gjf
Platinum Member | Редактировать | Профиль | Сообщение | Цитировать | Сообщить модератору Added added "RunServiceAsSystem=..." allows specific named services to be ran as system Changed refactored some code around SCM access Fixed fixed a crash issue in SbieSvc.exe introduced with the last build fixed issue with sandman ui update check Removed removed "ProtectRpcSs=y" due to incompatybility with new isolation defaults Release Changelog Added Sandboxie now strips particularly problematic privileges from sandboxed system tokens -- with those a process could atempt to bypass the sandbox isolation (thanks Diversenok) -- old legacy behavior can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended) added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n" -- those resources are open by default but for a hardened box its desired to close them added print spooler filter to prevent printers from being set up outside the sandbox -- the filter can be disabled with "OpenPrintSpooler=y" added overwrite prompt when recovering an already existing file added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI added more compatybility templates (thanks isaak654) Changed Changed Emulated SCM behavior, boxed services are no longer by default started as boxed system -- use "RunServicesAsSystem=y" to enable the old legacy behavior -- Note: sandboxed services with a system token are still sandboxed and restricted -- However not granting them a system token in the first place removes possible exploit vectors -- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence! Reworked dynamic IPC port handling Improved Resource Monitor status strings Fixed fixed a critical issue that allowed to create processes outside the sandbox (thanks Diversenok) fixed issues with dynamic IPC port handling that allowed to bypass IPC isolation fixed issue with ipc tracing fixed CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok) -- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y" fixed hooking issues SBIE2303 with chrome, edge and possibly others fixed failed check for running processes when performing snapshot operations fixed some box option checkboxes were not properly initialized fixed unavailable options are not properly disabled when sandman is not connected to the driver fixed MSI instalelr issue, not being able to create "C:\Config.Msi" folder on windows 20H2 added missing localization to generic list commands fixed issue with "iconcache_*" when runngin sandboxed explorer fixed more issues with groups |