Sandboxie-Plus v1.3.0

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Aug 9, 2022.

  1. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk
    No, I'm the same. The options have gone beyond my level of comprehension, so I just continue to use my old sandboxes (2) with each new version.
     
  2. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Reinstalled Sandboxie 1.3.0 on my daily Windows 10 drive and it's doing alright so far (no excessive CPU use in FF). Found out last night one of my passwords was pwned from a prepaid account but no money was stolen and the email assoc. w/it was not affected.

    It seems ATT was involved in at least one data breach but isn't talking about it. Don't know if my password theft was a direct result of that either. I don't know if my browser was accessed or if it was on ATT's side but I'm gonna try to limit things the best I can. :cautious:

    Thought about a password manager. I'll see, not too gung-ho though.
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    i would bet NO sandboxie issue. could be blacklist hacking or accidental -> weak password. you probably get no answer from ATT then they have to admit a breach - pain in their ***

    anyhow - passwords with less than 16 token are not acceptable.


    concerning MSI installer again
    https://www.oo-software.com/de/download/archive/index.html
    "O&O driveimage" break installation with message to MSi installer. any help appreciated.
     
  4. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I am almost positive it's on the ATT side and fault--simply b.c none of my other passwords was pwned. Also, I did not re-install Sandboxie until after this small mess. Just re-adding another layer on my end--as long as it doesn't impact the machine. So far so good.

    Yes, 16 tokens..., will debate whether my extremely low threat model would justify changing the others. But if it occurs on the corporate side, even a 100 character password could be pwned, I guess.
     
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    if 100 is accepted ;)
    16 or more is ok. but i use (one?) services where 8 is max, pity, but i can't change it.

    with a lot of time and tables and hardware you can break any password. in the past 25 i had no local breach, but malwarebytes forum and adobe forums have been leaked years ago but using unique passwords did not harm me so i changed those. some servers stand more in focus to steal CC infos. glad you have no loss.

    some users think that sandboxie can prevent breaches for sure - it can't. it can't by design. it's not possible. even firefox in the box was vulnerable in the past, the used attack vector was closed within a day. what's in the box stays in the box, that's true, but with web access firefox could have sent any data in that attacked moment.

    on my android phone i use a password manager, for convenience. any used browser here is safe enough. site isolation, extension isolation, main password ("Hauptpasswort") for browsers.
     
  6. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,390
    I am having intermittent Vivaldi issues. I do not think this is related to a recent version but I am not sure if anyone else is noticing the same or if there are some settings I just need to change. I was running version 1.26 Plus without issues (straight out of the box, no fiddling with settings). The other day Vivaldi was not opening sandboxed. Clicking the icon in the task bar led to a second of trying and then nothing happened. The Sandboxie icon was filled for a brief moment but cleared out again shortly afterwards. I was able to open Vivaldi unsandboxed. Doing a restart of my pc "fixed" the issue. This has happened previously from time to time in older versions. This morning it happened again, so I installed Version 1.3, rebooted and the issue for now is gone. Vivaldi is running again sandboxed but I am still wondering if I need to add something in the settings to prevent this issue.
     
  7. Vikterola62

    Vikterola62 Registered Member

    Joined:
    Dec 14, 2020
    Posts:
    16
    Location:
    USA
    Hey there, I found a possible bug in version 1.28b and not sure it carries over to new version. In config protection
    section, I am unable to clear "password must be entered to make changes". Hitting apply just asks for the pw
    and then going back to the config protection setting - it is still checked! Tried it on Win 7 and Win 10 install of SB
    and both act the same. Also, I haven't tried the new 1.30 version yet, but since you are changing the security name
    from security hardened to normal, will this lower any of my protections, or is this merely syntax? Anyhow, thanks!!
     
  8. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,061
    Location:
    UK
    This sometimes happens to me when Vivaldi is trying to update, so I just open Vivaldi unsandboxed, do Help...check for updates, let it update and then Sbie works.
     
  9. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Vienna
    This is only syntax,
    previously any box with DropAdminRights=y was considered hardened.
    now only boxes with UseSecurityMode=y are displayed in the UI as hardened
    internally this setting enables the following mechanisms:
    DropAdminRights=y, of course plus SysCallLockDown=y and RestrictDevices=y
     
  10. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,390
    This is how I normally update but in this case, it was already updated. The fix after reboot makes me think that something was still going in the background.
     
  11. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Trying v1.3.0 (portable mode). My portable programs are on drive D. Some observations:

    CASE 1 (New Privacy Box - blue): Data Protection shows this line in sandboxie.ini
    Code:
    UsePrivacyMode=y
    
    This box gives errors finding programs on drive D: unless the following line is added
    Code:
    NormalFilePath=D:
    
    Then all my programs on D: run fine in this box.
    _______________________________________________________

    CASE 2 (New Security Hardened Box - orange) includes the following code
    Code:
    UseSecurityMode=y
    UsePrivacyMode=n
    
    This works fine for running programs on D: without a "NormalFilePath" line
    ________________________________________________________

    CASE 3 (New Secure+Priv Box - red) This shows the following in sandboxie.ini
    Code:
    UseSecurityMode=y
    UsePrivacyMode=y
    
    This box gives errors finding programs on drive D: unless the following lines are also added
    Code:
    NormalFilePath=D:\Program1.exe
    NormalFilePath=D:\Program2.exe
    .
    ,
    
    Using "NormalFilePath=D:" (as in Case 2) does not work here (but worked in the "privacy only" box).
    _______________________________________________________

    Question: Are these related to "even stricter" rule specificity in v1.3.0 (and if so, how)?
     
  12. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Vienna
    hmm... strange, don't think it's related to rule specificity as this is always only on or off there are no various levels of specificity and merely enabling privacy mode turns it on already,
    it seems RestrictDevices=y which is part of UseSecurityMode=y is responsible for the issue, perhaps one of the built in filter rules is making trouble

    EDIT:
    So the problem is that
    NormalFilePath=\Device\HarddiskVolume6\*
    conflicts with
    WriteFilePath=\Device\HarddiskVolume*\*
    And write file path being more restrictive wins out
    pfff... not sure how to elegantly fix this

    do you need access to the drive root?
    putting your programs in D:\Programs\ and adding NormalFilePath=D:\Programs
    overrules and allows them to run

    EDIT 2:
    Muhahahahah..... I have an idea! We will make the rule specificity even more specific, we will count the count of wildcards (*) and make the rule with the least wildcards win.
     
    Last edited: Aug 14, 2022
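
The conflict and the proposed wildcard-count tie-break from the post above, as an added Python sketch that is not part of the thread and is not Sandboxie's own code. It assumes that specificity means how many characters of the path a rule's literal parts cover, and that every rule acts as a prefix pattern; `match_specificity`, `resolve` and the sample program paths are constructed for illustration.

```python
# Simplified model of the rule conflict in the post above; NOT Sandboxie's code.
# Assumption: when specificity ties, the more restrictive rule type wins.
RESTRICTIVENESS = {"Normal": 0, "Write": 1}

def match_specificity(pattern, path):
    """Characters of `path` covered up to the rule's last literal chunk, or None."""
    pattern, path = pattern.lower(), path.lower()
    chunks = pattern.split("*")
    if not path.startswith(chunks[0]):
        return None
    pos = len(chunks[0])
    for chunk in chunks[1:]:
        if not chunk:                 # trailing or doubled wildcard
            continue
        idx = path.find(chunk, pos)
        if idx < 0:
            return None
        pos = idx + len(chunk)
    return pos

def resolve(rules, path, count_wildcards):
    """Return the rule type ("Normal"/"Write") that wins for `path`, or None."""
    best = None
    for kind, pattern in rules:
        spec = match_specificity(pattern, path)
        if spec is None:
            continue
        # Proposed tie-break from EDIT 2: fewer wildcards ranks higher.
        wild = -pattern.count("*") if count_wildcards else 0
        key = (spec, wild, RESTRICTIVENESS[kind])
        if best is None or key > best[0]:
            best = (key, kind)
    return best[1] if best else None

# The two rules quoted in the post (D: is \Device\HarddiskVolume6 there).
RULES = [
    ("Normal", r"\Device\HarddiskVolume6\*"),
    ("Write", r"\Device\HarddiskVolume*\*"),
]
ROOT_EXE = r"\Device\HarddiskVolume6\Program1.exe"           # constructed sample
# Workaround from the post: a rule for D:\Programs covers more of the path.
WORKAROUND = RULES + [("Normal", r"\Device\HarddiskVolume6\Programs\*")]
SUB_EXE = r"\Device\HarddiskVolume6\Programs\Program1.exe"   # constructed sample

if __name__ == "__main__":
    print(resolve(RULES, ROOT_EXE, count_wildcards=False))
    print(resolve(RULES, ROOT_EXE, count_wildcards=True))
    print(resolve(WORKAROUND, SUB_EXE, count_wildcards=False))
```

Both quoted rules cover the same 24 characters of the drive-root path, so the tie falls to the Write rule until wildcards are counted; the longer `D:\Programs` rule wins on specificity alone.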
  13. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Vienna
    To be honest I think the amount of things to think about when creating access rules might be getting slightly out of hand.
    I think it's time to think about some foolproof UI, like some sort of tree view that displays the path options in different colors based on the real filesystem, so applying the rules to the existing folder hierarchy and painting the view in the right colors...

    what do you think?
     
  14. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    Cool :)
    Just to edit my own post:
    In Case 3 (secure+priv), the correct lines should be
    "NormalFilePath=D:\program1" (a folder) and not "NormalFilePath=D:\program1.exe" (a process)
    "NormalFilePath=D:\program2" (a folder) and not "NormalFilePath=D:\program2.exe" (a process)
    This still does not explain (to me) why just "D:" in priv box vs "D:\programpath" in secure+priv box.
     
  15. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    When you do decide to look into/implement this, I think
    it would help us choose/allow the appropriate paths for resource access.
     
  16. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,061
    Location:
    UK
    That is an idea I would welcome, it gets very confusing sometimes :D
     
  17. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Vienna
    I see one major problem with the idea namely that we will need to render a good portion of the file system, so having that in the otherwise small option window will not be a good user experience.
    I think it might be best to locate this feature in the main window, make it a function of the file browse panel, perhaps make the panel contain a couple of tabs to browse different views
    • Box Root (current view)
    • File system, the entire file system showing a merged view of real files and boxed files, as well as somehow with colors showing the path presets based on the access rules. With some switch to show mixed view, box only, or host only
    • Same for the registry view
    • And for the experts a browser view of the entire NT Object Manager Name Space
    That will be quite some work to make it right, but it would be nice as it would allow the user to track changes boxed programs do in a nice graphical way basically offering a sort of comparison between original and boxed value whenever there are both present.
     
  18. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,061
    Location:
    UK
    When people buy a cert or donate they then have the ability to request features for the new boxes that become available.
    I think all the features and requests can then become a barrier for people who want to give plus a try and buy a cert.
    It can be so difficult to try and work out what everything does.

    Software does best when the user experience is not so overwhelming that it puts them off.
     
  19. Glitzersternchen

    Glitzersternchen Registered Member

    Joined:
    Sep 5, 2021
    Posts:
    46
    Location:
    Germany
    I have updated SB+ from 1.26 to 1.30 and run Firefox and Thunderbird in a default box.
    Does it raise the security as a home user especially when Extra Security Enhanced Box mode is added by purchasing a support certificate ?
     
  20. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Vienna
    Yes with a support certificate you can switch the box into Security Hardened mode (Orange/Red box icon) which significantly enhances security.
     
  21. Glitzersternchen

    Glitzersternchen Registered Member

    Joined:
    Sep 5, 2021
    Posts:
    46
    Location:
    Germany
    thank you David,
    where can I then acquire the certificate, what would it cost me as a private user and may I apply it to my two laptops?
    Sabine
     
  22. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,327
    Location:
    Vienna
    You can pick one here: https://xanasoft.com/product-category/sandboxie/ there are various options, you can see a comparison of what each certificate does here: https://sandboxie-plus.com/feature-comparison/

    Long story short, private users can use one certificate on all machines they personally use.
    The Small certificate is a subscription so needs to be renewed every year.
    The Medium certificate is perpetual for the current version + 1 year of updates, for later builds it will need to be renewed.
    The Large certificate is like the Medium one but with 2 years of updates + you can use it for family members' PCs in one household.
    And there is a Huge option for an appropriately huge price that never expires, which is the best way to support sandboxie development ;)
     
  23. Glitzersternchen

    Glitzersternchen Registered Member

    Joined:
    Sep 5, 2021
    Posts:
    46
    Location:
    Germany
    thanks David, a last question:
    To minimize start,- and internet connection in my box(only Firefox and Thunderbird) I configured it like this:

    NotifyStartRunAccessDenied=y
    OpenFilePath=%UserProfile%\PORTABLES\Thunderbird Portable\Data\profile\Mail\
    OpenFilePath=%UserProfile%\PORTABLES\Thunderbird Portable\Data\profile\calendar-data\local.sqlite\

    OpenFilePath=%UserProfile%\PORTABLES\Firefox Portable\Data\profile\cert*db*
    OpenFilePath=%UserProfile%\PORTABLES\Firefox Portable\Data\profile\bookmark*
    OpenFilePath=%UserProfile%\PORTABLES\Firefox Portable\Data\profile\blocklist*
    OpenFilePath=%UserProfile%\PORTABLES\Firefox Portable\Data\profile\cookies*
    OpenFilePath=%UserProfile%\PORTABLES\Firefox Portable\Data\profile\favicons.sqlite
    OpenFilePath=%UserProfile%\PORTABLES\Firefox Portable\Data\profile\places.sqlite
    ClosedFilePath=<BlockNetDevices>,InternetAccessDevices
    ClosedFilePath=!<InternetAccess>,InternetAccessDevices

    Is this not enough security for a private user, or is the safety-hardened mode better than this ?

    Sabine
     
  24. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,061
    Location:
    UK
    After setting up a Sandbox with Data Protection (Blue Box) I can now use it on Edge.
    As you know setting Edge up in that box can be a bit tricky, but it is working now apart from one thing.

    When the Edge snapshot loads I get 2 Edge icons in the taskbar. One is the one I want to use with all my links etc., and the other shows a brand new install set up for Edge with no way to close the window. The only way I have found is to terminate all programs in blue box after I have finished using the box. Delete content does not close it and neither does selecting close Window from that Edge taskbar icon.
     
  25. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    411
    Location:
    uk