
Re: 5.15 Beta Available (latest version 5.15.3)

Posted: Thu Nov 03, 2016 5:01 pm
by Curt@invincea
123456 wrote:
Curt@invincea wrote: Beta 5.15.3 has been released.
Why Can't You fix this issue?
http://forums.sandboxie.com/phpBB3/view ... 11&t=23402

I can terminate with PCHunter
http://www.softpedia.com/get/Security/S ... nter.shtml
As I said in that thread, it is not possible to terminate some processes. If we spend resources to fix this particular case, all they have to do is move to the technique (open kernel handle) that can't be fixed. And we're right back where we started.

It isn't worth the time & effort.

Re: 5.15 Beta Available (latest version 5.15.3)

Posted: Thu Nov 03, 2016 9:46 pm
by Syrinx
So after upgrading to 5.15.3 from 5.15.2 I started getting errors and was unable to run anything sandboxed.
SBIE2204 Cannot start sandboxed service RpcSs (C0000364)
SBIE2204 Cannot start sandboxed service DcomLaunch (-4)
Reverting to 5.15.2 solved it but I did a little digging and as it turns out something in this version seems to have changed and now AppLocker is detecting and blocking stuff from Program Files and System32/SysWow64 even though there is already an 'Everyone' rule which worked for these before.

I added four more rules (two for exes, two for dlls) for ANONYMOUS LOGON and it's back to normal again:

    </FilePathRule>
    <FilePathRule Id="c66ebb93-a8cb-47db-bdc1-f6ad12779b4c" Name="Windows" Description="" UserOrGroupSid="S-1-5-7" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="84149cbb-c1c3-4ef7-bde5-23b093d15009" Name="Program Files" Description="" UserOrGroupSid="S-1-5-7" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
    <FilePathRule Id="aaa55716-c39a-4538-aa87-ae8fd330e23a" Name="Program Files" Description="" UserOrGroupSid="S-1-5-7" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="ad24b95e-7d7f-418d-87a1-f369489067c5" Name="Windows" Description="" UserOrGroupSid="S-1-5-7" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
I'm curious as to what might've changed that these were suddenly required but at least it's more consistent now!

Re: 5.15 Beta Available (latest version 5.15.3)

Posted: Fri Nov 04, 2016 1:19 pm
by Curt@invincea
I had to make a small change to our sandboxed token to allow Win 10-AU Immersive dialogs to work inside the sandbox.

So are you saying you had rules to allow Everyone, and now you have to specifically allow Anonymous? Perhaps you should tell me exactly what you were doing before and what you had to change.

Re: 5.15 Beta Available (latest version 5.15.3)

Posted: Fri Nov 04, 2016 3:26 pm
by Syrinx
Yes, previously the 'Everyone' (S-1-1-0) rules worked for dlls and exes in Program Files or Windows\System32 & SysWOW64
eg

    <FilePathRule Id="297fce9c-3f54-4403-ad73-47576f2f64d3" Name="(Default Rule) Windows DLLs" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
was fine. As I found however (previously) they didn't work with specific users though that's a bit off-topic.

But suddenly with 5.15.3 they were being blocked and resulting in even Sandboxie's own exes running inside being unable to load the dlls and in turn the errors reported above being shown in SbieCtrl.

Here's a couple sample Event Log errors:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" /> 
  <EventID>8004</EventID> 
  <Version>0</Version> 
  <Level>2</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2016-11-04T19:11:32.170424000Z" /> 
  <EventRecordID>88832</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="1328" ThreadID="2144" /> 
  <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel> 
  <Computer>SNIPPED</Computer> 
  <Security UserID="SNIPPED" /> 
  </System>
  <UserData>
  <RuleAndFileData xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
  <PolicyName>DLL</PolicyName> 
  <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId> 
  <RuleName>-</RuleName> 
  <RuleSddl>-</RuleSddl> 
  <TargetUser>S-1-5-7</TargetUser> 
  <TargetProcessId>1328</TargetProcessId> 
  <FilePath>%SYSTEM32%\MSVCR100.DLL</FilePath> 
  <FileHash /> 
  <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® VISUAL STUDIO® 2010\MSVCR100_CLR0400.DLL\10.0.40219.325</Fqbn> 
  </RuleAndFileData>
  </UserData>
  </Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" /> 
  <EventID>8004</EventID> 
  <Version>0</Version> 
  <Level>2</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2016-11-04T19:11:04.261975300Z" /> 
  <EventRecordID>88757</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="1164" ThreadID="2364" /> 
  <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel> 
  <Computer>SNIPPED</Computer> 
  <Security UserID="SNIPPED" /> 
  </System>
  <UserData>
  <RuleAndFileData xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
  <PolicyName>DLL</PolicyName> 
  <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId> 
  <RuleName>-</RuleName> 
  <RuleSddl>-</RuleSddl> 
  <TargetUser>S-1-5-7</TargetUser> 
  <TargetProcessId>1164</TargetProcessId> 
  <FilePath>%SYSTEM32%\IMM32.DLL</FilePath> 
  <FileHash /> 
  <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\IMM32\6.1.7600.16385</Fqbn> 
  </RuleAndFileData>
  </UserData>
  </Event>
Adding just DLL rules for ANONYMOUS LOGON then caused events like this to be logged and a different set of errors:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" /> 
  <EventID>8004</EventID> 
  <Version>0</Version> 
  <Level>2</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2016-11-04T19:15:56.072295000Z" /> 
  <EventRecordID>89027</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="2276" ThreadID="2440" /> 
  <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel> 
  <Computer>SNIPPED</Computer> 
  <Security UserID="SNIPPED" /> 
  </System>
  <UserData>
  <RuleAndFileData xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
  <PolicyName>EXE</PolicyName> 
  <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId> 
  <RuleName>-</RuleName> 
  <RuleSddl>-</RuleSddl> 
  <TargetUser>S-1-5-7</TargetUser> 
  <TargetProcessId>3456</TargetProcessId> 
  <FilePath>%PROGRAMFILES%\SANDBOXIE\SANDBOXIEDCOMLAUNCH.EXE</FilePath> 
  <FileHash /> 
  <Fqbn>O=INVINCEA, INC., L=FAIRFAX, S=VIRGINIA, C=US\SANDBOXIE\SANDBOXIEDCOMLAUNCH.EXE\5.15.3.00</Fqbn> 
  </RuleAndFileData>
  </UserData>
  </Event>
SBIE2204 Cannot start sandboxed service DcomLaunch (1260)
So after adding 2 rules for ANONYMOUS LOGON to both the EXE and DLL rules in addition to the existing EVERYONE (S-1-1-0) rules for Program Files & the Windows folders, AppLocker was once again allowing them to launch.
This is more like what I experienced before with specific user rules and other areas but for some reason the EVERYONE rule worked for those areas before but now it doesn't.
Either way it's not a complaint and I'm unsure if there is even anything to correct. As I said in the last post, now at least things are much more constant in the way AppLocker handles the paths/rules and detection of ANONYMOUS LOGON. It was just weird that in one version it worked without the extra rules and one suddenly needed them.
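
The troubleshooting in the post above (read each 8004 block, see which rule collection and SID it names, add the missing rule) can be scripted. This is an added example, not part of the post or of Sandboxie: the `policy()` and `event()` helpers build constructed sample data shaped like the rules and events quoted in the thread, matching is by literal SID as the thread observed, and `%SYSTEM32%` is treated as a folder under `%WINDIR%` as a simplification.

```python
import fnmatch
import xml.etree.ElementTree as ET

E = "{http://schemas.microsoft.com/win/2004/08/events/event}"
U = "{http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0}"
RULE = ('<FilePathRule Id="00000000-0000-0000-0000-000000000000" Name="r" Description="" UserOrGroupSid="{sid}" '
        'Action="Allow"><Conditions><FilePathCondition Path="{path}" /></Conditions></FilePathRule>')

def policy(exe_sids, dll_sids):  # constructed policy: Allow path rules per SID, placeholder Ids
    body = ""
    for ctype, sids in (("Exe", exe_sids), ("Dll", dll_sids)):
        rules = "".join(RULE.format(sid=s, path=p) for s in sids for p in (r"%WINDIR%\*", r"%PROGRAMFILES%\*"))
        body += f'<RuleCollection Type="{ctype}" EnforcementMode="Enabled">{rules}</RuleCollection>'
    return f'<AppLockerPolicy Version="1">{body}</AppLockerPolicy>'

def event(policy_name, sid, path):  # constructed 8004 event, trimmed to the fields used below
    return (f'<Event xmlns="{E[1:-1]}"><System><EventID>8004</EventID></System><UserData>'
            f'<RuleAndFileData xmlns="{U[1:-1]}"><PolicyName>{policy_name}</PolicyName><TargetUser>{sid}'
            f'</TargetUser><FilePath>{path}</FilePath></RuleAndFileData></UserData></Event>')

def norm(path):  # case-insensitive compare; %SYSTEM32% mapped under %WINDIR% (simplification)
    return path.upper().replace("%SYSTEM32%", r"%WINDIR%\SYSTEM32")

def allow_sids(policy_xml, collection, path):
    """SIDs that have an Allow path rule covering `path` in the given rule collection."""
    sids = set()
    for coll in ET.fromstring(policy_xml).iter("RuleCollection"):
        if coll.get("Type", "").upper() == collection.upper():
            for r in coll.iter("FilePathRule"):
                pats = [norm(c.get("Path")) for c in r.iter("FilePathCondition")]
                if r.get("Action") == "Allow" and any(fnmatch.fnmatchcase(norm(path), p) for p in pats):
                    sids.add(r.get("UserOrGroupSid"))
    return sids

def rule_gaps(policy_xml, events):
    """Per 8004 block: (collection, blocked SID, path, SIDs whose rules do cover that path)."""
    gaps = []
    for ev in map(ET.fromstring, events):
        if ev.findtext(f"{E}System/{E}EventID") != "8004":
            continue
        data = ev.find(f"{E}UserData/{U}RuleAndFileData")
        coll, sid, path = (data.findtext(U + t) for t in ("PolicyName", "TargetUser", "FilePath"))
        covering = allow_sids(policy_xml, coll, path)
        if sid not in covering:  # a rule may exist for the path, but not for this SID
            gaps.append((coll, sid, path, sorted(covering)))
    return gaps

if __name__ == "__main__":  # Everyone-only rules with ANONYMOUS LOGON blocked, as in the thread
    print(rule_gaps(policy(["S-1-1-0"], ["S-1-1-0"]), [event("DLL", "S-1-5-7", r"%SYSTEM32%\IMM32.DLL")]))
```

A non-empty fourth field means the path is already allowed for another SID, so the gap is the SID, not the path.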

5.15.3

Posted: Sat Nov 05, 2016 12:36 pm
by 424tsiai
Still the same issues as described:

http://forums.sandboxie.com/phpBB3/view ... 13#p124013

Re: 5.15 Beta Available (latest version 5.15.1)

Posted: Sun Nov 06, 2016 7:00 am
by Bertus
Bertus wrote: Problem with printing in firefox, Iron and cyberfox. When I try to print from the browser, the browser crashes before the print preview.
It seems splwow64.exe is unable to run in the sandbox.
Printing is working again without problems in sandboxie 5.15.3.

Thanks

Re: 5.15 Beta Available (latest version 5.15.3)

Posted: Sun Nov 06, 2016 2:31 pm
by ITSecMedia
Installation / Crash / Fail

All attempts to install PrePros6 beta installer in sandboxie fail:

To test simply request free beta thru this form: https://prepros.io/prepros-6

Then try to run the installer in sandboxie ... fails for msi and exe installer.

Re: 5.15 Beta Available (latest version 5.15.3)

Posted: Mon Nov 07, 2016 11:59 am
by Brummelchen
is there a known problem between games from "deutschland spielt" and sandboxie on windows 10 redstone 1607?

eg "Northern Tales" (a smaller download)
http://www.deutschland-spielt.de/spiele ... hern-tale/
(happens also on other DS games)

i cannot reproduce the error with windows pro th2 (1511) or LTSB.

the games startup, but no windows, no message, nothing - and quit. no log files from game.

the games run fine outside sandboxie.

thx

Posted: Tue Nov 08, 2016 8:00 am
by a3739349drdrbcom
Opera 42.0.2393.14Beta & Opera 43.0.2403.0Dev sandboxed are opened with a "loading" blank page and unable to visit any website even its settings.

Re: 5.15 Beta Available (latest version 5.15.3)

Posted: Tue Nov 08, 2016 3:35 pm
by Dun
The "System process" cpu usage seems to be high in some cases like when you run 2 firefox instances in separate sandboxes. May be win10 issue. Has anyone noticed this?

BSOD in 5.15.3

Posted: Thu Nov 10, 2016 6:45 am
by Anocs
After installing 5.15.3 the BSOD welcomes me.

HW: Dell Vostro 3350
OS: Windows 10 Pro 64bit PL (version 1607, compilation 14393.351)
AV: Norton Security 2017 (version 22.8.0.50)

==================================================
Dump File         : 111016-7171-01.dmp
Crash Time        : 10.11.2016 11:29:29
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff803`66ed221f
Parameter 3       : ffffc780`9006b1c0
Parameter 4       : 00000000`00000000
Caused By Driver  : SbieDrv.sys
Caused By Address : SbieDrv.sys+221f
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+14a510
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\111016-7171-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 14393
Dump File Size    : 416 620
Dump File Time    : 10.11.2016 11:30:38
==================================================

Re: BSOD in 5.15.3

Posted: Thu Nov 10, 2016 12:00 pm
by Curt@invincea
Anocs wrote: After installing 5.15.3 the BSOD welcomes me.

HW: Dell Vostro 3350
OS: Windows 10 Pro 64bit PL (version 1607, compilation 14393.351)
AV: Norton Security 2017 (version 22.8.0.50)
There is a bug that is fixed in 5.15.4. If your Sbie license has expired, and you are using Office ClickToRun, you will get a BSOD when starting Windows.

Re: BSOD in 5.15.3

Posted: Thu Nov 10, 2016 7:52 pm
by nanana1
Curt@invincea wrote: There is a bug that is fixed in 5.15.4. If your Sbie license has expired, and you are using Office ClickToRun, you will get a BSOD when starting Windows.
5.15 Beta Available (latest version 5.15.4)
Post by nanana1 » Thu Nov 11, 2016 7:49 pm

Combined 32/64 installer:
http://www.sandboxie.com/SandboxieInstall-515-4.exe

Separate:
http://www.sandboxie.com/SandboxieInstall32-515-4.exe
http://www.sandboxie.com/SandboxieInstall64-515-4.exe

Changes in 5.15.4:
Fixed BSOD when running Office ClickToRun if SBIE license expired

Stick Password issue

Posted: Fri Nov 11, 2016 8:04 am
by henryg
Not sure it is new to 5.14 but I am getting frequent crashes:

SBIE2101 Object name not found: , error OpenProcess (C0000022) access=00123FFA initialized=1
SBIE2314 Canceling process stpass.exe [2632 / 7]

I gave up using the SP template some time ago because it is (was?) old and SP worked better without it. IME!

Re: 5.15 Beta Available (latest version 5.15.4)

Posted: Fri Nov 11, 2016 1:27 pm
by Curt@invincea
5.15.4 has been officially released.