Skip to content
Pre-release

@DavidXanatos DavidXanatos released this Jan 12, 2021 · 13 commits to master since this release

This build tests some driver changes improving on resource access tracing.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

Changed

  • improved access tracing, removed redundant entries
  • OpenIpcPath=\BaseNamedObjects[CoreUI]-* is now hardcoded in the driver no need for the template entry
  • WindowsFontCache is now open by default
  • refactored some IPC code in the driver

Fixed

  • fixed creation time not always being properly updated in the SandMan UI
Assets 7

@DavidXanatos DavidXanatos released this Jan 12, 2021 · 14 commits to master since this release

Urgent security fixes (thanks @diversenok)

fix

Build 5.46.0 resolves many box isolation issues some of them critical that could allow rogue applications to escape the sandbox. It is highly advised to upgrade quickly to the new builds. For further details please review the change log below.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Hotfix2 (5.46.2) Changelog

Added

  • added "CallTrace=*" to log all system calls to the access log

Changed

  • improved ipc logging code
  • improved MSG_2101 logging

Fixed

  • fixed more issues with ipc tracing
  • fixed SBIE2101 issue with crome and derivatives

Hotfix (5.46.1) Changelog

Added

  • added "RunServiceAsSystem=..." allows specific named services to be ran as system

Changed

  • refactored some code around SCM access

Fixed

  • fixed a crash issue in SbieSvc.exe introduced with the last build
  • fixed issue with sandman ui update check

Removed

  • removed "ProtectRpcSs=y" due to incompatybility with new isolation defaults

Release ( 5.46.0) Changelog

Added

  • Sandboxie now strips particularly problematic privileges from sandboxed system tokens
    -- with those a process could atempt to bypass the sandbox isolation (thanks Diversenok)
    -- old legacy behavior can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
  • added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
    -- those resources are open by default but for a hardened box its desired to close them
  • added print spooler filter to prevent printers from being set up outside the sandbox
    -- the filter can be disabled with "OpenPrintSpooler=y"
  • added overwrite prompt when recovering an already existing file
  • added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
  • added more compatybility templates (thanks isaak654)

Changed

  • Changed Emulated SCM behavior, boxed services are no longer by default started as boxed system
    -- use "RunServicesAsSystem=y" to enable the old legacy behavior
    -- Note: sandboxed services with a system token are still sandboxed and restricted
    -- However not granting them a system token in the first place removes possible exploit vectors
    -- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence!
  • Reworked dynamic IPC port handling
  • Improved Resource Monitor status strings

Fixed

  • fixed a critical issue that allowed to create processes outside the sandbox (thanks Diversenok)
  • fixed issues with dynamic IPC port handling that allowed to bypass IPC isolation
  • fixed issue with ipc tracing
  • fixed CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
    -- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
  • fixed hooking issues SBIE2303 with chrome, edge and possibly others
  • fixed failed check for running processes when performing snapshot operations
  • fixed some box option checkboxes were not properly initialized
  • fixed unavailable options are not properly disabled when sandman is not connected to the driver
  • fixed MSI instalelr issue, not being able to create "C:\Config.Msi" folder on windows 20H2
  • added missing localization to generic list commands
  • fixed issue with "iconcache_*" when runngin sandboxed explorer
  • fixed more issues with groups
Assets 7
Pre-release

@DavidXanatos DavidXanatos released this Jan 8, 2021 · 32 commits to master since this release

Urgent security fixes (thanks @diversenok)

fix

Build 5.46.0 resolves many box isolation issues some of them critical that could allow rogue applications to escape the sandbox. It is highly advised to upgrade quickly to the new builds. For further details please review the change log below.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Hotfix Changelog

Added

  • added "RunServiceAsSystem=..." allows specific named services to be ran as system

Changed

  • refactored some code around SCM access

Fixed

  • fixed a crash issue in SbieSvc.exe introduced with the last build
  • fixed issue with sandman ui update check

Removed

  • removed "ProtectRpcSs=y" due to incompatybility with new isolation defaults

Release Changelog

Added

  • Sandboxie now strips particularly problematic privileges from sandboxed system tokens
    -- with those a process could atempt to bypass the sandbox isolation (thanks Diversenok)
    -- old legacy behavior can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
  • added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
    -- those resources are open by default but for a hardened box its desired to close them
  • added print spooler filter to prevent printers from being set up outside the sandbox
    -- the filter can be disabled with "OpenPrintSpooler=y"
  • added overwrite prompt when recovering an already existing file
  • added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
  • added more compatybility templates (thanks isaak654)

Changed

  • Changed Emulated SCM behavior, boxed services are no longer by default started as boxed system
    -- use "RunServicesAsSystem=y" to enable the old legacy behavior
    -- Note: sandboxed services with a system token are still sandboxed and restricted
    -- However not granting them a system token in the first place removes possible exploit vectors
    -- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence!
  • Reworked dynamic IPC port handling
  • Improved Resource Monitor status strings

Fixed

  • fixed a critical issue that allowed to create processes outside the sandbox (thanks Diversenok)
  • fixed issues with dynamic IPC port handling that allowed to bypass IPC isolation
  • fixed issue with ipc tracing
  • fixed CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
    -- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
  • fixed hooking issues SBIE2303 with chrome, edge and possibly others
  • fixed failed check for running processes when performing snapshot operations
  • fixed some box option checkboxes were not properly initialized
  • fixed unavailable options are not properly disabled when sandman is not connected to the driver
  • fixed MSI instalelr issue, not being able to create "C:\Config.Msi" folder on windows 20H2
  • added missing localization to generic list commands
  • fixed issue with "iconcache_*" when runngin sandboxed explorer
  • fixed more issues with groups
Assets 7
Pre-release

@DavidXanatos DavidXanatos released this Jan 7, 2021 · 35 commits to master since this release

Urgent security fixes (thanks @diversenok)

fix

Build 5.46.0 resolves many box isolation issues some of them critical that could allow rogue applications to escape the sandbox. It is highly advised to upgrade quickly to the new builds. For further details please review the change log below.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

  • Sandboxie now strips particularly problematic privileges from sandboxed system tokens
    -- with those a process could atempt to bypass the sandbox isolation (thanks Diversenok)
    -- old legacy behavior can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
  • added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
    -- those resources are open by default but for a hardened box its desired to close them
  • added print spooler filter to prevent printers from being set up outside the sandbox
    -- the filter can be disabled with "OpenPrintSpooler=y"
  • added overwrite prompt when recovering an already existing file
  • added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
  • added more compatybility templates (thanks isaak654)

Changed

  • Changed Emulated SCM behavior, boxed services are no longer by default started as boxed system
    -- use "RunServicesAsSystem=y" to enable the old legacy behavior
    -- Note: sandboxed services with a system token are still sandboxed and restricted
    -- However not granting them a system token in the first place removes possible exploit vectors
    -- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence!
  • Reworked dynamic IPC port handling
  • Improved Resource Monitor status strings

Fixed

  • fixed a critical issue that allowed to create processes outside the sandbox (thanks Diversenok)
  • fixed issues with dynamic IPC port handling that allowed to bypass IPC isolation
  • fixed issue with ipc tracing
  • fixed CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
    -- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
  • fixed hooking issues SBIE2303 with chrome, edge and possibly others
  • fixed failed check for running processes when performing snapshot operations
  • fixed some box option checkboxes were not properly initialized
  • fixed unavailable options are not properly disabled when sandman is not connected to the driver
  • fixed MSI instalelr issue, not being able to create "C:\Config.Msi" folder on windows 20H2
  • added missing localization to generic list commands
  • fixed issue with "iconcache_*" when runngin sandboxed explorer
  • fixed more issues with groups
Assets 7

@DavidXanatos DavidXanatos released this Jan 2, 2021 · 65 commits to master since this release

This is a maintenance release it brings some small new features and fixes many minor issues.

The plus installer was improved it now provides a extract function and creates the required Sandboxie.ini and Sandboxie-plus.ini for portable operations.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

  • added prompt to choose if links in the sandman ui should be open in a sandboxed or unsandboxed browser
  • added more recovery options, "recovery & ..." and more recver to options
  • added "ClosedClsid=" to block com objects from being used when thay cause compatybility issues
  • added "ClsidTrace=*" option to trace COM usage
  • added "ClosedRT=" option to block access to problematic Windows RT interfaces
  • added option to make a link for any selected process to sandman ui
  • added option to reset all hidden messages
  • added more process presets "Force program" and "allow internet access"
  • added "SpecialImage=chrome,some_electron_app.exe" option to sandboxie.ini, valid image types "chrome", "firefox"
    -- with this option you can enable special hardcoded workarounds to new obscure forks of those browsers
  • added german translation (thanks bastik-1001) to the sandman UI
  • added russian translation (thanks lufog) to the sandman UI
  • added portuguese translation (thanks JNylson ) to the sandman UI
  • added settings for the porteble boxed root folder option
  • added process name to resource log
  • added command line column to the process view in the sandman UI

Changed

  • changed docs and update urls to the new sandboxie-plus.com domain
  • greately improved the innos etup script (thanks mpheath)
  • "OpenClsid=" and "ClosedClsid=" now support specifyed a program or group name
  • by default when started in portable mode the sandbox folder will be located to the parent directory of the sandboxie instance

Fixed

  • grouping menu not fully working in the new sandman ui
  • fixed can't set quick recovery in sandman ui
  • fixed resource leak when loading process icons in sandman ui
  • fixed issue with OpenToken debug options
  • fixed chrome crashing on websites that cause the invocation of "FindAppUriHandlersAsync"
  • fixed issue connecting to the driver when starting in portable mode
  • fixed missing template setup when creating new boxes
  • fixed a few issues wiht group handling
  • fixed issue with GetRawInputDeviceInfo when runnign a 32 bit program on a 64 bis system
  • fixed issue when pressing apply int he "Resource Access" tab the last edited value was not always applyed
  • fixed issue merging entries in resource access monitor

removed

  • removed obsolete "OpenDefaultClsid=n" use "ClosedClsid=" with the aproproate values instead
  • removed suspend/resume menu entry, pooling that state wasts substantial cpu cycles, use task explorer for that functionality
Assets 8
Pre-release
  • v0.5.3a
  • 6fbc34c
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.5.3a
  • 6fbc34c
  • Compare
    Choose a tag to compare
    Search for a tag

@DavidXanatos DavidXanatos released this Dec 29, 2020 · 74 commits to master since this release

This is a maintenance release it brings some small new features and fixes many minor issues.

The plus installer was improved it now provides a extract function and creates the required Sandboxie.ini and Sandboxie-plus.ini for portable operations.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

  • added prompt to choose if links in the sandman ui should be open in a sandboxed or unsandboxed browser
  • added more recovery options, "recovery & ..." and more recver to options
  • added "ClosedClsid=" to block com objects from being used when thay cause compatybility issues
  • added "ClsidTrace=*" option to trace COM usage
  • added "ClosedRT=" option to block access to problematic Windows RT interfaces
  • added option to make a link for any selected process to sandman ui
  • added option to reset all hidden messages
  • added more process presets "Force program" and "allow internet access"
  • added "SpecialImage=chrome,some_electron_app.exe" option to sandboxie.ini, valid image types "chrome", "firefox"
    -- with this option you can enable special hardcoded workarounds to new obscure forks of those browsers
  • added german translation (thanks bastik-1001) to the sandman UI
  • added russian translation (thanks lufog) to the sandman UI
  • added portuguese translation (thanks JNylson ) to the sandman UI

Changed

  • changed docs and update urls to the new sandboxie-plus.com domain
  • greately improved the innos etup script (thanks mpheath)
  • "OpenClsid=" and "ClosedClsid=" now support specifyed a program or group name
  • by default when started in portable mode the sandbox folder will be located to the parent directory of the sandboxie instance

Fixed

  • grouping menu not fully working in the new sandman ui
  • fixed can't set quick recovery in sandman ui
  • fixed resource leak when loading process icons in sandman ui
  • fixed issue with OpenToken debug options
  • fixed chrome crashing on websites that cause the invocation of "FindAppUriHandlersAsync"
  • fixed issue connecting to the driver when starting in portable mode
  • fixed missing template setup when creating new boxes

removed

  • removed obsolete "OpenDefaultClsid=n" use "ClosedClsid=" with the aproproate values instead
  • removed suspend/resume menu entry, pooling that state wasts substantial cpu cycles, use task explorer for that functionality
Assets 7
  • v0.5.2
  • 9769589
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.5.2
  • 9769589
  • Compare
    Choose a tag to compare
    Search for a tag

@DavidXanatos DavidXanatos released this Dec 23, 2020 · 104 commits to master since this release

This is a maintenance release it does not bring any major new features but resolves a myriad of various bugs including a BSOD issue when "Core isolation" was enabled and a major compatibility bug with windows 10 build 2004 and later.
It also brings a few minor +UI Improvements and an entirely new set of Icons.

grafik

For Windows 7 unfortunately the signing process did not returned a working driver, a solution is being worked on.
Therefor, for the time being please download the "Provisional Windows 7 Drivers.zip" package and provide the driver to the setup when prompted for.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Change Log

Added

  • added advanced new box creation dialog to sandman ui
  • added show/hide tray context menu entry
  • added refresh button to file recovery dialog
  • added mechanism to load icons from {install-dir}/Icons/{icon}.png for UI customization
  • added tray indicator to show disabled forced program status in the sandman ui
  • added program name suggestions to box options in sandman ui
  • added saving of column sizes in the options window

Changed

  • reorganized the advanced box options a bit
  • changed icons (thanks Valinwolf for picking the new once)
  • updated Template.ini (thanks isaak654)
  • increates max value for disable forced process time in sandman ui

Fixed

  • fixed BSOD introduced in 5.45.0 when using windows 10 "Core isolation"
  • fixed minor issue with lingering/leader processes
  • fixed menu issue in sandman ui
  • fixed issue with stop behavioure page in sandman ui
  • fixed issue with Plus installer not displaying kmdutil window
  • fixed sandman UI saving ui settings on windows shutdown
  • fixed issue with Plus installer autorun
  • fixed issue with legacy installer not removing all files
  • fixed a driver compatybility issue with windows 20H1 and later
    -- this solves "stop pending", line messager hanging and other issues...
  • fixed quick recovery issue in SbieCtrl.exe introduced in 5.45.0
  • fixed issue advanced hide process settings, not saving
  • fixed some typos in the UI (thanks isaak654)
  • fixed issue with GetRawInputDeviceInfo failing when boxed processes are put in a job object
    -- this fix resolves isses with CP2077 andother PC Games not getting keyboard input (thanks Rostok)
  • fixed failing ClipCursor wont longer span the message log
  • fixed issue with adding recovery folders in sandman ui
  • fixed issue with office 2019 template when using a non default sbie install location
  • fixed issue settign last access atribute on sandboxed folders
  • fixed issue with process start signal
Assets 9

@DavidXanatos DavidXanatos released this Dec 12, 2020 · 139 commits to master since this release

This build resolves many issues with the last plus release, as well as updates many components.
It is now being compiled with Visual Studio 2019 using Qt 5.15.1.
Also the installer has been changed to use Inno Setup 6.

Therefore it is necessary to manually uninstall the previous build and clean install the new release.

For windows 7 users the provisional driver is now distributed separately, during install the setup will prompt to provide the required driver file which is to be downloaded and unpacked manually.

For the classical Sandboxie build please see the previous release: https://github.com/sandboxie-plus/Sandboxie/releases/tag/v0.5.0

Changelog

Added

  • Added simple view mode

Changed

  • Updated SandMan UI to use Qt5.15.1

Fixed

  • fixed crash issue with progress dialog
  • fixed progress dialog cancel button not wokong for update checker
  • fixed issue around NtQueryDirectoryFile when deleting sandbox content
  • fixed dark theme in the notification window
  • fixed issue with disable force pograms tray menu
Assets 5

@DavidXanatos DavidXanatos released this Dec 7, 2020 · 153 commits to master since this release

This build is a major milestone in the development of Sandboxie, it marks the first open source release that has a driver properly signed for windows 10 and 8.
image_2020_11_30T08_59_50_639Z
For windows 7 unfortunately the signing process did not returned a working driver, a solution is being worked on.
Therefor please NOTE that due to this the "for windows 7" installers include the old provisionally signed driver for the time being.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

The new SandMan UI finally reached full feature parity with the old legacy UI, it has a new interactive notification window and brings many new features improving on many aspects of Sandboxie-Plus, the UI has a myriad of usability improvements. The snapshot management has been greatly improved as have been the debug options for tracing and resolving compatibility issues. The process start warning mechanism has been extended to a fully fledged system wide process start blocker, that now accepts executable names as well as folders. And last but not least this build also brings an optional Updater mechaism to keep Sandboxie (Plus and Legacy) up to date.

You can support my work through donations, any help will be greatly appreciated.

Change Log

Added

  • added new notification window
  • added user interactive control mechanism when using the new SandMan UI
    -- when a file exeeds the copy limit instead of failing, the user is prompted if the file should be copied or not
    -- when internet access is blocked it now can be exempted in real time by the user
  • added missing file recovery and auto/quick recovery functionality
  • added silent MSG_1399 boxed process start notification to keep track of short lived boxed processes
  • added ability to prvent system wide process starts, sandboxie can now instead of just alerting also block processed on the alert list
    -- set "StartRunAlertDenied=y" to enable prcess blocking
  • the process start alert/block mechanism can now also handle folders use "AlertFolder=..."
  • added ability to merge snapshots
  • added icons to the sandbox context menu in the new UI
  • added more advanced options to the sandbox options window
  • added file migration progress indicator
  • added more run commands and custom run commands per sandbox
    -- the the box settings users can now speficy programs to be available from the box run menu
    -- also processes can be pinned to that list from the presets menu
  • added more windows 10 specific template presets
  • added ability to create desktop shortcuts to sandboxed items
  • added icons to box option tabs
  • added box grouping
  • added new debug option "DebugTrace=y" to log debug output to the trace log
  • added check for updates to the new SandMan UI
  • added check for updates to the legacy SbieCtrl UI

Changed

  • File migration limit can now be disabled by specifying "CopyLimitKb=-1"
  • improved and refactored mesage logging mechanism, reducing memory usage by factor of 2
  • terminated boxed processes are now kept listed for a coupel of seconds
  • reworked sandbox dletion mechaism ofthe new UI
  • restructured sandbox options window
  • SbieDLL.dll can now be compiled with an up to date ntdll.lib (Thanks to TechLord from Team-IRA for help)
  • improved automated driver self repair

Fixed

  • fixed issues migrating files > 4GB
  • fixed a issue that would allow a maliciosue application to bypass the internet blockade
  • fixed issue when logging messages from a non sandboxed process, added process_id parameter to API_LOG_MESSAGE_ARGS
  • fixed issues with localization
  • fixed issue using file recovery in legacy ui SbieCtrl.exe when "SeparateUserFolders=n" is set
  • when a program is blocked from starting due to restrictions no redundant messages are issues anymore
  • fixed UI not properly displaying async errors
  • fixed issues when a snapshot operation failed
  • fixed some special cases of IpcPath and WinClass in the new UI
  • fixed driver issues with WHQL passing compatybility testing
  • fixed issues with classical installer
Assets 10

@DavidXanatos DavidXanatos released this Nov 16, 2020 · 189 commits to master since this release

This build fixes many bugs and introduces a lot of new debugging facilities.

Important Note:

The SbieDrv.sys driver must be signed, and since the appropriate certificates are prohibitively expensive, I head to use a leaked code signing certificate I found laying around the Internets. This means some anti malware applications wrongfully flag it as potentially dangerous or a virus.

If you want SandboxiePlus to get a proper EV-Code Signing Certificate please support the project through donations. You can donate via paypal at https://xanasoft.com/ or patreon https://www.patreon.com/DavidXanatos

ChangeLog

Added

  • added "Terminate all processes" and "disable forced programs" commands to tray menu in SandMan ui
  • program start restrictions settings now can be switsched between a white list and a black list
    -- programs can be terminated and blacklisted from the context menu
  • added additional process context menu options, lingering and leader process can be now set from menu
  • added option to view template presets for any given box
  • added text filter to template view
  • added new compatybility templates:
    -- Windows 10 core UI component: OpenIpcPath=\BaseNamedObjects[CoreUI]-* solving issues with Chinese Input and Emojis
    -- FireFox Quantum, access to windows FontCachePort for compatybility with windows 7
  • added experimental debug option "OriginalToken=y" which lets sandboxed processes retain their original unrestricted token
    -- This option is comparable with "OpenToken=y" and is intended only for testing and debugging, it BREAKS most SECURITY guarantees (!)
  • added debug option "NoSandboxieDesktop=y" it disables the desktop proxy mechanism
    -- Note: without an unrestricted token with this option applications wont be able to start
  • added debug option "NoSysCallHooks=y" it disables the sys call processing by the driver
    -- Note: without an unrestricted token with this option applications wont be able to start
  • added ability to record verbost access tracess to the resource monitor
    -- use ini options "FileTrace=", "PipeTrace=", "KeyTrace=", "IpcTrace=", "GuiTrace=" to record all events
    -- replace "
    " to log only: "A" - allowed, "D" - denided, or "I" - ignore events
  • added ability to record debug output strings to the resource monitor,
    -- use ini option DebugTrace=y to enable

Changed

  • AppUserModelID sting no longer contains sandboxie version string
  • now by default sbie's application manifest hack is disabled, as it causes problems with version checking on windows 10
    -- to enable old behavioure add "PreferExternalManifest=y" to the global or the box specific ini section
  • the resource log mechanism can now handle multiple strings to reduce on string copy operations

Fixed

  • fixed issue with disabling some restriction settings failed
  • fixed disabling of internet block from the presets menu sometimes failed
  • the software compatybility list in the sandman UI now shows the proper template names
  • fixed use of freed memory in the driver
  • replaced swprintf with snwprintf to prevent potential buffer overflow in SbieDll.dll
  • fixed bad list performance with resource log and api log in SandMan UI
Assets 6
You can’t perform that action at this time.