HitmanPro.Alert blocking sandboxed browsers

Posted: Thu Nov 23, 2017 4:43 am
by kerflot
I believe this to be more a HitmanPro problem and have written to them.

Their latest version v3-7-1-723 will not allow either Firefox or Opera (both latest versions) to run sandboxed.
If I turn off Exploit Mitigation in Hitman I repeatedly get the error "SBIE2205 Service not implemented: Win32Init.6 (000000AA)".
The browsers will then open with some interference with Add-ons in Firefox but Opera appears to be okay.
Experimenting with Opera, when I navigate I get more lines of the above error.

So until Hitman brings out a fix I have had to "Stop" the HitmanPro.Alert service in Windows Services.

I'm using Windows 7 Pro 32bit.

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Thu Nov 23, 2017 7:19 am
by deugniet
kerflot wrote:
Thu Nov 23, 2017 4:43 am
I believe this to be more a HitmanPro problem and have written to them.

Their latest version v3-7-1-723 will not allow either Firefox or Opera (both latest versions) to run sandboxed.
If I turn off Exploit Mitigation in Hitman I repeatedly get the error "SBIE2205 Service not implemented: Win32Init.6 (000000AA)".
The browsers will then open with some interference with Add-ons in Firefox but Opera appears to be okay.
Experimenting with Opera, when I navigate I get more lines of the above error.

So until Hitman brings out a fix I have had to "Stop" the HitmanPro.Alert service in Windows Services.

I'm using Windows 7 Pro 32bit.
Had a lot of PrivGuard problems with Sandboxie 5.22 and HmP.Alert 723. More info: https://www.wilderssecurity.com/threads ... 1/page-575

Possible solution:
[Attached screenshot: Screenshot-2017-11-23 HitmanPro Alert BETA.png]

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Thu Nov 23, 2017 8:12 am
by deugniet
Or add HitmanPro.Alert:
[Attached image: 1.JPG]

Sandboxie Control > Configure > Software Compatibility

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Thu Nov 23, 2017 8:59 am
by cocoon
I had the same problem with a specific program (not a browser). The workaround for me was to add it to HMPA's exceptions.

EDIT: It also occurred with Firefox after I made the above posting.

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Fri Dec 01, 2017 10:37 pm
by kerflot
Thank you one and all for your input.

The Sandboxie settings were already in place, that's why I did not have an issue before the latest HMPA update.

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Fri Dec 01, 2017 10:40 pm
by kerflot
I eventually received the following "solutions" from HMPA over a few days:

"Change the Action mode to 'Silent audit'. Is everything back to normal now?"
[didn't do a thing]

"Sandboxie is stealing security tokens and applying that the the sandboxed browser, and that is exactly what PrivGuard is supposed to block.
So unfortunately these two don't play nice, if you wish to keep Sandboxie you can disable 'Local Priviledge mitigation' on process protection."

[didn't do a thing - "stealing"? Oh really? Also, their spelling not mine]


And finally after me asking if PrivGuard was not blocking this before the update:

"No, the feature is new, hence the previous version had no protection against this.
But there are more issues with running Alert and Sandboxie, I have informed our developers and they are looking in to it.".


So there you have it. Unfortunately you cannot prevent HMPA from updating itself. You just have to stop using it.
For now I let HMPA start on boot up, check for updates manually (just in case), then go to services.msc and Stop the HitmanPro.Alert service before running a sandboxed browser.

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Tue Dec 05, 2017 5:38 pm
by Barb@Invincea
All,

I downloaded Hitman Pro Alert v3.7.1 build723 + Win 7 x86 + Sbie 5.23.1. I ensured Process Protection ---> Local Privilege Mitigation was enabled (it is by default), and tested launching web browsers in a new Sandbox with default settings. I did not experience any issues launching Firefox or Chrome in the Sandbox.
I went to the Exploit Mitigation settings, and Sandboxie was listed as "Not Protected" under Running applications.

After a reboot, I did get a PrivGuard Alert when I launched Chrome Sandboxed, but no error messages appeared and functionality was not affected.
Can somebody please provide repro steps?

Regards,
Barb.-

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Tue Dec 05, 2017 5:52 pm
by kerflot
I was using Sandboxie 5.22 full version.

After updating to the above Beta version nothing changed.
Even with HMPA uninstalled and reinstalled.

With Exploit Mitigation enabled I noticed that by going to Delete Contents (SB) there is only 1MB of data.
Firefox does not show in Windows Task Manager.
The attached image shows a list of what is sandboxed. There are no "All Files and Folders" but I suppose this is expected.

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Tue Dec 05, 2017 7:23 pm
by kerflot
Barb@Invincea wrote:
Tue Dec 05, 2017 5:38 pm
Can somebody please provide repro steps?
Repro steps not possible.
HMPA updated itself, requested that I reboot.
I did.
Then tried using Firefox and nothing happened.
Which Win7 version are you using, Pro?
Which version of Firefox are you using? I'm using v57.0.1 (FF Quantum).

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Wed Dec 06, 2017 7:32 am
by deugniet
@Barb.

Can't reproduce a mitigation, it occurs sometimes out of the blue. Maybe you could contact Erik or Mark Loman from Sophos/Surfright, they are aware of this issue.

Info of the mitigation can be found via the Windows Event viewer.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 30-11-2017 08:09:56
Gebeurtenis-id:911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation ROP

Platform 10.0.16299/x64 v723 06_5e
PID 8264
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 57

Callee Type LoadLibrary

Stack Trace

# Address Module Location
-- ---------------- ------------------------ ----------------------------------------
1 00007FFE81D6966D KernelBase.dll
2 00007FFE85848508 ntdll.dll
3 00007FFE85830F56 ntdll.dll __C_specific_handler +0x96
4 00007FFE85844C3D ntdll.dll __chkstk +0x11d
5 00007FFE857BD1B8 ntdll.dll
6 00007FFE85843B6E ntdll.dll KiUserExceptionDispatcher +0x2e

7 00007FFE3CD64B9E xul.dll
cc INT 3

8 00007FFE3D10F90A xul.dll
9 00007FFE3D0F8E66 xul.dll
10 00007FFE3CE09EF6 xul.dll

Code Injection
0000000000BC0000-0000000000BC6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2336]
0000000000BD0000-0000000000BD1000 4KB
00007FFE85819000-00007FFE8581A000 4KB
000001DE89C3B000-000001DE89C3C000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [17656]
00007FFE85840000-00007FFE85841000 4KB
00007FFE85842000-00007FFE85843000 4KB
00007FFE8583F000-00007FFE85840000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
2 C:\Windows\System32\services.exe [900]
3 C:\Windows\System32\wininit.exe [788]
wininit.exe
1 C:\Program Files\Mozilla Firefox\firefox.exe [17656]
2 C:\Program Files\Sandboxie\Start.exe [9476]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\****\Desktop\Firefox 57.0.lnk"
3 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
4 C:\Windows\System32\services.exe [900]
5 C:\Windows\System32\wininit.exe [788]
wininit.exe

Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [8264]
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17656.12.1897105222\717771794" -childID 2 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53:400|54:1|55:0|56:0|61:0|62:120|63:120|98:2|99:1|114:5000|124
2 C:\Program Files\Mozilla Firefox\firefox.exe [17656]
3 C:\Program Files\Sandboxie\Start.exe [9476]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\****\Desktop\Firefox 57.0.lnk"
4 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
5 C:\Windows\System32\services.exe [900]
6 C:\Windows\System32\wininit.exe [788]
wininit.exe

Thumbprint
7e016af425dd8125a9190f43f3da3d150b3c68d6cd73d7ad8ebefe5a0f4d5f4b
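
Added example (not part of any post in this thread, and not HitmanPro.Alert or Sandboxie code): a Python parser for the alert layout quoted above that pulls out the mitigation name, the target process and the "Code Injection" regions, then separates injecting images that are expected on a Sandboxie host from ones that are not. The sample alert is constructed, and the `EXPECTED_INJECTORS` allowlist and the function names are assumptions made for illustration.

```python
import re
from ntpath import basename  # Windows path handling on any OS

# Constructed sample, modelled on the alert layout quoted in this thread.
SAMPLE_ALERT = r"""Mitigation   PrivGuard

PID          4242
Application  C:\Program Files\Mozilla Firefox\firefox.exe

Code Injection
00030000-00031000 4KB C:\Program Files\Sandboxie\SbieSvc.exe [1592]
00040000-00041000 4KB
00384000-00385000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [9436]
1 C:\Program Files\Mozilla Firefox\firefox.exe [9436]
2 C:\Program Files\Sandboxie\Start.exe [1836]

Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [4242]
"""

# Assumption: images treated as expected injectors on a host running Sandboxie.
EXPECTED_INJECTORS = {r"c:\program files\sandboxie\sbiesvc.exe"}

FIELD = re.compile(r"^(Mitigation|PID|Application)\s+(.+?)\s*$")
REGION = re.compile(
    r"^([0-9A-Fa-f]+)-([0-9A-Fa-f]+)\s+(\d+)KB(?:\s+(.+?)\s+\[(\d+)\])?\s*$")

def parse_alert(text):
    """Return header fields plus the memory regions listed under Code Injection."""
    alert, section = {"regions": []}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = FIELD.match(line)
        if header and section is None:
            alert[header.group(1).lower()] = header.group(2)
        elif line in ("Stack Trace", "Code Injection", "Process Trace"):
            section = line
        elif section == "Code Injection" and (r := REGION.match(line)):
            alert["regions"].append({
                "start": int(r.group(1), 16), "size_kb": int(r.group(3)),
                "source": r.group(4),  # None when no owning image is listed
                "source_pid": int(r.group(5)) if r.group(5) else None})
    return alert

def triage(alert):
    """Split injecting images into foreign (not the target) and unexpected."""
    target = basename(alert["application"]).lower()
    sources = {r["source"] for r in alert["regions"] if r["source"]}
    foreign = sorted(s for s in sources if basename(s).lower() != target)
    unexpected = [s for s in foreign if s.lower() not in EXPECTED_INJECTORS]
    return {"mitigation": alert["mitigation"], "foreign": foreign,
            "unexpected": unexpected}
```

Matching on path alone trusts whatever file sits at that location, so in practice the allowlist check would be paired with verifying the image's signature.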

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Wed Dec 06, 2017 6:14 pm
by kerflot
kerflot wrote:
Tue Dec 05, 2017 5:52 pm
The attached image shows a list of what is sandboxed. There are no "All Files and Folders" but I suppose this is expected.
I meant to say: There are no "User Files".

Re: HitmanPro.Alert blocking sandboxed browsers

Posted: Wed Dec 06, 2017 6:25 pm
by kerflot
Info in my Windows Event Viewer, if it's of any help (under HitmanPro.Alert Events):

Mitigation PrivGuard

Platform 6.1.7601/x86 v723 06_17*
PID 7560
Application D:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 57

Sweep

Code Injection
00030000-00031000 4KB C:\Program Files\Sandboxie\SbieSvc.exe [1592]
00040000-00041000 4KB
77C73000-77C74000 4KB
00384000-00385000 4KB D:\Program Files\Mozilla Firefox\firefox.exe [9436]
77C55000-77C56000 4KB
77C56000-77C57000 4KB
0023F000-00240000 4KB
0023E000-0023F000 4KB
1 D:\Program Files\Mozilla Firefox\firefox.exe [9436]
2 C:\Program Files\Sandboxie\Start.exe [1836]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Sandboxie" /env:=Refresh "D:\Program Files\Mozilla Firefox\firefox.exe"