Release v1.0.18 / 5.55.18

@DavidXanatos DavidXanatos released this 13 Apr 16:09
· 4641 commits to master since this release
4ae166b

This build fixes a couple of issues, but also introduces a major change in how Sandboxie controls access to process memory.

Before this build, Sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user. This is obviously a bad idea if your goal is not only infection prevention but also data protection. Hence, from 1.0.16 onwards, Sandboxie will not allow PROCESS_VM_READ on unsandboxed processes or processes belonging to other boxes.
To facilitate compatibility, this build introduces an IPC option: with ReadIpcPath=$:program.exe, any unboxed process can be configured to allow PROCESS_VM_READ. It is also possible to restore the old behavior entirely by specifying ReadIpcPath=$:*
By default, the only process whose memory can be read is explorer.exe; many processes want that, and explorer should not normally keep any secrets anyway. To block this, you can use ClosedIpcPath=$:explorer.exe
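
An added example, not part of the release notes or Sandboxie's own code: a Python check that reads Sandboxie.ini text and reports, per section, which of the memory-read settings described above are present. The sample configuration and its box and program names are constructed, and the optional `program.exe,` value prefix is an assumption.

```python
# Constructed sample configuration; box and program names are made up.
SAMPLE_INI = """\
[DefaultBox]
Enabled=y

[Banking]
Enabled=y
ClosedIpcPath=$:explorer.exe

[Legacy]
Enabled=y
ReadIpcPath=$:*

[DevTools]
Enabled=y
ReadIpcPath=$:devenv.exe
ReadIpcPath=$:KeePass.exe
"""

def audit(text):
    """Map each ini section to the $: memory-read settings found in it."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            # Keys may repeat within a section, so collect them by hand.
            current = sections.setdefault(line[1:-1], {
                "wildcard": False, "readable": [], "explorer_closed": False})
            continue
        key, sep, value = line.partition("=")
        # Assumption: a value may carry a "program.exe," prefix; keep the last part.
        target = value.rpartition(",")[2].strip().lower()
        if current is None or not sep or not target.startswith("$:"):
            continue  # not a process ($:) rule
        image, key = target[2:], key.strip().lower()
        if key == "readipcpath" and image == "*":
            current["wildcard"] = True         # old behaviour restored entirely
        elif key == "readipcpath":
            current["readable"].append(image)  # per-program read exception
        elif key == "closedipcpath" and image == "explorer.exe":
            current["explorer_closed"] = True  # default explorer.exe read blocked
    return sections

if __name__ == "__main__":
    for name, result in audit(SAMPLE_INI).items():
        flag = "REVIEW" if result["wildcard"] or result["readable"] else "ok"
        print(f"{flag:6} [{name}] {result}")
```

The report lists what each section declares; it does not compute precedence between ReadIpcPath and ClosedIpcPath entries, which the release notes do not specify.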

To facilitate optimal process isolation, the EnableObjectFiltering option is now on by default, although this only applies to new installations; hence it is recommended for existing installations to go to settings->advanced and enable it explicitly.

Other changes in this build include a simple resource access monitor mode and a change in how process paths are resolved for sandboxed processes; this should fix a couple of issues.

Given that this build changes a couple of core mechanics it is possible that in some special cases this can lead to an incompatibility.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

[1.0.18 / 5.55.18] - 2022-04-13

Added

  • added minor browsers to BlockSoftwareUpdaters template (by APMichael) #1784

Changed

  • Failed memory read attempts to unboxed processes will no longer cause message 2111 by default
    -- Note: the message can be enabled in the settings if desired with "NotifyProcessAccessDenied=y"
  • reordered BlockSoftwareUpdaters template (by APMichael) #1785

Fixed

  • fixed pipe impersonation in compartment mode
  • fixed issue with box clean-up introduced in a recent build
  • fixed missing trace log cleanup command #1773
  • fixed unpin did not work #1694

[1.0.17 / 5.55.17] - 2022-04-02

Added

  • added checkbox for easy read access to memory of unsandboxed processes (old Sbie behaviour, not recommended)

Changed

  • improved OpenProcess/OpenThread logging

Fixed

  • fixed crash issue with the new monitor mode
  • fixed issue with resource access entry parsing

[1.0.16 / 5.55.16] - 2022-04-01

Added

  • FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, exceptions are possible
    -- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
  • Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe

Changed

  • EnableObjectFiltering is now set enabled by default, and replaces Sbie's old process/thread handle filter
  • the $: syntax now accepts a wildcard $:* no more specialized wildcards though

Fixed

  • fixed NtGetNextProcess being fully disabled instead of properly filtered
  • fixed reworked image name resolution when creating new processes in a sandbox
  • fixed regression with HideOtherBoxes=y #1743 #1666