A few days ago David Xanatos brought his Sandboxie fork to build 0.3/5.42. David informed me about this fact and some changes by mail. The update fixes security gaps in the original sandbox mechanism.
Sandboxie was developed by Sophos for application virtualization and later released as open source (see also Sandboxie is now Open Source and this GitHub project). The company acquired Sandboxie from Invincea, which had previously purchased it from the original author Ronen Tzur. It is a sandbox-based isolation software for 32- and 64-bit Windows NT-based operating systems.
The Fork by David Xanatos
David Xanatos took over the released source code and developed it further as a fork. The project is available on the GitHub sandboxie page. He writes that the MSI installer problems are all fixed now, and the latest release fixes several security holes in the sandbox mechanism. He lists the following fixed issues in the change log.
- API_QUERY_PROCESS_INFO can be now used to get the original process token of sandboxed processes
  - Note: this capability is used by TaskExplorer to allow inspecting sandbox internal tokens
- Added option “KeepTokenIntegrity=y” to make the sbie token keep its initial integrity level (debug option)
  - Note: Do NOT USE Debug Options if you don't know their security implications (!)
- Added process id to log messages, very useful for debugging
- Added finder to resource log
- Added option to hide host processes “HideHostProcess=[name]”
  - Note: Sbie hides by default processes from other boxes, this behaviour can now be controlled with “HideOtherBoxes=n”
- Sandboxed RpcSs and DcomLaunch can now be run as system with the option “ProtectRpcSs=y”, however that breaks sandboxed explorer and other
- BuiltIn Clsid whitelist can now be disabled with “OpenDefaultClsid=n”
- Processes can be now terminated with the del key, and require a confirmation
- Added sandboxed window border display to SandMan.exe
- Added notification for sbie log messages
- Added Sandbox Presets sub menu allowing to quickly change some settings
  - Enable/Disable API logging, logapi_dll’s are now distributed with SbiePlus
  - And other: Drop admin rights; Block/Allow internet access; Block/Allow access to files on the network
- Added more info to the sandbox status column
- Added path column to SbieModel
- Added info tooltips in SbieView
- Reworked ApiLog, added pid and pid filter
- Auto config reload on ini change is now delayed by 500ms to not reload multiple times on incremental changes
- Sandbox names now replace “_” with “ ” for display, allowing to use names that are built of separated words
- added missing PreferExternalManifest initialization to portable mode
- fixed permission issues with sandboxed system processes
  - Note: you can use “ExposeBoxedSystem=y” for the old behaviour (debug option)
- fixed missing SCM access check for sandboxed services
  - Note: to disable the access check use “UnrestrictedSCM=y” (debug option)
- fixed missing initialization in serviceserver that caused sandboxed programs to crash when querying service status
- fixed many bugs that caused the SbieDrv.sys to BSOD when run with MSFT Driver Verifier active
  - 0xF6 in GetThreadTokenOwnerPid and File_Api_Rename
  - missing non optional parameter for FltGetFileNameInformation in File_PreOperation
  - 0xE3 in Key_StoreValue and Key_PreDataInject
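Since the change log marks three of the new settings as debug options, a configuration can be checked for boxes that have them switched on. The following is an added example, not code from the Sandboxie project; it assumes the settings live in an ini file with `[BoxName]` sections, `#` or `;` comment lines and a UTF-16 or UTF-8 encoding, and the sample box names are constructed.

```python
import re

# Options the change log above marks "(debug option)", with the effect it states.
DEBUG_OPTIONS = {
    "keeptokenintegrity": "sbie token keeps its initial integrity level",
    "exposeboxedsystem": "old (pre-fix) permissions for sandboxed system processes",
    "unrestrictedscm": "SCM access check for sandboxed services is disabled",
}
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

def decode_ini(raw: bytes) -> str:
    """Decode ini bytes: honour a UTF-16 BOM, otherwise assume UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def audit_debug_options(ini_text: str):
    """Return (line_no, section, option, effect) for every enabled debug option."""
    findings, section = [], None
    for line_no, line in enumerate(ini_text.splitlines(), start=1):
        line = line.strip()
        if not line or line[0] in "#;":  # assumed comment markers
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        key, sep, value = line.partition("=")
        key_l = key.strip().lower()
        if sep and key_l in DEBUG_OPTIONS and value.strip().lower() == "y":
            findings.append((line_no, section, key.strip(), DEBUG_OPTIONS[key_l]))
    return findings

# Constructed sample configuration (box names are made up for the example).
SAMPLE = """[GlobalSettings]
HideOtherBoxes=n
[DefaultBox]
Enabled=y
KeepTokenIntegrity = Y
# UnrestrictedSCM=y
[TestBox]
unrestrictedscm=y
ExposeBoxedSystem=n
"""

if __name__ == "__main__":
    for line_no, section, option, effect in audit_debug_options(SAMPLE):
        print(f"line {line_no}: [{section}] {option}=y -> {effect}")
```

Matching is case-insensitive on both option name and value, so `KeepTokenIntegrity = Y` is reported while the commented-out line and `ExposeBoxedSystem=n` are not.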
As far as I have seen, Sandboxie and Sandboxie Plus are available as Visual Studio projects in source code and can be compiled with Microsoft’s Visual Studio 15 to get an installer.
A ready to use installer version is available at https://github.com/sandboxie-plus/Sandboxie/releases in the category Releases – Assets – directly below the changelog.
David wrote me: The Sandboxie Plus version with new Qt based UI is available as portable zip. It will get an installer somewhere in the next or next but one build.
What is Sandboxie?
Sandboxie is an application isolation program that allows you to run other software on Windows in a controlled environment. To do this, Sandboxie takes control when the application is installed and isolates all file and registry accesses and redirects them into separate files. Xanatos writes about this:
It creates a sandbox-like isolated operating environment where applications can be run or installed without permanently changing the local or mapped drive. An isolated virtual environment allows controlled testing of untrusted programs and surfing the Internet.
The isolation technology used by Sandboxie separates the programs installed in this way from the underlying operating system. This prevents unwanted changes from being made to personal data, programs and applications that are safely stored on the hard drive. Sandboxie therefore allows software to be tested and later uninstalled from the system without leaving any residue.