Sandboxie becomes free

Share interesting information or links related to portable apps here.
Message
Author

billon
Posts: 843
Joined: Sat Jun 23, 2012 4:28 pm

Re: Sandboxie becomes free

#17 Post by billon »


User avatar
Midas
Posts: 6705
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Sandboxie becomes free

#18 Post by Midas »


A warning from the author of these builds:

The 'SbieDrv.sys' driver must be signed, and since the appropriate certificates are prohibitively expensive, I head to use a leaked code signing certificate I found laying around the Internets. This means some anti malware applications flag it as potentially dangerous:
https://www.virustotal.com/gui/file/f15 ... /detection

User avatar
Userfriendly
Posts: 430
Joined: Tue Nov 27, 2012 11:41 pm

Re: Sandboxie becomes free

#19 Post by Userfriendly »

Interesting roadmap/ideas/plans for improving Sandboxie from the dev of https://github.com/sandboxie-dev/Sandboxie Its the same as xanasoft, name was just changed to indicate it as a community collaborative project. Previous links redirects to it.
And I have a sort of road map, currently more an unsorted collection of ideas but its a start:

Data protection:
Sandboxie is great to protect the system from malicious modifications but with default configuration it does not protect user data from being accessed and exfiltrated.
Also it dos not protect the users privacy in therms of his user name and or unique hardware information like MAC-addresses or disk serial numbers, etc...

So I would like to make programs inside the sandbox see an empty user account just called user without access to the actual users profile data, ideally when creating a sandbox the user would choose if its a regular sandbox like currently or an anonymous sandbox without personal data.
For hardware information that is a subject for later...

Networking:
Sandboxie allows to restrict network access only through the ini file and iirc not on a per process basis. Of cause one can argue that per process is pointless as the processes inside can criss cross inject dll's so if one exe in it is allowed any other can in the end to.
But here my threat model is more privacy violating applications which don't use malware tactics, i.e. programs with unwanted Telemetry baked in.
Hence I would like to add a better control over the sand boxed application's network connectivity.
Definitely some easily accessible switch for each sandbox determining if the app inside can access the LAN, WAN or neither and not to far from it exception lists per process.

On one hand why not a full blown application firewall but than one can just use a 3rd party application firewall, not sure about the right balance between functionality for those that only have the windows firewall and redundancy for those with more advanced tools.

Application Virtualization:
Sandboxie due to the basic version being restricted to one sandbox at a time, never was much about using multiple sandboxes.
I would like to develop Sandboxie more towards a software packeting tool like the old Altiris SVS was, i.e. you install your software into a set of separated boxes and when you exchange your laptop or re install your Windows because MSFT broke it again, you just copy your box repo onto the new system and continue where you left of on the old one.

One could even think about a network based synchronization feature to use the same set of applications on multiple devices, and I would implement is on a P2P basis such that you don't necessarily need a home server, although one of this QNap or Synology boxes sure might be nice.

Complete UI Rebuild:
No, No, don't worry nothing like this atrocious win 10 modern UI abomination, but something more maintainable and better looking than the current plain C with Win-Forms, something with the esthetics of windows 7 or Classic XP.
If you need an idea what UI paradigms I cherish take a look on my Task Explorer.

Not sure if I will go with C++ and Qt again, or may be I try .NET C#, but there will be a completely new UI with a ton of easily accessible options, no more messing around with ini files.

Better Analysis Infrastructure:
Sandboxie hooks a many API calls, not all of them but a ton, and what output do we get, some Error Messages and a very basic Resource Access Monitor.
I think we can do better, much better in fact, a full verbose log of all the hooked API calls and parameters, imagine ProcMon.exe on steroids, something along the lines of WinAPIOverride. I think that would be extremely useful in resolving compatibility issues.
What we would also need would be the ability to create permissive testboxes i.e. just instrument/hook a process but don't isolate it from the system. With that comparing an applications traces from a sandbox and a testbox on the same system would make finding the calls where something went wrong child's play.

On this note I think a tool that pretty much captures all API calls might be very useful for ReactOS/WINE developers, actually why not set out to add official ReactOS support to sandboxie.

Plugins or Scripting:

Sandboxie implements many hard-coded workarounds for various Applications for example search for "chrome" in the code 133 results...
IMHO we should be able to implement workarounds ideally as scripts or at least as binary plugins, such that whenever something needs fixing its not necessary to rebuild and reinstall the entire project.

Now, booth options would need in principle a complete rework of the SbieDLL. Binary plugins are definitely doable with decent performance, scripting that's a different can of worms.

Limited Driver Support:
And last something to dream about...
When playing around with WINE (which is not an emulator) I noticed that I can there in fact load a driver as long as it does not need hardware access and generally doesn't do to much.
WINE spins up a User Mode process with the necessary API for a windows driver to load and do something. That may be useful for some use cases.
Now I have no idea how much work it would be to back port that to windows and plug it into the Sandboxie infrastructure, but it definitely would be a lot of fun.
Muhahahahahaha...

Specular
Posts: 443
Joined: Sun Feb 16, 2014 10:54 pm

Re: Sandboxie becomes free

#20 Post by Specular »

I'd be interested to know if its open sourcing will be of benefit to malware looking to circumvent its protections, or if that's not a concern due to its existing design or circumvention methods have been figured out in the past. My slight concern being that unless enough good security engineers are involved with subsequently reviewing code and improvements whether any weaknesses will be adequately fixed by whoever remains contributing.

Early days though I guess.

billon
Posts: 843
Joined: Sat Jun 23, 2012 4:28 pm

Re: Sandboxie becomes free

#21 Post by billon »

Userfriendly wrote: Tue Apr 14, 2020 6:49 am Interesting roadmap/ideas/plans
How horrifying :x

Special
Posts: 219
Joined: Wed Aug 14, 2013 7:22 am

Re: Sandboxie becomes free

#22 Post by Special »

You're kidding right? Those all sound great.

What exactly are you "horrified" about?

User avatar
Midas
Posts: 6705
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Sandboxie Plus

#23 Post by Midas »

Seems the open-sourcing of Sandboxie is already bearing results: enter Sandboxie Plus.

Apparently, this is just a continuation of the previously mentioned Xanasoft builds under a more easily recognizable branding -- the Plus stable version is currently v0.6.0 released 2021-01-25.
Sandboxie is a sandbox-based isolation software for 32- and 64-bit Windows NT-based operating systems. It creates a sandbox-like isolated operating environment in which applications can be run or installed without permanently modifying local & mapped drives or the windows registry. An isolated virtual environment allows controlled testing of untrusted programs and web surfing.

Ghacks.net has already reviewed it and highlights differences between versions at:


Image


Sandboxie Classic/Plus releases and changelogs:


User avatar
rbon
Posts: 361
Joined: Wed Mar 28, 2007 2:16 am
Location: Italy

Re: Sandboxie becomes free

#24 Post by rbon »

Topic update.
Sandboxie Plus v0.7.2 released on March 5, 2021.
• GitHub project page: https://github.com/sandboxie-plus/Sandboxie
• GitHub download page: https://github.com/sandboxie-plus/Sandboxie/releases
• direct download Sandboxie Plus - Install/Portable x86: https://github.com/sandboxie-plus/Sandb ... v0.7.2.exe
• direct download Sandboxie Plus - Install/Portable x64: https://github.com/sandboxie-plus/Sandb ... v0.7.2.exe

Changelog:
Added
•added option to alter reported Windows version "OverrideOsBuild=7601" for Windows 7 SP1
• the trace log can now be structured like a tree with processes as root items and threads as branches

Changed
• SandboxieCrypto now always migrates the CatRoot2 files in order to prevent locking of real files
• greatly improved trace log performance
• MSI Server can now run with the "FakeAdminRights=y" and "DropAdminRights=y" options
-- special service allowance for the MSI Server can be disabled with "MsiInstallerExemptions=n"
• changed SCM access check behaviour; non elevated users can now start services with a user token
-- elevation is now only required to start services with a system token
• reworked the trace log mechanism to be more verbose
• reworked RPC mechanism to be more flexible

Fixed
• fixed issues with some installers introduced in 5.48.0
• fixed "add user to sandbox" in the Plus UI
• FIXED SECURITY ISSUE: the HostInjectDll mechanism allowed for local privilege escalation (thanks hg421)
• Classic UI no longer allows to create a sandbox with an invalid or reserved device name
Other details on Sandboxie Plus/Classic on this post: viewtopic.php?f=6&t=25365#p100125
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to build bigger and better idiots. So far, the universe is winning." - Rick Cook.

nathanmark6
Posts: 1
Joined: Tue Mar 30, 2021 2:37 am

Re: Sandboxie becomes free

#25 Post by nathanmark6 »

sandboxie is not even working for me now. Do you guys know any good alternatives?

User avatar
webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Sandboxie becomes free

#26 Post by webfork »

nathanmark6 wrote: Tue Mar 30, 2021 2:44 am sandboxie is not even working for me now. Do you guys know any good alternatives?
I've had a lot of luck with Win10's own built-in Sandbox. It doesn't have anti-virus and it doesn't restrict network access but that's not hard to enable at startup. I've been very pleased that I can run an environment for days and not have it take up a lot of resources.

Post Reply