Sandboxie-Plus v1.8.4

Yes, it was a chrome based browser. Also happened with LibreWolf (ff based) (but not with an older ff based mypal).

Applied. Thank you

 

Another question: In the blue box, the "Save As" gui (attachment, post #24)
shows just the filename (Sandboxie-Plus-x86-v18.4) but no extension (.exe).
Is this by design or a quirk of the access restrictions?

 

Yes, it is.

Code:

NormalKeyPath=HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Spoiler: default template for privacy enhanced boxes

Code:

#
# Access rules for privacy enhanced boxes
#

[TemplatePModPaths]
WriteKeyPath=\REGISTRY\USER\*
#
NormalFilePath=%SystemRoot%\*
NormalFilePath=%SbieHome%\*
NormalFilePath=%ProgramFiles%\*
NormalFilePath=%ProgramFiles% (x86)\*

 

Thank you again I'm out of questions (until the next time )

 

Question: Does sigcheck64 still work properly with vt checks upon file recovery?
Ref: https://www.wilderssecurity.com/threads/sandboxie-plus-v1-7-0-v1-7-0c.450127/#post-3129071

I downloaded a systeminformer nightly setup file from
https://www.systeminformer.com/nightly.php
Sbie Plus v1.8.4 and "OnFileRecovery=..." present in sandboxie.ini.
The informational message pops up when recovering and the file is saved.
However, virustotal shows two dozen out of seventy vendors flagging it!

 

What output does it give when you run from the command line?

Code:

powershell -exec bypass -nop -File "xxx.ps1" -bin "yyy\systeminformer-3.0.6522-setup.exe"

 

Here is the output:

Sigc heckFile.ps1, Sigcheck64.exe are in D:\SbiePlus (my sbie portable folder)
The systeminformer exe file is in D:\Download
My SigcheckFile.ps1

Code:

param ($bin)
$sigcheck="D:\SbiePlus\sigcheck64.exe" -vt -vs -accepteula $bin
if(-not ($sigcheck -like "*   0/*")){
    Write-Output $sigcheck
    exit 1
}
exit 0

 

Try this:

Code:

param ($bin)
$sigcheck = & "D:\SbiePlus\sigcheck64.exe" -vt -vs -accepteula "$bin"
if (-not ($sigcheck -match "VT.detection:.*0\/[^0].*")) {
    Write-Output $sigcheck
    exit 1
}
exit 0

 

Your .ps1 file, used directly in sandboxie, gives this:

This makes perfect sense and should be as expected, no?

 

Yes, it shows the Sigcheck output.

 

Thank you

 

By the way, if you don't want unknown files to be uploaded to Virustotal, change the -vs parameter to -v.

example:

Code:

param ($bin)
$sigcheck = & "D:\SbiePlus\sigcheck64.exe" -vt -v -accepteula "$bin"
if (-not ($sigcheck -match "VT.detection:.*0\/[^0].*")) {
    Write-Output $sigcheck
    exit 1
}
exit 0

 

Thank you. While recovering a ublock setting file the other day, the message showed "na"
for detection and submitted the file to vt (for analysis). I guess the parameter -v avoids that.
Edit: Confirmed! Message now shows "VT detection: Unknown" and offers to save file