"Privacy Mode" Access Policy Breaks Root #3506

Closed
Arkadiumx opened this issue Dec 19, 2023 · 12 comments
Labels: duplicate (This issue or pull request already exists)

Comments

@Arkadiumx

Arkadiumx commented Dec 19, 2023

Describe what you noticed and did

This is behavior I experienced with my issues related to #3472 and #3475 although I don't know if they're related.

Having Privacy Mode access policy enabled in a black + red box makes the program blind to its own sandboxed directory and anything in it. Cannot run installers or anything.

I've made a video showing me reproducing the behavior and then resolving it by disabling Privacy Mode
https://www.youtube.com/watch?v=U64TxrjP1zY

How often did you encounter it so far?

Every time under the said conditions

Affected program

N/A

Download link

N/A

Where is the program located?

The program is installed only inside a sandbox (NOT in the real system anyway).

Expected behavior

Privacy Mode work pls y u no like black box?

What is your Windows edition and version?

Windows 10 22H2

In which Windows account you have this problem?

A local account (Administrator).

Please mention any installed security software

Windows Security

What version of Sandboxie are you running?

1.12.4

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

1.12.3

In which sandbox type you have this problem?

In an encrypted sandbox (black sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

#
# Sandboxie configuration file
#

[GlobalSettings]
FileRootPath=X:\Thumbs.db\Sandbox\%SANDBOX%
TemplateReject=OfficeLicensing
TemplateReject=WindowsLive
DefaultBox=Firebox
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%

[UserSettings_0C02020A]
SbieCtrl_AutoStartAgent=SandMan.exe -autorun
BoxGrouping=:Firefox

[Firefox]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#0423ee,ttl
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
UsePrivacyMode=y
UseSecurityMode=y
UseFileImage=y
ConfidentialBox=y
UseFileDeleteV2=y
UseRegDeleteV2=y
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ProtectHostImages=y

Arkadiumx added the "Confirmation pending" label (Further confirmation is requested) on Dec 19, 2023

@offhub
Collaborator

offhub commented Dec 19, 2023

Can you try with:
NormalFilePath=*.paf.exe

@Arkadiumx
Author

Arkadiumx commented Dec 19, 2023

Adding this to the ini allows the installer to run, so technically a workaround, but after Firefox Portable is installed, the sandbox still can't see it.

Also worth noting when running the installer, it auto generates the install directory to a path that is outside the sandbox context, as in the installer initially wants to install to X:\Thumbs.db\Sandbox\Firefox\drive\X\FirefoxPortable when it should detect the directory as simply X:\FirefoxPortable. If I'm wrong about this please let me know.
Screenshot (12)

@DavidXanatos
Copy link
Member

UsePrivacyMode=y blocks access to all drives except C unless explicitly opened, so if you want to run an installer from X you need to open it in the ini first
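
A way to check an ini against the rule stated in the comment above, as an added example that is not part of the original thread or of Sandboxie's code: it parses a Sandboxie.ini (keys such as `Template=` repeat, so each key holds a list) and reports, for each box with `UsePrivacyMode=y`, which non-C: paths no opening rule matches. Assumptions: `NormalFilePath` and `OpenFilePath` are treated as the rules that open a path, matching is a simplified case-insensitive glob, and the sample ini and file names are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample, modelled on the Sandboxie.ini posted in this issue.
SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=X:\Thumbs.db\Sandbox\%SANDBOX%

[Firefox]
Enabled=y
Template=BlockPorts
Template=LingerPrograms
UsePrivacyMode=y
NormalFilePath=*.paf.exe

[Plain]
Enabled=y
"""

# Assumption: these two rule types count as "explicitly opened".
OPENING_KEYS = ("NormalFilePath", "OpenFilePath")

def parse_ini(text):
    """Parse Sandboxie.ini; keys repeat (Template=...), so keep a list per key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def uncovered_paths(text, wanted_paths):
    """Per privacy-mode box, return wanted non-C: paths that no opening rule matches."""
    report = {}
    for box, keys in parse_ini(text).items():
        if "y" not in (v.lower() for v in keys.get("UsePrivacyMode", [])):
            continue
        # Drop an optional "program.exe," prefix; simplified glob match, case-insensitive.
        rules = [v.split(",", 1)[-1].lower() for k in OPENING_KEYS for v in keys.get(k, [])]
        report[box] = [p for p in wanted_paths
                       if not p.lower().startswith("c:")
                       and not any(fnmatchcase(p.lower(), r) for r in rules)]
    return report

if __name__ == "__main__":
    wanted = [r"X:\FirefoxPortable_Setup.paf.exe",        # constructed installer name
              r"X:\FirefoxPortable\FirefoxPortable.exe"]  # constructed install path
    print(uncovered_paths(SAMPLE_INI, wanted))
```

With the sample, the `*.paf.exe` rule covers the installer but not the installed executable, so only the latter is reported for the Firefox box.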

DavidXanatos added the "fixed in next build" label (Fixed in the next Sandboxie version) on Dec 21, 2023

@DavidXanatos
Member

EDIT: I see there is also an issue affecting opening non-C paths that will be fixed in the next build as well.

isaak654 added the "Fixed ???" label (Not sure if it was fixed or not) and removed the "fixed in next build" label (Fixed in the next Sandboxie version) on Dec 21, 2023
isaak654 added the "duplicate" label (This issue or pull request already exists) on Dec 21, 2023

@Arkadiumx
Author

Arkadiumx commented Dec 22, 2023

EDIT: I see there is also an issue affecting opening non-C paths that will be fixed in the next build as well.

For me it's also not working if the program is in the C:\Program Files directory either. No matter where it is the box says "the system cannot find the file specified (2)"

I think it's a problem between Privacy Mode access policy and imdisk volume because if Privacy Mode is on for a non-encrypted red box, programs will work fine and same for encrypted box but with Privacy Mode off.
Screenshot (2)
Did you guys make any progress with that test build?

@DavidXanatos
Member

Yes, this particular issue should be fixed with 7954eab.

@Arkadiumx
Author

Will that be out today? Or this weekend?

@DavidXanatos
Member

Not today, probably on the weekend, as other changes need the driver to be signed.

@Arkadiumx
Author

Arkadiumx commented Dec 22, 2023

Would installing Sandboxie and red sandboxes inside a drive with BitLocker encryption also basically function the same as the black box technically? As long as it's locked after closing the program? Is the black box just providing the encryption like BitLocker would?

@DavidXanatos
Member

No, the sbie driver protects the ImDisk-mounted volume from being accessed by non-sandboxed processes. So with BitLocker, while using the box, malware on the host can access the data of the box; in the black box case, even when actively using the box, malware on the host cannot access the data.

@DavidXanatos
Member

Also, I might add, the issue is not with the ImDisk drive per se but with the whole process of redirecting a box root to a device which is not mounted to a drive letter at all.

@Arkadiumx
Author

Arkadiumx commented Dec 22, 2023

So no workaround then. Damn

offhub removed the "Confirmation pending" (Further confirmation is requested) and "Fixed ???" (Not sure if it was fixed or not) labels on Jan 10, 2024