Sandboxie-Plus v1.0.11

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Feb 13, 2022.

  1. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    71
    Location:
    United Kingdom
    Start Restrictions with 'Allow only selected programs to start in this sandbox' selected - which I'd imagine is the common use of this feature - tells Sandboxie the programs that are allowed to run in the sandbox. Sorry I should have made the choice clear.

    You wouldn't have the browser as a leader-process, you'd just have it as a forced program (and in the Start Restrictions), and whenever both apps are closed, only then would the box be deleted.

    But you're right in that it would stop any other programs from starting in there, like your video player, so that would need to be added too, as well as any other processes that your browser uses internally. My Start Restrictions for Firefox are:
    ProcessGroup=<StartRunAccess>,rundll32.exe,pingsender.exe,igfxsrvc.exe,firefox.exe,crashpad_handler.exe
    It's basically having a whitelist instead of blacklist (or no list at all like you currently do).
    You also don't need to know these processes up front, Sandboxie will pop up a message stating that they can't run, so it's only a 5 minute job to add them.

    I don't think I've had any problems with the other processes failing to stop once Firefox is closed, but if you do that's what Stop Behaviour is for (lingering programs) - although Sandboxie covers most of these by default if you have the 'Default list of Lingering Programs' template selected (which it is by default).
     
    Last edited: Feb 24, 2022
  2. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    425
    At startup getting white screen with Edge ( 98 ). Other browsers are OK ( Firefox 97 and Chrome 98 ).
    Win10, Sandboxie-Plus v1.0.11
     
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,206
    Location:
    UK
    No problem here with Edge 98 and Plus 1.0.11
    Do you have Hardware Acceleration turned on under Edge...settings... system and performance?
    If yes, try turning it off.
    I have everything in that system and performance area turned off
     
  4. algol1

    algol1 Registered Member

    Joined:
    Aug 10, 2020
    Posts:
    344
    Location:
    Vienna, Austria
    Not quite, I'm afraid. This way the box would only be deleted whenever ALL apps, including unforeseen (child-)processes, would be closed.
    The point is that I want to start the browser (even unforeseen) child-processes unrestricted as long as they run within the box and cannot damage my outside-system.
    How clumsy is that - as compared to allowing them all up front and taking care of them later automatically by the "Leader-Process-method"?
    With the "Leader-Process-method" now under Plus all other processes not explicitly entered as leaders are considered to be lingering. So this seems to be some pretty elegant way to handle the priority of (even unknown new) processes in an appropriate manner. And using it I can equally state that I, too, have not run into any problems with unfinished processes after browser-shutdown or with auto-deleting the box-content.

    So while I will admit that you can achieve similar results by the measures and methods you've suggested I simply cannot see any advantage in your preferred modus-operandi over mine. But thanks for the effort to explain.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    OK I see, I'm sure that David will be able to fix this with a new template.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes, I probably forgot about it. But it sure was a brilliant idea from Tzuk, I believe it even inspired Google to implement a built-in sandbox into Chrome, that's why they bought GreenBorder. I have been using Sandboxie since 2004, can't believe it's still alive after 18 years LOL. With the help of Invincea, Sophos and now David Xanatos of course.
     
  7. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    425
    Without HWA it works but I can use Chrome/Firefox with HWA enabled.
     
  8. simbun

    simbun Registered Member

    Joined:
    Jan 29, 2022
    Posts:
    71
    Location:
    United Kingdom
    That's what lingering processes are for, and it can only be one from the list of the programs you've let start of course (if it's not already catered for by SandboxIE).

    I guess that's the fundamental difference between the two methods; I'm only letting trusted processes open, whereas I believe you're letting any processes open, be they malware, ransomware or anything else, and hoping that SandboxIE can contain them. If those undeclared processes also have internet access then (depending on how you've locked your storage down) they could be transmitting all your personal data without the need to infect your real system. I have no idea if this is a realistic threat, but it was always the recommended way to protect from scenarios like this.

    Going back to the old SandboxIE, because this was the recommended approach (to limit the programs that can open) you were able to click on the message and it would add the rule automatically to the sandbox for you, but that's no longer the case, so it's a little more work yes.


    There have been some pretty nasty comments on this board over the last few days, so I just wanted to say that I wasn't trying to tell you how to do things, I was just offering a different approach. Along those lines, I'm now going to take a look at leader processes as I've never even come across them before :)


    EDIT: Oh, specifying a leader process is just another way of identifying the lingering ones, which I guess could be a shorter list if it's needed.
     
    Last edited: Feb 24, 2022
  9. 100

    100 Registered Member

    Joined:
    Nov 21, 2020
    Posts:
    34
    Location:
    -
    An additional single wildcard (*) in OpenWinClass works, but cannot be the solution.
    I had tried all values from the WinClass Resource Access Monitor, of course with substrings and wildcards, but none of it worked.

    [Attached image: Sandboxie+AWM8.14.6.1.jpg]
     
  10. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    Please explain how and why, in your opinion, this should be the case with Sandboxie. In spite of the fact that this application may not be as popular nor ever was compared to a multitude of "security suites," (Kaspersky, Avast, Bitdefender, Malwarebytes, yada, yada,); each and every successful program has decisively gone the route of simplifying the configuration and usability of the app to the end user. Sure, ka-ching, ka-ching all the way to the bank, but why not? Apparently AV-Comparatives, AV-Test, or whoever whenever reviews published recently can't find any fault with that in terms of the efficacy of protection. With a few missteps along the way, Sandboxie was and still remains one of the few apps true as a stroke of genius and mass appeal to the common user to remain protected. Maybe a bit of a boring drag, but AV-Test rates from "Protection"-- "Performance" to, get this--- "Usability". And with or without AV-Test to tell us so, the longevity and appeal to any app is its usability. So, again, the question begs to be asked again, "Sometimes sophisticated is much better than overly simplistic!" Please indulge us all accordingly.
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,954
    you missed the important point that chromium based browser childs run as untrusted, firefox childs as low. and you don't have any option to change this. this is real meaning of the "windows sandbox", putting this into sandbox can work, but also fail. David accomplished it to make it work.

    and the outbreak of a chromium browser is very special and need a minimum of 3 attack vectors of different kind - project zero found it 1 or 2 years ago, and google fixed it asap.

    sandboxing a browser does not make it more secure
    this is still possible, but not really with current browser builds (read above). please don't mix it up with new builds and new fixed security issues which are present in every browser. but in most cases its new unknown software, malware, adware bundled or not - and very sure started by user, not by a browser. firefox is not able to run executables by default, for chromium based you should let ask where to save each download. drive-by infections are a very high level of attacks - are you worth to be a victim?
     
  12. Peter 123

    Peter 123 Registered Member

    Joined:
    Feb 1, 2009
    Posts:
    597
    Location:
    Austria
    Some interesting considerations in the above postings. If I have understood it correctly, my own setting is a combination of two methods:

    a) for starting/using the sandboxed browser (Firefox): "method simbun":
    *) [Note: In my case the exe-files are partly different but the principle is the same.]

    b) additionally for finishing an internet session (= closing the browser): "method algol1": auto-deletion of sandbox contents plus defining firefox.exe as leader process. [Note: In my case there is no need to have a sandboxed editor, therefore only the firefox.exe as leader process.]

    My reason for method a) is the security argument described by simbun:
    My reason for method b) is the argument mentioned by algol1: to reliably and comfortably get rid of child-processes (as of all other processes too) when closing the browser:
    It's a kind of positive Domino-effect:
    I close my browser -> firefox.exe is terminated -> therefore all other programs/processes within the sandbox are automatically terminated too (because of the option leader process) -> therefore the contents of the sandbox is automatically deleted (because of the option auto-delete). :thumb:

    Maybe you are right (I am not enough expert for internet security to say yes or no). But I got so accustomed to use my browser sandboxed (= in Sandboxie) - with the above mentioned specific settings - that I would not like to use it outside of it. And the fine thing is that you have to do these settings only one time and you are done (perhaps apart from some rare cases when you have to allow an additional child process [which had happened to me the last time years ago]).

    PS:
    Perhaps some settings like those could be the core of a possible Basic edition of Sandboxie as suggested above by StillBorn?
     
    Last edited: Feb 24, 2022
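
An added example, not written by any poster or by the Sandboxie project: the two setups compared in this thread, expressed as a constructed Sandboxie.ini and checked in Python. Only the ProcessGroup line is quoted from the thread; the box names are made up, and the ForceProcess, ClosedIpcPath, LeaderProcess and AutoDelete lines are assumed to be how the GUI options discussed here appear in the ini file.

```python
from collections import defaultdict

# Constructed sample; only the ProcessGroup line is quoted from the thread.
SAMPLE_INI = """
[WhitelistBox]
ForceProcess=firefox.exe
ProcessGroup=<StartRunAccess>,rundll32.exe,pingsender.exe,igfxsrvc.exe,firefox.exe,crashpad_handler.exe
ClosedIpcPath=!<StartRunAccess>,*
LeaderProcess=firefox.exe
AutoDelete=y

[LeaderOnlyBox]
ForceProcess=firefox.exe
LeaderProcess=firefox.exe
AutoDelete=y
"""

def parse_ini(text):
    """Sandboxie.ini repeats keys, so keep a list of values per key."""
    boxes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = boxes.setdefault(line[1:-1], defaultdict(list))
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()].append(value.strip())
    return boxes

def start_whitelist(box):
    """Return the allowed image names (lowercase), or None if unrestricted."""
    # Assumption: the restriction is active only when this ClosedIpcPath rule exists.
    if not any(v.replace(" ", "").lower() == "!<startrunaccess>,*"
               for v in box.get("ClosedIpcPath", [])):
        return None
    allowed = set()
    for v in box.get("ProcessGroup", []):
        name, *members = [p.strip().lower() for p in v.split(",")]
        if name == "<startrunaccess>":
            allowed.update(m for m in members if m)
    return allowed

def may_start(box, image):
    """True if the image name passes the box's start restriction."""
    allowed = start_whitelist(box)
    return allowed is None or image.lower() in allowed

def audit(box):
    """Summarise the three settings debated in the thread for one box."""
    allowed = start_whitelist(box)
    leaders = {v.lower() for v in box.get("LeaderProcess", [])}
    findings = []
    if allowed is None:
        findings.append("no start whitelist: any program may start in the box")
    else:
        findings += [f"leader {exe} is not in the start whitelist"
                     for exe in sorted(leaders - allowed)]
    if "y" not in [v.lower() for v in box.get("AutoDelete", [])]:
        findings.append("contents are kept after the box's processes exit")
    return {"allowed": allowed, "leaders": leaders, "findings": findings}

if __name__ == "__main__":
    for name, box in parse_ini(SAMPLE_INI).items():
        print(name, audit(box)["findings"] or "ok")
```
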
  13. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    Can one feel honored yet scary at the same time @Peter 123 in the previous? Major omission--- Bo Elam. Suffice it to say the man knows his way around Soundboxie.
     
  14. algol1

    algol1 Registered Member

    Joined:
    Aug 10, 2020
    Posts:
    344
    Location:
    Vienna, Austria
    I'm absolutely satisfied with the complexity Sandboxie-PLUS currently offers and have no further major expansions to request for. That having said I also strongly disagree with those who have recently expressed their concern or even disdain for IMHO most valuable additions by @DavidXanatos to the Plus-project, at times even coming close to denigrating the Plus-project as evolving into some kind of "bloatware".

    Sbie-Plus currently has IMHO reached a balanced level of complexity so that average users can run their SW/browsers right out of the box while at the same time allowing more IT-savvy users to make more advanced adaptions to a tailored use of (multiple, dedicated) Sandboxes.

    <Start OT>My general plea for complexity was not directed in particular towards Sandboxie but rather generally speaking towards the most spectacular pieces of 3rd-party-software out there. My personal "crown-jewel" for instance, "Total Commander" by Mr. Christian Ghisler (www.ghisler.com), a brilliant file-manager and practically my main frontend/user-interface on top of Windows, can be considered the epitome of positive complexity. While all the possibilities and tweaks it offers may seem daunting to the newbies and they will never exhaust its true potential right from the beginning they can start "simple" and then over the upcoming months, even years, grow into the sheer endless possibilities and tweaking-opportunities this file-manager has to offer.<End OT>
     
    Last edited: Feb 25, 2022
  15. algol1

    algol1 Registered Member

    Joined:
    Aug 10, 2020
    Posts:
    344
    Location:
    Vienna, Austria
    Now these security-related concerns are well understood. But one of the main-reasons I use sandboxed browsers is to not having to shrink or shy away from suspicious or untrusted content on the Internet. So if some malicious site would start a child-process that's not on my white-list and Sbie would therefore block it - then chances are that the browser couldn't go there and I would miss possibly valuable information sometimes given only there in "exchange" for leaving behind some hidden spyware and the like. I certainly wouldn't want to whitelist such malign child-processes for the future either - I just let them start once and see what happens and if that site turns out to be a fraud (as it often does) or tries to leave some spyware (as sometimes shown and blocked by AV-security also being active within the sandbox) then I trust Sandboxie to get rid of all that stuff after the browser would close down while possibly and at times indeed retaining the desired/promised info or download (reg-serials, software, videos and so on).

    I'll admit that this approach so far and to many may sound mightily starry-eyed and naive. But not so as I can argue.
    1) In more than 10 years of such risk-prone use I haven't seen one successful outbreak from Sbie! Bravo for that!
    2) All valuable or personal data on my system are saved/stored on a separate SSD-drive to which the sandboxed browser wouldn't even have reading-access (but may write out to after explicit individual immediate-recovery-user-confirmation). So even if the malware could make outgoing contact through the firewall there wouldn't be many secrets to tell/exploit other than the contents of the OS-partition.
    3) And if the outbreak should happen one day and some ransomware (in a worst case) would start encrypting my SSD-drive - no big deal either. Within 6 to 10 minutes I would have booted from an outside-USB-stick via the BIOS-startup-menu and replaced the entire partition(s) affected by a weekly disk-image-backup. I've had to do this for some times over the years after the OS had messed up during some botched (driver-)update but NEVER because of a virus-infection.
     
    Last edited: Feb 25, 2022
  16. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well, maybe someone can shed some light on this. Today, I noticed an odd entry in Event Viewer, namely this:
    [Attached image: eventid6033.png]

    After looking around on the net, I came up with something that made some sense but had no conclusion.

    https://www.tenforums.com/general-support/84319-event-id-6033-lsa-lsasrv.html

    Now this dates from 2017 and is likely the old Sophos build but could Sandboxie conceivably have anything to do with this in Windows 11? I mean as a troubleshooting measure, I could always uninstall it and look for fresh events but I really don't want to. Anyone think there's a connection? Sandboxie Plus 1.0.11/Firefox 97.01/Windows 11 v. 22000.527.

    Plus is running great at the moment; that's why I really don't want to disrupt anything. And unlike the thread, I don't manually start Sandboxie but a few times the UI mysteriously showed up on the desktop without prompting.
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I know I've seen LSA Errors or Warnings before. The one you posted a picture of, looks very familiar. Likely, what I've gotten before is what you got today. Every time I've seen this type of errors, they are a one time Event. IOW, I don't keep getting them. The way I treat errors or warnings that I only get once and then perhaps again about a year later, is to ignore them. That is what I suggest you do. If you get them back tomorrow, and keep getting them, then I would try to figure out what I am doing at the time the Event is logged. You probably won't see this Event again for a while, so you don't need to uninstall anything or worry about anything.

    Bo
     
  18. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, that's right, it's an isolated error. There was one other, like three days ago, so it's kind of impossible to determine what was happening at the time. It just seemed odd as I've never spotted it before; then again, I don't routinely read the Event Viewer like a newspaper.

    OK, well it seems benign enough, guess I'll just keep an eye out for any developments.

    Thanks, Bo.
     
  19. tp2

    tp2 Registered Member

    Joined:
    Jan 18, 2021
    Posts:
    7
    Location:
    US
    Just upgraded to v1.0.11 and with no other settings changes FireFox will no longer open sandboxed.

    FireFox 97.0.1 (64-bit), runs fine not in sandbox and Chrome opens fine sandboxed just as always has. When Firefox does try to start in the sandbox it just sits there and says Application is not responding after a few seconds.

    Any ideas?
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Try:
    1. Delete contents if you don't have your Firefox sandbox set to delete on closing of Firefox.
    2. Run Firefox in a new default settings sandbox (don't change settings).

    Bo
     
  21. tp2

    tp2 Registered Member

    Joined:
    Jan 18, 2021
    Posts:
    7
    Location:
    US
    Have done that a few times, deleted all contents. Still won't load.

    Created several new sandboxes and changed no settings and still won't start. Runs fine outside of the sandbox.
    Not sure what the problem is or what else to try.

    Never had an issue with it starting before.

    Thanks
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    You are welcome. You could also try creating a new Firefox profile, and try running Firefox sandboxed afterward. Also, sometimes AV signature updates can generate issues running Firefox under SBIE. When these things happen, they are usually fixed by another signature update the next day or so and you end up not knowing why your "issue" got fixed. The AV theory would be a great coincidence (happening the same day you updated SBIE) but it can happen. Sometimes fixing issues like yours you have to go out of the box and try solving the problem with solutions that don't make sense (like testing with a new Firefox profile, You can ask yourself why would this fix the problem?).....because sometimes these things work.

    Bo
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I was not going to expand on this but I think I will. Here is an example. A couple of days ago, I updated to Firefox 97.0.1 from Firefox 95.0.2. Before doing the real update outside the sandbox, I tested sandboxed to see if everything would be OK with the update. First, I updated Firefox and it worked, after rebooting the browser, I tried to update NoScript. NoScript would not update, it would not work, the option to uninstall was not visible in the Extension menu, and it could not be updated. It didn't make any sense. So, I deleted the sandbox, and tried something different (always under SBIE). This time I updated NoScript first, and after rebooting the browser, I updated Firefox, and all was perfect. Afterward, I did the update outside the sandbox using the update sequence that worked. Why doing the update worked one way but not the other, I don't know, but it worked. HTH someone some day. :)

    Bo
     
  24. APMichael

    APMichael Registered Member

    Joined:
    Jun 17, 2020
    Posts:
    123
    Location:
    Germany
  25. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk
    Absolutely amazing, and much appreciated that it is still alive. Even though I was always ambivalent towards Sophos they deserve great credit for not killing it off and making it public domain.
     