Sandboxie Support

Dear developers of Sandboxie, hello everyone !

I am using Windows 7 x64, Sandboxie and FinePrint Version 7 for several years now - I never had an issue with that combination. While installing, Sandboxie recognized FinePrint and setup a compatibilty-setting for it, witch was always working well.

Now, since several month, when I do some printing within Firefox (running in Sandboxie), USING OR NOT USING FinePrint as the printer, I always get a message-box from sandboxie "SBIE1319 Blocked spooler print to file ...".

I can't tell exactly the version of sandboxie, when that behavior arised, but I think, it was a version of sandboxie before V4.20.

I tried to search informations about that issue here in the forum and I know, that I do have the possibility to configure Sandboxie, to exclude the temp-directory of the print-spooler, or simply click "allow" within Sandboxies error-messagebox to do my print-out, but both workarounds are not really good solutions.

In compatibility-settings of Sandboxie there is FinePrint marked with this symbol "-" but not a "+".

Remember, that also normal printing, when selecting the physical, real printer, without using FinePrint, printing doesn't work anymore without that error-message.

I do use the lastet BETA of Sandboxie 5.01.6 and latest Firefox ESR 38.1.1 and FinePrint 7.

Thanks for reading ... any help is welcome.

Hello!

This is a new introduced protection against a possible security hole. Please read the version changes for all necessary information:

Version 4.18

Released on 28 May 2015.

A security hole with the Windows print spooler has been plugged. An application could use the print spooler to write an arbitrary file outside the sandbox. If Sandboxie detects that the print spooler is attempting to write a file outside the sandbox at the request of a sandboxed application, it will issue "SBIE1319 Blocked spooler print to file".

NOTE: Some printer drivers write temporary files to their own work area, even when not printing to file. In these cases, you will get SBIE1319 even when printing normally (not to file). The print may still print successfully. In this situation, you can safely ignore SBIE1319, hide the error message, or open the folder as described below.

There are 3 ways to allow the print spooler to print to file:

1) If you trust the process that is printing, you can double-click the SBIE1320 (that follows SBIE1319) to allow the print spooler to write files outside the sandbox for that particular process.
2) The spooler can write files outside the sandbox according to OpenFilePath settings. This enables you to permanently open the folders a particular printer driver uses to store its work files.
3) You can manually add the setting AllowSpoolerPrintToFile=y to sandboxie.ini. This is not recommended as it leaves your sandbox open to a print spooler exploit.

http://www.sandboxie.com/index.php?Vers ... ges#v_4_18

C3PO wrote:..., but both workarounds are not really good solutions.

Please explain us why?

Hello Michael,

thank you for your help !

Well OK, I understand now - Sandboxie-sourcecode was changed by intention by its developers.

Regarding to your question, why I thought, that the two possible workarounds aren't really good, I have to say, that I confused Point 2 with Point 3 from the official statement you sent to me above. Now I understand, that in fact, it -IS- an acceptable solution, to permanently permit a -SPECIFIC- printer driver, to store files outside the sandbox, because permanently clicking when I like to print something, is annoying (to me).

As I trust FinePrint, I will use method #2, as it has the same effect like a manual click on 1320 to permit the trusted process, to use windows' print-spooler. IT WOULD BE GREAT, IF SANDBOXIE WOULD INCLUDE AN OPTION, TO REMEMBER A MANUALLY GIVEN PERMISSION !

Now I have to search/find out, HOW exactly I can configure sandboxie using the "OpenFilePath"-setting, to give a permanent permission to FinePrint and Firefox, to store their files outside the sandbox - let's see, if I am able to manage that ... if not, I will ask here for help.

Back ...

Last weekend I verified how to configure sandboxie to give a permanent permission to FinePrint and Firefox, to store their files outside the sandbox:

First I looked at sandboxies warning-message - it says:

While attempting to print with Firefox:
[8248] firefox.exe, \ProgramData\EPSON\PRINTER\EPAUDF01.AUD

While attempting to print with Firefox, using Fineprint:
[2212] fpdisp7.exe, \ProgramData\EPSON\PRINTER\EPAUDF01.AUD


OK, fine ... I think if I would add the following line to sandboxie.ini under [GlobalSettings], Firefox with or without using Fineprint, would print without
any error-message (I checked it not yet, read below ...):

c:\ProgramData\EPSON\PRINTER\EPAUDF01.AUD

But I think, not only Firefox and Fineprint, but -ANY- process/program would be able to bypass the sandbox, but I would like to give an -INDIVIDUAL- permission to Firefox and FinePrint -ONLY- ... but HOW can I do this ?

I think I need to include the program-names itself (firefox.exe and fpdisp7.exe) somehow in the configuration of sandboxie, but I don't have an idea how to do that - anyone can tell me how ?

Just a small hint: It should be the path shown in the SBIE1319 error message.

Example: "SBIE1319 Blocked spooler print to file, [xxxx] xxx.exe, \folder1\folder2\xxx.tmp"

You can add "OpenFilePath=%SystemDrive%\folder1\folder2" to allow printing for all sandboxed applications or "OpenFilePath=xxx.exe,%SystemDrive%\folder1\folder2" to allow printing for a specific application only.

Thank you Michael, I will try to do so ... I will let you know, if I have success !

OK, it works ! Now everything works smooth again.

While setting-up sandboxie, I also realized, that sandboxie only supports FinePrint version 5 + 6 in it's compatibility-settings. Would also be very nice to see from the developers, to see an added support for newer versions of FinePrint.

Thanks for your help Michael !

Great, I am glad to hear that.

I noticed your (due to moderation) delayed post.

C3PO wrote:... I think if I would add the following line to sandboxie.ini under [GlobalSettings], ...

If you add the line in the [GlobalSettings] section the OpenFilePath is valid for all sandboxes you have created. If you have created an own sandbox for Firefox, you better add the line in the matching section [NameOfSandbox].

C3PO wrote:... \ProgramData\EPSON\PRINTER\EPAUDF01.AUD ...

If you want to make it even more secure, you can add the file extension to the OpenFilePath:
OpenFilePath=firefox.exe,%SystemDrive%\ProgramData\EPSON\PRINTER\*.AUD
OpenFilePath=fpdisp7.exe,%SystemDrive%\ProgramData\EPSON\PRINTER\*.AUD