Releases: sandboxie-plus/Sandboxie

Release v1.0.19 / 5.55.19

21 Apr 20:40
090e000

This build is a maintenance release, fixing various issues.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

  • added drag and drop support for groups #1775
  • added del key support to the box view for all entry types #1779
  • added warning when trying to run explorer.exe in a box with OpenCOM #1716

Fixed

  • fixed crash issue in the sandman ui #1772
  • fixed issue with some installers when EnableObjectFiltering is enabled #1795
  • fixed to allow NtCreateSymbolicLinkObject to be used safely in the sandbox
  • added workaround for a vivaldi hooking issue #1783
    -- Note: it's a very provisional fix, hence it can be disabled with UseVivaldiWorkaround=n
  • fixed registry issue with snapshots #1782
  • fixed issue with box grouping #1778 #1777 #1776
  • fixed more issues with box grouping #1698 #1697
  • fixed issues with snapshot ui #1696 #1695
  • fixed issue with recovery dialog focus #1374

Release v1.0.18 / 5.55.18

13 Apr 16:09
4ae166b

This build fixes a couple of issues, but also introduces a major change in how Sandboxie controls access to process memory.

Before this build, Sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user. This is obviously a bad idea if your goal is not only infection prevention but also data protection. Hence, from 1.0.16 onwards Sandboxie will not allow PROCESS_VM_READ on unsandboxed processes or processes belonging to other boxes.
To facilitate compatibility, this build introduces an IPC option: with ReadIpcPath=$:program.exe, any unboxed process can be configured to allow PROCESS_VM_READ. It is also possible to restore the old behavior entirely by specifying ReadIpcPath=$:*
By default, the only process whose memory can be read is explorer.exe; many processes want that, and explorer should not normally keep any secrets anyway. To block this you can use ClosedIpcPath=$:explorer.exe

To facilitate optimal process isolation, the EnableObjectFiltering option is now on by default, although this only applies to new installations; hence it is recommended for existing installations to go to settings->advanced and enable it explicitly.
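
An added example (not part of the release notes or the Sandboxie project's code): a small Python audit of Sandboxie.ini text for the memory-read settings described above. It assumes EnableObjectFiltering lives in [GlobalSettings], that every section other than [GlobalSettings] and [UserSettings_*] is a box, and that setting names match case-insensitively; the sample configuration and the names BankingBox and helper.exe are constructed.

```python
# Added example: audit Sandboxie.ini text for the memory-read settings above.
from collections import defaultdict

# Constructed sample: an upgraded install (EnableObjectFiltering never set),
# one box restoring the old behaviour and one box with a single exception.
# "BankingBox" and "helper.exe" are hypothetical names.
SAMPLE_INI = """\
[GlobalSettings]

[DefaultBox]
Enabled=y
ReadIpcPath=$:*

[BankingBox]
Enabled=y
ReadIpcPath=$:helper.exe
ClosedIpcPath=$:explorer.exe

[UserSettings_EXAMPLE]
"""

def parse_ini(text):
    """Return {section: {key: [values]}}; settings may repeat, so keep every value."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current]  # register sections that have no settings
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()].append(value.strip())
    return sections

def targets(values):
    """Process patterns from '$:program.exe' style values, lower-cased."""
    return [v.split("$:", 1)[1].strip().lower() for v in values if "$:" in v]

def audit(text):
    """Return (section, finding) tuples for settings that widen memory read access."""
    cfg = parse_ini(text)
    findings = []
    glob = cfg.get("GlobalSettings", {})
    if [v.lower() for v in glob.get("enableobjectfiltering", [])][-1:] != ["y"]:
        findings.append(("GlobalSettings", "EnableObjectFiltering not explicitly set to y"))
    for box, keys in cfg.items():
        # Assumption: every other section is a box definition.
        if box == "GlobalSettings" or box.startswith("UserSettings_"):
            continue
        readable = targets(keys.get("readipcpath", []))
        if "*" in readable:
            findings.append((box, "ReadIpcPath=$:* restores the pre-1.0.16 behaviour"))
        findings += [(box, f"memory of {t} is readable") for t in readable if t != "*"]
        if "explorer.exe" not in targets(keys.get("closedipcpath", [])):
            findings.append((box, "explorer.exe memory readable; ClosedIpcPath=$:explorer.exe blocks it"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_INI), sep="\n")
```

To check a real installation, read Sandboxie.ini with the encoding it is stored in and pass the text to `audit()`.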

Other changes in this build include a simple resource access monitor mode and a change in how process paths are resolved for sandboxed processes; this should fix a couple of issues.

Given that this build changes a couple of core mechanics, it is possible that in some special cases this can lead to an incompatibility.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

[1.0.18 / 5.55.18] - 2022-04-13

Added

  • added minor browsers to BlockSoftwareUpdaters template (by APMichael) #1784

Changed

  • Failed memory read attempts to unboxed processes will no longer cause message 2111 by default
    -- Note: the message can be enabled in the settings if desired with "NotifyProcessAccessDenied=y"
  • reordered BlockSoftwareUpdaters template (by APMichael) #1785

Fixed

  • fixed pipe impersonation in compartment mode
  • fixed issue with box clean-up introduced in a recent build
  • fixed missing trace log cleanup command #1773
  • fixed unpin did not work #1694

[1.0.17 / 5.55.17] - 2022-04-02

Added

  • added checkbox for easy read access to memory of unsandboxed processes (old Sbie behaviour, not recommended)

Changed

  • improved OpenProcess/OpenThread logging

Fixed

  • fixed crash issue with the new monitor mode
  • fixed issue with resource access entry parsing

[1.0.16 / 5.55.16] - 2022-04-01

Added

  • FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, exceptions are possible
    -- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
  • Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe

Changed

  • EnableObjectFiltering is now enabled by default, and replaces Sbie's old process/thread handle filter
  • the $: syntax now accepts a wildcard $:*, no more specialized wildcards though

Fixed

  • fixed NtGetNextProcess being fully disabled instead of properly filtered
  • fixed reworked image name resolution when creating new processes in a sandbox
  • fixed regression with HideOtherBoxes=y #1743 #1666

Release v1.0.17 / 5.55.17

02 Apr 17:34
Pre-release

This build fixes a couple of issues, but also introduces a major change in how Sandboxie controls access to process memory.

Before this build, Sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user. This is obviously a bad idea if your goal is not only infection prevention but also data protection. Hence, from 1.0.16 onwards Sandboxie will not allow PROCESS_VM_READ on unsandboxed processes or processes belonging to other boxes.
To facilitate compatibility, this build introduces an IPC option: with ReadIpcPath=$:program.exe, any unboxed process can be configured to allow PROCESS_VM_READ. It is also possible to restore the old behavior entirely by specifying ReadIpcPath=$:*
By default, the only process whose memory can be read is explorer.exe; many processes want that, and explorer should not normally keep any secrets anyway. To block this you can use ClosedIpcPath=$:explorer.exe

To facilitate optimal process isolation, the EnableObjectFiltering option is now on by default, although this only applies to new installations; hence it is recommended for existing installations to go to settings->advanced and enable it explicitly.

Other changes in this build include a simple resource access monitor mode and a change in how process paths are resolved for sandboxed processes; this should fix a couple of issues.

Given that this build changes a couple of core mechanics, it is possible that in some special cases this can lead to an incompatibility.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

[1.0.17 / 5.55.17] - 2022-04-02

Added

  • added checkbox for easy read access to memory of unsandboxed processes (old Sbie behaviour, not recommended)

Changed

  • improved OpenProcess/OpenThread logging

Fixed

  • fixed crash issue with the new monitor mode
  • fixed issue with resource access entry parsing

[1.0.16 / 5.55.16] - 2022-04-01

Added

  • FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, exceptions are possible
    -- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
  • Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe

Changed

  • EnableObjectFiltering is now enabled by default, and replaces Sbie's old process/thread handle filter
  • the $: syntax now accepts a wildcard $:*, no more specialized wildcards though

Fixed

  • fixed NtGetNextProcess being fully disabled instead of properly filtered
  • fixed reworked image name resolution when creating new processes in a sandbox
  • fixed regression with HideOtherBoxes=y #1743 #1666

Release v1.0.16 / 5.55.16

02 Apr 07:46
Pre-release

This build fixes a couple of issues, but also introduces a major change in how Sandboxie controls access to process memory.

Before this build, Sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user. This is obviously a bad idea if your goal is not only infection prevention but also data protection. Hence, from 1.0.16 onwards Sandboxie will not allow PROCESS_VM_READ on unsandboxed processes or processes belonging to other boxes.
To facilitate compatibility, this build introduces an IPC option: with ReadIpcPath=$:program.exe, any unboxed process can be configured to allow PROCESS_VM_READ. It is also possible to restore the old behavior entirely by specifying ReadIpcPath=$:*
By default, the only process whose memory can be read is explorer.exe; many processes want that, and explorer should not normally keep any secrets anyway. To block this you can use ClosedIpcPath=$:explorer.exe

To facilitate optimal process isolation, the EnableObjectFiltering option is now on by default, although this only applies to new installations; hence it is recommended for existing installations to go to settings->advanced and enable it explicitly.

Other changes in this build include a simple resource access monitor mode and a change in how process paths are resolved for sandboxed processes; this should fix a couple of issues.

Given that this build changes a couple of core mechanics, it is possible that in some special cases this can lead to an incompatibility.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

  • FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, exceptions are possible
    -- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
  • Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe

Changed

  • EnableObjectFiltering is now enabled by default, and replaces Sbie's old process/thread handle filter
  • the $: syntax now accepts a wildcard $:*, no more specialized wildcards though

Fixed

  • fixed NtGetNextProcess being fully disabled instead of properly filtered
  • fixed reworked image name resolution when creating new processes in a sandbox
  • fixed regression with HideOtherBoxes=y #1743 #1666

Release v1.0.15 / 5.55.15

24 Mar 20:26

Note: A few SBIE2101 warnings were reported between v1.0.10 and v1.0.15 releases, for more info: #1743

This build fixed a couple of security issues and other bugs.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

[1.0.15 / 5.55.15] - 2022-03-24

Fixed

  • fixed memory corruption introduced in the last build causing Chrome to crash sometimes
  • FIXED SECURITY ISSUE: NtCreateSymbolicLinkObject was not filtered (thanks Diversenok)

[1.0.14 / 5.55.14] - 2022-03-23

Added

  • added notification to warn that the default update checker is lagging behind the newest release on GitHub, to ensure that only bug-free builds are offered as updates #1682
  • added main browsers to BlockSoftwareUpdaters template (by Dyras) #1630
  • added a warning when Sandboxie-Plus.ini is not writeable #1681
  • added clean-up for critical sections (by chunyou128) #1686

Changed

  • improved command line handling for breakout processes #1655
  • disabled SBIE2193 notification (by isaak654) #1690
  • improved error message 6004 #1719

Fixed

  • fixed dark mode issue with the new tray list
  • fixed not showing a warning when Sandboxie-Plus.ini is not writeable #1681
  • fixed issue with software compatibility checkbox (thanks MitchCapper) #1678
  • fixed issue with events on box closure not always being executed #1658
  • fixed memory leaks in key_merge.c
  • fixed issue enumerating registry keys in privacy mode
  • fixed settings issue introduced in 1.0.13 #1684
  • fixed crash issue when parsing firewall port options
  • FIXED SECURITY ISSUE: in certain cases a sandboxed process could obtain a handle on an unsandboxed thread with write privileges #1714

Release v1.0.14 / 5.55.14

23 Mar 19:00
Pre-release

This build fixed a security issue.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

  • added notification to warn that the default update checker is lagging behind the newest release on GitHub, to ensure that only bug-free builds are offered as updates #1682
  • added main browsers to BlockSoftwareUpdaters template (by Dyras) #1630
  • added a warning when Sandboxie-Plus.ini is not writeable #1681
  • added clean-up for critical sections (by chunyou128) #1686

Changed

  • improved command line handling for breakout processes #1655
  • disabled SBIE2193 notification (by isaak654) #1690
  • improved error message 6004 #1719

Fixed

  • fixed dark mode issue with the new tray list
  • fixed not showing a warning when Sandboxie-Plus.ini is not writeable #1681
  • fixed issue with software compatibility checkbox (thanks MitchCapper) #1678
  • fixed issue with events on box closure not always being executed #1658
  • fixed memory leaks in key_merge.c
  • fixed issue enumerating registry keys in privacy mode
  • fixed settings issue introduced in 1.0.13 #1684
  • fixed crash issue when parsing firewall port options
  • FIXED SECURITY ISSUE: in certain cases a sandboxed process could obtain a handle on an unsandboxed thread with write privileges #1714

Release v1.0.13 / 5.55.13

08 Mar 09:37
ee42c8a

This build fixed a security issue.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Fixed

  • FIXED SECURITY ISSUE: Hard link creation was not properly filtered (thanks Diversenok)
  • fixed issue with checking the certificate entry.

Release v1.0.12 / 5.55.12

04 Mar 09:43

This build fixed a lot of various issues.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

  • added mini dump creation to Sandman.exe in case it crashes

Changed

  • disabled Chrome and Firefox phishing entries in new sandboxes (by isaak654) #1616
  • updated Mozilla paths for the BlockSoftwareUpdaters template (by isaak654) #1623
  • renamed "Pause Forced Programs Rules" command to "Pause Forcing Programs" (Plus only)
  • reworked tray icon generation now using overlays, added busy overlay

Fixed

  • fixed issue with accessing network drives in privacy mode #1617
  • fixed issue with ping in compartment mode #1608
  • fixed SandMan UI freezing when a lot of processes are created and closed in a box
  • fixed Editing existing 'Run Menu' Command Line entry not being recognized #1648
  • fixed blue screen issue in driver (thanks Diversenok)
  • fixed incompatibility with Windows 11 Insider Build 22563.1 #1654

Release v1.0.11 / 5.55.11

13 Feb 20:47
3a4b07f

This build fixed a lot of various issues.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

  • added optional tray notification when box content gets auto-deleted
  • added FreeDownloadManager template
  • added warning when opening unsandboxed regedit #1606
  • added language files that were missing in official Qt 5.15.2 (by DevSplash) #1605

Changed

  • the asynchronous box operations introduced in the last build are now disabled by default
  • moved sys tray options from general to shell integration tab
  • removed "AlwaysUseWin32kHooks", now these win32 hooks are always enabled
    -- Note: you can use "UseWin32kHooks=program.exe,n" to disable them for selected programs
  • updated Listary template to v6 (by isaak654) #1610

Fixed

  • fixed compatibility issue with SECUROM #1597
  • fixed modality issue #1615
  • fixed special form of OpenWinClass in Templates.ini d6d9588

Release v1.0.10 / 5.55.10

06 Feb 16:50

This build fixed a lot of various issues.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

You can support the project through donations, any help will be greatly appreciated.

ChangeLog

Added

  • added option to show only boxes in tray with running processes #1186
    -- additional option shows only pinned boxes, in box options a box can be set to be always shown in tray list (Pinned)
  • added Options menu command to reset the GUI #1589
  • added Run Un-Sandboxed context menu option
  • added new trigger OnBoxDelete that allows to specify a command that is run UNBOXED just before the box content gets deleted
    -- note: this can be used as a replacement to DeleteCommand #591
  • selected box operations (deletion) no longer show the progress dialog 1061
    -- if a box with a running operation shows a blinking hour glass icon, the context menu can be used to cancel the operation

Changed

  • HideHostProcess=program.exe can now be used to hide Sandboxie services #1336
  • updater blocking is now done using a template called BlockSoftwareUpdaters
  • enhanced StartProgram=... makes StartCommand=... obsolete
    -- for same functionality as StartCommand=..., use StartProgram=%SbieHome%\Start.exe ...
  • merged Auto Start General tab with the Auto Exec Advanced tab into a universal Triggers Advanced tab

Fixed

  • fixed a couple issues with the new breakout process feature and improved security (thanks Diversenok)
  • fixed issues with re-opening windows already open #1584
  • fixed issue with desktop access #1588
  • fixed issue about command line invocation handling #1133
  • fixed UI issue with main window state when switching always on top attribute #1169
  • fixed issue with box context menu in tray list 1106
  • fixed issue with AutoExec=...
  • fixed issues where canceling box deletion operations didn't work 1061
  • fixed issue with DPI scaling and color picker dialog #803

Removed

  • removed UseRpcMgmtSetComTimeout=AppXDeploymentClient.dll,y used for Free Download Manager as it broke other things
    -- only if you use Free Download Manager together with the setting RpcMgmtSetComTimeout=n in a sandbox, you have to add the line manually to your Sandboxie.ini