Sandboxie-Plus 1.0.8

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Jan 18, 2022.

  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,384
    Location:
    Viena
    @algol1 the function "run outside sandbox" the way it's implemented in the driver already propagates the "run outside" state to child processes of the started process. I tested it and it works as it should.
    Probably the reason why for chrome updating this does not apply when you run the updater exe this way will be that it starts the browser in the end using some maintenance service or alike, resulting in the driver not being able to make the connection between the out of box started updater and the now started browser instance.
    Trying to make a connection here may not be easy at all depending on how exactly the browser is being restarted.

    In the long run I would ideally want to be able to run software updaters in the box without breaking anything, this however needs a loooot of further compatibility improvements.

    With regard to a nightly build for supporters, this is a good idea, but it would have to work with an unsigned driver, as it's too cumbersome to submit the driver to MSFT each day. Would that under this limitation still be an attractive option?
    Alternatively the changes in the Nightly builds could be limited to exclude driver changes.

    @plat1098 No, Sandboxie is not my day job, I'm a physicist by day, I research the quantum nature of matter, and software developer by night ;)

    @Peter 123 the reason the tray does not ask is to have a quick 2 click feature without the delay of a pop up window.
     
  2. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    504
    Location:
    Austria
    I see. Thanks.
     
  3. APMichael

    APMichael Registered Member

    Joined:
    Jun 17, 2020
    Posts:
    44
    Location:
    Germany
    I'm glad if I could help. :)

    Right, that's why I added the links to the manuals in my post.

    I think that's intentional. In the tray icon menu, this is supposed to be a quick action without having to confirm the time period again. (Otherwise it might be annoying in the long run if you have to confirm the time period every time).
     
  4. algol1

    algol1 Registered Member

    Joined:
    Aug 10, 2020
    Posts:
    235
    Location:
    Vienna, Austria
    Many thanks for looking into that matter. If that option includes child-processes, too, then this is all it should do.

    Besides I really have to apologize here. Because a hint by @APMichael taught me that what I've been asking for is already implemented in Sbie. Only thing is I completely misunderstood the meaning of the tray-icon-option "Disable Forced Programs" as prohibiting running them at all.

    So two suggestions here: 1. Could you please rename that option to sound more precise. Perhaps into - as has been suggested - "PAUSE PROGRAM-FORCING".
    And 2. Perhaps you could also copy that option-box into that "Run Sandboxed"-right-click-dialog as an additional option to remedy cases like the chrome-update as this would obviously be a correlated measure there.

    How cool is THAT!? Research "Zeilinger-Style"!
     
  5. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    504
    Location:
    Austria
    You are right. As mentioned by David, it is indeed intentional to offer a quick handling.

    There is another thing I am not quite sure about:

    I have the impression that this command "Disable Forced Programs" (or in other words: "Pause Program-Forcing") is a general command (= affecting all forced programs) with more or less the same function as the option "Run Outside Sandbox" for an individual (forced) program in the context menu of this program (right click -> "Run Sandboxed" -> "Run Outside Sandbox")?

    Is this assumption correct?
    If yes, I do not understand what's the benefit of the general command as I think that users will usually be interested in disabling the forced start in a sandbox only for a specific program, typically to update it outside from the sandbox (e.g. a forced browser).

    O.k., some users will prefer to disable the forcing only for a certain time period - but this is something that anyway they cannot determine via the option in the tray icon menu but only via the Sandboxie Control Menu.

    So my conclusion is that it seems a little bit redundant to have the command "Disable Forced Programs" in the tray icon menu. In other words: Is it used so often (respectively by so many users) that it is justified to give this option its own position in the tray icon menu? (The more commands in such a menu, the more confusing the situation for users without knowledge about such special functions.)

    -----------------
    PS (off topic):
    For non-Austrian members:
    algol1 refers to the Austrian quantum physicist Anton Zeilinger:
    https://en.wikipedia.org/wiki/Anton_Zeilinger
    ;)
     
    Last edited: Jan 25, 2022
  6. algol1

    algol1 Registered Member

    Joined:
    Aug 10, 2020
    Posts:
    235
    Location:
    Vienna, Austria
    Well, as I've mentioned earlier for Chromium-browsers-upgrade "Run outside Sandbox" won't do the trick entirely. As DavidX has stated above he has looked into that matter meanwhile and concluded that "Run outside Sandbox" WILL include child-processes from the one executed outside the box. And yet after the upgrade, once the new browser-version is auto-started, it will come up sandboxed (if its parent-folder is in the "forced-folders"-list) - and therefore somehow seemingly cannot complete the upgrade-process successfully as the newly opened updated browser-version seemingly needs to perform some final tasks from within the new version on its first run which then presumably need to be written permanently to the browser-config-Dir.

    DavidX assumes that this behavior may be caused by the updated browser-version being launched by some type of update-service which again would run outside the control of that explicit "Run outside Sandbox"-option.

    The "Pause Program-Forcing"-tray-icon-option on the other hand pauses sandboxing of forced folders governed by a time-constraint. So even an updated browser-version launched by some type of external service after the upgrade will not come up sandboxed (given the pause-interval has been chosen to be long enough) and thereby will be able to successfully complete the upgrade-process. So the time-period-of-pause here will make the difference as it would affect any service as well.

    So from my point-of-view the justification for that prominent tray-icon-position of this menu-option is certainly there.
     
    Last edited: Jan 26, 2022
  7. APMichael

    APMichael Registered Member

    Joined:
    Jun 17, 2020
    Posts:
    44
    Location:
    Germany
    Correct, the "Disable Forced Programs" command always affects all forced programs or folders.

    As @algol1 has already written, it is often not sufficient for updates to start only the specific program outside the sandbox, because especially when using "Forced Folders" involved processes could start unintentionally in a sandbox and then an update fails.

    The time period is also observed when executing via the tray icon menu. (The time period that was previously set via execution by "Sandboxie Control" is used.)

    I use the command only from the tray icon menu. I can't remember the last time I executed it via "Sandboxie Control".
     
  8. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    504
    Location:
    Austria
    algol1 & AP Michael, thanks for your explanations. :thumb:

    My intention is not to start another dispute about the importance or non-importance of a certain feature or - in this case - of its existence in the tray icon menu. Personally this "Disable-Forced-Programs-"/"Pause-Program-Forcing"-command remains a quite "exotic" feature for me which I definitely would not miss if it were removed from the context menu in the tray. But I acknowledge that there is the opposite opinion too:

    So if this is a general preference among the users, o.k. ;)
     
  9. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    240
    Location:
    uk
    I may be missing something and I haven't read all of the posts, but I don't bother to turn off "forced programs". Instead, I right click on the shortcut of the program I want to update eg Firefox, choose "Run Sandboxed" then "Run outside the Sandbox", update the program which restarts outside of the sandbox if necessary without further intervention.
     
  10. APMichael

    APMichael Registered Member

    Joined:
    Jun 17, 2020
    Posts:
    44
    Location:
    Germany
    @algol1 has described here why "Run Outside Sandbox" does not always work for this:
    Here also the description from @DavidXanatos:
    (This problem with updating Chrome had led to the current discussion).
     
  11. ggjfgh5

    ggjfgh5 Registered Member

    Joined:
    Jan 27, 2022
    Posts:
    1
    Hi. Using latest Sandboxie Plus. I have a question about sandboxing browser, and about the security implications of "default_browser".
    I think by default the sandboxed browser shortcut is
    "C:\Program Files\Sandboxie-Plus\Start.exe" default_browser
    "default_browser" just refers to the default application in your Windows settings (mine is firefox), including your default browser profile.
    Typically a default browser profile will contain sensitive data like cookies, bookmarks, passwords, etc.
    Now, if I understand correctly, running a potentially malicious webpage sandboxed ensures that it won't compromise/"write" to the rest of your system. This is good.
    But with the default "default_browser" shortcut, couldn't a malicious page still access/"read" that private data?
    This seems like an obvious security risk to me from my modest understanding, so why is "default_browser" the default shortcut?
    I have created a secondary Firefox profile titled "SandboxedFox" and created a different shortcut
    "C:\Program Files\Sandboxie-Plus\Start.exe" default_browser -p "SandboxedFox"
    Is this a good idea to mitigate additional risks or am I overthinking this?
    If so, wouldn't it be better to have a warning about this and urge new users to create a secondary browser profile solely for sandboxing, or using a secondary browser, independent from their regular profile potentially containing sensitive data? Instead of letting vanilla users just rely on "default_browser" (which also just means default profile).
    Please feel free to correct me or explain nuances I may be missing here.
     
  12. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,768
    Location:
    UK
    When I go online in my sandboxed browser (default browser shortcut) I want to be able to use my bookmarks etc otherwise what is the point.
     
  13. SBMe

    SBMe Registered Member

    Joined:
    Aug 6, 2011
    Posts:
    8
    This Sandboxie-Plus 1.0.8 has been working very well for me.
    Been using yours from the start once I looked to update original one.
    I just go to GitHub direct ( bookmarked ) to see what the newest ones are. I guess I must have had issues with 0.xx versions with updating through app, haven't tried with newer 1.0x ones within the app.
    Started using original Sandboxie for many, many years ( 2008 at least ). Very happy with your work and your updates when you address issues. Thanks !!
     
  14. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,384
    Location:
    Viena
    The issue with updating through the app is that I only update the server infos 1 or 2 weeks after a release on GitHub if there were no issues, to avoid pushing people towards a potentially unstable version.
     
  15. camelia

    camelia Registered Member

    Joined:
    Nov 4, 2011
    Posts:
    348
    Location:
    Mexico City
    Win 10 21H2 (OS Build 19044.1503) (64-bit)
    Sandboxie Classic SBIE 5.55.8 x64

    Sandboxed apps
    Firefox 96.0.3 (64-bit)

    Firefox is still crashing, I don't know what to do

    I can only browse not using sandboxie

    Please help

    Thanks
    Camelia

     
  16. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,384
    Location:
    Viena
    @camelia is it working in older versions?
    What is the last build it works with?
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,166
    Location:
    .
    ~ maybe, you've tried already:
    Can you create new default Firefox profile [info] and use that profile -> Forced Box. Just curious....been some time since I ran Firefox daily rider. IIRC I was able to call new default profile sbox.
     
    Last edited: Jan 29, 2022
  18. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    24
    Location:
    United Kingdom
    I've just migrated from the last Sophos Sandboxie version and wow, it feels much more refined already!
    I'm currently sandboxing Firefox and Opera and everything is working well.

    I was hoping to use it on a number of apps to create a portable disc ripping setup, but it looks like sandboxed apps don't have access to the CD Rom, is there any way of allowing that, or does that open up access to hardware generally? Currently I'm trying with Exact Audio Copy.
     
  19. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    4,406
    from here
    https://www.wilderssecurity.com/threads/sandboxie-plus-1-0-7.443250/page-4#post-3063936
    you can extend it to any security software with such modules.
    I am running plain windows defender and firefox is working like a charm in sandboxie, I never had some issue which was caused that way.

    Without knowing the modules (injected dll) David can do nothing.
    the next issue might be, that firefox is crashing, creates some crash reports which can't be sent to mozilla for analysis because they are put into the sandbox, only accessible that way with firefox, but it's crashing.

    you can try to copy the folder \crashes (and its sub folder) to the profile outside, same with
    Code:
    %APPDATA%\Mozilla\Firefox\Crash Reports
    and try to transmit it using about:crashes in firefox outside sandboxie.

    then ofc return the resulting links looking like
    Code:
    https://crash-stats.mozilla.org/report/index/...
    to us to see about the injections.

    https://support.mozilla.org/en-US/kb/mozillacrashreporter
     
  20. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    24
    Location:
    United Kingdom
    Ok so I've answered my own question by digging through all the options.
    The following option seems to work:
    General Options > File Options > Allow elevated sandboxed applications to read the harddrive
    The option says "read the harddrive", I assume that means there's no chance of writing to harddrives? I assume this overrides any Resource Access Rules I have in place to close off drives/partitions. Is there any other way to block these e.g. \Device\XXXX?

    There's also the associated option:
    Warn when an application opens a harddrive handle
    Is this to warn me of an application that is attempting to read directly from a disc, and will it give me the option to deny it?

    Apologies for all the questions but I can't find any documentation for this, and want to make sure it's not leaving any gaping security holes.

    Thanks again
     
  21. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,384
    Location:
    Viena
    most sandboxie warnings only warn without the option to allow, they deny and tell you about what just happened.

    with "Allow elevated sandboxed applications to read the harddrive" they will only be able to read but not write.

    Do you require the option to also allow writing?
     
  22. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    4,406
    in general, i would suggest you to create a separate thread for this.
    EAC needs \roaming\ -> %appdata% and registry.

    BTW @david
    this is 5.55.8 and I noticed some not translated text in sandbox settings for "Beschränkungen" and I have a section "Ressource Access" ("Network Access") while it should be (existing) "Ressourcenzugriff" > "Netzwerkzugriff" - both are in English too.
    in special for EAC read-only is required (audio extraction)
     
  23. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    24
    Location:
    United Kingdom
    No I don't need the option to write.

    I have most of my drives/partitions Closed through 'Resource Access Rules', does allowing applications to read the harddrive through raw disk access mean this is no longer protected? Sorry, I don't know what an application can do with raw disc access.
     
  24. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    24
    Location:
    United Kingdom
    Apologies, there are very few threads outside of the release ones so I assumed this was the right approach, but I'll create a new one in future if it's not related to a particular release.

    Was this directed to me?
     
  25. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,384
    Location:
    Viena
    With raw disk access the application (when started as admin) can read disks sector wise, meaning they can interpret the file system and read any file,
    for example you can start 7zip as admin in the box with raw disk access enabled, open any HDD and extract any file, even when for that volume and/or path the resource access rules say it should be closed.
    The reason is that sandboxie does not interpret any file system, hence when a program reads raw sectors from a disk sandboxie does not know to which files they belong.
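
The point made in the post above, turned into a configuration check (an added example, not part of the thread and not Sandboxie's own code): it flags boxes that allow raw disk reads, because their closed-path rules then do not cover sector reads by elevated processes. It assumes the two GUI options discussed map to the Sandboxie.ini keys `AllowRawDiskRead` and `NotifyDirectDiskAccess`, that "Closed" rules are `ClosedFilePath` entries, that `DropAdminRights=y` prevents elevation in a box, and that a box's own value overrides `[GlobalSettings]`; the INI excerpt is constructed.

```python
import re
# Constructed Sandboxie.ini excerpt; box names and paths are made up.
SAMPLE_INI = r"""
[GlobalSettings]
NotifyDirectDiskAccess=y
[RipperBox]
AllowRawDiskRead=y
ClosedFilePath=D:\
ClosedFilePath=E:\Private\
[BrowserBox]
AllowRawDiskRead=y
DropAdminRights=y
NotifyDirectDiskAccess=n
[DefaultBox]
ClosedFilePath=D:\
"""

def parse(text):
    """Return {section: {key: [values]}}; keys may repeat in Sandboxie.ini."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def audit(text):
    """Return (box, severity, note) for each box that allows raw disk reads."""
    sections, findings = parse(text), []
    glob = sections.get("GlobalSettings", {})
    for name, box in sections.items():
        if name == "GlobalSettings" or name.startswith("UserSettings_"):
            continue
        # Assumed precedence: a box's own value wins over [GlobalSettings].
        def on(key):
            return (box.get(key) or glob.get(key) or ["n"])[-1].lower() == "y"
        if not on("AllowRawDiskRead"):
            continue
        closed = box.get("ClosedFilePath", []) + glob.get("ClosedFilePath", [])
        if on("DropAdminRights"):
            sev, note = "low", "raw read allowed, but the box cannot elevate"
        else:
            sev = "high" if closed else "medium"
            note = f"{len(closed)} ClosedFilePath rule(s) not enforced for sector reads"
        if not on("NotifyDirectDiskAccess"):
            note += "; no warning on disk handle open"
        findings.append((name, sev, note))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

When reading a real Sandboxie.ini from disk, open it with the encoding the file actually uses before passing the text to `audit`.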
     