Was running it with Drop Rights unchecked but forcing Chrome to run in the sandbox and using Start/Run/Internet restrictions. Just one sandbox, the Default Box. Might try again sometime.
Try it without ANY (Start/Run or Internet) restriction. You should be OK after doing so. The DefaultBox is fine but it is best to run Chrome in its own sandbox so you can set it up with its own settings. Bo
OK. Thanks for the tips. Will try that. Update: I think using separate sandbox for Chrome and removing Chrome as a forced app and removing the Start/Run/Internet restrictions is working. I no longer see the busy cursor. Rather than forcing Chrome to run in sandbox I created shortcut from within SBIE for the desktop. Did the same procedure for a separate sandbox for Outlook. I'm in business again!
On the latest Stable Chrome (67) and with the latest Nightly Build of Process Hacker (https://wj32.org/processhacker/nightly.php), PH now shows correctly that the Chrome security developers have enabled the Indirect Branch Prediction process mitigation on all chrome.exe child processes. This is only on the latest Windows 10 (1803 only, I believe) with the latest PH nightly and stable Chrome channel.
For Google Chrome or Google Chrome Quantum, do I need to do something special to enable built-in sandboxing? Also, something I noticed till I saw this thread: KeyScrambler Pro, once I install it, when I type in a Google Chrome window it automatically closes the browser. Anyway, back to sandboxing. Do I need to do anything to enable Chrome sandboxing?
Chrome's sandboxing is enabled by default and the strength of it depends on the underlying operating system. So there is nothing that you need to do. Have a look at the following details (https://chromium.googlesource.com/c...8946013eb812c6d3975bec/docs/design/sandbox.md) and you will notice that the Chrome developers take advantage of newer sandboxing mitigations in the latest Windows operating systems. That link also explains quite a bit more. The only thing that you could take advantage of (if on Windows 10) would be some newer experimental options in chrome://flags settings:
chrome://flags/#enable-appcontainer
chrome://flags/#enable-gpu-appcontainer
I'm pretty certain that AppContainer is used by default regardless on Windows 10 now and so therefore the flag will likely be removed at some point and won't be necessary. But AppContainer for the GPU process is quite a new development and worth taking advantage of.
Thanks for the GPU-Appcontainer flag, WildByDesign! I didn't know about it. BTW it is now 30 pages since people said: "Maybe yes, maybe no" to running chrome sandboxed. Did you end on a different consensus?
Thank you for posting this information. I'm running latest Chrome beta Version 68.0.3440.68, and both of those flags were at "Default". I had renderers at "Untrusted", and now after enabling them both I have a gpu process and several renderer processes running at "Appcontainer". I'll see how things go.
For me all Chrome processes (Sandboxed) are running as untrusted. Do you mean the actual graphics renderer or just like "rendering a web page"?
The first one running under Appcontainer is "type=gpu-process", the rest are "type=renderer". I've also got "Strict site isolation", "Top document isolation" and "PDF isolation" flags enabled.
Doesn't look like you run it sandboxed. If I do that there's a sandboxiecrypto.exe in the middle. BTW if you enable Top Document Isolation you're not isolating things, just increasing performance: That's why I disabled it. Thanks for the PDF isolation flag
You are right, I don't run a 3rd-party sandbox program. I believe Windows 10 already provides excellent sandboxing for Chrome. You're welcome for the flag.
You're welcome. Unfortunately, I don't know since I did not participate in this thread early on and only followed this thread more recently. You're welcome. I've been using these AppContainer flags for some time now and luckily have not experienced any issues whatsoever which is great. Same goes for the Strict Site Isolation; no issues there either. There is still more AppContainer development coming for Chrome and also Site Isolation is going to also become more thorough as well. Lots of solid security related developments coming.
BTW the potential issues involved with sandboxing Chrome only apply to light virtualization such as Sandboxie. The isolation method used by ReHIPS, on the other hand, does not diminish native Windows protection in any way. On the contrary, it is built on top of native Windows protection.
Sorry, I don't know what chrome firewall is. If you are asking about the firewall of Chrome OS, I don't know anything about it.
I don't like the ReHIPS user interface. I'll wait till that has been overhauled. And Light Virtualization means it is also interfering with Chrome stuff? And it sounds like it is "less secure" than Sandboxie. Can you please elaborate? Thank you.
Light virtualization: Sandboxie, Comodo, Shadow Defender, etc. Full virtualization: VMs. At least it is the way I interpret it.
Oh, that makes sense.
------------------------------------------------
With Comodo Containment Chrome has three processes with Integrity: Medium, one with Low and a billion with Untrusted. Unfortunately, it appears to be impossible to copy-and-paste into Chrome if it runs in Comodo.
What mitigation policies should I see in a best-security-scenario? (Since we just had this topic)
This is for Untrusted processes: (Sandboxed)
ASLR
DEP (permanent)
Images restricted (remote images, low mandatory label images)
Indirect branch prediction
Loader Integrity
Module Tampering
Non-system fonts disabled
Signatures restricted (Microsoft only)
Strict handle checks
Win32k system calls disabled
This for Low: (Not Sandboxed)
ASLR (high entropy, force relocate)
CF Guard
DEP (permanent)
Extension points disabled
Images restricted (remote images, low mandatory label images)
Indirect branch prediction
Loader Integrity
Module Tampering
Non-system fonts disabled
Signatures restricted (Microsoft only)
Strict handle checks
Win32k system calls disabled
This for Medium: (Not Sandboxed)
ASLR (high entropy, force relocate)
CF Guard
DEP (permanent)
Extension points disabled
Images restricted (remote images, low mandatory label images)
Loader Integrity
Module Tampering
Strict handle checks
It looks to be good to run Chrome untrusted or better low. Furthermore, it seems to be that Sandboxie increases protection, on top of virtualization, because it forces all processes to run untrusted. (No medium processes) Is that a correct observation? (Low processes inside Sandboxie have the same policies as Untrusted in Sandboxie) Is there a setting for this in Sandboxie? Can I enhance the policies somehow?
------
I got one other question regarding AppContainer: Even though I have #enable-gpu-appcontainer, #enable-appcontainer and #enable-site-per-process enabled, I still don't see AppContainer in Process Hacker when I run Chrome normally, outside a Box. Does that not appear in the Integrity Column?
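Added example, not part of the post above or of any tool named in the thread: a short Python script that parses the three mitigation lists as they were posted as running text and reports which policies each integrity level lacks and where a qualifier differs. The split into individual policy names and the function names are assumptions made for this illustration.

```python
import re

# Policy names taken from the post above. Where one name ends and the next
# begins is an assumption, because the lists were posted as running text.
KNOWN = ["ASLR", "CF Guard", "DEP", "Extension points disabled", "Images restricted",
         "Indirect branch prediction", "Loader Integrity", "Module Tampering",
         "Non-system fonts disabled", "Signatures restricted",
         "Strict handle checks", "Win32k system calls disabled"]
# Longest names first, each optionally followed by a "(qualifier)".
TOKEN = re.compile(r"\s*(" + "|".join(map(re.escape, sorted(KNOWN, key=len, reverse=True)))
                   + r")(?:\s*\(([^()]*)\))?")
# The three lists from the post, kept as running text.
LEVELS = {
    "Untrusted": "ASLR DEP (permanent) Images restricted (remote images, low mandatory "
                 "label images) Indirect branch prediction Loader Integrity Module "
                 "Tampering Non-system fonts disabled Signatures restricted "
                 "(Microsoft only) Strict handle checks Win32k system calls disabled",
    "Low": "ASLR (high entropy, force relocate) CF Guard DEP (permanent) Extension "
           "points disabled Images restricted (remote images, low mandatory label "
           "images) Indirect branch prediction Loader Integrity Module Tampering "
           "Non-system fonts disabled Signatures restricted (Microsoft only) "
           "Strict handle checks Win32k system calls disabled",
    "Medium": "ASLR (high entropy, force relocate) CF Guard DEP (permanent) Extension "
              "points disabled Images restricted (remote images, low mandatory label "
              "images) Loader Integrity Module Tampering Strict handle checks",
}

def parse_policies(text):
    """Split a flattened list into {policy name: qualifier or None}."""
    text, found, pos = text.strip(), {}, 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:  # refuse to guess at names that are not in KNOWN
            raise ValueError(f"unrecognised policy text: {text[pos:pos + 30]!r}")
        found[m.group(1)], pos = m.group(2), m.end()
    return found

def compare(levels):
    """Return (policies missing per level, qualifier differences per policy)."""
    parsed = {lvl: parse_policies(text) for lvl, text in levels.items()}
    union = set().union(*parsed.values())
    missing = {lvl: sorted(union - set(p)) for lvl, p in parsed.items()}
    quals = {pol: {lvl: p[pol] for lvl, p in parsed.items() if pol in p} for pol in union}
    differing = {pol: q for pol, q in quals.items() if len(set(q.values())) > 1}
    return missing, differing

if __name__ == "__main__":
    for part in compare(LEVELS):
        print(part)
```

On the posted lists, the Untrusted set lacks CF Guard and Extension points disabled, the Medium set lacks four of the policies shown at Low, and only the ASLR qualifier differs between levels.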
It looks to be there in your picture, @wat0114
Apparently that is wrong? #enable-top-document-isolation's description is confusing. On Reddit I found a post which says: https://www.reddit.com/r/chrome/comments/8ivdwd/chrome_flags_to_improve_security_read_now_d/ I am still confused. Is it a good thing? But it sounds like it puts all iFrames together. Then why does having it disabled "defeat the purpose of #enable-site-per-process"?