Sandboxie-Plus 1.0.18

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Apr 13, 2022.

  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    This build fixes a couple of issues, but also introduces a major change in how Sandboxie controls access to process memory.

    Before this build, Sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user; this is obviously a bad idea if your goal is not only infection prevention but also data protection. Hence, from 1.0.16 onwards Sandboxie will not allow PROCESS_VM_READ on unsandboxed processes or processes belonging to other boxes.
    To facilitate compatibility, this build introduces an IPC option: with ReadIpcPath=$:program.exe any unboxed process can be configured to allow PROCESS_VM_READ. It is also possible to restore the old behavior entirely by specifying ReadIpcPath=$:*
    By default the only process whose memory can be read is explorer.exe; many processes want that, and explorer should not normally keep any secrets anyway. To block this you can use ClosedIpcPath=$:explorer.exe

    To facilitate optimal process isolation, the EnableObjectFiltering option is now on by default, although this only applies to new installations; hence it's recommended for existing installations to go to settings->advanced and enable it explicitly.

    Other changes in this build include a simple resource access monitor mode and a change in how process paths are resolved for sandboxed processes; this should fix a couple of issues.


    Download: https://github.com/sandboxie-plus/Sandboxie/releases/tag/1.0.18


    ChangeLog
    [1.0.18 / 5.55.18] - 2022-04-13
    Added
    • added minor browsers to BlockSoftwareUpdaters template (by APMichael) #1784
    Changed
    • Failed memory read attempts to unboxed processes will no longer cause message 2111 by default
      -- Note: the message can be enabled in the settings if desired with "NotifyProcessAccessDenied=y"
    • reordered BlockSoftwareUpdaters template (by APMichael) #1785
    Fixed
    • fixed pipe impersonation in compartment mode
    • fixed issue with box clean-up introduced in a recent build
    • fixed missing trace log cleanup command #1773
    • fixed unpin did not work #1694
    [1.0.17 / 5.55.17] - 2022-04-02
    Added
    • added checkbox for easy read access to memory of unsandboxed processes (old Sbie behaviour, not recommended)
    Changed
    • improved OpenProcess/OpenThread logging
    Fixed
    • fixed crash issue with the new monitor mode
    • fixed issue with resource access entry parsing
    [1.0.16 / 5.55.16] - 2022-04-01
    Added
    • FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, exceptions are possible
      -- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
    • Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe
    Changed
    • EnableObjectFiltering is now set enabled by default, and replaces Sbie's old process/thread handle filter
    • the $: syntax now accepts a wildcard $:* no more specialized wildcards though
    Fixed
    • fixed NtGetNextProcess being fully disabled instead of properly filtered
    • fixed reworked image name resolution when creating new processes in a sandbox
    • fixed regression with HideOtherBoxes=y #1743 #1666
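An added example, not part of the original post and not Sandboxie's own code: a small audit of a Sandboxie.ini for the three settings described above (ReadIpcPath, ClosedIpcPath, EnableObjectFiltering). The file layout (one section per box plus GlobalSettings, repeatable Key=Value lines) and the placement of EnableObjectFiltering under GlobalSettings are assumptions, and the sample configuration is constructed.

```python
import re

# Constructed sample (not from the thread). Layout assumed: one [Section] per
# box plus [GlobalSettings], Key=Value lines, keys may repeat.
SAMPLE_INI = """\
[GlobalSettings]
EnableObjectFiltering=n
[DefaultBox]
ReadIpcPath=$:*
[BrowserBox]
ReadIpcPath=$:program.exe
ClosedIpcPath=$:explorer.exe
[OldBox]
Enabled=y
"""

def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip().lower()))
    return sections

def targets(entries, key):
    """Process names selected by '$:' values of `key` (lower-cased)."""
    return {v.split("$:", 1)[1] for k, v in entries if k == key and "$:" in v}

def audit(text):
    """Return (section, finding) pairs for the settings the post describes."""
    sections, out = parse_ini(text), []
    if ("enableobjectfiltering", "y") not in sections.get("GlobalSettings", []):
        out.append(("GlobalSettings", "EnableObjectFiltering not explicitly enabled"))
    for box, entries in sections.items():
        if box == "GlobalSettings" or box.startswith(("UserSettings_", "Template")):
            continue
        readable = targets(entries, "readipcpath")
        if "*" in readable:
            out.append((box, "ReadIpcPath=$:* restores the old read-everything behaviour"))
        for proc in sorted(readable - {"*"}):
            out.append((box, f"memory of {proc} is readable from this box"))
        if "explorer.exe" not in targets(entries, "closedipcpath"):
            out.append((box, "explorer.exe memory readable (default exception)"))
    return out

if __name__ == "__main__":
    for box, finding in audit(SAMPLE_INI):
        print(f"[{box}] {finding}")
```
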
     
  2. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Having some issues/questions.

    1. When using Chrome, I get these messages from SBIE+:
    |Time| |Message|

    21:10:23.887 chrome.exe (9056): SBIE2203 Failed to communicate with Sandboxie Service: connect C0000022
    21:10:23.897 chrome.exe (9056): SBIE2203 Failed to communicate with Sandboxie Service: *GUIPROXY_00000001; MsgId: 14 - chrome.exe [C0000080]
    21:10:23.907 chrome.exe (9056): SBIE2203 Failed to communicate with Sandboxie Service: *GUIPROXY_00000001; MsgId: 14 - chrome.exe [C0000080]
    21:10:23.914 chrome.exe (9056): SBIE2203 Failed to communicate with Sandboxie Service: *GUIPROXY_00000001; MsgId: 14 - chrome.exe [C0000080]
    21:10:23.923 chrome.exe (9056): SBIE2203 Failed to communicate with Sandboxie Service: *GUIPROXY_00000001; MsgId: 14 - chrome.exe [C0000080]
    21:10:23.928 chrome.exe (9056): SBIE2203 Failed to communicate with Sandboxie Service: *GUIPROXY_00000001; MsgId: 14 - chrome.exe [C0000080]

    2. I have configured Chrome as forced to run in DefaultBox. While Chrome is running in the sandbox, unsandboxed apps cannot launch/open links in the existing sandboxed Chrome instance. I can see a new chrome.exe process in the sandbox but no new tab opens.
     
  3. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    560
    Thank you @DavidXanatos , so far so good for me, using v1.0.18
     
    Last edited: Apr 13, 2022
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    +1.
     
  5. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    402
    Location:
    uk
    Another update :thumb::thumb::thumb:

    With all the changes eg EnableObjectFiltering, while I have tried to keep up to date my sandboxes are essentially many years old and I wonder if their settings are still appropriate. I only use two.

    Would it be a good idea to delete & reinstall SB+ completely including all settings, then recreate my sandboxes? And if I copy the old ones in by manual editing, would that likely compromise any of the new protections?
     
    Last edited: Apr 14, 2022
  6. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    596
    Location:
    Austria
    First of all: Thanks, David, for v1.0.18. :thumb:

    Moreover I would like to second henryg1's above questions. My idea is: to replace my old settings (for using Firefox as sandboxed browser) - many years old too - simply by Sandboxie's current default settings.
     
  7. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Seems even when the other app is running in the same sandbox as Chrome links don't open either.
     
  8. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    596
    Location:
    Austria
    Maybe I don't understand correctly the situation but isn't this the desired behaviour (from the aspect of security)?
    E.g. when the unsandboxed app is your preferred pdf-viewer and the link leads to a pdf-file: Isn't it logical that as long as you do not allow the pdf-viewer to start within the sandbox, the link won't open?

    Only this behaviour looks strange for me too:
     
  9. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Sorry, I don't understand. I never said I didn't allow Chrome to start sandboxed. I'll try to clarify.

    Unsandboxed app tries to open a link when Chrome isn't already running in sandbox => link opens in sandboxed Chrome since I force set Chrome to start sandboxed (no problems here)

    It's problematic when you have a sandboxed Chrome already running. 3rd party (un)sandboxed apps should have no issues sending inter process messages to Chrome to launch a website/open a link while it is already sandboxed, Chrome should just create a new tab with the link open.
    Inter process messages with sandboxed Chrome instance should be allowed in either case, either because the unsandboxed app runs on the host machine outside the sandbox and has higher privileges than sandboxed Chrome or because the sandboxed 3rd party app is executed in the same sandbox as Chrome and should also have free communication with it.
     
  10. against

    against Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    12
    Thanks David. Tested with Brave and Edge - no issues thus far.
     
  11. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I see what you're saying and am curious as to how the developer will respond.

    Installed 1.0.18 over the top. So far, so good. Only little thing: sometimes SandMan opens after first boot along with Firefox to the desktop. Doesn't happen consistently and I can't narrow it down so I'll keep putting up with it. Unless, of course, someone has an idea or a similar experience.
     
  12. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Just to add a bit more info, opening a PDF (Chrome is set as the default app for that) from an unsandboxed windows explorer opens the PDF in already running sandboxed Chrome in a new tab.
    Opening a PDF from an unsandboxed 3rd party app however doesn't open the PDF.

    So it seems windows explorer has a different treatment in this case.
     
  13. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    560
    Yes, I hope that is what the first post in this thread implies for v1.0.18.
     
  14. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    The first post said that sandboxed processes cannot do PROCESS_VM_READ on unsandboxed processes, not the other way around. (if PROCESS_VM_READ is at all related to my issue)
     
  15. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    560
    I see your point. Were previous versions of sbie immune (assuming you used any)?
     
  16. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    I haven't used the previous versions, I'll wait for David to comment before trying anything further for troubleshooting.
     
  17. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    I have tried this scenario, i.e. install Chrome on a clean VM with sbie+ 1.0.18, set chrome.exe to be forced, opened it, created a link on the desktop pointing to a website; double-clicking it opens a new tab in the already running sandboxed Chrome.

    Also, GUIPROXY_ issues indicate another sort of problem. MsgId 14 is GUI_FIND_WINDOW, which is strange why that would fail; possibly some 3rd party security product is interfering.
     
  18. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Yes, I already mentioned in a later post explorer.exe doesn't have this problem, it can launch PDFs and links in sandboxed Chrome without issue. The problem is with 3rd party programs.
    Download XnView for example, open chrome sandboxed, open XnView either unsandboxed or sandboxed (in the same box Chrome is running), in XnView click on the Info option in the upper menu and click Visit XnViews website.

    I only have avast free installed
     
  19. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
  20. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
  21. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    ok. thx. anyway that's valid for that pc if win10 was applied. trust me ;)
     
  22. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    208
    Location:
    Tampa, FL
    Did a fresh clean install including re-entering my settings and I noticed I now have a thin white line to the far left of Firefox and Thunderbird when sandboxed. I also have Microsoft Edge sandboxed but it doesn't have the thin white line to the far left.

    Windows 10 21H2 (64-bit)
    Sandboxie Classic 5.15.18 (64-bit)
    Firefox 99.0.1 (64-bit)
    Thunderbird 91.8.0 (64-bit)
    Screen Resolution: 2560 x 1440

    Line1.jpg

    Line2.jpg
     
    Last edited: Apr 15, 2022
  23. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    Firefox always has a margin on the far left, black with default themes (Windows and Firefox). MS Edge also has a black margin here. But I do not use a dark theme.
     
  24. DjKilla

    DjKilla Registered Member

    Joined:
    Oct 4, 2021
    Posts:
    208
    Location:
    Tampa, FL
    I've always used a dark theme for both Windows and Firefox. Unsandboxed, I don't have the white line to the far left. Previous versions of Sandboxie Classic didn't have this issue. I never copy over my Sandboxie settings when doing a clean install, never upgrade on top of a Sandboxie installation, my settings are always the same, my Firefox extensions are always the same and nothing has changed. So it's an issue with the latest version. I'm sure it's an easy fix and not a critical high priority issue but it's an issue that's annoying so I'm reporting it. By the way, thanks again to Dave for all his hard work and dedication. I have endless appreciation for everything he does in making Sandboxie a great app!
     
  25. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I have this skinny white line, also, on the left side. Firefox has to be in full-screen mode for this to appear, which is something I do very rarely anyway. Like you, it's not there otherwise, in dark mode. It's not there unboxed.

    Turning off all my extensions like what was suggested in a Mozilla post made no difference whatsoever.
     