Releases: sandboxie-plus/Sandboxie
Release v0.9.2 / 5.51.2
This build finalizes the rework started with 0.9.0 and fixes a major issue with chrome on 11th gen intel and 5xxxX amd cpu's
See release 0.9.0 for more details about the new features: https://github.com/sandboxie-plus/Sandboxie/releases/tag/0.9.0a
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
Changelog
[0.9.2 / 5.51.2] - 2021-08-07
Added
- added ability to reconfigure teh driver, allowing to enable/disable WFP and otehr features without a reload/reboot
Fixed
- fixed issue with process start handling introduced in 5.51.0 #1063
- fixed issue with quick recovery introduced in 5.51.0
- fixed incompatybility with CET Hardware-enforced Stack Protection on intel 11th gen and AMD 5xxxX cpu's #1067 #1012
removed
- commented out all windows xp specific support code
Release v0.9.1 / 5.51.1
This build is a Test build, testing the new functionality to use Windows Filtering Platform (WFP) to implement a per sandbox firewall.
This functionality needs to be enabled in the global Sandboxie settings, and the driver needs to be reloaded (or the PC rebooted) for the feature to be activated. Once this is done the firewall rules which can be configured in the network options of each sandbox, will be enforced by the driver.
See release 0.9.0 for more details about this feature: https://github.com/sandboxie-plus/Sandboxie/releases/tag/0.9.0a
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
Changelog
[0.9.1 / 5.51.1] - 2021-07-31
Added
- added tray icon indicating no connection to the driver if it happens
- added option to customize the tray icon
- added "DllSkipHook=some.dll" option to disable installation of hooks into selected DLLs
- added localization support for Plus installer (by yfdyh000 and mpheath) #923
Changed
- reworked NtClose handling for better performance and extendibility
- improved tray box menu and list
Fixed
- fixed issue with fake admin and some NSIS installers #1052
- fixed more issued with FileDispositionInformation behaviour, which resulted in bogus file deletion handling
- fixed issue with checking WFP status
- fixed issue WFP failing to initialize at boot
- fixed issue with tray sandbox options not being available just after boot
- fixed issue access changed flag not being proeprly set in box options #1065
Release v0.9.0a / 5.51.0
This build is a Test build, a BETA RELEASE, testing the new functionality to use Windows Filtering Platform (WFP) to implement a per sandbox firewall.
This functionality needs to be enabled in the global Sandboxie settings, and the driver needs to be reloaded (or the PC rebooted) for the feature to be activated. Once this is done the firewall rules which can be configured in the network options of each sandbox, will be enforced by the driver.
If the WFP support is not enabled the same rules still can be set and are used, but will be applied only by a set of user mode hooks, unlike the WFP implementation they will apply only to outgoing connections and there are no enforcement guarantees as user mode hooks can be bypassed or disabled by a malicious application.
The rational behind implementing this functionality in user and kernel mode (driver) instead of driver only is twofold for once it allows for debugging of the rule processing code as booth modes use the same code to make decisions based on the preset rules. Second the WFP callouts are global i.e. they are triggered for any process on the system whether its sandboxed or not, in the lather case they don't do anything and the use of a hash map to identify sandboxed programs that require action should provide optimal performance. That said users who run a 3rd party firewall which they may prefer may not want to many firewalls being active at once, while still wanting to use some per sandbox network rules for compatibility and not security reasons.
Also please note that with this build the old "BlockPort=..." functionality is completely dropped, the default port block rules are now implemented by the new user mode firewall component, if you have custom BlockPort entries in your sandboxie ini they will need to be updated by hand to the new format, for example "BlockPort=137,138,139,445" -> "NetworkAccess=*,Block;Port=137,138,139,445"
The rules are applied based on a specific decision priority:
- A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs
- A rule with a Port or IP trumps a rule without
2a. A rule with ip and port trums a rule with ip or port only
2b. A rule with one ip trumps a rule with an ip range that is besides that on the same level - Block rules trump allow rules
- A rule without a protocol means all protocols, a rule with a protocol trumps a rule without if its the only difference
The rule editing UI allows for testing rules, in the row below the rule list one can enter program name, port, ip and protocol to see which rules are in play and which rule will be applied in the end.
When configuring per process network access restrictions and WFP is enabled it is possible to choose between a WFP based approach and the old sandboxie way of blocking the network device end points. The later approach is more absolute, but is know for causing some application to crash.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
Changelog
Added
- added support for Windows Filtering Platform (WFP) to be used instead of the device-based network blocking scheme
-- to enable this support, add 'NetworkEnableWFP=y' to the global section and reboot or reload the driver
-- to use WFP for a specified sandbox, add 'AllowNetworkAccess=n' to said box
-- you can exempt certain processes from blocking by using 'AllowNetworkAccess=program.exe,y'
-- you can also enable this policy globally by adding 'AllowNetworkAccess=n' to the global section
-- in this case you can exempt entire boxes by adding 'AllowNetworkAccess=n' to said boxes
-- specifying 'AllowNetworkAccess=program.exe,n' will block the access only for the named process
-- Note: WFP is less absolute than the old approach, using WFP will filter only TCP/UDP communication
-- restricted boxed processes will still be able to resolve domain names using the system service
-- however, they will not be able to send or receive data packets directly
-- the advantages of WFP is that filter rules can be implemented by restricting communication only to specified addresses or selected ports using "NetworkAccess=..." - added fully functional rule-based packet filter in user mode for the case when "NetworkEnableWFP=y" is not set
-- the mechanism replaces the old "BlockPort=..." functionality
-- Note: this filter applies only to outgoing connections/traffic, for incoming traffic either the WFP mode or a third-party firewall is needed
-- like the old user mode based mechanism, malicious applications can bypass it by unhooking certain functions
-- hence it's recommended to use the kernel mode WFP-based mechanism when reliable isolation is required
-- Note: the main reason this mechanism was added in user mode is to allow for easier debugging - added new trace option "NetFwTrace=*" to trace the actions of the firewall components
-- please note that the driver only trace logs the kernel debug output, use DbgView.exe to log - API_QUERY_PROCESS_INFO can now be used to get the impersonation token of a sandboxed thread
-- Note: this capability is used by TaskExplorer to allow inspecting sandbox-internal tokens
-- Note: a process must have administrative privileges to be able to use this API - added a UI option to switch "MsiInstallerExemptions=y" on and off
-- just in case, if a future Windows build breaks something in the systemless mode - added sample code for ObRegisterCallbacks to the driver
- added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" that allow to disable file and registry filtering
-- Note: these options are for testing only and disable core parts of the sandbox isolation - added a few command line options to SandMan.exe
Changed
- greatly improved the performance of the trace log, but it's no longer possible to log to both SandMan and SbieCtrl at the same time
- changed code integrity verification policies
-- code signature validation of user mode components is disabled when Windows is booted in test-signing mode - reworked process creation code to use PsSetCreateProcessNotifyRoutineEx and improved process termination
Fixed
- added missing hook for ConnectEx function
Release v0.8.9 / 5.50.9
This build is a maintenance release, it fixes various minor issues with the 0.8.8 release
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
Changelog
[0.8.9 / 5.50.9] - 2021-07-28 HotFix 2
Fixed
Fixed issue with registering session leader
[0.8.9 / 5.50.9] - 2021-07-28 HotFix 1
Fixed
Fixed issue with windows 7
[0.8.9 / 5.50.9] - 2021-07-27
Changed
- updated a few icons
- updated GitHub build action to use Qt 5.15.2
- improved the "full" tray icon to be more distinguishable from the "empty" one
- changed code integrity verification policies
-- code signature is no longer required to change config, to protect presets use the existing "EditAdminOnly=y"
Fixed
- fixed issue with systemless MSI mode introduced in the last build
- fixed MSI installer not being able to create the action server mechanism on Windows 11
- fixed MSI installer not working in systemless mode on Windows 11
- fixed Inno Setup script not being able to remove shell integration keys during Sandboxie Plus uninstall (by mpheath) #1037
Release v0.8.8 / 5.50.8
This build reworks some internal mechanisms and fixes a lot of bugs as well as some new features.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
Changelog
[0.8.8 / 5.50.8] - 2021-07-13
Changed
- MSIServer no longer requires being run as system; this completes the move to not use system tokens in a sandbox by default
-- the security-enhanced option "MsiInstallerExemptions=n" is now the default behaviour
Fixed
- fixed issue with the "Explore Sandboxed" command #972
- rolled back the switch from using NtQueryKey to NtQueryObject as it seems to break some older Windows 10 versions like 1803 #984
-- this change was introduced to fix #951
-- to use NtQueryObject the option "UseObjectNameForKeys=y" can be added to Sandboxie.ini
[0.8.7b / 5.50.7] - 2021-07-11
Fixed
- fixed issue with boxes that had auto-delete activated introduced in the previous build #986
[0.8.7 / 5.50.7] - 2021-07-10
Added
- added option to always auto-pick the DefaultBox #959
-- when this option is enabled, the normal behaviour with a box selection dialog can be brought up by holding down CTRL - added option to hide a sandbox from the "run in box" dialog
-- useful to avoid listing insecure compatibility test boxes for example - added box options to system tray #439 #272
Changed
- changed default "terminate all boxed processes" key from Ctrl+Pause to Ctrl+Alt+Pause #974
- Start.exe no longer links in unused MFC code, which reduced its file size from over 2.5 MB to below 250 KB
- updated the main SandMan and tray icon #963
- improved the box tree-style view
Fixed
- added additional delay and retries to KmdUtil.exe to mitigate issues when unloading the driver #968
- fixed issue with SbieCtrl not being properly started after setup #969
- fixed issue with "explore sandboxed" shell option #972
- fixed issue when running SandMan elevated #932
- fixed new box selection dialog showing disabled boxes
- fixed issue updating box active status
Removed
- removed Online Armor support as this product is deprecated since 2016
[0.8.6 / 5.50.6] - 2021-07-07
Added
- added LibreWolf template (by Dyras) #929
Fixed
- fixed performance bug introduced in 0.8.5
[0.8.5 / 5.50.5] - 2021-07-06
Added
- added global hotkey to terminate all sandboxed processes (default: Ctrl+Pause)
- the Run Sandboxed dialog can now be handled by the SandMan UI
- added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
-- Note: this allows Chrome and other programs to use the job system for additional isolation - added Librewolf.exe to the list of Firefox derivatives #927
- added run regedit sandboxed menu command
- added new support settings tab to SandMan UI for updates and news
- added code integrity verification to Sbie service and UI
- added template for Vivaldi Notes (by isaak654) #948
Changed
- replaced the Process List used by the driver with a much faster Hash Map implementation
-- Note: this change provides an almost static system call speed of 1.2µs regardless of the running process count
-- The old list, with 100 programs running required 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
-- Note: some of the slowdown was also affecting non-sandboxed applications due to how the driver handles certain callbacks - replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
- replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
-- not yet enabled in production build - the presence of the default box is only checked on connect
- the portable directory dialog now shows the directory #924
- when terminated, boxed processes now first try doing that by terminating the job object
- the driver now can terminate problematic processes by default without the help of the service
- the box delete routine now retries up to 10 times, see #954
- replaced the Process List used by the service with a much faster Hash Map implementation
- replaced the per-process Thread List used by the service with a much faster Hash Map implementation
Fixed
- fixed faulty initialization in SetServiceStatus (by flamencist) #921
- fixed buttons position in Classic UI settings (by isaak654) #914
- fixed missing password length check in the SandMan UI #925
- fixed issues opening job objects by name
- fixed missing permission check when reopening job object handles (thanks Diversenok)
- fixed issue with some Chromium 90+ hooks affecting the display of PDFs in derived browsers #930 #817
- fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
- fixed minor setting issue #957
- fixed minor UI issue with resource access COM settings #958
- fixed an issue with NtQueryKey using NtQueryObject instead #951
- fixed crash in key.c when failing to resolve key paths
- added workaround for topmost modality issue #873
-- the notification window is not only topmost for 5 seconds - fixed an issue deleting directories introduced in 5.49.5
- fixed an issue when creating box copies
Removed
- removed switch for "BlockPassword=n" as it does not seem to be working #938
-- it's recommended to use "OpenSamEndpoint=y" to allow password changes in Windows 10
Release v0.8.7b / 5.50.7
This build reworks some internal mechanisms and fixes a lot of bugs as well as some new features.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
Changelog
[0.8.7b / 5.50.7] - 2021-07-11 (Hot-Fix 2)
Fixed
- fixed issue with boxes that had auto-delete activated introduced in the previous build #986
[0.8.7 / 5.50.7] - 2021-07-10
Added
- added option to always auto-pick the DefaultBox #959
-- when this option is enabled, the normal behaviour with a box selection dialog can be brought up by holding down CTRL - added option to hide a sandbox from the "run in box" dialog
-- useful to avoid listing insecure compatibility test boxes for example - added box options to system tray #439 #272
Changed
- changed default "terminate all boxed processes" key from Ctrl+Pause to Ctrl+Alt+Pause #974
- Start.exe no longer links in unused MFC code, which reduced its file size from over 2.5 MB to below 250 KB
- updated the main SandMan and tray icon #963
- improved the box tree-style view
Fixed
- added additional delay and retries to KmdUtil.exe to mitigate issues when unloading the driver #968
- fixed issue with SbieCtrl not being properly started after setup #969
- fixed issue with "explore sandboxed" shell option #972
- fixed issue when running SandMan elevated #932
- fixed new box selection dialog showing disabled boxes
- fixed issue updating box active status
Removed
- removed Online Armor support as this product is deprecated since 2016
[0.8.6 / 5.50.6] - 2021-07-07 (Hot-Fix 1)
Added
- added LibreWolf template (by Dyras) #929
Fixed
- fixed performance bug introduced in 0.8.5
[0.8.5 / 5.50.5] - 2021-07-06 (Pre-Release)
Added
- added global hotkey to terminate all sandboxed processes (default: Ctrl+Pause)
- the Run Sandboxed dialog can now be handled by the SandMan UI
- added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
-- Note: this allows Chrome and other programs to use the job system for additional isolation - added Librewolf.exe to the list of Firefox derivatives #927
- added run regedit sandboxed menu command
- added new support settings tab to SandMan UI for updates and news
- added code integrity verification to Sbie service and UI
- added template for Vivaldi Notes (by isaak654) #948
Changed
- replaced the Process List used by the driver with a much faster Hash Map implementation
-- Note: this change provides an almost static system call speed of 1.2µs regardless of the running process count
-- The old list, with 100 programs running required 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
-- Note: some of the slowdown was also affecting non-sandboxed applications due to how the driver handles certain callbacks - replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
- replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
-- not yet enabled in production build - the presence of the default box is only checked on connect
- the portable directory dialog now shows the directory #924
- when terminated, boxed processes now first try doing that by terminating the job object
- the driver now can terminate problematic processes by default without the help of the service
- the box delete routine now retries up to 10 times, see #954
- replaced the Process List used by the service with a much faster Hash Map implementation
- replaced the per-process Thread List used by the service with a much faster Hash Map implementation
Fixed
- fixed faulty initialization in SetServiceStatus (by flamencist) #921
- fixed buttons position in Classic UI settings (by isaak654) #914
- fixed missing password length check in the SandMan UI #925
- fixed issues opening job objects by name
- fixed missing permission check when reopening job object handles (thanks Diversenok)
- fixed issue with some Chromium 90+ hooks affecting the display of PDFs in derived browsers #930 #817
- fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
- fixed minor setting issue #957
- fixed minor UI issue with resource access COM settings #958
- fixed an issue with NtQueryKey using NtQueryObject instead #951
- fixed crash in key.c when failing to resolve key paths
- added workaround for topmost modality issue #873
-- the notification window is not only topmost for 5 seconds - fixed an issue deleting directories introduced in 5.49.5
- fixed an issue when creating box copies
Removed
- removed switch for "BlockPassword=n" as it does not seem to be working #938
-- it's recommended to use "OpenSamEndpoint=y" to allow password changes in Windows 10
Release v0.8.7 / 5.50.7
This build reworks some internal mechanisms and fixes a lot of bugs as well as some new features.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
Changelog
[0.8.7 / 5.50.7] - 2021-07-10
Added
- added option to always auto pick the DefautlBox sandbox #959
-- when this option is enabled the normal behavioure with a box selection dialog can be achived holding down CTRL - added option to hide boxed form the run in box dialog
-- usefull to avoidl listing for example insecure compatybility test boxes - added box options to sys tray #439 #272
Changed
- changed default terminate all boxed processes key from Ctrl+Break to Ctrl+Alt+Break #974
- start.exe does no longer link in all that unused MFC code reduced file size form over 2.5MB to below 250KB
- updated the main sandman and tray icon #963
- improved the bov view tree style
Fixed
- added additional delay and retryes to kmdutill.exe to mitigate issues when unloading the driver #968
- fixed issue with sbiectrl not being properly started after setup #969
- fixed issue with explore sandboxed shell option #972
- fixed issue when running sandman elevated #932
- fixed new box selection dialog showing disabled boxes
- fixed issue updating box active status
Removed
- removed Online Armor support as this product is deprecated since 2016
[0.8.6 / 5.50.6] - 2021-07-07 (Hot-Fix)
Added
- added LibreWolf template (by Dyras) #929
Fixed
- fixed performance bug introduced in 0.8.5
[0.8.5 / 5.50.5] - 2021-07-06 (Pre-Release)
Added
- added global hotkey to terminate all boxed processes (by default Ctrl+Break)
- the Run Sandboxed dialog can now be handled by the Sandman UI.
- added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
-- note: this allows Chrome and other programs to use the job system for additional isolation - added librewolf.exe to the list of Firefox derivatives #927
- added run regedit sandboxed menu command
- added new support settings tab to Sandman UI for updates and stuff
- added code integrity verification to Sbie service and UI
- added template for Vivaldi Notes (by isaak654) #948
- added LibreWolf template (by Dyras) #929
Changed
- Replaced the Process List used by the driver with a much faster Hash Map implementation
-- Note: this change provides an almost static system call speed of 1.2us irregardless of the running process count
-- The old list, with 100 programs running required: 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
-- Note: some of the slowdown was affecting also non sandboxed applications due to how the driver handles certain callbacks - Replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
- Replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
-- not yet enabled in production build - the presence of default box is only checked on connect
- the portable dir dialog now shows the directory #924
- when terminated boxed processes now we first try doing that by terminating the job object
- the driver now by default can terminate problematic processes without the help of the service
- box delete routine now retries up to 10 times to fix #954
- Replaced the Process List used by the service with a much faster Hash Map implementation
- Replaced the per-process Thread List used by the service with a much faster Hash Map implementation
Fixed
- fixed faulty initialization in SetServiceStatus (by flamencist) #921
- fixed buttons position in Classic UI settings (by isaak654) #914
- fixed missing password length check in the Sandman UI #925
- fixed issues opening job objects by name
- fixed missing permission check when reopening job object handles (thanks Diversenok)
- fixed issue with some Chromium 90+ hooks affecting PDF plugin in derived browsers #930 #817
- fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
- fixed minor setting issue #957
- fixed minor UI issue with resource access COM settings #958
- fixed an issue with NtQueryKey using NtQueryObject instead #951
- fixed crash in key.c when failing to resolve key paths
- added workaround for topmost modality issue #873
-- the notification window is not only topmost for 5 seconds - fixed an issue deleting directories introduced in 5.49.5
- fixed an issue when creating box copies
Removed
- removed switch for "BlockPassword=n" as it does not seem to be working #938
-- it's recommended to use "OpenSamEndpoint=y" to allow for password change in windows 10
Release v0.8.6 / 5.50.6
This build reworks some internal mechanisms and fixes a lot of bugs as well as some new features.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
Changelog
Added
- added global hotkey to terminate all boxed processes (by default Ctrl+Break)
- the Run Sandboxed dialog can now be handled by the Sandman UI.
- added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
-- note: this allows Chrome and other programs to use the job system for additional isolation - added librewolf.exe to the list of Firefox derivatives #927
- added run regedit sandboxed menu command
- added new support settings tab to Sandman UI for updates and stuff
- added code integrity verification to Sbie service and UI
- added template for Vivaldi Notes (by isaak654) #948
- added LibreWolf template (by Dyras) #929
Changed
- Replaced the Process List used by the driver with a much faster Hash Map implementation
-- Note: this change provides an almost static system call speed of 1.2us irregardless of the running process count
-- The old list, with 100 programs running required: 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
-- Note: some of the slowdown was affecting also non sandboxed applications due to how the driver handles certain callbacks - Replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
- Replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
-- not yet enabled in production build - the presence of default box is only checked on connect
- the portable dir dialog now shows the directory #924
- when terminated boxed processes now we first try doing that by terminating the job object
- the driver now by default can terminate problematic processes without the help of the service
- box delete routine now retries up to 10 times to fix #954
- Replaced the Process List used by the service with a much faster Hash Map implementation
- Replaced the per-process Thread List used by the service with a much faster Hash Map implementation
Fixed
- fixed faulty initialization in SetServiceStatus (by flamencist) #921
- fixed buttons position in Classic UI settings (by isaak654) #914
- fixed missing password length check in the Sandman UI #925
- fixed issues opening job objects by name
- fixed missing permission check when reopening job object handles (thanks Diversenok)
- fixed issue with some Chromium 90+ hooks affecting PDF plugin in derived browsers #930 #817
- fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
- fixed minor setting issue #957
- fixed minor UI issue with resource access COM settings #958
- fixed an issue with NtQueryKey using NtQueryObject instead #951
- fixed crash in key.c when failing to resolve key paths
- added workaround for topmost modality issue #873
-- the notification window is not only topmost for 5 seconds - fixed an issue deleting directories introduced in 5.49.5
- fixed an issue when creating box copies
- fixed performance bug introduced in 0.8.5
Removed
- removed switch for "BlockPassword=n" as it does not seem to be working #938
-- it's recommended to use "OpenSamEndpoint=y" to allow for password change in windows 10
Release v0.8.5 / 5.50.5
This build reworks some internal mechanisms and fixes a lot of bugs as well as some new features.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
Changelog
Added
- added global hotkey to terminate all boxed processes (by default Ctrl+Break)
- the Run Sandboxed dialog can now be handled by the Sandman UI.
- added "AllowBoxedJobs=y" allowing boxed processes to use nested jobs on Windows 8 and later
-- note: this allows Chrome and other programs to use the job system for additional isolation - added librewolf.exe to the list of Firefox derivatives #927
- added run regedit sandboxed menu command
- added new support settings tab to Sandman UI for updates and stuff
- added code integrity verification to Sbie service and UI
- added template for Vivaldi Notes (by isaak654) #948
Changed
- Replaced the Process List used by the driver with a much faster Hash Map implementation
-- Note: this change provides an almost static system call speed of 1.2us irregardless of the running process count
-- The old list, with 100 programs running required: 4.5µs; with 200: 12µs; and with 300: 18µs per syscall
-- Note: some of the slowdown was affecting also non sandboxed applications due to how the driver handles certain callbacks - Replaced the per-process Thread List used by the driver with a much faster Hash Map implementation
- Replaced configuration section list with a hash map to improve configuration performance, and increased line limit to 100000
-- not yet enabled in production build - the presence of default box is only checked on connect
- the portable dir dialog now shows the directory #924
- when terminated boxed processes now we first try doing that by terminating the job object
- the driver now by default can terminate problematic processes without the help of the service
- box delete routine now retries up to 10 times to fix #954
- Replaced the Process List used by the service with a much faster Hash Map implementation
- Replaced the per-process Thread List used by the service with a much faster Hash Map implementation
Fixed
- fixed faulty initialization in SetServiceStatus (by flamencist) #921
- fixed buttons position in Classic UI settings (by isaak654) #914
- fixed missing password length check in the Sandman UI #925
- fixed issues opening job objects by name
- fixed missing permission check when reopening job object handles (thanks Diversenok)
- fixed issue with some Chromium 90+ hooks affecting PDF plugin in derived browsers #930 #817
- fixed issues with reconnecting broken LPC ports used for communication with SbieSvc
- fixed minor setting issue #957
- fixed minor UI issue with resource access COM settings #958
- fixed an issue with NtQueryKey using NtQueryObject instead #951
- fixed crash in key.c when failing to resolve key paths
- added workaround for topmost modality issue #873
-- the notification window is not only topmost for 5 seconds - fixed an issue deleting directories introduced in 5.49.5
- fixed an issue with box copies
Removed
- removed switch for "BlockPassword=n" as it does not seem to be working #938
-- it's recommended to use "OpenSamEndpoint=y" to allow for password change in windows 10
Release v0.8.2 / 5.50.2
This build fixes many issues and brings usability improvements.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
Changelog
Added
- Sandboxie now applies by default "Close...=!,..." directives to non-excluded images if they are located in a sandbox
-- added 'AlwaysCloseForBoxed=n' to disable this behaviour as it may not be always desired, and it doesn't provide extra security - added process image information to Sandman UI
- localized template categories in the Plus UI
- added "DisableResourceMonitor=y" to disable resource access monitor for selected boxes
- added option to show trace entries only for the selected sandbox
- added "UseVolumeSerialNumbers=y" that allows drive letters to be suffixed with the volume SN in the \drive\ sandbox location
-- it helps to avoid files mixed together on multiple pendrives using the same letter
-- note: this option is not compatible with the recovery function of the Classic UI, only SandMan UI is fully compatible
Changed
- portable cleanup message now has y/n/c options
- consolidated Proc_CreateProcessInternalW and Proc_CreateProcessInternalW_RS5 to remove duplicate code
- the ElevateCreateProcess fix, as sometimes applied by the Program Compatibility Assistant, will no longer be emulated by default
-- use 'ApplyElevateCreateProcessFix=y' or 'ApplyElevateCreateProcessFix=program.exe,y' to enable it - trace log gets disabled only when it has no entries and the logging is stopped
Fixed
- fixed APC issue with the new global hook emulation mechanism and WoW64 processes
- fixed IPv6 issues with BlockPort options
- fixed an issue with CheatEngine when "OpenWinClass=*" was specified
- fixed memory corruption in SbieDrv
- fixed crash issue with process elevation on CreateProcess calls
- fixed process elevation when running in the built-in administrator account
- fixed template preview resetting unsaved entries in box options window
- fixed an issue with driver verifier and user handles
- fixed driver memory leak of FLT_FILE_NAME_INFORMATION objects
- fixed broken clipboard introduced in 5.50.0
- fixed dcom launch issue on windows 7 32 bit introduced in 5.50.0
- properly fixed an issue with Driver Verifier and user handles
- fixed an issue with CreateWindow function introduced with 0.8.0
- fixed issue with outdated BoxDisplayOrder entries being retained