Sandboxie with SRP

Discussion in 'sandboxing & virtualization' started by erim, Aug 23, 2019.

  1. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    53
    I'm using SRP with a whitelist, which includes the Sandbox folder and all the standard locations on the system (Program Files...).

    When I run programs with Sandboxie it usually works, but often times it fails with the "This program is blocked by Group Policy..." error. This happens even if the Sandboxed program has been installed into the Sandbox to a location that is whitelisted on the system, like Program Files (x86).

    Any reason for why that is happening and how to make it work, without disabling SRP?
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,435
    Location:
    Here
    What path is displayed in event viewer when block occurs. Sandbox (sub)folder or some other path?
     
  3. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    53
    The Sandbox subfolder. Specifically, for example: "E:\Sandbox\Username\SBname\drive\C\Program Files (x86)\Steam\Steam.exe".
    (As I said, E:\Sandbox is whitelisted in SRP.)

    edit: This doesn't just happen to Steam.exe, by the way. I can drop a random independent .exe in that folder and it fails with the same error.
     
    Last edited: Aug 23, 2019
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,435
    Location:
    Here
    I've never encountered similar situation when I was using SRP. I would try adding "E:\Sandbox\Username\SBname\drive\C\Program Files (x86)\Steam\" to whitelist.
    Also do you have libraries (DLLs) enforced?
    Also check if you have variables used in your rules and replace them with absolut paths.
     
  5. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    53
    I tried adding the full path to the whitelist, it didn't help.
    DLLs are not enforced.
    I have absolute paths in the rules.

    Oh and I just realized that any .exe file that I copy into the Sandbox folder doesn't run when I choose to run it sandboxed. It does run if I just run it normally.



    EDIT: and also I realized that I don't have to select "Run Sandboxed" for the program to run sandboxed when it's in the Sandbox subfolder. Even though I remember in the past it didn't always work and some programs ran unsandboxed. Maybe when they ran with UAC/Admin rights?

    Anyway, Steam itself does start sandboxed this way. But when I try to launch a game like CS:GO from within sandboxed Steam it fails with the SRP error. I can run csgo.exe directly, but then it doesn't work properly (no VAC).
    So I'm still looking for solutions.
     
    Last edited: Aug 23, 2019
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,623
    Location:
    Canada
    Just a thought, but are you blocking by default the path: "C:\Users\your_username" ? If you are, maybe this is causing the disallow on "E:\Sandbox\Username" path rules.
     
  7. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    1,593
  8. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    53
    I tried unblocking that path, but it's still the same. I don't think there's any relation between those two locations, other than them sharing the same folder name.

    Sadly not. BTW, I used to use AppLocker too, but now it doesn't work with admin accounts anymore and it's a bit more limited than SRP for my needs.


    Just to sum up my current situation:
    I can run sandboxed programs with SRP, but those sandboxed programs (Steam) can't launch other programs (CS:GO).
    If I disable SRP (set it to "Unrestricted") then sandboxed Steam can launch CS:GO.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,435
    Location:
    Here
    Can you disable SRP, run CS:GO through Steam and then use Process Explorer to check what is a command line for CS:GO process?
     
  10. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    53
    The command line is "C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe" -steam.

    (I thought I might be able to run sandboxed csgo.exe directly that way by just adding -steam, but I still get the VAC error.)
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,623
    Location:
    Canada
    I haven't used Sandboxie in a long time, and never combined with SRP, but isn't there a way to allow access to selected folders for sandboxed programs? Maybe you need to allow some additional access to some directories for the sandboxed programs that are being blocked by SRP? Just a theory, of course.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,435
    Location:
    Here
    Also, do you have Drop rights option enabled in sandbox settings? If so, try disabling it. Of course that's just a guess from my side.
     
  13. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    53
    @wat0114: Do you mean in Sandboxie or in SRP settings? Anyway, I can't think of anything at this point that isn't already enabled/whitelisted.

    @Minimalist: Drop rights option is not enabled.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,435
    Location:
    Here
    I'm out of ideas at the moment. It seems that there is something in the way that sandboxed application launches new process that triggers SRP blocking it.
     
  15. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    1,593
    i thought elam would chime in by now, but i guess elam has no clue either. :ninja:
     
  16. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    12,744
    Location:
    UK
    His correct name is bo elam (but I'm sure you already knew that)
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,623
    Location:
    Canada
    It's somewhere in Sandboxie settings. Sorry, I can't remember where exactly or what it's called. It's really just a shot in the dark but you never know. @bo elam has expert level knowledge on Sandboxie, so hopefully he or someone can come up with something on the Sandboxie end that might work. Otherwise I'm also out of ideas.
     
  18. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    248
    Location:
    Brooklyn, NY
    I stumbled across this looking for something else. I was just a basic Sandboxie user and could never get my games managers, incl. Steam, to run properly. I assumed I wasn't going that extra mile configuring the sandboxes but it seems Steam recommends to shut off software like Sandboxie in order to avoid the VAC error. So, it seems one shouldn't even try to force it.

    https://support.steampowered.com/kb_article.php?ref=2117-ilzv-2837
    sbievacsteam.PNG
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.