security token

pantau
Posts: 7
Joined: Tue Oct 03, 2017 8:50 am

security token

Post by pantau » Tue Oct 03, 2017 5:30 pm

My USB cryptographic token (Watchdog) is not seen from within the sandbox by Firefox ESR, though both were installed in the same sandbox.

Sandboxie 5.20 x64
Windows 7 x64
GDATA Antivirus

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: security token

Post by Barb@Invincea » Wed Oct 04, 2017 10:42 am

Hello pantau,

Does the token work outside Sandboxie?
Are you receiving an error message when you try to use it?

Try disabling your Antivirus and creating a new Sandbox to see if the problem persists.

Maybe this workaround does the trick for you:
viewtopic.php?p=128787#p128787

Last, but not least, give the latest beta a try:
viewtopic.php?p=129389#p129389

Regards,
Barb.-

pantau
Posts: 7
Joined: Tue Oct 03, 2017 8:50 am

Re: security token

Post by pantau » Wed Oct 04, 2017 6:16 pm

The token works when I install it outside the sandbox, but I'd like to install it inside a sandbox.
No error message.
Disabling Anti-Virus doesn't change anything.
I tried the new beta, same result.
As far as the threads are concerned, I don't find a USB device in the monitor:

Pipe        -------------------------------
Pipe        \Device\KsecDD
Pipe        \Device\NamedPipe\chrome.1328.7.159420133
Pipe        \device\namedpipe\chrome.1328.7.159420133
Pipe        \Device\NamedPipe\chrome.1328.8.30247384
Pipe        \device\namedpipe\chrome.1328.8.30247384
Pipe        \device\namedpipe\gdkbdpipe1
Pipe        \Device\NamedPipe\GDKBDPipe1
Pipe        \device\namedpipe\gdkbdpipe1
Pipe        \device\namedpipe\gecko-crash-server-pipe.1328
Pipe        \Device\NamedPipe\gecko-crash-server-pipe.1328
Pipe        \device\namedpipe\gecko-crash-server-pipe.1328
Pipe        \Device\NamedPipe\jpi2_pid620_pipe1
Pipe        \device\namedpipe\jpi2_pid620_pipe1
Pipe        \Device\NamedPipe\jpi2_pid620_pipe1
Pipe        \device\namedpipe\jpi2_pid620_pipe1
Pipe        \Device\NamedPipe\jpi2_pid620_pipe2
Pipe        \device\namedpipe\jpi2_pid620_pipe2
Pipe        \Device\NamedPipe\jpi2_pid620_pipe2
Pipe        \device\namedpipe\jpi2_pid620_pipe2
Pipe     O  \Device\Afd
Pipe     O  \Device\NamedPipe
Pipe     O  \Device\NamedPipe\
Pipe     O  \device\namedpipe\
Pipe     O  \Device\NamedPipe\
Pipe     O  \device\namedpipe\
Pipe     O  \Device\NamedPipe\
Pipe     O  \Device\Nsi

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: security token

Post by Barb@Invincea » Thu Oct 05, 2017 12:43 pm

Hello pantau,
pantau wrote: "The token works when I install it outside the sandbox, but I'd like to install it inside a sandbox."
What are you installing, exactly? Does it require a driver/service? If so, it will not install inside Sandboxie.

Did you try a new Sandbox with default settings?
How about a different browser, sandboxed?

Did you get a chance to try the workaround provided on my previous post?:
viewtopic.php?p=128787#p128787

Regards,
Barb.-

pantau
Posts: 7
Joined: Tue Oct 03, 2017 8:50 am

Re: security token

Post by pantau » Thu Oct 05, 2017 6:31 pm

Yes, the token requires a service. That means there is no point in installing it sandboxed?

------ MERGED POST -----

I've installed the token now outside the Sandbox.

Now it is seen by Firefox ESR, but accessing it I get a message "Certificate private key is not avaliable".

Your workaround refers to the "Pipe \Device\00000064" and "Pipe \Device\USBPDO-0"? I don't have these in my resource monitor.

With a new default sandbox, the problem remains.

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: security token

Post by Barb@Invincea » Fri Oct 06, 2017 9:49 am

Hello pantau,

The workaround in the topic I provided reads as follows:
"I found when using a sandboxed browser if I insert the key before it's required, i.e. at the username or password stage, then when it gets to the authentication stage the key will activate and function normally. However, if the key is inserted when already on the authentication request page, then it doesn't work. On unsandboxed browsers it works both ways."
I wonder if that works for you. If it doesn't, let's gather more info from your Resource Access Monitor, using a new Sandbox with default settings. Please see these steps (be sure to use the "</>" option in the forum to format the output) to capture the results:
https://www.sandboxie.com/ResourceAccessMonitor

Regards,
Barb.-

pantau
Posts: 7
Joined: Tue Oct 03, 2017 8:50 am

Re: security token

Post by pantau » Sun Oct 08, 2017 8:41 am

The workaround doesn't make a difference. I've created a new sandbox, same result. Please find the Resource Monitor below:

(Drive)     \Device\CdRom0
(Drive)     \Device\HarddiskVolume5
(Drive)     \Device\HarddiskVolume6
Clsid       -------------------------------
File/Key    -------------------------------
Image       -------------------------------
Image       *:\users\user\appdata\local\scytl\icpbravoaccess.extension\icpbravoaccess.windows.chrome.app.exe
Image       c:\program files\sandboxie\sbiedll.dll
Image       c:\users\user\appdata\local\scytl\icpbravoaccess.extension\icpbravoaccess.windows.common.dll
Image       c:\users\user\appdata\local\scytl\icpbravoaccess.extension\newtonsoft.json.dll
Image       c:\users\user\appdata\local\scytl\icpbravoaccess.extension\nlog.dll
Image       c:\users\user\appdata\local\scytl\icpbravoaccess.extension\scytl.icpbravo.dll
Image       c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ae297c0391919d23b8eebc5c349edb67\mscorlib.ni.dll
Image       c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\b1a4e5fb7db27bf3740be36f347b4125\system.configuration.ni.dll
Image       c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\c492b244caac9c856b927dba120e188e\system.core.ni.dll
Image       c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\d9f7aa41913b8ab0f17caae5d1f9a1f0\system.data.ni.dll
Image       c:\windows\assembly\nativeimages_v4.0.30319_64\system.numerics\3460a2d6d29218073fa19d562fd02ce1\system.numerics.ni.dll
Image       c:\windows\assembly\nativeimages_v4.0.30319_64\system.runteb92aa12#\73d6b75a3c7db911aa7d69f169bfb1fb\system.runtime.serialization.ni.dll
Image       c:\windows\assembly\nativeimages_v4.0.30319_64\system.servicemodel\375d9329aef6a25afbde6c2d95cb3db1\system.servicemodel.ni.dll
Image       c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml.linq\7ccbe78ef79c5287dac4a71875c927d3\system.xml.linq.ni.dll
Image       c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\14ae6ad709f860da6220a1d3395df5ad\system.xml.ni.dll
Image       c:\windows\assembly\nativeimages_v4.0.30319_64\system\114196eb67ce32fc45d498121285fa02\system.ni.dll
Image       c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
Image       c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
Image       c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
Image       c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
Image       c:\windows\microsoft.net\framework64\v4.0.30319\nlssorting.dll
Image       c:\windows\system32\advapi32.dll
Image       c:\windows\system32\atl.dll
Image       c:\windows\system32\bcrypt.dll
Image       c:\windows\system32\certcli.dll
Image       c:\windows\system32\cfgmgr32.dll
Image       c:\windows\system32\crypt32.dll
Image       c:\windows\system32\cryptbase.dll
Image       c:\windows\system32\cryptnet.dll
Image       c:\windows\system32\cryptsp.dll
Image       c:\windows\system32\devobj.dll
Image       c:\windows\system32\dsrole.dll
Image       c:\windows\system32\gdi32.dll
Image       c:\windows\system32\hid.dll
Image       c:\windows\system32\iertutil.dll
Image       c:\windows\system32\imm32.dll
Image       c:\windows\system32\kernel32.dll
Image       c:\windows\system32\kernelbase.dll
Image       c:\windows\system32\lpk.dll
Image       c:\windows\system32\msasn1.dll
Image       c:\windows\system32\mscoree.dll
Image       c:\windows\system32\msctf.dll
Image       c:\windows\system32\msvcr120_clr0400.dll
Image       c:\windows\system32\msvcrt.dll
Image       c:\windows\system32\nsi.dll
Image       c:\windows\system32\ntdll.dll
Image       c:\windows\system32\ole32.dll
Image       c:\windows\system32\oleaut32.dll
Image       c:\windows\system32\profapi.dll
Image       c:\windows\system32\psapi.dll
Image       c:\windows\system32\rpcrt4.dll
Image       c:\windows\system32\rsaenh.dll
Image       c:\windows\system32\sechost.dll
Image       c:\windows\system32\sensapi.dll
Image       c:\windows\system32\setupapi.dll
Image       c:\windows\system32\shell32.dll
Image       c:\windows\system32\shlwapi.dll
Image       c:\windows\system32\sspicli.dll
Image       c:\windows\system32\urlmon.dll
Image       c:\windows\system32\user32.dll
Image       c:\windows\system32\userenv.dll
Image       c:\windows\system32\usp10.dll
Image       c:\windows\system32\version.dll
Image       c:\windows\system32\watchdata\watchdata icp csp v1.0\tokenmgr.dll
Image       c:\windows\system32\watchdata\watchdata icp csp v1.0\uirese3.dll
Image       c:\windows\system32\watchdata\watchdata icp csp v1.0\wdalg.dll
Image       c:\windows\system32\watchdata\watchdata icp csp v1.0\wdcsp03.dll
Image       c:\windows\system32\watchdata\watchdata icp csp v1.0\wdcspui.dll
Image       c:\windows\system32\watchdata\watchdata icp csp v1.0\wdkmgr.dll
Image       c:\windows\system32\watchdata\watchdata icp csp v1.0\wdpkcs.dll
Image       c:\windows\system32\watchdata\watchdata icp csp v1.0\wdsafe3.dll
Image       c:\windows\system32\wininet.dll
Image       c:\windows\system32\winscard.dll
Image       c:\windows\system32\winspool.drv
Image       c:\windows\system32\winsta.dll
Image       c:\windows\system32\wldap32.dll
Image       c:\windows\system32\ws2_32.dll
Ipc         -------------------------------
Ipc         \BaseNamedObjects\CLR_PerfMon_StartEnumEvent
Ipc         \RPC Control\epmapper
Ipc         \RPC Control\LSMApi
Ipc         \RPC Control\protected_storage
Ipc         \SBIE_DummyJob_firefox.exe_3
Ipc         \SBIE_DummyJob_firefox.exe_4
Ipc         \Sessions\1\BaseNamedObjects\Cor_Private_IPCBlock_v4_8464
Ipc         \Sessions\1\BaseNamedObjects\Cor_Private_IPCBlock_v4_8588
Ipc         \Sessions\1\BaseNamedObjects\CPFATE_8464_v4.0.30319
Ipc         \Sessions\1\BaseNamedObjects\CPFATE_8588_v4.0.30319
Ipc         \Sessions\1\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0
Ipc         \Sessions\1\BaseNamedObjects\NLS_CodePage_850_3_2_0_0
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_DummyEvent_8464
Ipc         \Sessions\1\BaseNamedObjects\SBIE_BOXED_DummyEvent_8588
Ipc         \Sessions\1\BaseNamedObjects\SboxSession
Ipc         \Sessions\1\BaseNamedObjects\UrlZonesSM_****
Ipc         \Sessions\1\BaseNamedObjects\Watchdata ICP CSP v1.0_BinFileShare
Ipc         \Sessions\1\BaseNamedObjects\Watchdata ICP CSP v1.0_CSPNumStrin1
Ipc         \Sessions\1\BaseNamedObjects\Watchdata ICP CSP v1.0_SharePageFile
Ipc         \Sessions\1\BaseNamedObjects\windows_shell_global_counters
Ipc         \Sessions\1\BaseNamedObjects\ZoneAttributeCacheCounterMutex
Ipc         \Sessions\1\BaseNamedObjects\ZonesCacheCounterMutex
Ipc         \Sessions\1\BaseNamedObjects\ZonesCounterMutex
Ipc         \Sessions\1\BaseNamedObjects\ZonesLockedCacheCounterMutex
Ipc      O  \...\Cor_SxSPublic_IPCBlock
Ipc      O  \BaseNamedObjects\TermSrvReadyEvent
Ipc      O  \KernelObjects\LowMemoryCondition
Ipc      O  \KnownDlls\advapi32.dll
Ipc      O  \KnownDlls\CFGMGR32.dll
Ipc      O  \KnownDlls\CRYPT32.dll
Ipc      O  \KnownDlls\DEVOBJ.dll
Ipc      O  \KnownDlls\gdi32.dll
Ipc      O  \KnownDlls\IERTUTIL.dll
Ipc      O  \KnownDlls\kernel32.dll
Ipc      O  \KnownDlls\kernelbase.dll
Ipc      O  \KnownDlls\LPK.dll
Ipc      O  \KnownDlls\MSASN1.dll
Ipc      O  \KnownDlls\MSCTF.dll
Ipc      O  \KnownDlls\MSVCRT.dll
Ipc      O  \KnownDlls\NSI.dll
Ipc      O  \KnownDlls\ole32.dll
Ipc      O  \KnownDlls\OLEAUT32.dll
Ipc      O  \KnownDlls\PSAPI.DLL
Ipc      O  \KnownDlls\rpcrt4.dll
Ipc      O  \KnownDlls\Setupapi.dll
Ipc      O  \KnownDlls\SHELL32.dll
Ipc      O  \KnownDlls\SHLWAPI.dll
Ipc      O  \KnownDlls\URLMON.dll
Ipc      O  \KnownDlls\user32.dll
Ipc      O  \KnownDlls\USP10.dll
Ipc      O  \KnownDlls\WININET.dll
Ipc      O  \KnownDlls\WLDAP32.dll
Ipc      O  \KnownDlls\WS2_32.dll
Ipc      O  \RPC Control\ConsoleLPC-0x0000000000002124-378449943-17290014841367315349-1956158870796987615-5305902461060697199-2096042535
Ipc      O  \RPC Control\ConsoleLPC-0x000000000000219C-154243396011047636131071144817-136856048835932168414354817571967989125202799788
Ipc      O  \RPC Control\DNSResolver
Ipc      O  \RPC Control\lsapolicylookup
Ipc      O  \RPC Control\LSARPC_ENDPOINT
Ipc      O  \RPC Control\lsasspirpc
Ipc      O  \RPC Control\SbieSvcPort
Ipc      O  \RPC Control\senssvc
Ipc      O  \Security\LSA_AUTHENTICATION_INITIALIZED
Ipc      O  \Sessions\1\Windows\ApiPort
Ipc      O  \Sessions\1\Windows\SharedSection
Pipe        -------------------------------
Pipe        \Device\KsecDD
Pipe        \Device\NamedPipe\GDKBDPipe1
Pipe        \device\namedpipe\gdkbdpipe1
Pipe        \Device\NamedPipe\GDKBDPipe1
Pipe        \device\namedpipe\gdkbdpipe1
Pipe        \device\namedpipe\lsarpc
Pipe        \device\namedpipe\subprocesspipe.6668.10
Pipe        \Device\NamedPipe\SubProcessPipe.6668.10
Pipe        \device\namedpipe\subprocesspipe.6668.10
Pipe        \device\namedpipe\subprocesspipe.6668.11
Pipe        \Device\NamedPipe\SubProcessPipe.6668.11
Pipe        \device\namedpipe\subprocesspipe.6668.11
Pipe        \Device\NamedPipe\SubProcessPipe.6668.6
Pipe        \device\namedpipe\subprocesspipe.6668.6
Pipe        \Device\NamedPipe\SubProcessPipe.6668.6
Pipe        \device\namedpipe\subprocesspipe.6668.6
Pipe        \Device\NamedPipe\SubProcessPipe.6668.7
Pipe        \device\namedpipe\subprocesspipe.6668.7
Pipe        \Device\NamedPipe\SubProcessPipe.6668.8
Pipe        \device\namedpipe\subprocesspipe.6668.8
Pipe        \device\namedpipe\subprocesspipe.6668.9
Pipe        \Device\NamedPipe\SubProcessPipe.6668.9
Pipe        \device\namedpipe\subprocesspipe.6668.9
Pipe     O  \Device\Afd
WinCls      -------------------------------
WinCls   O  Shell_TrayWnd
Last edited by Barb@Invincea on Mon Oct 09, 2017 2:34 pm, edited 1 time in total.
Reason: Formatted the output.

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: security token

Post by Barb@Invincea » Mon Oct 09, 2017 2:55 pm

Hello pantau,

Does it work in a different browser, sandboxed?
If you connect the device, does it show in Windows Explorer? (If yes, does it show in a sandboxed Windows Explorer?)

This looks like it may be related (is not Watchdog, but Watchdata):
\Sessions\1\BaseNamedObjects\Watchdata ICP CSP v1.0_*

To test it, create a new Sandbox (or use the one you just created for the Res. Acc. Mon results)
Right click on the Sandbox --> Sandbox Settings --->Resource Access ---> IPC Access---> Direct Access
Hit "Add"
Paste:
*\BaseNamedObjects\Watchdata ICP CSP v1.0_*
Hit Apply and Ok your way out.
Go to Configure --> Reload Configuration
Delete the contents of your Sandbox and re-try

Regards,
Barb.-
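
Added example (not part of the thread and not Sandboxie code): a Python version of the triage done in the post above, which picks the Resource Access Monitor entries that are not marked O and mention the token's CSP, then derives the narrowest single wildcard covering them. It assumes the O column marks a resource opened directly outside the sandbox; the sample lines and all function names are constructed for illustration.

```python
import os
import re

# Constructed sample in the Resource Access Monitor layout shown in the
# thread: resource type, optional flag column, resource path.
SAMPLE = r"""
Ipc         -------------------------------
Ipc         \RPC Control\epmapper
Ipc         \Sessions\1\BaseNamedObjects\Watchdata ICP CSP v1.0_BinFileShare
Ipc         \Sessions\1\BaseNamedObjects\Watchdata ICP CSP v1.0_CSPNumStrin1
Ipc         \Sessions\1\BaseNamedObjects\Watchdata ICP CSP v1.0_SharePageFile
Ipc      O  \KnownDlls\CRYPT32.dll
Pipe        \Device\NamedPipe\GDKBDPipe1
Pipe        \device\namedpipe\gdkbdpipe1
Pipe     O  \Device\Afd
"""

# type, then an optional one-letter flag (assumption: O = open, X = closed).
LINE = re.compile(r"^(\S+)\s+(?:([OX])\s+)?(\S.*)$")


def parse(dump):
    """Return unique (type, flag, path) entries; case variants are merged."""
    seen, entries = set(), []
    for raw in dump.splitlines():
        m = LINE.match(raw.strip())
        if not m or set(m.group(3)) == {"-"}:  # skip blanks and separators
            continue
        rtype, flag, path = m.group(1), m.group(2) or "", m.group(3).strip()
        key = (rtype, flag, path.lower())
        if key not in seen:
            seen.add(key)
            entries.append((rtype, flag, path))
    return entries


def sandboxed_matches(entries, keyword, rtype="Ipc"):
    """Paths of one resource type that are not flagged O and mention keyword."""
    return [p for t, f, p in entries
            if t == rtype and f != "O" and keyword.lower() in p.lower()]


def open_pattern(paths):
    """Narrowest single wildcard covering paths, with the session generalised."""
    if not paths:
        return None
    stripped = [re.sub(r"^\\Sessions\\\d+", "", p) for p in paths]
    prefix = os.path.commonprefix(stripped)
    # Refuse a pattern that does not pin at least one full path component.
    if prefix.count("\\") < 2:
        return None
    return "*" + prefix + "*"


if __name__ == "__main__":
    hits = sandboxed_matches(parse(SAMPLE), "watchdata")
    print(open_pattern(hits))
```
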

pantau
Posts: 7
Joined: Tue Oct 03, 2017 8:50 am

Re: security token

Post by pantau » Mon Oct 09, 2017 4:24 pm

It doesn't work in Chrome either.

The device shows up as CD-Drive in Explorer, also in a sandboxed one.

Watchdata belongs indeed to the token, which is called Watchdog (the service it installs is also called Watchdata).

I think we're on the right way, but unfortunately "*\BaseNamedObjects\Watchdata ICP CSP v1.0_*" didn't do the trick...

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: security token

Post by Barb@Invincea » Tue Oct 10, 2017 1:46 pm

Hello pantau,

One more thing you can try is giving direct access to your CD-ROM drive following these steps:
https://www.sandboxie.com/ResourceAccessSettings#file

Once you are done making the changes:
Go to Configure --> Reload Configuration
Delete the contents of your Sandbox and re-try

Also, do try the workaround after applying the new settings.

Regards,
Barb.-

pantau
Posts: 7
Joined: Tue Oct 03, 2017 8:50 am

Re: security token

Post by pantau » Wed Oct 11, 2017 8:44 am

Unfortunately no change.

Just to be sure: I added "E:\*" as Resource Access/Direct Access at File and IPC, correct? (E is the letter assigned to the CD-Drive).

Barb@Invincea
Sandboxie Support
Posts: 2337
Joined: Mon Nov 07, 2016 3:10 pm

Re: security token

Post by Barb@Invincea » Wed Oct 11, 2017 2:17 pm

Hello pantau,

You can try Direct Access only (not IPC). If all fails, try full access.

If that doesn't work, see if installing the stable version of Firefox makes any difference, or maybe try creating a different Firefox profile (be sure to delete the contents of your Sandbox after applying changes, or create new Sandboxes).

I also noticed you are using an add-on for Firefox:
icpbravoaccess
I am not sure it works Sandboxed, I haven't found any information about it.
Is there a different add-on that you can test? Or, can you try a different browser (after applying the changes we discussed before)?

Regards,
Barb.-

pantau
Posts: 7
Joined: Tue Oct 03, 2017 8:50 am

Re: security token

Post by pantau » Sun Oct 15, 2017 2:39 pm

Full Access makes no difference.

I've tested various versions of Firefox and Chrome. They are all stable versions (some were portable or Extended Support Release).

icpbravoaccess allows access to the certificate without Java. It works sandboxed (that is, it recognizes the certificate), but it can't access the private key. Other ways of access (with Java) result in the same error.

Maybe it's just not possible...
