Releases: sandboxie-plus/Sandboxie
Release v1.0.16 / 5.55.16
This build fixes a couple of issues, but also introduces a major change in how sandboxie controls access to process memory.
Before this build sandboxie allowed sandboxed programs to read the memory of any unsandboxed program belonging to the current user, this is obviously a bad idea if your goals is not only infection prevention but also data protection. Hence with 1.0.16 onwards sandboxie will not allow for PROCESS_VM_READ on unsandboxed processes or processes belonging to other boxes.
To facilitate compatibility this build introduces a IPC options, with ReadIpcPath=$:program.exe any unboxed process can be configured to allow for PROCESS_VM_READ, it is also possible to restore the old behavior entirely by specifying ReadIpcPath=$:*
By default the only process whos memory can be read is explorer.exe many processes want that and explorer should not keep any secrets normally anyways. To block this you can use ClosedIpcPath=$:explorer.exe
To facilitate optimal process isoaltion the EnableObjectFiltering option is now on by default, although this only applies for new installations, hence its recommend for existing installation to go to settings->advanced and enable it explicitly.
Other changes in this build include a simple resource access monitor mode and a change how process paths are resolved for sandboxed processes, this should fix a couple of issues.
Given that this build changes a couple of core mechanics it is possible that in some special cases this can lead to an incompatibility.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
ChangeLog
Added
- FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, exceptions are possible
-- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes - Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe
Changed
- EnableObjectFiltering is now set enabled by default, and replaces Sbie's old process/thread handle filter
- the
$:
syntax now accepts a wildcard$:*
no more specialized wildcards though
fixed
Release v1.0.15 / 5.55.15
Note: A few SBIE2101 warnings were reported between v1.0.10 and v1.0.15 releases, for more info: #1743
This build fixed a couple of security issues and other bugs.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
ChangeLog
[1.0.15 / 5.55.15] - 2022-03-24
Fixed
- fixed memory corruption introduced in the last build causing Chrome to crash sometimes
- FIXED SECURITY ISSUE: NtCreateSymbolicLinkObject was not filtered (thanks Diversenok)
[1.0.14 / 5.55.14] - 2022-03-23
Added
- added notification to warn that the default update checker is lagging behind the newest release on GitHub, to ensure that only bug-free builds are offered as updates #1682
- added main browsers to BlockSoftwareUpdaters template (by Dyras) #1630
- added a warning when Sandboxie-Plus.ini is not writeable #1681
- added clean-up for critical sections (by chunyou128) #1686
Changed
- improved command line handling for breakout processes #1655
- disabled SBIE2193 notification (by isaak654) #1690
- improved error message 6004 #1719
Fixed
- fixed dark mode issue with the new tray list
- fixed not showing a warning when Sandboxie-Plus.ini is not writeable #1681
- fixed issue with software compatibility checkbox (thanks MitchCapper) #1678
- fixed issue with events on box closure not always being executed #1658
- fixed memory leaks in key_merge.c
- fixed issue enumerating registry keys in privacy mode
- fixed settings issue introduced in 1.0.13 #1684
- fixed crash issue when parsing firewall port options
- FIXED SECURITY ISSUE: in certain cases a sandboxed process could obtain a handle on an unsandboxed thread with write privileges #1714
Release v1.0.14 / 5.55.14
This build fixed a security issue.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
ChangeLog
Added
- added notification to warn that the default update checker is lagging behind the newest release on GitHub, to ensure that only bug-free builds are offered as updates #1682
- added main browsers to BlockSoftwareUpdaters template (by Dyras) #1630
- added a warning when Sandboxie-Plus.ini is not writeable #1681
- added clean-up for critical sections (by chunyou128) #1686
Changed
- improved command line handling for breakout processes #1655
- disabled SBIE2193 notification (by isaak654) #1690
- improved error message 6004 #1719
Fixed
- fixed dark mode issue with the new tray list
- fixed not showing a warning when Sandboxie-Plus.ini is not writeable #1681
- fixed issue with software compatibility checkbox (thanks MitchCapper) #1678
- fixed issue with events on box closure not always being executed #1658
- fixed memory leaks in key_merge.c
- fixed issue enumerating registry keys in privacy mode
- fixed settings issue introduced in 1.0.13 #1684
- fixed crash issue when parsing firewall port options
- FIXED SECURITY ISSUE: in certain cases a sandboxed process could obtain a handle on an unsandboxed thread with write privileges #1714
Release v1.0.13 / 5.55.13
This build fixed a security issue.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
ChangeLog
Fixed
- FIXED SECURITY ISSUE: Hard link creation was not properly filtered (thanks Diversenok)
- fixed issue with checking the certificate entry.
Release v1.0.12 / 5.55.12
This build fixed a lot of various issues.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
ChangeLog
Added
- added mini dump creation to Sandman.exe in case it crashes
Changed
- disabled Chrome and Firefox phishing entries in new sandboxes (by isaak654) #1616
- updated Mozilla paths for the BlockSoftwareUpdaters template (by isaak654) #1623
- renamed "Pause Forced Programs Rules" command to "Pause Forcing Programs" (Plus only)
- reworked tray icon generation now using overlays, added busy overlay
Fixed
- fixed issue with accessing network drives in privacy mode #1617
- fixed issue with ping in compartment mode #1608
- fixed SandMan UI freezing when a lot of processes are created and closed in a box
- fixed Editing existing 'Run Menu' Command Line entry not being recognized #1648
- fixed blue screen issue in driver (thanks Diversenok)
- fixed incompatibility with Windows 11 Insider Build 22563.1 #1654
Release v1.0.11 / 5.55.11
This build fixed a lot of various issues.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
ChangeLog
Added
- added optional tray notification when box content gets auto-deleted
- added FreeDownloadManager template
- added warning when opening unsandboxed regedit #1606
- added languages files that were missing in official Qt 5.15.2 (by DevSplash) #1605
Changed
- the asynchronous box operations introduced in the last build are now disabled by default
- moved sys tray options from general to shell integration tab
- removed "AlwaysUseWin32kHooks", now these win32 hooks are always enabled
-- Note: you can use "UseWin32kHooks=program.exe,n" to disable them for selected programs - updated Listary template to v6 (by isaak654) #1610
Fixed
Release v1.0.10 / 5.55.10
This build fixed a lot of various issues.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
ChangeLog
Added
- added option to show only boxes in tray with running processes #1186
-- additional option shows only pinned boxes, in box options a box can be set to be always shown in tray list (Pinned) - added Options menu command to reset the GUI #1589
- added
Run Un-Sandboxed
context menu option - added new trigger
OnBoxDelete
that allows to specify a command that is run UNBOXED just before the box content gets deleted
-- note: this can be used as a replacement toDeleteCommand
#591 - selected box operations (deletion) no longer show the progress dialog 1061
-- if a box with a running operation shows a blinking hour glass icon, the context menu can be used to cancel the operation
Changed
HideHostProcess=program.exe
can now be used to hide Sandboxie services #1336- updater blocking is now done using a template called BlockSoftwareUpdaters
- enhanced
StartProgram=...
makesStartCommand=...
obsolete
-- for same functionality asStartCommand=...
, useStartProgram=%SbieHome%\Start.exe ...
- merged
Auto Start
General tab with theAuto Exec
Advanced tab into a universalTriggers
Advanced tab
Fixed
- fixed a couple issues with the new breakout process feature and improved security (thanks Diversenok)
- fixed issues with re-opening windows already open #1584
- fixed issue with desktop access #1588
- fixed issue about command line invocation handling #1133
- fixed UI issue with main window state when switching always on top attribute #1169
- fixed issue with box context menu in tray list 1106
- fixed issue with
AutoExec=...
- fixed issues where canceling box deletion operations didn't work 1061
- fixed issue with DPI scalling and color picker dialog #803
Removed
- removed
UseRpcMgmtSetComTimeout=AppXDeploymentClient.dll,y
used for Free Download Manager as it broke other things
-- only if you use Free Download Manager together with the settingRpcMgmtSetComTimeout=n
in a sandbox, you have to add the line manually to your Sandboxie.ini
Release v1.0.9 / 5.55.9
This build fixed a lot of various issues, some of them quite old, as well as a security issue related to some internal COM workarounds.
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
ChangeLog
Added
- SandMan now causes all boxed processes to update their path settings in real time when access options were modified
- added new maintenance menu option "Uninstall All" to quickly remove all components when running in portable mode
- added version number to the title bar of Sandboxie Classic
- added option to return not to a snapshot but to an empty box state while keeping all snapshots
- Sandboxie-Plus.ini can now be placed in C:\ProgramData\Sandboxie-Plus\ folder and takes precedence (for business use)
- added support for AF_UNIX on Windows to resolve issues with OpenJDK17 and later #1009 #1520 #1521
Changed
- reworked breakout mechanism to be service based and not allowing the parent process to access the broken out child process
- enabled creation of directory junctions for sandboxed processes #1375
- restored back AutoRecover=y on box creation #1554
- improved snapshot support #1220
- renamed "Disable Forced Programs" command to "Pause Forced Programs Rules" (Plus only)
Fixed
- fixed BreakoutProcess not working with EnableObjectFiltering=y
- FIXED SECURITY ISSUE: when starting COMSRV unboxed, the returned process handle had full access
- fixed issue with progress dialog #1562
- fixed issue with handling directory junctions in Sandboxie #1396
- fixed a handle leak in File_NtCloseImpl
- fixed border issues on maximized windows introduced in the last build #1561
- fixed a couple of index overruns (thanks 7eRoM) #1571
- fixed issues with sysnative directory #1403
- fixed issue with starting SandMan when running sandboxed from context menu #1579
- fixed dark mode flash issue with main window creation #1231
- fixed issues with snapshot error handling #350
- fixed issues with the always on top option (Plus only)
Release v1.0.8 / 5.55.8
This build fixed many issues, and adds a new functionality: "BreakoutProcess=program.exe" which allows to preset programs to be able to escape a sandbox, hence this is a feature rather for compartmentalization than security. But in the way it is implemented, a breakout process will be captured by another sandbox if it is configured as a forced process for it. So a possibly security related use case would be to have a box dedicated to run your web browser only, where it is forced, and have it configured as a breakout process for all other boxes or globally. In this scenario, no matter what boxed or unboxed application starts a browser, it will always run in the browser box.
This new feature is enabled only for certified project supporters, if I reach 250 patrons it will be made available to all users, please consider supporting the development of Sandboxie-Plus: https://www.patreon.com/DavidXanatos
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
ChangeLog
Added
- added Portuguese of Portugal on Plus UI (by JNylson, isaak654, mpheath) #1497
- added "BreakoutProcess=program.exe", with this option selected applications can be started unboxed from within a box #1500
-- the program image must be located outside the sandbox for this to work
-- if another sandbox has "ForceProcess=program.exe" configured, it will capture the process
-- use case: set up a box with a Web browser forced, when another box opens a website, this will happen in the dedicated browser box
-- Note: "BreakoutFolder=some\path" is also available - added silent uninstall switch
/remove /S
for Classic installer (by sredna) #1532
Changed
- The filename "sandman_pt" was changed to "sandman_pt_BR" (Brazilian Portuguese) #1497
- The filename "sandman_ua" was changed to "sandman_uk" (Ukrainian) #1527
-- Note: Translators are encouraged to follow the Localization notes and tips before creating a new pull request - updated Firefox update blocker (discovered by isaak654) #1545
Fixed
- fixed issue with opening all file access OpenFilePath=* #971
- fixed issue with opening network shares #1529
- fixed possible upgrade issue with Classic installer (by isaak654) 130c43a
- fixed minor issues with Classic installer (by sredna) #1533
- fixed issue with Ldr_FixImagePath_2 #1507
- when using "Run Sandboxed" with SandMan UI and the UI is off, it wil stay off.
- fixed issue with Util_GetProcessPidByName that should resolve the driver sometimes failing to start at boot #1451
- SandMan will now run in background like SbieCtrl when starting a boxed process post506
- fixed taskbar not showing with persistent box border in full screen post474
- fixed box border not spanning across multiple monitors #1512
- fixed issues with border when using DPI scaling #1506
- fixed DPI issues with Qt #1368
- fixed issue with bright flashing on window creation when in dark mode #1231
- fixed issues with the PortableRootDir setting #1509
- fixed issue with the settings window crashing when the driver was not connected
- fixed DPI issues with Finder Tool #912
- fixed another issue with reused process IDs #1547
- fixed issue introduced in 1.0.6 related to SeAccessCheckByType #1548
Release v1.0.7 / 5.55.7
This build fixed various issues with the previous build and adds some new functionality
If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.
You can support the project through donations, any help will be greatly appreciated.
ChangeLog
[1.0.7 / 5.55.7] - 2022-01-06
Added
- added experimental option "CreateToken=y" to create a new token instead of repurposing an existing one
- added option "DisableRTBlacklist=y" allowing to disable the hardcoded runtime class blacklist
- added new template "DeviceSecurity" to lock down access to device drivers on the system
-- Note: This template requires RuleSpecificity being available to work properly - added option to set a custom ini editor in the Plus UI #1475
- added option "LingerLeniency=n" to solve issue #997
Changed
- reworked syscall invocation code in the driver
-- Win32k hooking is now compatible with HVCI #1483
Fixed
- fixed memory leak in driver (conf_user.c)
- fixed issue with file renaming in open paths introduced in 1.0.6
- fixed issue causing Chromium browsers not closing properly #1496
- fixed issue with start.exe #1517 #1516
- fixed SandMan issue with reused process IDs
- fixed KmdUtil sometimes not properly terminating the driver #1493
Removed
- removed OpenToken as it is only a shorthand for UnrestrictedToken=y and UnfilteredToken=y set together