
[.06] Could not execute SandboxieRpcSs.exe

Posted: Tue Feb 26, 2013 3:35 pm
by 0strodamus
I tried posting in the beta forum, but it said only administrators could start topics there.

Beta version 4.01.02 fixed the printing issues that I was experiencing in Firefox, which is great. I'm stoked to be able to now run this beta on x64!

The only issue I'm having is that Applocker is blocking SANDBOXIERPCSS.EXE from launching. The only way I have found so far to allow SANDBOXIERPCSS.EXE to launch is to place the EXE rules in auditing mode. This is on Windows 7 x64.

I don't understand the applocker eventlog entry (posted below), but I do notice that the {value} following EXE as well as the user SID (S-1-5-7) are different than all the other entries. All of the others have {random values (not all 0s)} and the full SID noted. I'm not sure if this is what is causing the problem or not. I tried creating an EXE rule to allow Guests (it was the only thing I could find that sounded like it would let anyone launch besides the Everyone group which also failed) to launch SANDBOXIERPCSS.EXE, but that didn't work.

I will keep running in Audit mode in Applocker because I think Sandboxie affords me more valuable security, but it would be nice to be able to put my rules back to Enforce. If I find a solution, I'll post back. Thanks in advance for any help and my apologies if I've placed this in the wrong forum section.

The event log details are as follows:

The description for Event ID ( 8004 ) in Source ( Microsoft-Windows-AppLocker ) could not be found.
Either the component that raises this event is not installed on the computer or the installation is corrupted.You can install or repair the component or try to change Description Server.

The following information was included with the event (insertion strings):
3
EXE
{00000000-0000-0000-0000-000000000000}
1
-
1
-
S-1-5-7
3140
43
%PROGRAMFILES%\SANDBOXIE\SANDBOXIERPCSS.EXE
0

1
-
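
An added example, not part of the original posts and not Sandboxie or Microsoft code: a Python parser for the insertion strings quoted above, for use when the event description cannot be rendered. The field names are an assumption inferred from the order of the values; the length values in the dump (3 for EXE, 43 for the file path) serve as the consistency check.

```python
# Added example. Field names are assumed from the order of the posted values.
FIELDS = ("PolicyNameLength PolicyName RuleId RuleNameLength RuleName "
          "RuleSddlLength RuleSddl TargetUser TargetProcessId FilePathLength "
          "FilePath FileHashLength FileHash FqbnLength Fqbn").split()
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": r"NT AUTHORITY\ANONYMOUS LOGON"}

# Insertion strings as posted above, one per line (the blank line is an empty value).
SAMPLE = r"""3
EXE
{00000000-0000-0000-0000-000000000000}
1
-
1
-
S-1-5-7
3140
43
%PROGRAMFILES%\SANDBOXIE\SANDBOXIERPCSS.EXE
0

1
-"""

def parse_insertion_strings(text):
    """Map the positional strings to names and verify every length field."""
    values = [v.strip() for v in text.splitlines()]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} strings, got {len(values)}")
    event = dict(zip(FIELDS, values))
    for name in ("PolicyName", "RuleName", "RuleSddl", "FilePath", "FileHash", "Fqbn"):
        if int(event[name + "Length"]) != len(event[name]):
            raise ValueError(f"{name}Length does not match {name!r}")
    return event

def triage(event):
    """Return the points worth noting before writing an allow rule."""
    notes = []
    if event["RuleId"] == NULL_GUID and event["RuleName"] == "-":
        notes.append("no rule is identified in the event")
    sid = event["TargetUser"]
    if sid in WELL_KNOWN_SIDS:
        notes.append(f"process token user is {sid} ({WELL_KNOWN_SIDS[sid]})")
    elif not sid.startswith("S-1-5-21-"):
        notes.append(f"process token user {sid} is not a per-account SID")
    return notes

if __name__ == "__main__":
    print(triage(parse_insertion_strings(SAMPLE)))
```
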

Posted: Tue Feb 26, 2013 9:23 pm
by abcde1
I've come across the same problem. As 0strodamus mentioned, setting EXE and DLL rules to audit allows Sandboxie 4.01 to run.

With only EXE rules in audit mode, I get the error: %SYSTEM32%\RPCEPMAP.DLL was prevented from running.

The odd thing is that there are default AppLocker rules which allow Everyone to run EXEs from the Program Files folders, and DLLs from the Windows folder (and below).

[.05] [.04] Could not execute SandboxieRpcSs.exe

Posted: Sun Mar 10, 2013 3:58 pm
by 0strodamus
Still getting these errors with Applocker enabled on Windows 7 x64:

SBIE2313 Could not execute SandboxieRpcSs.exe (1260)
SBIE2204 Cannot start sandboxed service RpcSs (1260)

Posted: Mon Mar 11, 2013 4:39 pm
by tzuk
I think you reported this before but I haven't looked into this. It's on my list, but there are a lot of things on my list. I will post when I have an update, so you might want to keep an eye on an existing topic, for example this one.

Posted: Mon Mar 11, 2013 7:12 pm
by 0strodamus
Yes, I did. I just wanted to let you know I was still seeing the error with the latest beta. Thanks for the reply!

Posted: Mon Mar 18, 2013 7:11 pm
by 0strodamus
This issue is resolved with .04 beta. Thanks tzuk!

Posted: Tue Mar 19, 2013 6:27 am
by tzuk
Thanks for the update! Good to know.

Posted: Mon Mar 25, 2013 2:12 pm
by barny
Not fixed for me in .04 - still seeing same errors in Win 7 x64 with AppLocker enabled:

SBIE2313 Could not execute SandboxieRpcSs.exe (1260)
SBIE2204 Cannot start sandboxed service RpcSs (1260)


Was anything done to address this bug in .04?

Posted: Mon Mar 25, 2013 6:04 pm
by barny
A bit more info: In 0strodamus' original thread here, they mentioned the user id as S-1-5-7, which was different from all the others. After setting AppLocker EXE and DLL rules to audit only, Sandboxie .04 beta runs fine but task manager shows the user who launched firefox.exe, SandboxieDcomLaunch.exe and SandboxieRpcSs.exe as "NT AUTHORITY\ANONYMOUS LOGON".


Unrelated to .04 beta, in 3.76, if I save a file in Sandboxied Firefox and try to create a new folder on the file save dialog, the new folder is not visible in the save dialog, but it is actually created in the Sandbox.

Posted: Tue Mar 26, 2013 4:08 pm
by tzuk
Task manager will show the user as anonymous, that is how things work in version 4.

As for AppLocker, can you explain how you configure it so I can try to reproduce the problem? I'm not familiar with AppLocker so please take that into account in your explanation.

Posted: Fri Mar 29, 2013 4:54 pm
by barny
You need to be running Windows 7 Ultimate to have access to AppLocker. Make sure Application Identity service is running and set to Automatic. Type gpedit.msc, then navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies and then click on “Configure rule enforcement”. Under Advanced tab, enable DLL rule collection, and under Enforcement tab make sure all rules are enabled/configured and set to "Enforce rules". On the left hand tree, select "Executable Rules", and then right-click it and select "Create Default Rules". Repeat for "Windows Installer Rules", "Script Rules" and "DLL Rules".

Log in as a Standard User account, and try to run Firefox sandboxied with 4.01.04 beta. You will get the errors mentioned in this topic. If you set "Executable Rules" and "DLL Rules" to "Audit only" instead of "Enforce rules", Firefox runs without problems as it makes AppLocker only log Allow/block attempts, rather than actually block them.

Check under Event Viewer->Applications and Services Logs->Microsoft->Windows->Applocker to see when something is allowed/blocked from running by AppLocker.

http://www.howtogeek.com/howto/6317/blo ... applocker/

Let me know if you need more info.

Posted: Wed Apr 10, 2013 9:50 am
by tzuk
Due to some other problem, I changed SandboxieRpcSs to not start directly by the program in the sandbox, but instead start through SbieSvc (which is a component of Sandboxie that is outside the sandbox).

This means the AppLocker check would occur in the context of the SbieSvc component outside the sandbox, rather than inside the sandbox.

I think this should work around the problem described here, although I haven't experimented or tested this myself.

Please check if it makes a difference.

Posted: Thu Apr 11, 2013 3:26 am
by barny
With .05, I no longer get the errors: SBIE2313 Could not execute SandboxieRpcSs.exe (1260) and SBIE2204 Cannot start sandboxed service RpcSs (1260).

However, I still get an error dialog - title "Sandboxie RpcSs", message "Could not load service DLL - rpcepmap.dll".

No problem if AppLocker DLL Rules are set to audit, rather than enforce.

[0.5]

Posted: Sat Apr 13, 2013 11:32 am
by Sadeghi85
Same problem as previous poster mentioned. Screenshots in this post: http://www.wilderssecurity.com/showpost ... ostcount=1

What I don't get is, the default rules allow dlls in system32 to run, but RPCEPMAP.DLL was blocked! :shock:

Posted: Sun Apr 14, 2013 2:22 pm
by tzuk
I'm glad to see there's some improvement. I'll check out the remaining problems.