sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

schannel error SEC_E_SECPKG_NOT_FOUND in encrypted sandboxes #4081

Closed vercas closed 1 month ago

vercas commented 1 month ago

Describe what you noticed and did

This problem only appears in encrypted hardened sandboxes with data protection:

C:\>curl -O https://download.delta.chat/desktop/v1.46.1/DeltaChat%20Setup%201.46.1.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) schannel: AcquireCredentialsHandle failed: SEC_E_SECPKG_NOT_FOUND (0x80090305) - The requested security package does not exist

Non-encrypted sandboxes with data protection don't have this problem; I can download the file just fine.

curl is not the only program seeing this issue; it's just the easiest way to test.
DeltaChat (the program I'm trying to download) has the same problem.
Thunderbird does not have this problem.

Reproduced on two different Windows installs, including a brand spanking new one.

How often did you encounter it so far?

All the time.

Expected behavior

I expect SSL/TLS to work.

Affected program

curl, DeltaChat, surely others

Download link

Not relevant

Where is the program located?

The program is installed both inside and outside the sandbox.

Did the program or any related process close unexpectedly?

No, not at all.

Crash dump

No response

What version of Sandboxie are you running now?

Sandboxie Plus v1.14.4 x64

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression from previous versions?

No response

In which sandbox type do you have this problem?

In an encrypted sandbox (black sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

What is your Windows edition and version?

Windows 11 Pro 23H2 x64

In which Windows account do you have this problem?

A local account (Administrator), a Microsoft account (Administrator).

Please mention any installed security software

Windows Defender

Did you previously enable some security policy settings outside Sandboxie?

No response

Trace log

No response

Sandboxie.ini configuration

No response

offhub commented 1 month ago

Add the following setting to your configuration and try it again.

DenyHostAccess=lsass.exe,n

Sandboxie Plus > Right click on the box > Sandbox Options > Security Options > Box Protection > Allow Process: lsass.exe > OK

vercas commented 1 month ago

That seems to have fixed the problem, thank you.
Is there any downside to doing this?

DavidXanatos commented 1 month ago

No, lsass.exe is an integral part of the Windows system and is pretty well protected, so it can be trusted. You can enable additional protection for lsass.exe: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

vercas commented 1 month ago

I've enabled the extra protection, cheers.
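
A way to confirm that the additional LSA protection mentioned above is actually in effect, as an added example that is not part of the original thread or the Sandboxie project. It assumes the `RunAsPPL` registry value and Wininit event ID 12 described in the linked Microsoft documentation; run it from an elevated PowerShell prompt on the host, outside the sandbox.

```powershell
# Added example: check that LSA protection is configured and that lsass.exe
# really started as a protected process. Registry value and event ID are taken
# from Microsoft's LSA protection documentation, not from the thread.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# RunAsPPL: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
# (2 is honoured on Windows 11 22H2 and later); missing or 0 = not configured.
$prop = Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue
$runAsPpl = if ($prop) { [int]$prop.RunAsPPL } else { 0 }

if     ($runAsPpl -eq 1) { $configured = 'enabled (UEFI lock)' }
elseif ($runAsPpl -eq 2) { $configured = 'enabled (no UEFI lock)' }
else                     { $configured = 'not configured' }

# The registry value only takes effect after a reboot. Wininit writes event 12
# to the System log when lsass.exe starts as a protected process.
$evt = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 12
} -MaxEvents 1 -ErrorAction SilentlyContinue

$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

[pscustomobject]@{
    RunAsPPL           = $runAsPpl
    Configured         = $configured
    LastBoot           = $boot
    LastProtectedStart = if ($evt) { $evt.TimeCreated } else { $null }
    EventMessage       = if ($evt) { $evt.Message } else { 'no Wininit event 12 found' }
} | Format-List

# Configured but no matching event since the last boot usually means the
# machine has not been restarted since the value was set.
if ($runAsPpl -ne 0 -and -not $evt) {
    Write-Warning 'RunAsPPL is set, but no protected-start event was logged. Reboot and check again.'
}
```

Compare `LastProtectedStart` with `LastBoot`: an event older than the current boot means lsass.exe was protected on an earlier start but not necessarily on this one.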