sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

Edge sbox does not terminate with Malwarebytes Browser Guard enabled #3372

Open bjm234 opened 1 year ago

bjm234 commented 1 year ago

Describe what you noticed and did

Just curious whether any users run the Malwarebytes Browser Guard extension in an Edge sbox. Edge sbox upon close does not terminate when Malwarebytes Browser Guard is enabled. Edge sbox with auto delete enabled does not auto delete. Terminate Programs sorts it. Just curious whether any users experience similar in an Edge sbox. I've tried a new default sbox with auto delete enabled. I've tried direct/full access to AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ihcjic..... I've tried direct access to the entire Edge profile. I've tried Leader Programs > msedge.exe + default LingerPrograms enabled. I've tried Leader Programs > MbamBgNativeMsg.exe. No joy.
Just curious what's holding Edge from terminating. With the bookmarks extension and uBlock Origin, Edge sbox auto delete is okay. With bookmarks, uBO and MBG, Edge sbox auto delete is not okay.
Chrome sbox (same extensions) has the same issue as Edge sbox. Firefox sbox (same extensions) seems to auto delete okay. Just curious. Thanks

How often did you encounter it so far?

reproducible

Affected program

Edge

Download link

Not relevant

Where is the program located?

Edge is installed only outside the sandbox.

Expected behavior

expect to see auto delete okay

What is your Windows edition and version?

W10 22H2

In which Windows account you have this problem?

A local account (Administrator).

Please mention any installed security software

Norton 360, OSArmor

What version of Sandboxie are you running?

1.11.4

Is it a new installation of Sandboxie?

I just updated Sandboxie from a previous version (I remember which one it is).

Is it a regression?

1.11.3 same MBG issue

In which sandbox type you have this problem?

Enhanced Isolation or Default Auto Delete

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty default sandbox with auto delete enabled.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

[GlobalSettings]
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%
TemplateReject=WindowsRasMan
TemplateReject=WindowsLive
TemplateReject=OfficeLicensing
TemplateReject=7zipShellEx
TemplateReject=NortonInternetSecurity
UseFileDeleteV2=y
UseRegDeleteV2=y
ForceDisableSeconds=6000
NetworkEnableWFP=y
SandboxieLogon=y
NotifyForceProcessDisabled=y
DefaultBox=Default

[UserSettings_04D4013A]
SbieCtrl_AutoStartAgent=SandMan.exe -autorun
BoxDisplayOrder=DefaultBox,7Zip,ByteScout,Chrome,Edge,Explorer,Firefox,WindowsExplorer,Hardened,Sumatra,WMP,HardenedDP
SbieCtrl_EnableAutoStart=n
SbieCtrl_UserName=bjm
SbieCtrl_NextUpdateCheck=-1
SbieCtrl_WindowCoords=570,267,1008,511
SbieCtrl_ActiveView=40021
SbieCtrl_ProcessViewColumnWidths=250,70,300
SbieCtrl_UpdateCheckNotify=n
SbieCtrl_AutoApplySettings=n
SbieCtrl_HideMessage=1308,cmd.exe [Edge]
SbieCtrl_HideMessage=1308,dllhost.exe [Edge]
SbieCtrl_HideMessage=1308,RuntimeBroker.exe [Edge]
SbieCtrl_HideMessage=1308,software_reporter_tool.exe [Chrome]
SbieCtrl_HideMessage=1308,MicrosoftEdgeUpdateBroker.exe [Edge]
SbieCtrl_HideMessage=1308,identity_helper.exe [Edge]
SbieCtrl_HideMessage=1318,WavesSvc64.exe
SbieCtrl_HideMessage=1318,MacriumService.exe
SbieCtrl_HideMessage=1318,MicrosoftEdgeUpdate.exe
SbieCtrl_HideMessage=1318,symerr.exe
SbieCtrl_HideMessage=1318,msiexec.exe
SbieCtrl_HideMessage=1318,CCleaner64.exe
SbieCtrl_HideMessage=1318,BelarcAdvisor.exe
SbieCtrl_HideMessage=1318,mbamtray.exe
SbieCtrl_HideMessage=1318,mbam.exe
SbieCtrl_RecoverTarget=C:\Users\bjm\Desktop
BoxGrouping=:7Zip,ByteScout,Chrome,Edge,Explorer,Firefox,Hardened,Sumatra,WMP,Default
SbieCtrl_BoxExpandedView=Edge,Firefox

[Edge]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00ffa5,ttl,6
Template=BlockTelemetry
Template=LingerPrograms
Template=qWave
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=BlockPorts
Template=Edge_Bookmarks_DirectAccess
Template=Edge_Passwords_DirectAccess
ConfigLevel=10
ProcessGroup=<InternetAccessDisabled>,
ProcessGroup=<InternetAccess>,SandboxieCrypto.exe,msedge.exe
ProcessGroup=<StartRunAccess>,notepad.exe,msedge.exe
PromptForInternetAccess=y
ClosedIpcPath=!<StartRunAccess>,*
DropAdminRights=y
HideHostProcess=KeePass.exe
UseRuleSpecificity=y
AllowBoxedJobs=y
UseSecurityMode=y
UseFileDeleteV2=y
UseRegDeleteV2=y
ProtectHostImages=y
AllowNetworkAccess=!<InternetAccess>,n
DenyHostAccess=audiodg.exe,n
NeverDelete=n
AutoDelete=y
ConfidentialBox=y
LeaderProcess=msedge.exe

Maybe, Malwarebytes Browser Guard is talking to Malwarebytes even though my Malwarebytes is not running real-time protection.


Does Leader/Lingering see MbamBgNativeMsg.exe the same as mbambgnativemsg.exe?

bjm234 commented 1 year ago

Okay, auto delete works in my Default Auto Delete sbox by adding msedge.exe, mbam.exe, MbamBgNativeMsg.exe, cmd.exe to Lingering Programs.

I thought if leader processes are defined, all others are treated as lingering processes. I had added msedge.exe, mbam.exe, MbamBgNativeMsg.exe, cmd.exe to Leader Programs. That did not work, for me.

I have to see if my Edge sbox Enhanced Isolation Auto Delete will auto delete.

Does Leader/Lingering see MbamBgNativeMsg.exe the same as mbambgnativemsg.exe? My Edge sbox Leader/Lingering will not hold uppercase... it reverts to all lower case.

offhub commented 1 year ago

To test it, try setting ConfidentialBox to n: ConfidentialBox=n

offhub commented 1 year ago

It doesn't matter whether the letters are uppercase or lowercase.

Disable Malwarebytes Browser Guard extension or use ClosedFilePath=%ProgramFiles%\Malwarebytes\Anti-Malware\MbamBgNativeMsg.exe to block it from running in the sandbox.

When you try to terminate MbamBgNativeMsg.exe manually (or with Sandboxie), you get an "Access Denied" error. This is why it seems to be stuck, because it won't terminate itself. In such cases it may be better to use a more forceful termination technique. @DavidXanatos

bjm234 commented 1 year ago

Okay, auto delete works in my Default Auto Delete sbox by adding msedge.exe, mbam.exe, MbamBgNativeMsg.exe, cmd.exe to Lingering Programs.

Edge sbox Enhanced Isolation Box Protection Auto Delete will not auto delete.

I'm not married to MBG. I'm curious why MBG does not play well in my Edge sbox.
My bookmarks extension + uBO play well in my Edge sbox.

@offhub Thanks for your interest.

bjm234 commented 1 year ago

@offhub ClosedFilePath=%ProgramFiles%\Malwarebytes\Anti-Malware\MbamBgNativeMsg.exe is the definitive fix... if I want to run the Malwarebytes Browser Guard extension in my Edge sbox.
No Leader/Lingering Programs needed. Edge sbox auto-delete works.

Regards w Respect
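As an added example (not code from the Sandboxie project or anyone in this thread), the small checker below parses a constructed Sandboxie.ini fragment modelled on the two remedies discussed above (the LingerProcess entries and the ClosedFilePath line) and answers the case-sensitivity question raised here by comparing process names case-insensitively. The `%ProgramFiles%` expansion table and the glob-style path matching are assumptions of this example, not a statement of Sandboxie's exact matching rules.

```python
import fnmatch

# Constructed [Edge] fragment modelled on the thread: the LingerProcess entries
# bjm234 added plus the ClosedFilePath line offhub suggested (not the real file).
SAMPLE_INI = r"""
[Edge]
LeaderProcess=msedge.exe
LingerProcess=msedge.exe
LingerProcess=mbam.exe
LingerProcess=mbambgnativemsg.exe
ClosedFilePath=%ProgramFiles%\Malwarebytes\Anti-Malware\MbamBgNativeMsg.exe
"""

# Hypothetical expansion table; on a real host these come from the environment.
VARS = {"%ProgramFiles%": r"C:\Program Files"}

def parse_sandboxie_ini(text):
    """Parse into {section: [(key, value), ...]}, keeping repeated keys
    (several LingerProcess lines) that configparser would collapse."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def values(section, key):
    """All values of a (possibly repeated) key, in file order."""
    return [v for k, v in section if k.lower() == key.lower()]

def is_linger(section, exe):
    # Process names compare case-insensitively, as offhub states in the thread.
    return exe.lower() in {v.lower() for v in values(section, "LingerProcess")}

def is_closed_path(section, path, variables=VARS):
    """True if `path` is blocked by a ClosedFilePath entry.
    Assumption: %VAR% tokens expand from `variables`, `*` is a glob wildcard
    and matching ignores case like the Windows file namespace."""
    for pattern in values(section, "ClosedFilePath"):
        for var, real in variables.items():
            pattern = pattern.replace(var, real)
        if fnmatch.fnmatchcase(path.lower(), pattern.lower()):
            return True
    return False
```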

mike406 commented 8 months ago

Having this same issue but with Firefox. What is strange is I am able to manually terminate MbamBgNativeMsg.exe with task manager and then the sandbox will finally end and delete. Even more confusing, if you right click MbamBgNativeMsg.exe in the Sandboxie Control window and click "Terminate Program" it fails to terminate with no error message, BUT if I right click the sandbox itself and click "Terminate Programs" it will terminate everything including MbamBgNativeMsg.exe. Why does one method work but not the other? 🤔