Sandboxie

Release Notes

This build introduces a bunch of updates and some changes, the Delete V2 mechanism has been improved to handle marking a lot of host files as deleted efficiently, and the Qt library has been updated to a custom build of Qt 5.15.13 https://github.com/xanasoft/qt-builds/ (thx @LumitoLuma)

For a full list of changes and fixes please review the full change log.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

In this update, we've introduced several key enhancements and fixes. A notable feature addition is the option to prevent sandboxed processes from capturing window images outside their environment, aimed at enhancing security; this can be activated via the "IsBlockCapture=y" setting in SandMan UI. We've also streamlined process management with the introduction of "LingerExemptWnds=n", eliminating exemptions for lingering processes with windows from termination, and added a the suspend all sandbox processes button to the toolbar and menu . Additionally, we've addressed an important bug fix related to symlinks in start menu folders, ensuring smoother system operation.
Thank you to our contributors Yeyixiao and offhub for their inputs in this update.

For a full list of changes and fixes please review the full change log.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This release advances the 1.13.x build line from its experimental pre release stage to stable release, it adds significant enhancements to the hooking mechanism associated with SCM-related functions, which enhances compatibility with newer versions of Windows. The revised hooking mechanism now supports API call tracing without the necessity for LogAPI.dll.

Additionally, this update introduces a feature aimed at increasing the privacy of encrypted boxes. When the option IsProtectScreen=y is set, windows of processes operating within boxes with this option enabled will be obscured during screenshot capture or recording, enhancing user privacy.

The release also enhances the compatibility of privacy-focused boxes with Windows Explorer, resolving issues related to the Recycle Bin. To this end a new default compatibility template has been introduced, which uses a new functionality of the wildcard pattern mechanism. Now the "**" pattern is supported, which acts as a placeholder for an arbitrary string without including the backslash ("") character, thus allowing users to apply wildcards to exactly one directory level, unlike the single asterisk ("*") which applies to multiple levels.

The update also introduces compatibility with Windows 11 insider builds up to 26080.
And modifies how the driver manages offset-dependent kernel object changes, the new method now enables loading an offset configuration directly from the registry, allowing offsets to be updated without the need to rebuild the driver.
To increase system stability, Sandboxie will cease using outdated known offsets for new, unrecognized kernel builds. This change applies except in cases where the PC is part of the Windows Insider Program.
In such instances, instead of using outdated offsets, the software will disable token-based security isolation and will display the warning SBIE1207, indicating that it has reverted to an less secure fallback mode of operation.

To force the use of the last known offsets on a newer build of windows than known to be supported import the below reg file to your system registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SbieDrv\Parameters]
"AllowOutdatedOffsets"=dword:00000001

While this build has been tested and appears functional, users may encounter minor issues in certain edge cases.

For a full list of changes and fixes please review the change log starting from 1.13.0.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This build fixes various issues and adds a few features, for a full list of changes please review the change log.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This build fixes various issues, for a full list of changes please review the change log.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This is an experimental build it reworks and streamlines the hooking mechanism around SCM related functions which should improve compatibility with newer windows versions. The improved hooking mechanism allows for API call tracing without the need for LogAPI.dll.
This build adds compatibility with windows 11 insider build 26040, 26052 and later, and changes the way the driver handles offset dependent kernel object modifications, the new mechanism allows an offset configuration to be loaded from the registry such that it is possible to update the offsets without rebuilding the driver.
To improve system stability Sandboxie will no longer try to use old known offsets on newer yet not known kernel builds, except when the pc participates in the windows insider program, instead it will disable the token based security isolation and issue SBIE1207 indicating the insecure fallback mode of operation.

For a full list of changes and fixes please review the change log.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This is a maintenance release, it fixes many issues, essentially a regression introduced in 1.12.8

For a full list of changes and fixes please review the 1.12.8 and 1.12.9 change logs.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This is a maintenance release, it fixes many issues, for a full list of changes and fixes please review the full Changelog.

Known Issue

• Symbolic link resolution does not work correctly.
  The hotfix build v1.12.8b should fix the issue, but the installer is not signed !!! Alternatively, please wait for build v1.12.9.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This is a maintenance release, it fixes many issues, for a full list of changes and fixes please review the full Changelog.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This is a maintenance release, it fixes many issues, for a full list of changes and fixes please review the full Changelog.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

The latest update brings notable improvements and fixes to Sandboxie-Plus.
Key enhancements include the integration of Date & Time display in the Sbie Messages tab, and a streamlined the box creation process, allowing for more versatile box types. Among the various fixes, issues with sandboxed processes and stability concerns in SandMan-v1.12.3 have been addressed, ensuring a more reliable and efficient user experience.

We also announce a change in our update policy: automated update download & installation now requires an active supporter certificate to use the stable channel. Users on the preview channel with all the experimental potentially buggy test builds can still use auto update without a certificate. Users on the stable channel from now on will instead receive a update notification guiding them to our manually download page.

For a full list of changes and fixes please review the full Changelog.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

The latest update brings notable improvements and fixes to Sandboxie-Plus.
Key enhancements include the integration of Date & Time display in the Sbie Messages tab, and a streamlined the box creation process, allowing for more versatile box types. Among the various fixes, issues with sandboxed processes and stability concerns in SandMan-v1.12.3 have been addressed, ensuring a more reliable and efficient user experience.

We also announce a change in our update policy: automated update download & installation now requires an active supporter certificate to use the stable channel. Users on the preview channel with all the experimental potentially buggy test builds can still use auto update without a certificate. Users on the stable channel from now on will instead receive a update notification guiding them to our manually download page.

For a full list of changes and fixes please review the full Changelog.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This build brings a lot of usability improvements, most notably the ability to auto force all removable media (Requires a supporter certificate).

In the settings, exceptions can be specified, based on the volume serial number to exclude selected devices from forced sandboxing.

This build also enhances on the global hotkeys, two new hotkeys "Alt + Break" have been added to bring the sandman window in front with the top most flag set, and "Ctrl + Alt + F" to toggle disabling of forced processes, furthermore the terminate all hotkey "Shift + Break" (panic hotkey) has been improved, individual sandboxes can be configured to be excluded from a blanket global terminate all command, however when the panic hotkey is invoked 3 times with < 1 sec between presses it will terminate all boxed processes, no exceptions.

Also worth mentioning is an improvement to the service handling which allows to install and run the GOG launcher sandboxed in a reduced isolation box with the following configuration:

UnrestrictedSCM=y
RunServicesAsSystem=y
NoSecurityIsolation=y
Template=RpcPortBindingsExt

Further work is ongoing to make GOG work in a standard sandbox.

For a full list of changes and fixes please review the full Changelog.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

This build fixes many issues and adds some new functionality.

This is a unsigned pre-release build, a final build is scheduled for the end of this week.

For a full list of changes and fixes please review the full Changelog.

This build fixes a couple of issues, among them an issue with Firefox 120.

For a full list of changes and fixes please review the full Changelog.

Release Notes

This build brings a lot of usability improvements most notably the ability to auto force all removable media (Requires a supporter certificate).

In the settings exceptions can be specified, based on the volume serial number to exclude selected devices form forced sandboxing.

This build also enhances on the global hot keys, two new hot keys have been added "Alt + Break" to bring the sandman window in front with the top most flag set, and "Ctrl + Alt + F" to toggle disabling of forced processes, furthermore the terminate all (panic hotkey) hot key "Shift + Break" has been improved, individual sandboxes can be configured to be excluded from a blanket global terminate all command, however when the panic hotkey is invoked 3 times with < 1 sec between presses it will terminate all boxed processes, no exceptions.

Also worth mentioning is an improvement to the service handling which allows to install and run the GOG launcher sand boxed in a reduced isolation box with the following configuration:

UnrestrictedSCM=y
RunServicesAsSystem=y
NoSecurityIsolation=y
Template=RpcPortBindingsExt

Further work is ongoing to make the GOG work in a standard sandbox.

For a full list of changes and fixes please review the full Changelog.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This is a maintenance release fixing a various issues and adds minor improvements

For a full list of changes and fixes please review the full Changelog.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes

This is a maintenance release fixing a few issues, and updating the 7z library to 23.01 which fixes a security issue present in previous versions of this library.

For a full list of changes and fixes please review the full Changelog.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

Release Notes - New Features and Enhancements

Sandboxie-Plus 1.11.x comes with a new component ImBox.exe which in combination with new service and driver mechanisms enables exciting new functionality. The ImBox.exe is a block device proxy for the ImDisk driver (which can be installed using the add-on manager introduced in 1.10.x) and is capable of creating dynamic RAMDisks as well as mounting Encrypted Box Images using DiskCryptor's robust and reliable AES-XTS implementation.

• The RAMDisks integration is available to all project supporters with a valid supporter certificate, it allows for seamless RAMDisk usage once configured on the add-on options settings page and enabled for selected sandboxes. The RAMDisk can be mounted without a drive letter providing a seamless experience, the appropriate Folders on the shared RAMDisk are linked to the default box root folder locations. The RAMDisk is NOT persistent this means that all data stored on the RAMDisk vanish once the system is rebooted, making such a sand box ideal to store transient confidential data.

• The Encrypted Box Image feature uses encrypted container files to store a boxes root directory (containing all files and the boxes registry hive) the mounted encrypted volume is by default guarded by the driver such that only processes runnign within the sandbox (and essential sbie+ components) can access the files stored on that volume. In combination with the "ConfidentialBox=y" option, host process read access to sandboxed processes memory is effectively blocked, ensuring no rogue process on the host can access confidential data in RAM belonging to sandboxed processes. The combination of this mechanisms creates secure enclaves, which ensure data processed within an enclave can not leak to the host (except for user configured OpenFilePath locations) and is protected even when the host would to be compromised (only adversaries which obtained kernel level privileges can bypass these mechanisms).

Note: As the new Box Encryption feature opens up a completely new branch of use-cases, which would merit being a separate product on its own, it requires a separate advanced encryption option which must be obtained in addition to a valid supporter certificate, except for the following certificate types: Contributor, Patreon, Huge and Large, all others need to be upgraded using a upgrade key which can be obtained on the web store and has to be entered on the support page.
Also for more clarity the available certificate scheme was restructured Small was renamed to Subscription, Medium to just Personal, Large was removed and a Family Pack subscription was added.

For a full list of changes and fixes please review the full Changelog.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.

This is a maintenance release it fixes various bugs and issues, see the full changelog for details

There is an issue with validating one of the new certificate types in this build, newer issued certificates should work and all users which have received an affected one will get an updated one by email.

You can support the project through donations, any help will be greatly appreciated.

If you have issues with an update installation, just uninstall the previous version keeping the sandboxie.ini and reinstall the new build.