New experimental build is ready. Please test it thoroughly; if no critical issues appear, I'll push it to the updater tomorrow evening.

Download: https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.13.2
Download: https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.13.1

[1.13.2 / 5.68.2] - 2024-03-07

Added
- added menu entry to restart SandMan as admin #3581 (thanks Yeyixiao)
- added option to block taking screen capture/screenshot of sandboxed processes (thanks Yeyixiao)
  - it can be enabled with "IsProtectScreen=y"
  - see the sandbox option "Prevents getting an image of the window in the sandbox" in SandMan UI
- added option to prevent sandboxed processes from interfering with power operations #3640 (thanks Yeyixiao)
  - it can be enabled with "BlockInterferePower=y"
  - see the sandbox option "Prevents processes in the sandbox from interfering with power operations" in SandMan UI
- added new pattern mechanism using a ** as a placeholder to indicate an arbitrary path element not containing a \ 1ff2867

Changed
- reworked option for suspending all processes in SandMan (introduced in 1.13.1) #3582

Fixed
- fixed privacy mode, NormalFilePath and symbolic link issue #3660
- fixed access to Recycle Bin in an Application Compartment sandbox with data protection #3665

[1.13.1 / 5.68.1] - 2024-02-27

Added
- Sandman, suspend all processes #3582 (thx Yeyixiao)
- Add "On Terminate" trigger #3584 (thx Yeyixiao)

Fixed
- added missing checkbox for API tracing
- fixed incompatibility with Windows ARM64 Insider build 26052 and later
- fixed [1.12.6] Symlink and open path issue #3537
- In Application Compartment Box, There is a bug in file redirection, CreateDirectory Fail #3637
- fixed issues with appcompartment mode compatibility fallback
- fixed missing max password length check #3639
- Can't launch executables from volumes without a drive letter in a sandbox (regression) on windows 1803 and earlier #3627

Changed
- changed DynData format to add flags
- Revert or provide a way to opt out of the new sandbox directory structure for volumes without drive letters #3632
  - guid usage can be re-enabled with "UseVolumeGuidWhenNoLetter=y"

Removed
- removed UseNewSymlinkResolver setting, new mechanism is always used
Up and running in portable mode on Win7x64SP1. Will "UseVolumeGuidWhenNoLetter=n" be the default, starting with v1.13.1?
I've been running Sandboxie Plus v1.13.1 for two days and everything is working good. No problems for how I use it.

Sandboxie Plus 1.13.1 (64-bit) (Red box - Hardened Sandbox with Data Protection and Auto Delete on, Virtualization Scheme Version 2)
Windows 10 22H2 (64-bit)
Firefox 123.0 (64-bit)
Thunderbird 115.8.0 (64-bit)
Microsoft Edge 122.0.2365.63 (Official build) (64-bit)
Next test build: 1.13.2

Download: https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.13.2

Added
- added menu entry to restart SandMan as admin #3581 (thanks Yeyixiao)
- added option to block taking screen capture/screenshot of sandboxed processes (thanks Yeyixiao)
  - it can be enabled with "IsProtectScreen=y"
  - see the sandbox option "Prevents getting an image of the window in the sandbox" in SandMan UI
- added option to prevent sandboxed processes from interfering with power operations #3640 (thanks Yeyixiao)
  - it can be enabled with "BlockInterferePower=y"
  - see the sandbox option "Prevents processes in the sandbox from interfering with power operations" in SandMan UI
- added new pattern mechanism using a ** as a placeholder to indicate an arbitrary path element not containing a \ 1ff2867

Changed
- reworked option for suspending all processes in SandMan (introduced in 1.13.1) #3582

Fixed
- fixed privacy mode, NormalFilePath and symbolic link issue #3660
- fixed access to Recycle Bin in an Application Compartment sandbox with data protection #3665
@DavidXanatos Could you please explain the use of the new pattern match "**" in more detail?

For example, this code allows access to files in the root of D: but protects the subfolders (since v1.8.0):

Code:
UseRuleSpecificity=y
OpenFilePath=D:\*
WriteFilePath=D:\*\*

Now, what happens if we use "WriteFilePath=D:\**\*" (in v1.13.2)? When is this useful?
Let's say you have folders like this:

D:\Dir1\Dir2\File1
D:\Dir1\File1b
D:\Dir11\Dir22\File2
D:\Dir11\File11b
D:\Dirx\Diry\Filez

OpenFilePath=D:\*\File* will open access to all 4 files
OpenFilePath=D:\**\File* will only open access to D:\Dir1\File1b and D:\Dir11\File11b

** matches an unspecified part segment, but only as long as it does not contain a \
So ** means one arbitrary folder, while * just means anything: any amount of folders with arbitrary names.
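Added example (not part of the post above and not Sandboxie's own matcher): a small Python model of the two wildcards as the reply describes them, run over the sample paths from that reply. The regex translation, the case-insensitive whole-path match and the function names are assumptions of this sketch.

```python
import re

# Sample paths copied from the reply above.
SAMPLE_PATHS = [
    r"D:\Dir1\Dir2\File1",
    r"D:\Dir1\File1b",
    r"D:\Dir11\Dir22\File2",
    r"D:\Dir11\File11b",
    r"D:\Dirx\Diry\Filez",
]


def pattern_to_regex(pattern):
    """Translate a path pattern into a compiled regex.

    Model of the described semantics (an assumption, not Sandboxie code):
      **  -> one path element, i.e. any run of characters without a backslash
      *   -> anything, including backslashes (any number of folders)
    Everything else is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(r"[^\\]*")   # stops at the next backslash
            i += 2
        elif pattern[i] == "*":
            parts.append(".*")        # may cross backslashes
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    # Windows paths are case-insensitive; match the whole path.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matching(pattern, paths):
    """Return the paths that the pattern matches in full."""
    rx = pattern_to_regex(pattern)
    return [p for p in paths if rx.fullmatch(p)]


if __name__ == "__main__":
    for pat in (r"D:\*\File*", r"D:\**\File*"):
        print(pat)
        for p in matching(pat, SAMPLE_PATHS):
            print("   ", p)
```
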
On Win 10 above I did the download from the Github link in your post above about 1.13.2. On Win 11 I decided to do the download/install from within the sbie interface. This is what I got from the sbie interface. Note the build number that was offered. I ended up doing the download for 1.13.2 from Github and just installed over the top.
Cannot figure out how to local print from sandboxie+ (1.13.2 - enhanced isolation, privacy enhanced, No INet (with exceptions)) on my Win 10 box from Firefox. I have a duplicated box running on a Win 7 system and Firefox ESR prints fine with the exact same settings/config/ini as the one on Win 10. If someone has an idea how to help, I would be grateful (I suspect allowing some resource access; although I have tried allowing several possibilities with no luck).
I tried with the example you gave, but this new pattern doesn't seem to work.

"IsProtectScreen=y"
As far as I tried, this setting does not work in browser and electron applications.

"BlockInterferePower=y"
I don't know exactly what this setting blocks. It would be good if you give an example for this.
DavidXanatos - Could you explain what 'BlockInterferePower=y' does exactly? I've got it turned on but I'm not sure if it's doing anything. I'm only using Firefox, Edge and Thunderbird so this might be for other apps that are sandboxed. I just want an example of what this setting does.
Just made a discovery today concerning what referrer is sent from the Firefox browser. I have the Firefox browser set up to spoof my referrer so when I visit a web site, it shows the web site I came from as the web site I went to. When I have 'BlockInterferePower=y' turned on, the referrer shows as 'No Referrer' when I go to a web site. When I turn off 'BlockInterferePower' or set it to 'BlockInterferePower=n', then my spoof referrer works.

In my Firefox user.js, I have the following settings to spoof my referrer:

user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
user_pref("network.http.referer.spoofSource", true);

I still don't know what 'BlockInterferePower=y' does but this is what I discovered so far.
The 'BlockInterferePower=y' setting is most likely not working due to a small bug in the code. (Fixed in 1.13.3) Also, it does not prevent the situation you describe.

This setting prevents the following situations:
1. Prevents sandboxed programs from putting the system to sleep or turning off the screen. (cmd: powercfg /requests)
2. Prevents sandboxed programs from setting system parameters that would prevent the system from shutting down or logging off the user session. (e.g. This app is preventing you from restarting)
Busy - Hopefully we'll get a better idea from David what kind of apps utilize the power setting. As for the referrer, it's strange that the setting interfered somehow with my personal setting. You're right that it should have nothing to do with it but either way, I left the power setting off since it probably doesn't apply to my use case with Sandboxie.