gjf
Platinum Member | Редактировать | Профиль | Сообщение | Цитировать | Сообщить модератору
Added
added "RunServiceAsSystem=..." allows specific named services to be ran as system
Changed
refactored some code around SCM access
Fixed
fixed a crash issue in SbieSvc.exe introduced with the last build
fixed issue with sandman ui update check
Removed
removed "ProtectRpcSs=y" due to incompatybility with new isolation defaults
Release Changelog
Added
Sandboxie now strips particularly problematic privileges from sandboxed system tokens
-- with those a process could atempt to bypass the sandbox isolation (thanks Diversenok)
-- old legacy behavior can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
-- those resources are open by default but for a hardened box its desired to close them
added print spooler filter to prevent printers from being set up outside the sandbox
-- the filter can be disabled with "OpenPrintSpooler=y"
added overwrite prompt when recovering an already existing file
added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
added more compatybility templates (thanks isaak654)
Changed
Changed Emulated SCM behavior, boxed services are no longer by default started as boxed system
-- use "RunServicesAsSystem=y" to enable the old legacy behavior
-- Note: sandboxed services with a system token are still sandboxed and restricted
-- However not granting them a system token in the first place removes possible exploit vectors
-- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence!
Reworked dynamic IPC port handling
Improved Resource Monitor status strings
Fixed
fixed a critical issue that allowed to create processes outside the sandbox (thanks Diversenok)
fixed issues with dynamic IPC port handling that allowed to bypass IPC isolation
fixed issue with ipc tracing
fixed CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
-- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
fixed hooking issues SBIE2303 with chrome, edge and possibly others
fixed failed check for running processes when performing snapshot operations
fixed some box option checkboxes were not properly initialized
fixed unavailable options are not properly disabled when sandman is not connected to the driver
fixed MSI instalelr issue, not being able to create "C:\Config.Msi" folder on windows 20H2
added missing localization to generic list commands
fixed issue with "iconcache_*" when runngin sandboxed explorer
fixed more issues with groups
|
