Encrypted confidential box with red box preset blocks box access to its own root directories

[Arkadiumx]

Describe what you noticed and did

I'm trying to create an encrypted confidential box via imdisk with the "Hardened Security With Data Protection" red preset.

With these presets, I cannot launch anything, even from inside the box.

The installer is at this directory, and spoofed admin rights are on. I've also tried installing the program without the hardened box without any issues and even just trying to run Firefox after its already installed, still produces this error if red box is on.

How often did you encounter it so far?

Whenever Security Hardened with Data protection is on

Affected program

Any

Download link

N/A

Where is the program located?

I tried to install it only inside a sandbox, but I wasn't able to achieve it.

Expected behavior

Create Confidential Encrypted box and under box settings select "Security Hardened Box with Data Protection" red preset.

Mount Encrypted Box with "protect box root" temporarily disabled.

Move Firefox installer into C:\Program Files directory of encrypted confidential box (Sandbox\%Sandbox%\drive\C\Program Files under context outside box)

Run installer via sandbox run prompt, this time with root protection enabled, and invoke the isntaller via it's path C:\Program Files\FirefoxPortable_120.0.1_English.paf.exe

My intention is to install the browser within the sandbox, and block the host from reading or writing in and block the sandbox from reading or writing outside the box.

What is your Windows edition and version?

Windows 10 22H2

In which Windows account you have this problem?

A local account (Administrator).

Please mention any installed security software

Windows Security

What version of Sandboxie are you running?

1.12.3

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

N/A

In which sandbox type you have this problem?

In an encrypted sandbox (black sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

I do have TPM Virtualization-Based Security with Memory Integrity enabled and running on my system, but I tried disabling them both and I still encounter the same problem.

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

#
# Sandboxie configuration file
#

[GlobalSettings]
FileRootPath=X:\Sandbox\%SANDBOX%
TemplateReject=OfficeLicensing
TemplateReject=WindowsLive

[UserSettings_0C02020A]
SbieCtrl_AutoStartAgent=SandMan.exe -autorun
BoxGrouping=:DefaultBox,Firefox

[DefaultBox]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,ttl
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10

[Firefox]
Enabled=y
BlockNetworkFiles=y
BorderColor=#0423ee,ttl,5
Template=SkipHook
Template=FileCopy
Template=BlockPorts
Template=LingerPrograms
Template=BlockTelemetry
ConfigLevel=10
UseFileImage=y
ConfidentialBox=y
UseFileDeleteV2=y
UseRegDeleteV2=y
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
DropAdminRights=y
FakeAdminRights=y
ProtectHostImages=y
DenyHostAccess=audiodg.exe,n
UseSecurityMode=y
ClosePrintSpooler=y

[offhub]

bugfix: 8222b62

This fixes the "The system cannot find the file" error, but this time it gives an "Access is denied" error when root protection is enabled.

create and mount encrypted box with root protection:

UsePrivacyMode=n
UseFileImage=y

from sandboxed cmd:

cd /d "C:\Program Files (x86)\Microsoft\Edge\Application"
copy msedge.exe msedge2.exe
msedge2.exe

Result:
Access is denied.

[DavidXanatos]

wow that one was fun 3 bugs breaking this use case all at once

[Arkadiumx]

wow that one was fun 3 bugs breaking this use case all at once

Will these be fixed in a new version? or a hotfix?

[DavidXanatos]

will be fixed in 1.12.4

[Arkadiumx]

will be fixed in 1.12.4

Few days? Or week+ you think?

[DavidXanatos]

very soon, may be before the end of the weekend

[offhub]

[1.2.5] "The system cannot find the file" problem is back.
[1.2.4] When you install or run some applications from the sandbox folder, these applications sometimes use the sandboxed UNC path, and therefore the applications fail to install or run successfully.

1. Run sandboxed browser
2. Download https://portableapps.com/apps/internet/firefox_portable
3. Run the downloaded file and install it
4. Run FirefoxPortable.exe

[DavidXanatos]

the fix in 1.12.5 is broken when FileRootPath is not set and the default value is used by the driver, setting FileRootPath to the default value fixed the issue, as a workaround

[offhub]

After I added the FileRootPath, I tried it again and this time I get a different error message.

cd /d "C:\Program Files (x86)\Microsoft\Edge\Application"
copy msedge.exe msedge2.exe
msedge2.exe

Result:

via sandboxed cmd: The current directory is invalid.
via sandboxed explorer: The directory name is invalid.

CMD:

1. Open sandboxed CMD
2. type whoami (success)
3. type cd ..
4. type whoami (The current directory is invalid.)

Explorer: (Windows 11 only)

1. Open sandboxed Windows Explorer
2. Go to the C drive and then to Program Files (success)
3. Go back to a subfolder (The path that appears in the address bar changes, but the content section does not change when you go back)

[DavidXanatos]

hmm... strange i cant reproduce these, please try the attached sbiedll.dll
sbiedll.zip

do you still get those errors with it?

[Arkadiumx]

the fix in 1.12.5 is broken when FileRootPath is not set and the default value is used by the driver, setting FileRootPath to the default value fixed the issue, as a workaround

What's the default value of FileRootPath that will make this work? Mine is set to the active box directory.
FileRootPath=X:\Thumbs.db\Sandbox\%SANDBOX%

[DavidXanatos]

any value should work the issue was that when its nto set at all the driver picks a default but the dll reads an empty string from the config.

[Arkadiumx]

any value should work the issue was that when its nto set at all the driver picks a default but the dll reads an empty string from the config.

I left the FileRootPath set to the default it generated when I started the program for the first time, but I'm still getting the same error. I made another demo showing my box and it's settings if you have a minute, I just wanna know if I'm doing something wrong. https://www.youtube.com/watch?v=dDrTotrsJqU

[offhub]

@DavidXanatos Can you try with black + red box

Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#0423ee,ttl,6
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
AutoRecover=y
UseFileDeleteV2=y
UseRegDeleteV2=y
UseSecurityMode=y
UsePrivacyMode=y
UseFileImage=y
ConfidentialBox=y

sbie3475brb01.mp4

[DavidXanatos]

seams UsePrivacyMode=y seams to break it working on it

[offhub]

Does the latest (731a579) CI build include this fix? Because when I tried it with it, I got the same error.

[DavidXanatos]

that one you linked was not complete, this one should work: 8d82b43
please note that you need the new unsigned driver for the fix to work

[offhub]

It's fixed in Windows 11, but I'm still getting the same error in Windows 10.

[DavidXanatos]

It's fixed in Windows 11, but I'm still getting the same error in Windows 10.

this is very strange I was debugging it on windows 10,
could you please check if all the settings are the same between 10 and 11 and if no which one causes teh issue

[offhub]

I tried again after resetting the virtual machine (with 8d82b43) and it works now. However, if you try to run an application located in the sandbox folder from the sandboxed Windows Explorer, you will get an error. (Windows cannot find ...) [Windows 10 and 11]

sandboxed CMD.exe can run applications from sandbox path
sandboxed START.exe can run applications from sandbox path
sandboxed EXPLORER.exe can NOT run applications run from sandbox path

Also, some applications use the sandbox path as the target/image path when running from the sandbox. (e.g. Firefox.exe, FirefoxPortable_121.0_English.paf)

[DavidXanatos]

@offhub please test build: 2f60095 it shoudl fix explorer and other path issues in combination with box root redirection

[DavidXanatos]

@offhub i would like to release the build soon could you please verify if this fix works for you as well
i could install firefox portable and run it from the box just fine

[Arkadiumx]

I could verify it for you if thats ok with you

[DavidXanatos]

sure just grab the latest CI build, don't forget to enable test signing on your system, and you can test https://github.com/sandboxie-plus/Sandboxie/actions/runs/7298502176

[Arkadiumx]

sure just grab the latest CI build, don't forget to enable test signing on your system, and you can test https://github.com/sandboxie-plus/Sandboxie/actions/runs/7298502176

Confirmed. Thank you for being so attentive with the recent bugs 👍

Just to be sure, is this expected behavior? Still works, just this error each time I click browse. Is it because explorer.exe is trying to access the sandbox when its protected?

[wilders-soccerfan]

Perhaps NormalFilePath=|%Desktop% or NormalFilePath=|%UserProfile%\Desktop in your box will make that message go away.

[offhub]

I haven't had time to test it extensively, but it seems to be fixed.

[Arkadiumx]

Perhaps NormalFilePath=|%Desktop% or NormalFilePath=|%UserProfile%\Desktop in your box will make that message go away.

What does NormalFilePath do?

[DavidXanatos]

1.12.6 is out can we close this

[offhub]

The main problem seems to be solved, but there seems to be a problem caused by the use of OpenFilePath.

[DavidXanatos]

that one is now solved to with the latest CI build so I'll close this