Release v0.9.3 / 5.51.3

[DavidXanatos]

This build adds a new functionality to use Windows Filtering Platform (WFP) to implement a per sandbox firewall.
This functionality needs to be enabled in the global Sandboxie settings, and the driver needs to be reloaded (or the PC rebooted) for the feature to be activated. Once this is done the firewall rules which can be configured in the network options of each sandbox, will be enforced by the driver.
If the WFP support is not enabled the same rules still can be set and are used, but will be applied only by a set of user mode hooks, unlike the WFP implementation they will apply only to outgoing connections and there are no enforcement guarantees as user mode hooks can be bypassed or disabled by a malicious application.

The rational behind implementing this functionality in user and kernel mode (driver) instead of driver only is twofold for once it allows for debugging of the rule processing code as booth modes use the same code to make decisions based on the preset rules. Second the WFP callouts are global i.e. they are triggered for any process on the system whether its sandboxed or not, in the lather case they don't do anything and the use of a hash map to identify sandboxed programs that require action should provide optimal performance. That said users who run a 3rd party firewall which they may prefer may not want to many firewalls being active at once, while still wanting to use some per sandbox network rules for compatibility and not security reasons.

Also please note that with this build the old "BlockPort=..." functionality is completely dropped, the default port block rules are now implemented by the new user mode firewall component, if you have custom BlockPort entries in your sandboxie ini they will need to be updated by hand to the new format, for example "BlockPort=137,138,139,445" -> "NetworkAccess=*,Block;Port=137,138,139,445"

The rules are applied based on a specific decision priority:

1. A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs
2. A rule with a Port or IP trumps a rule without
   2a. A rule with ip and port trums a rule with ip or port only
   2b. A rule with one ip trumps a rule with an ip range that is besides that on the same level
3. Block rules trump allow rules
4. A rule without a protocol means all protocols, a rule with a protocol trumps a rule without if its the only difference

The rule editing UI allows for testing rules, in the row below the rule list one can enter program name, port, ip and protocol to see which rules are in play and which rule will be applied in the end.

When configuring per process network access restrictions and WFP is enabled it is possible to choose between a WFP based approach and the old sandboxie way of blocking the network device end points. The later approach is more absolute, but is know for causing some application to crash.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

Changelog

[0.9.3 / 5.51.3] - 2021-08-08

added

• ability to use the "run unsandboxed" option with Sandboxie links #614

Fixed

• fixed "run outside sandbox" issue on Classic build #614
• fixed open template does not load the edit tab #1054
• fixed issue with "explore sandboxed" #972
• fixed start directory for sandboxed processes #1071
• fixed issue with language auto-detection #1018
• fixed issue with multiple files with the same name, by always showing the extension #1041
• fixed multiple program grouping issues with the SandMan UI #1054
• fixed "no disk" error #966
• fixed issue with 32bit build using qMake, the -O2 option resulted in a crash in the QSbieAPI.dll #995
• fixed issue with UserSettings introduced in a recent build #1054

[0.9.2 / 5.51.2] - 2021-08-07

Added

• added ability to reconfigure the driver, which allows enabling/disabling WFP and other features without a reload/reboot

Changed

• reorganized and improved the settings window
• improved the tray icon a bit, the sand is now more yellow

Fixed

• fixed issue with process start handling introduced in 5.51.0 #1063
• fixed issue with quick recovery introduced in 5.51.0
• fixed incompatibility with CET Hardware-enforced Stack Protection on Intel 11th gen and AMD Ryzen 5XXX CPUs #1067 #1012

removed

• commented out all Windows XP-specific support code from the driver

[0.9.1 / 5.51.1] - 2021-07-31

Added

• added tray icon indicating broken connection to the driver if it happens
• added option to customize the tray icon
• added "DllSkipHook=some.dll" option to disable installation of hooks into selected DLLs
• added localization support for Plus installer (by yfdyh000 and mpheath) #923

Changed

• reworked NtClose handling for better performance and extendibility
• improved tray box menu and list

Fixed

• fixed issue with fake admin and some NSIS installers #1052
• fixed more issued with FileDispositionInformation behaviour, which resulted in bogus file deletion handling
• fixed issue with checking WFP status
• fixed issue WFP failing to initialize at boot
• fixed issue with tray sandbox options not being available just after boot
• fixed issue access changed flag not being properly set in box options #1065

[0.9.0 / 5.51.0] - 2021-07-29

Added

• added support for Windows Filtering Platform (WFP) to be used instead of the device-based network blocking scheme
  -- to enable this support, add 'NetworkEnableWFP=y' to the global section and reboot or reload the driver
  -- to use WFP for a specific sandbox, add 'AllowNetworkAccess=n'
  -- you can allow certain processes by using 'AllowNetworkAccess=program.exe,y'
  -- you can also enable this policy globally by adding 'AllowNetworkAccess=n' to the global section
  -- in this case you can exempt entire sandboxes by adding 'AllowNetworkAccess=y' to specific boxes
  -- you can block certain processes by using 'AllowNetworkAccess=program.exe,n'
  -- Note: WFP is less absolute than the old approach, using WFP will filter only TCP/UDP communication
  -- restricted boxed processes will still be able to resolve domain names using the system service
  -- however, they will not be able to send or receive data packets directly
  -- the advantages of WFP is that filter rules can be implemented by restricting communication only to specified addresses or selected ports using "NetworkAccess=..."
• added fully functional rule-based packet filter in user mode for the case when "NetworkEnableWFP=y" is not set
  -- the mechanism replaces the old "BlockPort=..." functionality
  -- Note: this filter applies only to outgoing connections/traffic, for incoming traffic either the WFP mode or a third-party firewall is needed
  -- like the old user mode based mechanism, malicious applications can bypass it by unhooking certain functions
  -- hence it's recommended to use the kernel mode WFP-based mechanism when reliable isolation is required
• added new trace option "NetFwTrace=*" to trace the actions of the firewall components
  -- please note that the driver only trace logs the kernel debug output, use DbgView.exe to log
• API_QUERY_PROCESS_INFO can now be used to get the impersonation token of a sandboxed thread
  -- Note: this capability is used by TaskExplorer to allow inspecting sandbox-internal tokens
  -- Note: a process must have administrative privileges to be able to use this API
• added a UI option to switch "MsiInstallerExemptions=y" on and off
  -- just in case a future Windows build breaks something in the systemless mode
• added sample code for ObRegisterCallbacks to the driver
• added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" that allow to disable file and registry filtering
  -- Note: these options are for testing only and disable core parts of the sandbox isolation
• added a few command line options to SandMan.exe

Changed

• greatly improved the performance of the trace log, but it's no longer possible to log to both SandMan and SbieCtrl at the same time
• reworked process creation code to use PsSetCreateProcessNotifyRoutineEx and improved process termination

Fixed

• added missing hook for ConnectEx function

---

This discussion was created from the release Release v0.9.3 / 5.51.3.

[reraikes]

Besides not running as Administrator on Windows 8.1 (I don't have another account), how do I get rid of the "Administrator Mode Detected" dialog box that pops up every time Edge is run starting with v0.9.3 / 5.51.3? Checking "Don't show me this message again" doesn't help -- it still comes up every time Edge is started. This does not occur with Sandboxie-Classic-x64-v5.50.9.exe and prior versions.

Thanks!

[DavidXanatos]

did you enabled fake admin mode in the settings?

[isaak654]

New issue opened here for better tracking purpose: #1097

[reraikes]

The only thing I did was run Sandboxie-Classic-x64-v5.51.3.exe to upgrade from Sandboxie-Classic-x64-v5.50.9.exe.

I've been a Sandboxie user for many many years, but I don't set up additional sandboxes or use special settings. It's a very simple installation.

I've gone back to v5.50.9 and the problem goes away.

[isaak654]

New issue opened here for better tracking purpose: #1097

[benrg]

the old "BlockPort=..." functionality is completely dropped [...] if you have custom BlockPort entries in your sandboxie ini they will need to be updated by hand to the new format, for example "BlockPort=137,138,139,445" -> "NetworkAccess=*,Block;Port=137,138,139,445"

BlockPort is still documented as working at https://sandboxie-plus.com/sandboxie/blockport/, while I can't find documentation for NetworkAccess. How do you translate rules of the form BlockPort=*,1234?

Does simply translating BlockPort rules to NetworkAccess rules makes them less secure unless you enable the global setting, or was BlockPort never secure?

Is there a warning or error if BlockPort rules are still present, so that the sandboxes of people who don't read the release notes don't silently become leaky?

Template_BlockPorts in Sandboxie/install/Templates.ini still uses BlockPort, and both Sandboxie/apps/control/AppPage.cpp and SandboxiePlus/QSbieAPI/Sandboxie/SandBox.cpp seem to still add it to new sandboxes. (fixed on v0.9.6 / 5.51.6)