Mio sockets blocked by default?

[soleera]

Describe what you noticed and did

Not sure if this is working as intended, but Mio sockets now seem to be blocked by default in security enhanced sandboxes. You can see this in action if you try to install Discord; you'll get an "Update failed - retrying in # sec..." message which will just keep looping. I managed to resolve this by adding "OpenPipePath=\Device\Afd\Mio" to my sandbox ini file, but I'm not sure if this is the best way to deal with the problem.

How often did you encounter it so far?

Consistently

Affected program

Discord, and probably anything else that uses Mio sockets

Download link

https://discord.com/

Where is the program located?

The program is installed only inside a sandbox (NOT in the real system anyway).

Expected behavior

Mio sockets seemed to work automatically in older versions of sandbox-plus, although I'm not sure if this should be considered a bug or a feature.

What is your Windows edition and version?

Windows 11 Home Build 22000

In which Windows account you have this problem?

A local or Microsoft account without special changes.

Please mention any installed security software

Microsoft Defender

What version of Sandboxie are you running?

Sandboxie Plus 1.6.6 (x64)

Is it a new installation of Sandboxie?

I just updated Sandboxie from a previous version (to be specified).

Is it a regression?

Since at least 1.6.4

In which sandbox type you have this problem?

In a security hardened sandbox (orange sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

No response

[offhub]

I believe this is working as intended, since you are using "Hardened" type box.

From the changelog**:

This build adds 2 new isolation mechanisms to increase security of hardened boxes ...
...
The second isolation mechanism "RestrictDevices=y" leverages rule specificity to limit the accessible driver/device endpoints to a list of known required endpoints plus whatever the user opens using the resource access rules.

replaced the "DeviceSecurity" template with a dedicated setting "RestrictDevices=y"
-- Note: when needed more "NormalFilePath=..." entries can be added to open specific devices

[isaak654]

@offhub

There is no NormalPipePath, only NormalFilePath: 4d3e630

This is one of the many typos that have already been corrected in the changelog.md file, also I don't understand why @DavidXanatos doesn't want to put a link in the releases instead to repost the same notes in three different places. This system does not facilitate my corrections and is counterproductive.

[DavidXanatos]

it was not intended to block mio sockets as we have a separate setting to block networking, I'll review this and make it open by default in future.

@isaak654 if you think a link is really enough and the users dont want to read the relevant changelog there in place than I'll in future add a link to the apropriate changelog section instead.

PS: the change will be active in build 1.7.1 as it needs the driver to be re signed