There is more to say about the ProtectHostImages feature than I wrote in the GUI initially (and failed to update it later), while it started out as a mechanism to block sand boxed dll's it spiraled a bit out of control and now also prevents box located sandboxed processes from writing to memory of host located sandboxed processes, which as its inevitable consequence also prevents box located sandboxed processes from starting host located processes at all. For the process start issue we could implement a proxy mechanism, somewhat like breakout processes. So in a way we now have in each sandbox two zones one containing processes executing only code loaded from outside the sandbox and one containing processes executing also code loaded from inside the sandbox. That said this is still not a 100% separation, a infected file / network payload leveraging some unpatched code execution vulnerability inside a host located sandboxed process can still get its code to execute as the victim process. At this point the responsibility falls to that programs author to enable DEP and CET support to prevent this. That said writing suitable payloads is hard and usually malware strategy is to try to load some dropped file rather sooner then later and this will be mitigated by this new mechanism. The motivation behind this feature was to make an old annoying sandboxie behavior actually a true security improvement. As you may know sandboxie has two settings to open file access OpenFilePath and the more cryptically named OpenPipePath booth do pretty much the same just that the former applies only to programs located outside the sandbox, while the later applies to all. But wait there is more ClosedFilePath while the documentation says it applies to box located as well as host located programs, it fails to mention that ClosedFilePath directives defined through negation (that is for example "close access for all programs except my_trusted.exe" defined like this 'ClosedFilePath=!my_trusted.exe,C:\users\me\documents\my_super_secret_path') will still block my_trusted.exe if it is located within the sandbox and not on the host. And of cause there is an similar mechanism for the registry. As it was, there are a couple issues, first of all you can't use close directives defined through negation when you wan to install something to a box and exempt it. So you can not use "Start Restrictions" options in a white list mode to allow execution of a program installed to a box. And secondly most templates as defined use OpenFilePath, hence are ineffective when an application is installed into a sandbox. But more important, without ProtectHostImages=y, using trivial code injection techniques those limitations could be bypassed if trusted.exe is allowed to do something untrusted.exe running in the same box can start trusted.exe and force it to load some untrusted.dll and whatever that dll does it does with the permissions of the hijacked process. So while these behaviors are annoying when wanting to install something to a box, they were also ineffective, hence they can be disabled on the "Access Policies" tab on the "Resource Access" page, and in compartment type boxes they are boot disabled as to provide best compatibility with app compartmentalization usage scenarios. ProtectHostImages=y finally putts up a proper security boundary around this behaviors making them actually truly beneficial.
@DavidXanatos , 1.91 runs great with Firefox, Edge, and Thunderbird. Thanks very much. I have now tested Protectthostimages = y in these boxes, and : Give a message 1305, .. not attached! Edge works without any reports, Firefox and Thunderbird but there are reports, example: 13: 20: 07.006 Firefox Portable.exe (1254: Sbie1305 blocks that sand -boxed image was loaded - \ User \ Current \ Appdata \ Local \ Temp \ nsv14ab.tMP \ System.dll 13: 20: 07.051 Firefox Portable.exe (1254: Sbie1305 blocked that sand -boxed image was loaded - \ User \ Current \ Appdata \ Local \ Temp \ NSV14AB.TMP \ Registry.dll 13: 20: 07.079 Firefox Portable.exe (1254: Sbie1305 blocked that sand -boxed image was loaded - \ User \ Current \ Appdata \ Local \ Temp \ nsv14ab.tMP \ Newadvsplash.dll.dll I also tried "HideMessage =1305" in the box, the messages are still displayed. How can I deactivate the messages?
If sbie is used for sandboxing only programs installed on the host (for all boxes): Q1. Can ProtectHostImages=y be placed in global settings? Q2. Do box start-run restrictions become more "effective" with ProtectHostImages=y?
@Glitzersternchen apaprently firefox portable ir rather the portable launcher unpacks soem dll's and then tryes to inject them into the process. @soccerfan A1. yes like most options when set globaly it wil apply to al lboxes A2. yes, as then you also prevent the load of sandboxed dll's
Yes, that's right, Protectthostimages =Y runs in the installed Firefox without a message 1305. How can I hide the SBIE1305 message in sandman for portable firefox and Thunderbird, is there a possibility ?
@Glitzersternchen Sandboxie-Plus > Options > Global Settings > General Config > Notifications > Add or Edit: 1305 Code: \User\Current\AppData\Local\Temp\ns*.tmp\*.dll
@busy Is there a way for hiding all messages? I recall seeing SbieCtrl_HideMessage=* but not sure of the correct syntax.
@busy, thank you for the answer. I entered the data as in the screenshot. The reports when starting and closing from the portable programs continue to come. Did I make a mistake in the notifications?
@DavidXanatos, I had already taken into account, in the boxes of the portable Firefox and Thunderbird: NotifyImageLoadDenied=n ProtectHostImages=y Unfortunately, there are still 10-20 reports with SBIE1305 at the start and end best regards Sabine Win11, SB 1.91
@Glitzersternchen It looks like it's a case sensitive match, so you have to type it as it appears in the popup. This should work. Code: *\AppData\Local\Temp\ns* EDIT: This settings only suppress popup alerts. (not sure about NotifyImageLoadDenined=n)
@DavidXanatos Broken characters at the end of the line. Code: FirefoxPortable.exe (2648): SBIE1305 Blocked sandboxed image from being loaded - \drive\C\Users\user\AppData\Local\Temp\nsaEੴ EDIT: Also, setting NotifyImageLoadDenied=n does not prevent messages from appearing.
@busy, unfortunately the reports continue, I also tried a Windows variable in the syntax. It's no use. It might be helpful if * \ AppData \ Local \ Temp \ ns * can test someone in his portable program, maybe I will make a mistake when entering.
"General Config > Notifications" settings for popup messages only. Setting NotifyImageLoadDenied=n does what you want, but it doesn't work as far as I've tested.
hmm... indeed the setting fails when set in a box, but setting it globally works fine, so that will need fixing also about the notification options setting a message ID without a string should block all messages of that type no mater the string parameter
The SBIE1305 messages are gone now: I had copied "NotifyImageLoadDenied=n" into the individual boxes. However, if this syntax is added to the global setting, the start and end messages are gone. Thank you @busy, @DavidXanatos for your help!
ProtectHostImages=y and NotifyImageLoadDenied=n are in global settings of my sandboxie.ini I can confirm this works as expected (with LibreWolf portable and Firefox portable).
I find it surprising that the portable version needs those helper dll's but then apparently everythign works without them, i assume that the perhaps the portable version is not storing its data where its suposed to, but than since everytign is sandboxed anyways it probably does nto mater LOL
For FireFoxPA ( and other PortableApps) the general directory structure has three sub-directories: Main Directory --App --Data --Other The FireFoxPortable.exe is in the main directory
