Support

If it doesn't fit elsewhere, it goes here
btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: Support

Post by btm » Wed Apr 22, 2015 6:03 pm

Curt@invincea wrote:This is a good place to start to learn about Windows messages https://msdn.microsoft.com/en-us/librar ... S.85).aspx. The WM messages are the most important.

Of course, applications can define their own messages which most likely are not documented anywhere.
Like buster I always wondered what the implications could be but my searches never turned up much aside from programmers facing issues that didn't seem related. The shatter attack page might help as well but I haven't glanced over it yet. The ms link will take some time for me to sort through since I'm no programmer and quite a bit of it is greek to me. Either way thanks for sharing the links, at least I have a place to start finally!
This account has been abandoned. If you need to PM me, please send a message to Syrinx.

Curt@invincea
Sandboxie Lead Developer
Sandboxie Lead Developer
Posts: 1666
Joined: Fri Jan 17, 2014 5:21 pm
Contact:

Re: Support

Post by Curt@invincea » Wed Apr 22, 2015 10:42 pm

Buster wrote:It is ironic to suggest to use a feature only with trusted programs in a software which has as slogan "Trust No Program".
It is ironic that, when I answered the question that, according to you, got you banned by Ronen, who you claim was far better at support than Invincea, your response is to mock the slogan that Ronen came up with.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Support

Post by Buster » Thu Apr 23, 2015 1:33 am

Curt@invincea wrote:
Buster wrote:It is ironic to suggest to use a feature only with trusted programs in a software which has as slogan "Trust No Program".
It is ironic that, when I answered the question that, according to you, got you banned by Ronen, who you claim was far better at support than Invincea, your response is to mock the slogan that Ronen came up with.
Curt@invincea wrote:Ok, I will do exactly what Ronen did. Consider the last quote from me as well.
Glad to see you changed your mind about that!

When is Norm back from conference?

Bellzemos
Posts: 877
Joined: Wed Feb 17, 2010 2:08 pm

Re: Support

Post by Bellzemos » Mon Apr 27, 2015 3:12 pm

Bellzemos wrote:Thank you for shining some light on the matter, I finnaly understand the risk now, at least to a certain degree. I don't really want to use the * solution since it's not too safe. The only reason why I'm using OpenWinClass=* is this:
http://forums.sandboxie.com/phpBB3/view ... 11&t=20859

Do you know what the OpenWinClass=# would do in terms of lessening Sandboxie's security compared to OpenWinClass=*? I'll try with the # instead of * when I get the tablet back in my hands again and see if it works.

Can you think of any other workaround to make Sandboxie work properly on a 32-bit Windows 8.1 tablet computer? I'd like to have as much security when browsing the web with a sandboxed Firefox as I have on my regular laptop (working without a problem, 64-bit Windows 7).

Thank you for the help!
I finally got the tablet back and tried disabling the OpenWinClass=* and enabling the OpenWinClass=# feature and I got errors again when starting up Firefox and Firefox didn't work. So I switched back to OpenWinClass=*. Is there any other (safer) workaround for using Sandboxie on a tablet PC?

Thank you!

Curt@invincea
Sandboxie Lead Developer
Sandboxie Lead Developer
Posts: 1666
Joined: Fri Jan 17, 2014 5:21 pm
Contact:

Re: Support

Post by Curt@invincea » Mon Apr 27, 2015 5:03 pm

Bellzemos wrote: I finally got the tablet back and tried disabling the OpenWinClass=* and enabling the OpenWinClass=# feature and I got errors again when starting up Firefox and Firefox didn't work. So I switched back to OpenWinClass=*. Is there any other (safer) workaround for using Sandboxie on a tablet PC?

Thank you!
You can run the resource access monitor and take note of which window classes are being blocked. That might tell you which classes you need to open.

Bellzemos
Posts: 877
Joined: Wed Feb 17, 2010 2:08 pm

Re: Support

Post by Bellzemos » Tue Apr 28, 2015 8:27 am

I don't really know how to do that. How do I start?

deugniet
Posts: 336
Joined: Thu Jan 29, 2009 12:16 pm

Re: Support

Post by deugniet » Tue Apr 28, 2015 9:36 am

Bellzemos wrote:I don't really know how to do that. How do I start?
See Using the monitor: http://www.sandboxie.com/index.php?Reso ... essMonitor

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Support

Post by rpljhun » Thu Apr 30, 2015 5:57 am

Bellzemos, using OpenWinClass=* in Windows XP is risky. For Windows Vista and above, the UIPI, UAC and the Untrusted Integrity Level(Lowest Level) of sandboxed application should prevent shatter attacks but that depends on how sandboxie handle application with manifest entry UIAccess="true" and passed UIPI requirements. If sandboxie removed this entry then shatter and shatter like attacks will be prevented while using OpenWinClass=*. Although without it being removed the risk is very low because malware will unlikely pass the requirements but still possible.

Bellzemos
Posts: 877
Joined: Wed Feb 17, 2010 2:08 pm

Re: Support

Post by Bellzemos » Thu Apr 30, 2015 8:30 am

Thank you very much for the explanation. I always disable the UAC and run Windows in admin mode. But I use the drop rights feature in the sandbox so that deals with that. Would a Windows 8.1 tablet with "OpenWinClass=*" still be relatively safe by having UAC disabled then? I don't have my tablet at hand at the moment, to run the Resource Access Monitor and am also too busy at the moment but I really think that a safer solution should be presented, to enable usage of Sandboxie on Windows tablets.

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Support

Post by rpljhun » Thu Apr 30, 2015 10:55 am

I did a second look on this and I realized that it will not pass one of UIPI requirements which is the application should be in Program Files directory/sub-directories or Windows directory/sub-directories. At first, I thought it will when an application is installed in a sandboxed in C:\Program Files directory. The application running in the sandboxed can see that it was running in this location but I forgot that the Windows is seeing differently, it sees the real location which cause it to fail in UIPI requirements.

Disabling UAC is not recommended, it's another layer of defense.

Bellzemos
Posts: 877
Joined: Wed Feb 17, 2010 2:08 pm

Re: Support

Post by Bellzemos » Fri May 01, 2015 8:41 am

So that would mean that it's still pretty secure, regarding the UIPI, even with the "OpenWinClass=*" enabled?

I know what you mean about the UAC but I've made this decision 5 years ago, I can't stand UAC and I have never ever had any problems so I'm sticking with it disabled.

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Support

Post by rpljhun » Wed May 06, 2015 4:55 am

Bellzemos wrote:So that would mean that it's still pretty secure, regarding the UIPI, even with the "OpenWinClass=*" enabled?
Yes for Windows Vista and above.

Bellzemos
Posts: 877
Joined: Wed Feb 17, 2010 2:08 pm

Re: Support

Post by Bellzemos » Wed May 06, 2015 9:43 am

Thank you. I've enabled the * on a Windows 8.1 tablet so I guess I'm still safe and secure then.

Curt, what do you think about this, do you agree?

rpljhun
Posts: 203
Joined: Sat Jan 12, 2013 9:29 am

Re: Support

Post by rpljhun » Thu May 07, 2015 1:56 am

Bellzemos, quoting tzuk post.
tzuk wrote:The process in the sandbox is still running at untrusted integrity level even when OpenWinClass=* so the UAC/UIPI mechanism prevents it from accessing window objects that have a higher integrity level. And most window objects outside the sandbox should have at least medium integrity level.

This means that on systems where UAC is enabled, OpenWinClass=* doesn't really mean the process in the sandbox has more access to window objects. However it can "see" and "read" window objects outside the sandbox directly without going through SbieSvc. Whereas without OpenWinClass=*, it cannot see or read window objects outside the sandbox directly, and has to go through the SbieSvc helper process.

If UAC is disabled, and on Windows XP, integrity levels don't come into play for window objects, and OpenWinClass=* does give the process in the sandbox full access to window objects outside the sandbox.

Bellzemos
Posts: 877
Joined: Wed Feb 17, 2010 2:08 pm

Re: Support

Post by Bellzemos » Thu May 07, 2015 11:28 am

Thank you for the quote, I don't believe I've read it before. It really clarifies my question. So having the Drop Rights feature enabled in the sandbox with the "OpenWinClass=*" is not enogh then, right? I should re-enable the UAC on the tablet computer then? Again, thank you. :)

Locked

Who is online

Users browsing this forum: No registered users and 1 guest