Skip to content

Commit

Permalink
list fix
Browse files Browse the repository at this point in the history
  • Loading branch information
offhub committed Oct 3, 2024
1 parent 7145afc commit 490608e
Show file tree
Hide file tree
Showing 6 changed files with 29 additions and 11 deletions.
2 changes: 2 additions & 0 deletions docs/Content/MessagesFromSandboxie.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ It's possible to log _Messages From Sandboxie_ to a file with a simple configura
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v LogFile /d "2;C:\Windows\System32\LogFiles\Sandboxie.log" /f
```
The `LogFile` value consists of two pieces of information:

- `2` is the log level. Only two values are correct: `2` (classic log) or `3` (log with process SID)
- `C:\Windows\System32\LogFiles\Sandboxie.log` is the full path of the log

Expand All @@ -45,5 +46,6 @@ reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v LogFil
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v MultiLog /d "1308,1307" /f
```
This simple configuration will:

- put all logs without filter inside `C:\Windows\System32\LogFiles\Sandboxie.log`
- create _one file per box_ (ie: `C:\Windows\System32\LogFiles\Sandboxie_DefaultBox.log`) with only event 1308 and 1307
3 changes: 3 additions & 0 deletions docs/PlusContent/BoxSnapshots.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,13 @@ A **snapshot** saves the current state of a sandbox. You can create multiple sna
![](../Media/Box_AutoDelete.png)

**Installing Software to a Box and Creating a Snapshot:**

- Select a box, disable AutoDelete, install the software to this box, set it up just the way you like.
- Then, close the box, create a snapshot and enable box AutoDelete.
- Now, this box will revert to the snapshot you created whenever it is closed.

**Updating Software Installed to a Box:**

- Create a pre-update snapshot (for a baseline you can revert to, if need be).
- Disable box AutoDelete, update the software and test.
- If all is well, create a post-update snapshot, enable box AutoDelete.
Expand All @@ -31,6 +33,7 @@ You have the ability to create a snapshot, remove a snapshot, revert to a snapsh
**Caveat:** It is wise to use the snapshot features only for boxes whose location is on a real disk (and not on a ramdisk).

**Additional Details:**

- Each snapshot is created its own folder, labeled snapshot-n, where the number n is the snapshot id. You can change this label.
- All snapshot folders for a given box are inside the box folder.
- The snapshot layout and information on the current (default) snapshot are saved in the file **snapshot.ini** in the box folder.
Expand Down
1 change: 1 addition & 0 deletions docs/PlusContent/Sandboxie-Insider.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ The insider builds introduce several new features that are designed to improve t
- [Document Breakout](../Content/BreakoutDocument.md) is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandbox instance of the associated application.

Please note that:

- The Sandboxie Plus insider builds are not like the Windows insider builds which are buggy and rushed.
- The new things in the insider builds are limited to new functionality and new features.
- Experimental things that may impact compatibility are tested in the public GitHub preview channel.
Expand Down
2 changes: 2 additions & 0 deletions docs/PlusContent/Sandboxie-Live.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,13 @@ In the "Support & Updates" tab in the "Global Options", the user can now choose
There the user can also select how to behave when a "New Version" (where an installer is available) or a "Version Update" (where only individual files of the existing installation will be updated) is found.

For a "New Version", the following options are available:

- Notify
- Download & Notify
- Download & Install

For a "Version Update", the following options are available:

- Ignore
- Notify
- Download & Notify
Expand Down
12 changes: 9 additions & 3 deletions docs/PlusContent/WFPSupport.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,20 +43,25 @@ The Sandman UI provides us with a method for editing and testing network rules.
![](../Media/WFP_Rule_Editor.png)

The **attributes** at our disposal (with some examples of syntax) are:

- **Action** = `Allow` | `Block` (selected from the Network Restrictions tab)
- **Program** = `program.exe`
- **Port** = `80,443,1000-2000`
- **Address** = `111.222.333.444,0.0.0.0-255.255.255.255`
- **Protocol** = `TCP` | `UDP`

The following **rules precedence** scheme determines rule hierarchy:

1. A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs.
2. A rule with a Port number or IP address trumps a rule without:
- 2a. A rule with an IP address and Port number trumps a rule with an IP address only or Port number only.
- 2b. A rule with one IP address trumps a rule with an IP address range that is besides that on the same level.

- 2a. A rule with an IP address and Port number trumps a rule with an IP address only or Port number only.
- 2b. A rule with one IP address trumps a rule with an IP address range that is besides that on the same level.

3. Block rules trump Allow rules.
4. A rule without a Protocol means all protocols.
- 4a. A rule with a Protocol trumps a rule without, if it is the only difference.

- 4a. A rule with a Protocol trumps a rule without, if it is the only difference.

**Some examples:**

Expand All @@ -69,4 +74,5 @@ The following **rules precedence** scheme determines rule hierarchy:
`NetworkAccess=chrome.exe,Allow;Port=80,443;Address=111.222.333.444` - allow chrome.exe to access one IP address

**BlockPorts template:**

- `NetworkAccess=*,Block;Port=137,138,139,445` - enabled by default since version [1.3.4 / 5.58.4](https://github.com/sandboxie-plus/Sandboxie/commit/4420ba4448a797b7369917058c34e8a78c2ec9fc)
20 changes: 12 additions & 8 deletions docs/PlusContent/privacy-mode.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,18 +13,22 @@ The setting for a privacy enhanced box can be enabled by adding `UsePrivacyMode=
**What is User Space?** AppGuard refers to [user space](https://malwaretips.com/threads/run-by-smartscreen-utility.65145/post-561364) as "computer storage space that is typically accessible by non-admin Windows users. It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives." Think of "user space" as everything outside the **system** (where the core operating system and programs live), in other words, outside the `C:\Windows`, `C:\Program Files`, and `C:\Program Files (x86)` folders!

Internally, a privacy enhanced box is based on three defaults:

1. **Allow read access to system resources:**
- `C:\Windows`
- `C:\Program Files`
- `C:\Program Files (x86)`
- `C:\ProgramData\Microsoft` (since **Sandboxie Plus v1.12.7**)
- Registry resources under HKLM (but not HKCU) are readable and can be sandboxed.
- **Note:** The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using `Write[File/Key]Path`) if desired.

- `C:\Windows`
- `C:\Program Files`
- `C:\Program Files (x86)`
- `C:\ProgramData\Microsoft` (since **Sandboxie Plus v1.12.7**)
- Registry resources under HKLM (but not HKCU) are readable and can be sandboxed.
- **Note:** The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using `Write[File/Key]Path`) if desired.

2. **Hide (and block access to) user space:**
- In user space, a privacy box works in **default block** mode: all drive paths are set to WriteFilePath. This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking [Rule Specificity](../PlusContent/RuleSpecificity.md).

- In user space, a privacy box works in **default block** mode: all drive paths are set to WriteFilePath. This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking [Rule Specificity](../PlusContent/RuleSpecificity.md).

3. **Enable [Rule Specificity:](../PlusContent/RuleSpecificity.md)**
- Internally, rule specificity is **always enabled** in privacy mode. It uses the **[Normal](../Content/NormalFilePath.md)** path directive (`Normal[File/Ipc/Key]Path`) to open selected locations to be **readable and sandboxed**. Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for **blue** boxes (based on privacy mode) but also for **red** boxes (with both privacy mode **and** [security mode](../PlusContent/security-mode.md) enabled).

- Internally, rule specificity is **always enabled** in privacy mode. It uses the **[Normal](../Content/NormalFilePath.md)** path directive (`Normal[File/Ipc/Key]Path`) to open selected locations to be **readable and sandboxed**. Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for **blue** boxes (based on privacy mode) but also for **red** boxes (with both privacy mode **and** [security mode](../PlusContent/security-mode.md) enabled).

**Recent Changes:** Upon the introduction of privacy mode, a few built-in access rules were offered for some of the more common browsers and applications and these were augmented in later versions. Starting with **Sandboxie Plus v1.8.0**, all built-in access rules have been moved to a set of default templates (included in the file **Templates.ini** under the `[TemplatePModPaths]` section) for easier management.

0 comments on commit 490608e

Please sign in to comment.