github sandboxie-plus/Sandboxie v1.3.1
Release v1.3.1 / 5.58.1

latest releases: v1.15.1, v1.15.0, v1.14.10...
2 years ago

0 5 5

This build adds 2 new isolation mechanisms to increase security of hardened boxes, hence boxes previously designated hardened will now be downgraded in the UI to normal, and the hardened icons will be used to the new box type.
The first isolation mechanism "SysCallLockDown=y" limits the amount of ntdll syscalls which are executed with the original process token to a list of known approved syscalls
The second isolation mechanism "RestrictDevices=y" leverages rule specificity to limit the accessible driver/device endpoints to a list of known required endpoints plus whatever the user opens using the resource access rules.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Changelog

1.3.1

Added

  • added ability to switch fusion theme independently of the dark theme
  • added ability to download updates from the support page
  • added missing system calls to the hardened box type 88bc06a b775264 04b2377 (thanks Mr.X)
  • added search box to the Plus UI Settings and box option dialogs #2134
  • added Korean translation to the Plus UI #2133 (thanks VenusGirl)
  • added grouping to sandman tray menu #2148

Changed

  • improved info label
  • the look of vintage mode is even more vintage
  • reloading the configuration with the Sandman command "Options -> Reload ini file" now updates the list of approved syscalls
  • made rule specificity more specific, now a rule with less wildcards overrules a rule with more wildcards
    -- Note: tailing wildcards are evaluated separately

Fixed

  • fixed issue with displaying sandbox configuration #2111
  • fixed flashing issue when switching views #2050
  • fixed inconsistencies with various checkboxes in the Plus UI ef4ac1b 06c89e3
  • fixed a certificate validation issue 238cb44
  • fixed issue with "UseRuleSpecificity" setting #2124 file.c#L965-L966

1.3.0

Added

  • Added hook configuration for ntoskrnl/ntdll
    -- individual ntdll hooks can be disabled using "DisableWinNtHook=..."
  • Added new Super Extra Security Enhanced Box Mode to enable set "UseSecurityMode=y"
    -- then this setting is enabled it combines "SysCallLockDown=y" that limits the use of Nt system calls with "DropAdminRights=y" and "RestrictDevices=y"
    -- Only calls configured in the global section as "ApproveWinNtSysCall=..."/"ApproveWin32SysCall=..." wil be executed with the original token
    -- all not aproved Nt sys calls will be executed with the sandboxed token, this may break compatybility in certain scenarios
    -- hence additional syscalls may need to be allowed, this is to be done in the [GlobalSettings] and the driver must be restarted
    -- Note: Boxes created as Security Enhanced with prior builds will be displayed in the UI to normal from now on
    -- The Security Enhanced icons are now repurposed for the new Super Extra Security Enhanced Box Mode
    -- Note: The new enhanced security features require a supporter certificate
  • added browse option to the force processes tab

Changed

  • replaced the "DeviceSecurity" template with a dedicated setting "RestrictDevices=y"
    -- Note: when needed more "NormalPipePath=..." entries can be added to open specific devices
  • rule specificity is now even more specific a exact rule now overrules once that end with a wildcard

Don't miss a new Sandboxie release

NewReleases is sending notifications on new releases.