sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

Sandboxie-Plus stopped to run any sb Apps #2712

Open masscream opened 1 year ago

masscream commented 1 year ago

Describe what you noticed and did

I've been using SBP, mainly for Firefox and KeePassXC on Win 10, and it's been working well for quite some time. Now, suddenly (it might have been triggered by a Firefox update - always outside of sb, but I doubt it; however, I have no other trace of what changed), it stopped working. Whenever I try to run any app in Sb I get only the error "SBIE2204 cannot start sandboxed service RpcSs (-1)" and sometimes "SBIE2204 cannot start sandboxed service DcomLaunch (-4)". While googling around, I found only old threads with no solutions and/or advice that Sb (old versions) were not compatible with Windows 10 yet. Now the situation should be different, however. I updated Sb plus to the latest version (was using 1.0.20, then 1.7.2), reinstalled everything, but no change. It broke across all the sandboxes; creating a new sb does not help.

The issue is nicely described here, but with no solution either... https://sandboxie-plus.github.io/sandboxie-docs/Content/SBIE2204.html

Thanks for any hints

How often did you encounter it so far?

Always

Affected program

Firefox ESR, KeepassXC, but probably not relevant....

Download link

not relevant

Where is the program located?

The program is installed both inside and outside the sandbox.

Expected behavior

It should run.

What is your Windows edition and version?

Windows 10 Enterprise 21H2

In which Windows account you have this problem?

User account with UAC protection completely turned off.

Please mention any installed security software

Sentinel

What version of Sandboxie are you running?

Sandboxie Plus 1.7.2

Is it a new installation of Sandboxie?

I have been using the same version for some time.

Is it a regression?

No response

In which sandbox type you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

Nothing I'm aware of.

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

#
# Sandboxie-Plus configuration file
#

[GlobalSettings]
FileRootPath=\??\%SystemDrive%\User\Sandbox\%USER%\%SANDBOX%
SeparateUserFolders=y
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%
NetworkEnableWFP=y
Template=Edge_Fix
Template=RocketDock
Template=WindowsRasMan
Template=WindowsLive
Template=OfficeLicensing
Template=OfficeClickToRun
Template=7zipShellEx
DefaultBox=DefaultBox

[UserSettings_0E3A01E2]
SbieCtrl_AutoStartAgent=SandMan.exe
SbieCtrl_EnableAutoStart=y
BoxCollapsedView=Test

[MyBox]
Enabled=y
AutoRecover=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#d78318,ttl,3
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=9
CopyLimitKb=81920
RunCommand=KeePassXC|"C:\Program Files\KeePassXC\KeePassXC.exe"
OpenFilePath=C:\Logs
OpenFilePath=C:\User
ClosedFilePath=<BlockNetDevices>,InternetAccessDevices
ProcessGroup=<StartRunAccess>,
AllowNetworkAccess=<BlockNetAccess>,n
DropAdminRights=n
FakeAdminRights=n

[DefaultBox]
Enabled=y
AutoRecover=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,ttl
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=9

offhub commented 1 year ago

It could be an issue caused by Sentinel security software.

Optional:

  1. Make sure your Windows is up to date.
  2. Backup your Sandboxie config files.
    C:\Windows\Sandboxie.ini
    C:\Users\user\AppData\Local\Sandboxie-Plus\Sandboxie-Plus.ini
  3. Restart your computer
  4. Uninstall Sandboxie (select remove configs too)
  5. Restart your computer again
  6. Install the latest version
  7. Restart your computer again (2)
  8. Try running any program without using your old configuration.

masscream commented 1 year ago

I tried, however, even with the new config on a new box, same issue. Isn't there any log I could check or set up in verbose mode? Yes, Sentinel is a pretty piece of crap in this sense, it wouldn't be the first app it screwed up in that system, however, every time it does so, it's very visibly announcing "quarantining a threat", now it's silent, nothing in its log... Interesting.

There must be a way how to find out, what exactly goes wrong. There are no files missing, blocked, I do have admin rights on the system...

masscream commented 1 year ago

Attaching a tracelog, it looks like there's a problem with the RpcSs exe file itself, like permissions or so. The file is physically there but Sb can't use it.

Sandboxie-log.txt

offhub commented 1 year ago

Try adding the following to your sandbox configuration.

DelayLoadDll=InProcessClient32.dll
DelayLoadDll=InProcessClient64.dll
ClosedFilePath=*\InProcessClient32.dll
ClosedFilePath=*\InProcessClient64.dll

OR

ClosedFilePath=*\InProcessClient32.dll
ClosedFilePath=*\InProcessClient64.dll

masscream commented 1 year ago

Tried, the result is that the error pops up immediately instead of the process hanging for a moment... (and then threw an error). Here is the log.

Sandboxie-log2.txt

offhub commented 1 year ago

Try these:

Note: Do not use them except for testing! Especially with untrusted apps!

DelayLoadDll=InProcessClient32.dll
DelayLoadDll=InProcessClient64.dll
ClosedFilePath=*\InProcessClient32.dll
ClosedFilePath=*\InProcessClient64.dll
OpenIpcPath=*\BaseNamedObjects*\*
OpenPipePath=\Device\NamedPipe\*

OR

ClosedFilePath=*\InProcessClient32.dll
ClosedFilePath=*\InProcessClient64.dll
OpenIpcPath=*\BaseNamedObjects*\*
OpenPipePath=\Device\NamedPipe\*

OR

OpenIpcPath=*\BaseNamedObjects*\*
OpenPipePath=\Device\NamedPipe\*
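
The OpenIpcPath and OpenPipePath lines above are marked as testing-only, so a follow-up check that they did not stay in Sandboxie.ini is useful. The following is an added example, not code from this thread or from the Sandboxie project: it parses Sandboxie.ini text (keys such as Template= repeat, so every value is kept) and reports those two blanket openings. The exact-match list and the sample configuration are constructed for this example.

```python
# Added example: flag the test-only openings from this thread in Sandboxie.ini text.
# The exact-match list below comes from the thread; it is this example's
# assumption, not a Sandboxie-defined denylist.
TEST_ONLY = {
    "openipcpath": {r"*\basenamedobjects*\*"},
    "openpipepath": {r"\device\namedpipe\*"},
}

# Constructed sample, modelled on the configuration posted in the issue.
SAMPLE_INI = r"""
[GlobalSettings]
Template=7zipShellEx
DefaultBox=DefaultBox

[DefaultBox]
Enabled=y
Template=OpenBluetooth
Template=SkipHook
ClosedFilePath=*\InProcessClient64.dll
OpenIpcPath=*\BaseNamedObjects*\*
OpenPipePath=\Device\NamedPipe\*
"""

def parse_sections(text):
    """Return {section: [(lineno, key, value)]}; repeated keys are all kept."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((lineno, key.strip(), value.strip()))
    return sections

def find_test_leftovers(text):
    """Return (section, lineno, setting) for each blanket IPC/pipe opening."""
    findings = []
    for section, entries in parse_sections(text).items():
        for lineno, key, value in entries:
            # A value may be scoped as "program.exe,path"; compare the path part.
            path = value.rpartition(",")[2].strip().lower()
            if path in TEST_ONLY.get(key.lower(), ()):
                findings.append((section, lineno, f"{key}={value}"))
    return findings

if __name__ == "__main__":
    for section, lineno, setting in find_test_leftovers(SAMPLE_INI):
        print(f"line {lineno} [{section}] {setting}")
```
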

masscream commented 1 year ago

Still no success, here is the log for the first one. Will try to find in the meantime, if there's any process interfering.

Sandboxie-log3.txt

DavidXanatos commented 1 year ago

Have you tried with Sentinel disabled or uninstalled? PS: Where can I find a test version of this Sentinel to check it out?

masscream commented 1 year ago

Nope, unfortunately I don't have that option. Anyway, digging deeper into the system log, I discovered that the last day my setup was working was the day Sentinel got a new version, speaking about 22.2.4.558. Where you can get it, not sure, cause I'm using both with Windows forced on this PC.

It is interesting because Sentinel is usually seizing / deleting functional files on the run and as I said, very verbosely. Therefore this must be something new in its settings or so. There might be a slight chance getting it to work by modifying something in Sb settings only, but I already started creating a new solution. Thanks for the ideas and hints.

ghost commented 1 year ago

This is corporate AV software. It does not even have any GUI options to configure.

e-t-l commented 10 months ago

@masscream Did you have Firefox and KeePassXC in the same box or different boxes?

masscream commented 10 months ago

If I remember correctly, I had it installed on the host but was running it inside the Sb. I found some tutorials how to make it work from the host to Sb, however I was never successful with them. Anyway, I dumped the whole Sb solution back then, cause it stopped working at all in the corporate environment.