github sandboxie-plus/Sandboxie v1.3.0
Release v1.3.0 / 5.58.0

Pre-release, 2 years ago


This build adds two new isolation mechanisms to increase the security of hardened boxes. Boxes previously designated hardened will therefore be downgraded in the UI to normal, and the hardened icons will be used for the new box type.
The first isolation mechanism, "SysCallLockDown=y", limits the ntdll syscalls that are executed with the original process token to a list of known approved syscalls.
The second isolation mechanism, "RestrictDevices=y", leverages rule specificity to limit the accessible driver/device endpoints to a list of known required endpoints plus whatever the user opens using the resource access rules.

Please note that the installers for this test build are not signed.

You can support the project through donations, any help will be greatly appreciated.

Known Issues

  • ApproveWinNtSysCall=OpenKeyEx is missing; add it to the [GlobalSettings] section of your sandboxie.ini and reload the driver to fix issues with the hardened box type. Additional syscalls to approve:
    ApproveWinNtSysCall=SetInformationFile
    ApproveWinNtSysCall=CreatePrivateNamespace
    ApproveWinNtSysCall=AlpcCreateSecurityContext
  • Hardened box type is not available on first driver load when no sandboxie.ini was found; reload the driver or reboot to fix
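The [GlobalSettings] workaround above (and the "additional syscalls may need to be allowed" note in the changelog) is easy to get wrong by hand, and sandboxie.ini repeats the same key many times, which Python's configparser rejects or collapses. The following added example (not Sandboxie-Plus project code) scans the file line by line, reports which of the four ApproveWinNtSysCall entries named in this release are missing, and appends them idempotently; it assumes section, key and syscall names are compared case-insensitively and works on already decoded text, so read the file with whatever encoding yours uses.

```python
# Added example (not Sandboxie-Plus project code): check and patch a
# sandboxie.ini for the ApproveWinNtSysCall entries the v1.3.0 notes say the
# hardened box type needs. sandboxie.ini repeats a key many times, which
# configparser rejects or collapses, so the lines are scanned directly.

# Syscalls named in the Known Issues section of the release notes.
REQUIRED_APPROVALS = ["OpenKeyEx", "SetInformationFile",
                      "CreatePrivateNamespace", "AlpcCreateSecurityContext"]

def scan_global_settings(lines):
    """Return (approved syscalls, index just past the [GlobalSettings] body).
    Section and key names are compared case-insensitively (assumption); the
    index is None when the section does not exist."""
    approved, end, in_global = [], None, False
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if in_global:
                break                       # reached the next section header
            in_global = line[1:-1].strip().lower() == "globalsettings"
            if in_global:
                end = i + 1
        elif in_global and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "approvewinntsyscall":
                approved.append(value)
            end = i + 1                     # last content line seen so far
    return approved, end

def missing_approvals(text, required=REQUIRED_APPROVALS):
    """Required syscalls with no ApproveWinNtSysCall line in [GlobalSettings]."""
    approved, _ = scan_global_settings(text.splitlines())
    present = {name.lower() for name in approved}
    return [name for name in required if name.lower() not in present]

def add_missing_approvals(text, required=REQUIRED_APPROVALS):
    """Append the missing ApproveWinNtSysCall lines to [GlobalSettings],
    creating the section if absent. Idempotent: text with nothing missing is
    returned unchanged. The driver must still be reloaded afterwards."""
    missing = missing_approvals(text, required)
    if not missing:
        return text
    lines = text.splitlines()
    _, end = scan_global_settings(lines)
    if end is None:                         # no [GlobalSettings] at all
        lines += ["", "[GlobalSettings]"]
        end = len(lines)
    lines[end:end] = [f"ApproveWinNtSysCall={name}" for name in missing]
    return "\n".join(lines) + "\n"
```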

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Changelog

Added

  • Added hook configuration for ntoskrnl/ntdll
    -- individual ntdll hooks can be disabled using "DisableWinNtHook=..."
  • Added new Super Extra Security Enhanced Box Mode; to enable it, set "UseSecurityMode=y"
    -- when this setting is enabled it combines "SysCallLockDown=y", which limits the use of Nt system calls, with "DropAdminRights=y" and "RestrictDevices=y"
    -- only calls configured in the global section as "ApproveWinNtSysCall=..."/"ApproveWin32SysCall=..." will be executed with the original token
    -- all non-approved Nt syscalls will be executed with the sandboxed token, which may break compatibility in certain scenarios
    -- hence additional syscalls may need to be allowed; this is done in [GlobalSettings] and the driver must be restarted
    -- Note: boxes created as Security Enhanced with prior builds will be displayed in the UI as normal from now on
    -- The Security Enhanced icons are now repurposed for the new Super Extra Security Enhanced Box Mode
    -- Note: the new enhanced security features require a supporter certificate
  • added browse option to the force processes tab

Changed

  • replaced the "DeviceSecurity" template with a dedicated setting "RestrictDevices=y"
    -- Note: when needed, more "NormalPipePath=..." entries can be added to open specific devices
  • rule specificity is now even more specific: an exact rule now overrules ones that end with a wildcard
