Closed rugabunda closed 1 year ago
Source where people complained about this before; some say it did not work on XP, but it worked on Vista-10 for a time: https://forums.malwarebytes.com/topic/187485-sbie-mbae/ https://www.wilderssecurity.com/threads/malwarebytes-anti-exploit-and-emet.360912/#post-2347627
I originally thought Sandboxie was blocking MBAE because MBAE was not reporting them in the log. However, when enabling strict CFG exploit protections for Vivaldi, Vivaldi loaded in the sandbox but crashed outside the sandbox, meaning Sandboxie appears to be breaking Windows Defender exploit protections. If my observations are correct, I am not sure which is wiser: ditching Sandboxie or ditching the latest cutting-edge exploit protections.
Update:
1a. When strict CFG exploit protection for Vivaldi is disabled, MBAE loads when Sandboxie is disabled;
1b. If Sandboxie is enabled, MBAE does not work in Vivaldi.
2a. When strict CFG exploit protection for Vivaldi is enabled and Sandboxie is DISABLED, Vivaldi crashes;
2b. When Sandboxie is enabled, Vivaldi loads without MBAE protections.
MBAE offers software-based protections not yet adopted by Windows 10 or non-Intel CPUs (ROP), so fixing this would be quite useful.
@DavidXanatos, what do you think is safer? Firefox with Exploit Protections, or Sandboxie with broken Exploit protections?
I think in the end the question is whether you assume that CFG and/or MBAE really block all possible exploit vectors. If you assume that is the case, you don't need Sandboxie.
If, however, you assume that while they are cutting edge and fancy and so on they are not all-encompassing, that is, there are still ways to find an exploit, then using Sandboxie instead is imho better, as it is a secondary, fully independent layer of protection.
Also, about MBAE promises like ROP protection: I would be very surprised if that would work reliably without either hardware support or being done by the compiler when building. It's probably better than nothing but simply not really reliable. If you could make it reliable, imho Windows Defender would already have it.
One more question: if you leave CFG and Sandboxie enabled, does it work well together?
@DavidXanatos, it's better to have all of the security capabilities than to make all of them pointless because of one weakness. Exploits are becoming easier and easier in this manner: you just scan and there it finds the weakest link in the chain.
@DavidXanatos, I believe Windows Defender may have it; type Get-ProcessMitigation -System. It's not visible in the Windows GUI, however.
Just wondering, because if viruses can simply bypass Sandboxie easily with inadequate exploit protections in place, then it defeats the whole purpose.
Maybe this requires Tiger Lake hardware?
Get-ProcessMitigation -System
Override EnableRopStackPivot : False
EnableRopCallerCheck : NOTSET
EnableRopSimExec : NOTSET
OK, I see these are actually already in the GUI; they just do not preface it with the name "ROP".
One more question: if you leave CFG and Sandboxie enabled, does it work well together?
CFG is on by default for all programs, and yes for Firefox, but it does not work with sandboxed Firefox. It does not appear to cause any instability or other problems.
The Sandboxie service has CF Guard, but not Firefox or VLC when they operate inside of Sandboxie.
I have only seen these so far in Sandboxie; I noticed many crash dumps appearing with "validate heap integrity" on by default.
Sbiesvc.exe FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_c0000005_ntdll.dll!RtlUserThreadStart ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
This happens to dozens of programs every day.
Do you have any recommendations for manual enhancement of Sandboxie's Windows exploit protections?
Most exploit mitigations are working fine, except CFG; even when enabled, this does not work. And strict CFG breaks Firefox in Sandboxie. "Prefer system32 images" is enabled in some Firefox processes inside Sandboxie.
Inside sandboxie
outside sandboxie
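The two checks discussed in this thread (reading what Get-ProcessMitigation reports for a program, and comparing a sandboxed instance with one started outside the box) can be scripted instead of read off screenshots. The script below is an added example and is not code from the issue thread, from Sandboxie, or from Microsoft; the parameter name $ProgramName, the two helper function names and the -ApplyPolicy switch are my own. It assumes Windows 10 1709 or later with the ProcessMitigations module, that the mitigation property names (CFG.Enable, CFG.StrictCFG, Payload.EnableRopStackPivot, ...) match what the cmdlet prints, as in the -System output pasted above, and that a process running inside Sandboxie can be recognised by the SbieDll.dll module Sandboxie injects into it, which is a heuristic rather than a documented API. Writing the per-program policy in step 2 needs an elevated shell.

```powershell
<#
Added example, not from the issue thread or the Sandboxie project.
Step 1 lists the live mitigation state of every running instance of a
program so a copy started inside a Sandboxie box can be compared with one
started outside. Step 2 (opt-in) stores a per-program policy that keeps
CFG on but does not force strict CFG, which the thread reports crashing
the browser under Sandboxie. Assumptions: ProcessMitigations module
present (Windows 10 1709+); SbieDll.dll in the module list marks a
sandboxed process (heuristic); elevation for Set-ProcessMitigation.
#>
[CmdletBinding()]
param(
    [string]$ProgramName = 'firefox.exe',   # illustrative default
    [switch]$ApplyPolicy                    # only write policy when asked
)

function Test-SandboxedProcess {
    param([int]$ProcessId)
    try {
        # Sandboxie injects SbieDll.dll into every process it confines.
        $mods = (Get-Process -Id $ProcessId -ErrorAction Stop).Modules
        return [bool]($mods | Where-Object { $_.ModuleName -ieq 'SbieDll.dll' })
    } catch {
        # 32/64-bit mismatch or access denied: report unknown, do not guess.
        return $null
    }
}

function Get-RunningMitigationSummary {
    param([string]$Name)
    # -RunningProcesses reads the state the kernel enforces on each live
    # instance, not the stored policy, so it reflects whatever happened to
    # the process at launch (including anything the sandbox did to it).
    Get-ProcessMitigation -Name $Name -RunningProcesses | ForEach-Object {
        [pscustomobject]@{
            Id             = $_.Id
            Sandboxed      = Test-SandboxedProcess -ProcessId $_.Id
            CFG            = $_.CFG.Enable
            StrictCFG      = $_.CFG.StrictCFG
            RopStackPivot  = $_.Payload.EnableRopStackPivot
            RopCallerCheck = $_.Payload.EnableRopCallerCheck
            RopSimExec     = $_.Payload.EnableRopSimExec
        }
    }
}

# Step 1: live comparison. A row with Sandboxed=True and CFG=OFF next to a
# row with Sandboxed=False and CFG=ON reproduces the observation in the thread.
Get-RunningMitigationSummary -Name $ProgramName | Format-Table -AutoSize

# Step 2 (opt-in): stored per-program policy. This is what the Exploit
# protection GUI writes; Set-ProcessMitigation is the scriptable form.
if ($ApplyPolicy) {
    Set-ProcessMitigation -Name $ProgramName -Enable CFG -Disable StrictCFG
    # Read back the stored policy (no -RunningProcesses) to confirm the change.
    Get-ProcessMitigation -Name $ProgramName | Select-Object -ExpandProperty CFG
}
```

Run it once with the browser open both inside and outside a box to get the comparison table; add -ApplyPolicy from an elevated prompt only if you want the stored policy changed. Note that the stored policy and the live state are separate things: a per-program policy can show CFG as ON while the sandboxed instance still reports OFF, which is exactly the gap the thread is about, so always check the -RunningProcesses view after changing policy.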
https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
How Can I Enable CFG?
In most cases, there is no need to change source code. All you have to do is add an option to your Visual Studio 2015 project, and the compiler and linker will enable CFG.
The simplest method is to navigate to Project | Properties | Configuration Properties | C/C++ | Code Generation and choose Yes (/guard:cf) for Control Flow Guard.
cfg property in visual studio
Alternatively, add /guard:cf to Project | Properties | Configuration Properties | C/C++ | Command Line | Additional Options (for the compiler) and /guard:cf to Project | Properties | Configuration Properties | Linker | Command Line | Additional Options (for the linker).
Well, it looks like Sandboxie itself is compatible with CFGuard, but what about sandboxed applications? How can I get that to work?
Why was this bug closed? In fact, I hope sandboxed processes have as many exploit mitigations as possible, because they're another security layer.
I noted that any browser that runs in Sandboxie is not protected by MBAE; please add this functionality.
Thank you, you are doing a great job.