Sandboxie-Plus 1.0.8

@algol1 the function "run outside sandbox" the way its implemented in the driver already propagates the "run outside" state to child processes of the started process. I tested it and it works as it should.
Probably the reason why for chrome updating this does not apply when you run the updater exe this way will be that it starts the browser in the end using some maintenance service or alike, resulting in the driver not being able to make the connection between the out of box started updater and the now started browser instance.
Trying to make a connection here may not be easy at all depending on how exactly the browser is being restarted.

In the long run I would ideally want to be able to run software updaters in the box without breaking anything, this however needs a loooot of further compatibility improvements.

With regard to a nightly build for supporters, this is a good idea, but it would have to work with an unsigned driver, as its to cumbersome to submit the driver to MSFT each day. Would that under this limitation still be an attractive option?
Alternatively the changes in the Nightly builds could be limited to exclude driver changes.

@plat1098 No Sandboxie is not my day job, I'm a physicist by day, I research the quantum nature of mater, and software developer by night

@Peter 123 the reason the tray does not ask is to have a quick 2 click feature without the delay of a pop up window.

 

I see. Thanks.

 

I'm glad if I could help.

Right, that's why I added the links to the manuals in my post.

I think that's intentional. In the tray icon menu, this is supposed to be a quick action without having to confirm the time period again. (Otherwise it might be annoying in the long run if you have to confirm the time period every time).

 

Many thanks for looking into that matter. If that option includes child-processes, too, then this is all it should do.

Besides I really have to apologize here. Because a hint by @APMichael taught me that what I've been asking for is already implemented in Sbie. Only thing is I completely misunderstood the meaning of the tray-icon-option "Disable Forced Programs" as prohibiting to running them at all.

So two suggestions here: 1. Could you please rename that option to sound more precise. Perhaps into - as has been suggested - "PAUSE PROGRAM-FORCING".
And 2. Perhaps you could also copy that option-box into that "Run Sandboxed"-right-click-dialog as an additional option to remedy cases like the chrome-update as this would obviously be a correlated measure there.[/QUOTE]

How cool is THAT!? Research "Zeilinger-Style"!

 

You are right. As mentioned by David, it is indeed intentional to offer a quick handling.

There is another thing I am not quite sure about:

I have the impression that this command "Disable Forced Programs" (or in other words: "Pause Program-Forcing") is a general command (= affecting all forced programs) with more or less the same function as the option "Run Outside Sandbox" for an individual (forced) program in the context menu of this program (right click -> "Run Sandboxed" -> "Run Outside Sandbox")?

Is this assumption correct?
If yes, I do not understand what's the benefit of the general command as I think that users will usually be interested in disabling the forced start in a sandbox only for a specific program, typically to update it outside from the sandbox (e.g. a forced browser).

O.k., some users will prefer to disable the forcing only for a certain time period - but this is something that anyway they cannot determine via the option in the tray icon menu but only via the Sandboxie Control Menu.

So my conclusion is that it seems a little bit redundant to have the command "Disable Forced Programs" in the tray icon menu. In other words: Is it used so often (respectively by so many users) that it is justified to give this option its own position in the tray icon menu? (The more commands in such a menu, the more confusing the situation for users without knowledge about such special functions.)

-----------------
PS (off topic):

For non-Austrian members:
algol1 refers to the Austrian quantum physicist Anton Zeilinger:
https://en.wikipedia.org/wiki/Anton_Zeilinger

 

Well, as I've mentioned earlier for Chromium-browsers-upgrade "Run outside Sandbox" won't do the trick entirely. As DavidX has stated above he has looked into that matter meanwhile and concluded that "Run outside Sandbox" WILL include child-processes from the one executed outside the box. And yet after the upgrade, once the new browser-version is auto-started, it will come up sandboxed (if its parent-folder is in the "forced-folders"-list) - and therefore somehow seemingly cannot complete the upgrade-process successfully as the newly opened updated browser-version seemingly needs to perform some final tasks from within the new version on its first run which then presumably need to be written permanently to the browser-config-Dir.

DavidX assumes that this behavior may be caused by the updated browser-version being launched by some type of update-service which again would run outside the control of that explicit "Run outside Sandbox"-option.

The "Pause Program-Forcing"-tray-icon-option on the other hand pauses sandboxing of forced folders governed by a time-constraint. So even an updated browser-version launched by some type of external service after the upgrade will not come up sandboxed (given the pause-interval has been chosen to be long enough) and thereby will be able to successfully complete the upgrade-process. So the time-period-of-pause here will make the difference as it would affect any service as well.

So from my point-of-view the justification for that prominent tray-icon-position of this menu-option is certainly there.

 

Correct, the "Disable Forced Programs" command always affects all forced programs or folders.

As @algol1 has already written, it is often not sufficient for updates to start only the specific program outside the sandbox, because especially when using "Forced Folders" involved processes could start unintentionally in a sandbox and then an update fails.

The time period is also observed when executing via the tray icon menu. (The time period that was previously set via execution by "Sandboxie Control" is used.)

I use the command only from the tray icon menu. I can't remember the last time I executed it via "Sandboxie Control".

 

algol1 & AP Michael, thanks for your explanations.

My intention is not to start another dispute about the importance or non-importance of a certain feature or - in this case - of its existence in the tray icon menu. Personally this "Disable-Forced-Programs-"/"Pause-Program-Forcing"-command remains a quite "exotic" feature for me which I definitely would not miss if it were removed from the context menu in the tray. But I acknowledge that there is the opposite opinion too:

So if this is a general preference among the users, o.k.

 

I may be missing something and I haven't read all of the posts, but I don't bother to turn off "forced programs". Instead, I right click on the shortcut of the program I want to update eg Firefox, choose "Run Sandboxed" then "Run outside the Sandbox", update the program which restarts outside of the sandbox if necessary without further intervention.

 

@algol1 has described here why "Run Outside Sandbox" does not always work for this:

Here also the description from @DavidXanatos:

(This problem with updating Chrome had led to the current discussion).

 

Hi. Using latest Sandboxie Plus. I have a question about sandboxing browser, and about the security implications of "default_browser".
I think by default the sandboxed browser shortcut is
"C:\Program Files\Sandboxie-Plus\Start.exe" default_browser
"default_browser" just refers to the default application in your Windows settings (mine is firefox), including your default browser profile.
Typically a default browser profile will contain sensitive data like cookies, bookmarks, passwords, etc.
Now, if I understand correctly, running a potentially malicious webpage sandboxed ensures that it won't compromise/"write" to the rest of your system. This is good.
But with the default "default_browser" shortcut, couldn't a malicious page still access/"read" that private data?
This seems like an obvious security risk to me from my modest understanding, so why is "default_browser" the default shortcut?
I have created a secondary Firefox profile titled "SandboxedFox" and created a different shortcut
"C:\Program Files\Sandboxie-Plus\Start.exe" default_browser -p "SandboxedFox"
Is this a good idea to mitigate additional risks or am I overthinking this?
If so, wouldn't it better to have a warning about this and urge new users to create a secondary browser profile solely for sandboxing, or using a secondary browser, independent from their regular profile potentially containing sensitive data? Instead of letting vanilla users just rely on "default_browser" (which also just means default profile).
Please feel to correct me or explain nuances I may be missing here.

 

This Sandboxie-Plus 1.0.8 has been working very well for me.
Been using yours from the start once I looked to update original one.
I just go to GibHub direct ( bookmarked ) to see what the newest ones are. I guess I must of had issues with 0.xx versions with updating through app, haven't tried with newer 1.0x ones within the app.
Started using original Sandboxie for many, many years ( 2008 at least ). Very happy with your work and your updates when you address issues. Thanks !!

 

the issue with updating through the app is that i only update the server infos 1 or 2 weeks after a release on github if there were no issues, to avoid pushing people towards a potentially unstable version.

 

Win 10 21H2 (OS Build 19044.1503) (64-bit)
Sandboxie Classic SBIE 5.55.8 x64

Sandboxed apps
Firefox 96.0.3 (64-bit)

Firefox is still crashing, I don't know what to do

I can only browse not using sandboxie

Please help

Thanks
Camelia

 

@camelia is it working in older verions?
what is the last build it works with?

 

~ maybe, you've tried already:
Can you create new default Firefox profile [info] and use that profile -> Forced Box. Just curious....been some time since I ran Firefox daily rider. IIRC I was able to call new default profile sbox.

 

I've just migrated from the last Sophos Sandboxie version and wow, it feels much more refined already!
I'm currently sandboxing Firefox and Opera and everything is working well.

I was hoping to use it on a number of apps to create a portable disc ripping setup, but it looks like sandboxed apps don't have access to the CD Rom, is there any way of allowing that, or does that open up access to hardware generally? Currently I'm trying with Exact Audio Copy.

 

from here
https://www.wilderssecurity.com/threads/sandboxie-plus-1-0-7.443250/page-4#post-3063936

you can extend it to any security software with such moduls.
i am running plain windows defender and firefox is working like charm in sandboxie, i never had some issue which was caused that way.

Without knowing the modules (injected dll) David can do nothing.
the next issue might be, that firefox is crashing, creates some crash reports which cant be send to mozilla for analysis because they are put into the sandbox, only accessible that way with firefox, but its crashing.

you can try to copy the folder \crashes (and its sub folder) to the profile outside, same with

Code:

%APPDATA%\Mozilla\Firefox\Crash Reports

and try to transmit it using about:crashes in firefox outside sandboxie.

then ofc return the resulting links looking like

Code:

https://crash-stats.mozilla.org/report/index/...

to us to see about the injections.

https://support.mozilla.org/en-US/kb/mozillacrashreporter

 

Ok so I've answered my own question by digging through all the options.
The following option seems to work:

General Options > File Options > Allow elevated sandboxed applications to read the harddrive​

The option says "read the harddrive", I assume that means there's no chance of writing to harddrives? I assume this overrides any Resource Access Rules I have in place to close off drives/partitions. Is there any other way to block these e.g. \Device\XXXX?

There's also the associated option:

Warn when an application opens a harddrive handle​

Is this to warn me of an application that is attempting to read directly from a disc, and will it give me the option to deny it?

Apologies for all the questions but I can't find any documentation for this, and want to make sure it's not leaving any gaping security holes.

Thanks again

 

most sandboxie warnings only warn without the option to allow, thay deny and tell you about what just happened.

with "Allow elevated sandboxed applications to read the harddrive" they will only be able to read but not write.

Do you require the option to also allow writing?

 

in general, i would suggest you to create a separate thread for this.
EAC need \roaming\ -> %appdata% and registry.

BTW @david
this is 5.55.8 and i noticed some not translated text in sandbox settings for "Beschränkungen" and i have a section "Ressource Access" ("Network Access") while it should be (existing) "Ressourcenzugriff" > "Netzwerkzugriff" - both are in english too.

in special for EAC read-only is required (audio extraction)

 

No I don't need the option to write.

I have most of my drives/partitions Closed through 'Resource Acess Rules', does allowing applications to read the harddrive through raw disk access mean this is no longer protected? Sorry, I don't know what an application can do with raw disc access.

 

Apologies, there are very few threads outside of the release ones so I assumed this was the right approach, but I'll create a new one in future if it's not related to a particular release.

Was this directed to me?

 

With raw disk access the application (when started as admin) can read disks sector wise, meaning they can interpret the file system and read any file,
for example you can start 7zip as admin in the box with raw disk access enabled open any HDD and extract any file, even when for that volume and or path the resource access rules say it should be closed.
The reason is that sandboxie does not interpret any file system, hence when a program ready raw sectors from a disk sandboxie does nto know to which files they belong.