diff --git a/docs/Content/MessagesFromSandboxie.md b/docs/Content/MessagesFromSandboxie.md index 21365bae3..114ff81fc 100644 --- a/docs/Content/MessagesFromSandboxie.md +++ b/docs/Content/MessagesFromSandboxie.md @@ -20,6 +20,7 @@ It's possible to log _Messages From Sandboxie_ to a file with a simple configura reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v LogFile /d "2;C:\Windows\System32\LogFiles\Sandboxie.log" /f ``` The `LogFile` value consists of two pieces of information: + - `2` is the log level. Only two values are correct: `2` (classic log) or `3` (log with process SID) - `C:\Windows\System32\LogFiles\Sandboxie.log` is the full path of the log @@ -45,5 +46,6 @@ reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v LogFil reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" /t REG_SZ /v MultiLog /d "1308,1307" /f ``` This simple configuration will: + - put all logs without filter inside `C:\Windows\System32\LogFiles\Sandboxie.log` - create _one file per box_ (ie: `C:\Windows\System32\LogFiles\Sandboxie_DefaultBox.log`) with only event 1308 and 1307 diff --git a/docs/PlusContent/BoxSnapshots.md b/docs/PlusContent/BoxSnapshots.md index b92334f9b..a5d9135ea 100644 --- a/docs/PlusContent/BoxSnapshots.md +++ b/docs/PlusContent/BoxSnapshots.md 
@@ -14,11 +14,13 @@ A **snapshot** saves the current state of a sandbox. You can create multiple sna ![](../Media/Box_AutoDelete.png) **Installing Software to a Box and Creating a Snapshot:** + - Select a box, disable AutoDelete, install the software to this box, set it up just the way you like. - Then, close the box, create a snapshot and enable box AutoDelete. - Now, this box will revert to the snapshot you created whenever it is closed. **Updating Software Installed to a Box:** + - Create a pre-update snapshot (for a baseline you can revert to, if need be). - Disable box AutoDelete, update the software and test. - If all is well, create a post-update snapshot, enable box AutoDelete. @@ -31,6 +33,7 @@ You have the ability to create a snapshot, remove a snapshot, revert to a snapsh **Caveat:** It is wise to use the snapshot features only for boxes whose location is on a real disk (and not on a ramdisk). **Additional Details:** + - Each snapshot is created its own folder, labeled snapshot-n, where the number n is the snapshot id. You can change this label. - All snapshot folders for a given box are inside the box folder. - The snapshot layout and information on the current (default) snapshot are saved in the file **snapshot.ini** in the box folder. diff --git a/docs/PlusContent/Sandboxie-Insider.md b/docs/PlusContent/Sandboxie-Insider.md index 61da08728..8d4fb31f0 100644 --- a/docs/PlusContent/Sandboxie-Insider.md +++ b/docs/PlusContent/Sandboxie-Insider.md 
@@ -19,6 +19,7 @@ The insider builds introduce several new features that are designed to improve t - [Document Breakout](../Content/BreakoutDocument.md) is an extension to the already well-known Breakout mechanism to allow to open selected file types saved to an open file path from within the sandbox in an unsandbox instance of the associated application. Please note that: + - The Sandboxie Plus insider builds are not like the Windows insider builds which are buggy and rushed. - The new things in the insider builds are limited to new functionality and new features. - Experimental things that may impact compatibility are tested in the public GitHub preview channel. diff --git a/docs/PlusContent/Sandboxie-Live.md b/docs/PlusContent/Sandboxie-Live.md index fa7a2c3ec..23f91dba3 100644 --- a/docs/PlusContent/Sandboxie-Live.md +++ b/docs/PlusContent/Sandboxie-Live.md @@ -10,11 +10,13 @@ In the "Support & Updates" tab in the "Global Options", the user can now choose There the user can also select how to behave when a "New Version" (where an installer is available) or a "Version Update" (where only individual files of the existing installation will be updated) is found. For a "New Version", the following options are available: + - Notify - Download & Notify - Download & Install For a "Version Update", the following options are available: + - Ignore - Notify - Download & Notify diff --git a/docs/PlusContent/WFPSupport.md b/docs/PlusContent/WFPSupport.md index 08f1ba66b..490d692d7 100644 --- a/docs/PlusContent/WFPSupport.md +++ b/docs/PlusContent/WFPSupport.md @@ -43,6 +43,7 @@ The Sandman UI provides us with a method for editing and testing network rules. ![](../Media/WFP_Rule_Editor.png) The **attributes** at our disposal (with some examples of syntax) are: + - **Action** = `Allow` | `Block` (selected from the Network Restrictions tab) - **Program** = `program.exe` - **Port** = `80,443,1000-2000` 
@@ -50,13 +51,17 @@ The **attributes** at our disposal (with some examples of syntax) are: - **Protocol** = `TCP` | `UDP` The following **rules precedence** scheme determines rule hierarchy: + 1. A rule for a specified program trumps a rule for all programs except a given one, trumps rules for all programs. 2. A rule with a Port number or IP address trumps a rule without: - - 2a. A rule with an IP address and Port number trumps a rule with an IP address only or Port number only. - - 2b. A rule with one IP address trumps a rule with an IP address range that is besides that on the same level. + + - 2a. A rule with an IP address and Port number trumps a rule with an IP address only or Port number only. + - 2b. A rule with one IP address trumps a rule with an IP address range that is besides that on the same level. + 3. Block rules trump Allow rules. 4. A rule without a Protocol means all protocols. - - 4a. A rule with a Protocol trumps a rule without, if it is the only difference. + + - 4a. A rule with a Protocol trumps a rule without, if it is the only difference. **Some examples:** @@ -69,4 +74,5 @@ The following **rules precedence** scheme determines rule hierarchy: `NetworkAccess=chrome.exe,Allow;Port=80,443;Address=111.222.333.444` - allow chrome.exe to access one IP address **BlockPorts template:** + - `NetworkAccess=*,Block;Port=137,138,139,445` - enabled by default since version [1.3.4 / 5.58.4](https://github.com/sandboxie-plus/Sandboxie/commit/4420ba4448a797b7369917058c34e8a78c2ec9fc) diff --git a/docs/PlusContent/privacy-mode.md b/docs/PlusContent/privacy-mode.md index 5c83405ba..91a0a15b0 100644 --- a/docs/PlusContent/privacy-mode.md +++ b/docs/PlusContent/privacy-mode.md 
@@ -13,18 +13,22 @@ The setting for a privacy enhanced box can be enabled by adding `UsePrivacyMode= **What is User Space?** AppGuard refers to [user space](https://malwaretips.com/threads/run-by-smartscreen-utility.65145/post-561364) as "computer storage space that is typically accessible by non-admin Windows users. It contains the user's profile directory (which includes the My Documents folder and Desktop), removable storage devices, network shares, and all non-system hard drives such as additional external and internal disk drives." Think of "user space" as everything outside the **system** (where the core operating system and programs live), in other words, outside the `C:\Windows`, `C:\Program Files`, and `C:\Program Files (x86)` folders! Internally, a privacy enhanced box is based on three defaults: + 1. **Allow read access to system resources:** -- `C:\Windows` -- `C:\Program Files` -- `C:\Program Files (x86)` -- `C:\ProgramData\Microsoft` (since **Sandboxie Plus v1.12.7**) -- Registry resources under HKLM (but not HKCU) are readable and can be sandboxed. -- **Note:** The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using `Write[File/Key]Path`) if desired. + + - `C:\Windows` + - `C:\Program Files` + - `C:\Program Files (x86)` + - `C:\ProgramData\Microsoft` (since **Sandboxie Plus v1.12.7**) + - Registry resources under HKLM (but not HKCU) are readable and can be sandboxed. + - **Note:** The read access provides a good balance between privacy and convenience. One could, of course, drill down to identify selected system resources that may leak private data and further restrict them (using `Write[File/Key]Path`) if desired. 2. **Hide (and block access to) user space:** -- In user space, a privacy box works in **default block** mode: all drive paths are set to WriteFilePath. 
This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking [Rule Specificity](../PlusContent/RuleSpecificity.md). + + - In user space, a privacy box works in **default block** mode: all drive paths are set to WriteFilePath. This hides all files and folders outside the sandbox, but allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule). Access to selected paths is enabled by invoking [Rule Specificity](../PlusContent/RuleSpecificity.md). 3. **Enable [Rule Specificity:](../PlusContent/RuleSpecificity.md)** -- Internally, rule specificity is **always enabled** in privacy mode. It uses the **[Normal](../Content/NormalFilePath.md)** path directive (`Normal[File/Ipc/Key]Path`) to open selected locations to be **readable and sandboxed**. Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for **blue** boxes (based on privacy mode) but also for **red** boxes (with both privacy mode **and** [security mode](../PlusContent/security-mode.md) enabled). + + - Internally, rule specificity is **always enabled** in privacy mode. It uses the **[Normal](../Content/NormalFilePath.md)** path directive (`Normal[File/Ipc/Key]Path`) to open selected locations to be **readable and sandboxed**. Note that setting a path to normal is meaningful only when a parent path was first set to something else, as done in privacy mode. It is thus relevant not only for **blue** boxes (based on privacy mode) but also for **red** boxes (with both privacy mode **and** [security mode](../PlusContent/security-mode.md) enabled). 
**Recent Changes:** Upon the introduction of privacy mode, a few built-in access rules were offered for some of the more common browsers and applications and these were augmented in later versions. Starting with **Sandboxie Plus v1.8.0**, all built-in access rules have been moved to a set of default templates (included in the file **Templates.ini** under the `[TemplatePModPaths]` section) for easier management.
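Review bot: In `docs/Content/MessagesFromSandboxie.md`, hunk `@@ -45,5 +46,6`, the second bullet uses "ie:" where an example is being given and has a number disagreement in "only event 1308 and 1307". Since the list is being touched anyway, suggest "e.g." and "only events 1308 and 1307". The bullet also does not say what 1308 and 1307 mean, so a short gloss next to the `MultiLog` example would let readers judge whether that filter fits their logging needs.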
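Review bot: In `docs/PlusContent/BoxSnapshots.md`, hunk `@@ -31,6 +33,7`, the first bullet under **Additional Details** is missing a word: "Each snapshot is created its own folder" should read "Each snapshot is created in its own folder". The same bullet leaves the folder name snapshot-n unformatted while the next one bolds **snapshot.ini**. Code formatting for both (`snapshot-n`, `snapshot.ini`) would be consistent with how paths are written elsewhere in this patch.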
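Review bot: In `docs/PlusContent/Sandboxie-Insider.md`, hunk `@@ -19,6 +19,7`, the Document Breakout context line says "in an unsandbox instance of the associated application", which should be "unsandboxed", and "to allow to open selected file types" is hard to read. This sentence describes files leaving the sandbox, so it is worth stating precisely, for example "allows selected file types ... to be opened in an unsandboxed instance". Separately, the first bullet under "Please note that:" makes a claim about Windows insider builds being "buggy and rushed". Consider describing the Sandboxie Plus insider builds on their own terms instead.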
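Review bot: In `docs/PlusContent/WFPSupport.md`, hunk `@@ -50,13 +51,17`, rule 2b is re-indented but its wording stays ambiguous: "trumps a rule with an IP address range that is besides that on the same level". Readers use this list to predict which network rule wins, so if the intent is "a rule with a single IP address trumps a rule with an IP address range when the two are otherwise on the same level", please say that. The sub-items also carry hand-written labels ("2a.", "2b.", "4a.") inside bullet markers. With the new 4-space nesting they could be a real nested ordered list, or the bullets could be dropped. The blank lines added between items turn the whole list into a loose list, which changes how it renders, so check the rendered page.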
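Review bot: In `docs/PlusContent/WFPSupport.md`, hunk `@@ -69,4 +74,5`, the context example `NetworkAccess=chrome.exe,Allow;Port=80,443;Address=111.222.333.444` uses an address that is not valid IPv4, because the octets 333 and 444 exceed 255. A reader who copies the line and edits only part of it cannot tell whether the rule will be accepted. Suggest an address from a documentation range such as 192.0.2.0/24 (RFC 5737), so the sample is syntactically valid and clearly a placeholder.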
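Review bot: In `docs/PlusContent/privacy-mode.md`, hunk `@@ -13,18 +13,22`, item 2 now joins the previously split sentence, but the parenthetical still sits in the wrong place: "allows new files and folders to be created in the sandbox (unless specifically allowed by an overriding rule)" reads as if an allow rule prevents creation. It appears to qualify the hiding of files outside the sandbox, so move it next to "This hides all files and folders outside the sandbox". In the same bullet, WriteFilePath is plain text while item 1 writes `Write[File/Key]Path` in code formatting, so use `WriteFilePath`. In the item 3 heading the colon is inside the link text, "[Rule Specificity:]", and should move outside the brackets.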