's a bit more information about it from the 0.93 release.
     
  25. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    For best security enable both. "Use Windows Filtering Platform" does not compete with Windows Firewall; it only adds its own filtering on top of Windows Firewall using the same mechanism Windows Firewall uses, so it's quite lightweight and coexists superbly with Windows Firewall.

    "Enable Kernel Mode Object Filtering" is not related to Windows Defender, and it improves the security a lot, as it prevents various exotic handle-based exploits or potential lapses in sandbox isolation from being used for privilege escalation.

    In the past a couple of Sbie security issues were caused by improper process handle filtering; had the old Sandboxie used Windows's Object Filtering mechanism, these issues would not have happened.

    In fact, I'm looking forward to at some point making Kernel Mode Object Filtering the one and only handle isolation mechanism, at least on non-XP/Vista systems.
     