HitmanPro.Alert blocking sandboxed browsers

Please post your problem description here

Moderator: Barb@Invincea

Post Reply
kerflot
Posts: 53
Joined: Mon Mar 09, 2009 3:08 am
Location: Australia

HitmanPro.Alert blocking sandboxed browsers

Post by kerflot » Thu Nov 23, 2017 10:43 am

I believe this to be more a HitmanPro problem and have written to them.

Their latest version v3-7-1-723 will not allow either Firefox or Opera (both latest versions) run sandboxed.
If I turn off Exploit Mitigation in Hitman I get repeatedly the error "SBIE2205 Service not implemented: Win32Init.6 (000000AA)".
The browsers will then open with some interference with Add-ons in Firefox but Opera appears to be okay.
Experimenting with Opera, when I navigate I get more lines of the above error.

So until Hitman brings out a fix I have had to "Stop" the HitmanPro.Alert service in Windows Services.

I'm using Windows 7 Pro 32bit.

deugniet
Posts: 334
Joined: Thu Jan 29, 2009 6:16 pm

Re: HitmanPro.Alert blocking sandboxed browsers

Post by deugniet » Thu Nov 23, 2017 1:19 pm

kerflot wrote:
Thu Nov 23, 2017 10:43 am
I believe this to be more a HitmanPro problem and have written to them.

Their latest version v3-7-1-723 will not allow either Firefox or Opera (both latest versions) run sandboxed.
If I turn off Exploit Mitigation in Hitman I get repeatedly the error "SBIE2205 Service not implemented: Win32Init.6 (000000AA)".
The browsers will then open with some interference with Add-ons in Firefox but Opera appears to be okay.
Experimenting with Opera, when I navigate I get more lines of the above error.

So until Hitman brings out a fix I have had to "Stop" the HitmanPro.Alert service in Windows Services.

I'm using Windows 7 Pro 32bit.
Had a lot of PrivGuard problems with Sandboxie 5.22 and HmP.Alert 723. More info: https://www.wilderssecurity.com/threads ... 1/page-575

Possible solution:
Screenshot-2017-11-23 HitmanPro Alert BETA.png
Screenshot-2017-11-23 HitmanPro Alert BETA.png (38.35 KiB) Viewed 2693 times

deugniet
Posts: 334
Joined: Thu Jan 29, 2009 6:16 pm

Re: HitmanPro.Alert blocking sandboxed browsers

Post by deugniet » Thu Nov 23, 2017 2:12 pm

Or add HitmanPro.Alert:
1.JPG
1.JPG (67.23 KiB) Viewed 2686 times

Sandboxie Control > Configure > Software Compatibility

cocoon
Posts: 33
Joined: Tue Jul 11, 2017 3:11 pm

Re: HitmanPro.Alert blocking sandboxed browsers

Post by cocoon » Thu Nov 23, 2017 2:59 pm

I had the same problem with a specific program (not a browser). The workaround for me was to add it to HMPA's exceptions.

EDIT: It also occurred with Firefox after I made the above posting.
-=-=-=-=-=-=-
Windows 10 Pro Creators Edition, Sandboxie 5.22 beta, Bitdefender Total Security 2018, VoodooShield 4.12b, Hitmanpro Alert, Opera, Firefox 57

kerflot
Posts: 53
Joined: Mon Mar 09, 2009 3:08 am
Location: Australia

Re: HitmanPro.Alert blocking sandboxed browsers

Post by kerflot » Sat Dec 02, 2017 4:37 am

Thank you one and all for your input.

The Sandboxie settings were already in place, that's why I did not have an issue before the latest HMPA update.

kerflot
Posts: 53
Joined: Mon Mar 09, 2009 3:08 am
Location: Australia

Re: HitmanPro.Alert blocking sandboxed browsers

Post by kerflot » Sat Dec 02, 2017 4:40 am

I eventually received the following "solutions" from HMPA over a few days:

"Change the Action mode to 'Silent audit'. Is everything back to normal now?"
[didn't do a thing]

"Sandboxie is stealing security tokens and applying that the the sandboxed browser, and that is exactly what PrivGuard is supposed to block.
So unfortunately these two don't play nice, if you wish to keep Sandboxie you can disable 'Local Priviledge mitigation' on process protection."

[didn't do a thing - "stealing"? Oh really? Also, their spelling not mine]


And finally after me asking if PrivGuard was not blocking this before the update:

"No, the feature is new, hence the previous version had no protection against this.
But there are more issues with running Alert and Sandboxie, I have informed our developers and they are looking in to it.".


So there you have it. Unfortunately you cannot prevent HMPA from updating itself. You just have to stop using it.
For now I let HMPA start on boot up, check for updates manually (just in case), then go to services.msc and Stop the HitmanPro.Alert service before running a sandboxed browser.

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 1876
Joined: Mon Nov 07, 2016 9:10 pm

Re: HitmanPro.Alert blocking sandboxed browsers

Post by Barb@Invincea » Tue Dec 05, 2017 11:38 pm

All,

I downloaded Hitman Pro Alert v3.7.1 build723 + Win 7 x86 +Sbie 5.23.1 . I ensured Process Protection ---> Local Privilege Mitigation was enabled (it is by default), and tested launching web browsers in a new Sandbox with default settings. I did not experience any issues launching Firefox or Chrome in the Sandbox.
I went to the Exploit Mitigation settings, and Sandboxie was listed as "Not Protected" under Running applications.

After a reboot, I did get a PrivGuard Alert when I launched Chrome Sandboxed, but no error messages appeared and functionality was not affected.
Can somebody please provide repro steps?

Regards,
Barb.-

kerflot
Posts: 53
Joined: Mon Mar 09, 2009 3:08 am
Location: Australia

Re: HitmanPro.Alert blocking sandboxed browsers

Post by kerflot » Tue Dec 05, 2017 11:52 pm

I was using Sanboxie 5.22 full version.

After updating to the above Beta version nothing changed.
Even with HMPA uninstalled and reinstalled.

With Exploit Mitigation enabled I noticed that by going to Delete Contents (SB) there is only 1MB of data.
Firefox does not show in Windows Task Manager.
The attached image shows a list of what is sandboxed. There are no "All Files and Folders" but I suppose this is expected.
Attachments
SB_window.jpg
SB_window.jpg (114.48 KiB) Viewed 6187 times

kerflot
Posts: 53
Joined: Mon Mar 09, 2009 3:08 am
Location: Australia

Re: HitmanPro.Alert blocking sandboxed browsers

Post by kerflot » Wed Dec 06, 2017 1:23 am

Barb@Invincea wrote:
Tue Dec 05, 2017 11:38 pm
Can somebody please provide repro steps?
Repro steps not possible.
HMPA updated itself, requested that I reboot.
I did.
Then tried using Firefox and nothing happened.
Which Win7 version are you using, Pro?
Which version of Firefox are you using? I'm using v57.0.1 (FF Quantum).

deugniet
Posts: 334
Joined: Thu Jan 29, 2009 6:16 pm

Re: HitmanPro.Alert blocking sandboxed browsers

Post by deugniet » Wed Dec 06, 2017 1:32 pm

@Barb.

Cant reproduce a mitigation, it occurs sometimes out of the blue. Maybe You could contact Erik or Mark Loman from Sophos/Surfright, they are aware of this issue.

Info of the mitigation can be found via the Windows Event viewer.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 30-11-2017 08:09:56
Gebeurtenis-id:911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation ROP

Platform 10.0.16299/x64 v723 06_5e
PID 8264
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 57

Callee Type LoadLibrary

Stack Trace

Code: Select all

# Address Module Location
-- ---------------- ------------------------ ----------------------------------------
1 00007FFE81D6966D KernelBase.dll
2 00007FFE85848508 ntdll.dll
3 00007FFE85830F56 ntdll.dll __C_specific_handler +0x96
4 00007FFE85844C3D ntdll.dll __chkstk +0x11d
5 00007FFE857BD1B8 ntdll.dll
6 00007FFE85843B6E ntdll.dll KiUserExceptionDispatcher +0x2e

7 00007FFE3CD64B9E xul.dll
cc INT 3

8 00007FFE3D10F90A xul.dll
9 00007FFE3D0F8E66 xul.dll
10 00007FFE3CE09EF6 xul.dll

Code Injection
0000000000BC0000-0000000000BC6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2336]
0000000000BD0000-0000000000BD1000 4KB
00007FFE85819000-00007FFE8581A000 4KB
000001DE89C3B000-000001DE89C3C000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [17656]
00007FFE85840000-00007FFE85841000 4KB
00007FFE85842000-00007FFE85843000 4KB
00007FFE8583F000-00007FFE85840000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
2 C:\Windows\System32\services.exe [900]
3 C:\Windows\System32\wininit.exe [788]
wininit.exe
1 C:\Program Files\Mozilla Firefox\firefox.exe [17656]
2 C:\Program Files\Sandboxie\Start.exe [9476]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\****\Desktop\Firefox 57.0.lnk"
3 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
4 C:\Windows\System32\services.exe [900]
5 C:\Windows\System32\wininit.exe [788]
wininit.exe

Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [8264]
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17656.12.1897105222\717771794" -childID 2 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53:400|54:1|55:0|56:0|61:0|62:120|63:120|98:2|99:1|114:5000|124
2 C:\Program Files\Mozilla Firefox\firefox.exe [17656]
3 C:\Program Files\Sandboxie\Start.exe [9476]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\****\Desktop\Firefox 57.0.lnk"
4 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
5 C:\Windows\System32\services.exe [900]
6 C:\Windows\System32\wininit.exe [788]
wininit.exe

Thumbprint
7e016af425dd8125a9190f43f3da3d150b3c68d6cd73d7ad8ebefe5a0f4d5f4b

kerflot
Posts: 53
Joined: Mon Mar 09, 2009 3:08 am
Location: Australia

Re: HitmanPro.Alert blocking sandboxed browsers

Post by kerflot » Thu Dec 07, 2017 12:14 am

kerflot wrote:
Tue Dec 05, 2017 11:52 pm
The attached image shows a list of what is sandboxed. There are no "All Files and Folders" but I suppose this is expected.
I meant to say: There are no "User Files".

kerflot
Posts: 53
Joined: Mon Mar 09, 2009 3:08 am
Location: Australia

Re: HitmanPro.Alert blocking sandboxed browsers

Post by kerflot » Thu Dec 07, 2017 12:25 am

Info in my Windows Event Viewer, if it's of any help (under HitmanPro.Alert Events):

Mitigation PrivGuard

Platform 6.1.7601/x86 v723 06_17*
PID 7560
Application D:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 57

Sweep

Code Injection
00030000-00031000 4KB C:\Program Files\Sandboxie\SbieSvc.exe [1592]
00040000-00041000 4KB
77C73000-77C74000 4KB
00384000-00385000 4KB D:\Program Files\Mozilla Firefox\firefox.exe [9436]
77C55000-77C56000 4KB
77C56000-77C57000 4KB
0023F000-00240000 4KB
0023E000-0023F000 4KB
1 D:\Program Files\Mozilla Firefox\firefox.exe [9436]
2 C:\Program Files\Sandboxie\Start.exe [1836]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Sandboxie" /env:=Refresh "D:\Program Files\Mozilla Firefox\firefox.exe"

Post Reply

Who is online

Users browsing this forum: No registered users and 7 guests