From 590ad6d2a266e413e56a8bf62268148d49bb13ab Mon Sep 17 00:00:00 2001 From: Michael <33252157+APMichael@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:31:23 +0200 Subject: [PATCH 1/7] Update OptionsWindow.ui - Fixed a few typos. --- SandboxiePlus/SandMan/Forms/OptionsWindow.ui | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui index 69040d25..a7f23ca4 100644 --- a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui +++ b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui @@ -429,7 +429,7 @@ - When <a href="sbie://docs/boxencryption">Box Encryption</a> is enabled the box’s root folder, including its registry hive, is stored in an encrypted disk image, using <a href="https://diskcryptor.org">Disk Cryptor's</a> AES-XTS implementation. + When <a href="sbie://docs/boxencryption">Box Encryption</a> is enabled the box's root folder, including its registry hive, is stored in an encrypted disk image, using <a href="https://diskcryptor.org">Disk Cryptor's</a> AES-XTS implementation. true @@ -1374,7 +1374,7 @@ - Security Isolation through the usage of a heavily restricted process token is Sandboxie's primary means of enforcing sandbox restrictions, when this is disabled the box is operated in the application compartment mode, i.e. it’s no longer providing reliable security, just simple application compartmentalization. + Security Isolation through the usage of a heavily restricted process token is Sandboxie's primary means of enforcing sandbox restrictions, when this is disabled the box is operated in the application compartment mode, i.e. it's no longer providing reliable security, just simple application compartmentalization. true @@ -4293,7 +4293,7 @@ The process match level has a higher priority than the specificity and describes - Sandboxie’s resource access rules often discriminate against program binaries located inside the sandbox. OpenFilePath and OpenKeyPath work only for application binaries located on the host natively. In order to define a rule without this restriction, OpenPipePath or OpenConfPath must be used. Likewise, all Closed(File|Key|Ipc)Path directives which are defined by negation e.g. ‘ClosedFilePath=! iexplore.exe,C:Users*’ will be always closed for binaries located inside a sandbox. Both restriction policies can be disabled on the “Access policies” page. + Sandboxie's resource access rules often discriminate against program binaries located inside the sandbox. OpenFilePath and OpenKeyPath work only for application binaries located on the host natively. In order to define a rule without this restriction, OpenPipePath or OpenConfPath must be used. Likewise, all Closed(File|Key|Ipc)Path directives which are defined by negation e.g. 'ClosedFilePath=! iexplore.exe,C:Users*' will be always closed for binaries located inside a sandbox. Both restriction policies can be disabled on the "Access policies" page. This is done to prevent rogue processes inside the sandbox from creating a renamed copy of themselves and accessing protected resources. Another exploit vector is the injection of a library into an authorized process to get access to everything it is allowed to access. Using Host Image Protection, this can be prevented by blocking applications (installed on the host) running inside a sandbox from loading libraries from the sandbox itself. @@ -4766,7 +4766,7 @@ This is done to prevent rogue processes inside the sandbox from creating a renam - Hide Firmware Informations + Hide Firmware Information @@ -4796,10 +4796,10 @@ This is done to prevent rogue processes inside the sandbox from creating a renam - Some programs read system deatils through WMI(A Windows built-in database) instead of normal ways. For example,"tasklist.exe" could get full processes list even if "HideOtherBoxes" is opened through accessing WMI. Enable this option to stop these behaviour. + Some programs read system details through WMI(A Windows built-in database) instead of normal ways. For example,"tasklist.exe" could get full processes list even if "HideOtherBoxes" is opened through accessing WMI. Enable this option to stop these behaviour. - Prevent sandboxed processes from accessing system deatils through WMI (see tooltip for more Info) + Prevent sandboxed processes from accessing system details through WMI (see tooltip for more Info) @@ -4909,7 +4909,7 @@ This is done to prevent rogue processes inside the sandbox from creating a renam - Dump the current Firmare Tables to HKCU\System\SbieCustom + Dump the current Firmware Tables to HKCU\System\SbieCustom Dump FW Tables From 648803f8955768423aa55a01b2b71ea8c4c5cf79 Mon Sep 17 00:00:00 2001 From: Michael <33252157+APMichael@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:32:20 +0200 Subject: [PATCH 2/7] Update SettingsWindow.ui - Fixed a few typos. --- SandboxiePlus/SandMan/Forms/SettingsWindow.ui | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SandboxiePlus/SandMan/Forms/SettingsWindow.ui b/SandboxiePlus/SandMan/Forms/SettingsWindow.ui index d83142cb..cbd0d0c7 100644 --- a/SandboxiePlus/SandMan/Forms/SettingsWindow.ui +++ b/SandboxiePlus/SandMan/Forms/SettingsWindow.ui @@ -640,7 +640,7 @@ - Add ‘Set Force in Sandbox' to the context menu + Add 'Set Force in Sandbox' to the context menu From 53ea6536b8bc5957a45db45f77ba70cad187a14f Mon Sep 17 00:00:00 2001 From: Michael <33252157+APMichael@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:33:57 +0200 Subject: [PATCH 3/7] Update SandMan.cpp - Fixed a few typos. --- SandboxiePlus/SandMan/SandMan.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SandboxiePlus/SandMan/SandMan.cpp b/SandboxiePlus/SandMan/SandMan.cpp index 2c96a98e..38123b73 100644 --- a/SandboxiePlus/SandMan/SandMan.cpp +++ b/SandboxiePlus/SandMan/SandMan.cpp @@ -1680,7 +1680,7 @@ void CSandMan::OnMessage(const QString& MsgData) } } else { - QMessageBox::warning(g_GUIParent, tr("Sandboxie-Plus Warning"), tr("Users canceled this operation."), QMessageBox::Yes, 0); + QMessageBox::warning(g_GUIParent, tr("Sandboxie-Plus Warning"), tr("User canceled this operation."), QMessageBox::Yes, 0); } } else if (Message.left(4) == "Run:") From f23afb2d318440e550a715ec051a4b596e006fc9 Mon Sep 17 00:00:00 2001 From: Michael <33252157+APMichael@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:35:30 +0200 Subject: [PATCH 4/7] Update SbieView.cpp - Fixed a few typos. --- SandboxiePlus/SandMan/Views/SbieView.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SandboxiePlus/SandMan/Views/SbieView.cpp b/SandboxiePlus/SandMan/Views/SbieView.cpp index 10c66b21..a1fb458e 100644 --- a/SandboxiePlus/SandMan/Views/SbieView.cpp +++ b/SandboxiePlus/SandMan/Views/SbieView.cpp @@ -1786,7 +1786,7 @@ void CSbieView::OnDoubleClicked(const CSandBoxPtr &pBox) if (!pBox->IsEnabled()) { - if (QMessageBox("Sandboxie-Plus", tr("This sandbox is disabled or restricted to a group/user, do you want to allow box for everybody ?"), QMessageBox::Question, QMessageBox::Yes, QMessageBox::No | QMessageBox::Default | QMessageBox::Escape, QMessageBox::NoButton, this).exec() != QMessageBox::Yes) + if (QMessageBox("Sandboxie-Plus", tr("This sandbox is currently disabled or restricted to specific groups or users. Would you like to allow access for everyone?"), QMessageBox::Question, QMessageBox::Yes, QMessageBox::No | QMessageBox::Default | QMessageBox::Escape, QMessageBox::NoButton, this).exec() != QMessageBox::Yes) pBox->SetText("Enabled", "y");// Fix #3999 } From 45c13a1809404b6b19430f62620c5a8ae1222c0e Mon Sep 17 00:00:00 2001 From: Michael <33252157+APMichael@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:45:49 +0200 Subject: [PATCH 5/7] Update OptionsWindow.ui --- SandboxiePlus/SandMan/Forms/OptionsWindow.ui | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui index a7f23ca4..d1ab0d0d 100644 --- a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui +++ b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui @@ -4796,7 +4796,7 @@ This is done to prevent rogue processes inside the sandbox from creating a renam - Some programs read system details through WMI(A Windows built-in database) instead of normal ways. For example,"tasklist.exe" could get full processes list even if "HideOtherBoxes" is opened through accessing WMI. Enable this option to stop these behaviour. + Some programs read system details through WMI (a Windows built-in database) instead of normal ways. For example, "tasklist.exe" could get full processes list even if "HideOtherBoxes" is opened through accessing WMI. Enable this option to stop this behaviour. Prevent sandboxed processes from accessing system details through WMI (see tooltip for more Info) From 7c15e03a0db2fb61599ce8fa40c5e1f88f89c8c1 Mon Sep 17 00:00:00 2001 From: Michael <33252157+APMichael@users.noreply.github.com> Date: Thu, 25 Jul 2024 14:20:53 +0200 Subject: [PATCH 6/7] Update OptionsWindow.ui --- SandboxiePlus/SandMan/Forms/OptionsWindow.ui | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui index d1ab0d0d..d14a8653 100644 --- a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui +++ b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui @@ -4293,7 +4293,7 @@ The process match level has a higher priority than the specificity and describes - Sandboxie's resource access rules often discriminate against program binaries located inside the sandbox. OpenFilePath and OpenKeyPath work only for application binaries located on the host natively. In order to define a rule without this restriction, OpenPipePath or OpenConfPath must be used. Likewise, all Closed(File|Key|Ipc)Path directives which are defined by negation e.g. 'ClosedFilePath=! iexplore.exe,C:Users*' will be always closed for binaries located inside a sandbox. Both restriction policies can be disabled on the "Access policies" page. + Sandboxie's resource access rules often discriminate against program binaries located inside the sandbox. OpenFilePath and OpenKeyPath work only for application binaries located on the host natively. In order to define a rule without this restriction, OpenPipePath or OpenConfPath must be used. Likewise, all Closed(File|Key|Ipc)Path directives which are defined by negation e.g. 'ClosedFilePath=!iexplore.exe,C:Users*' will be always closed for binaries located inside a sandbox. Both restriction policies can be disabled on the "Access policies" page. This is done to prevent rogue processes inside the sandbox from creating a renamed copy of themselves and accessing protected resources. Another exploit vector is the injection of a library into an authorized process to get access to everything it is allowed to access. Using Host Image Protection, this can be prevented by blocking applications (installed on the host) running inside a sandbox from loading libraries from the sandbox itself. From 7b5ff9acc64389949c4f7932ae59357ef9428daf Mon Sep 17 00:00:00 2001 From: Michael <33252157+APMichael@users.noreply.github.com> Date: Thu, 25 Jul 2024 17:26:58 +0200 Subject: [PATCH 7/7] Update OptionsWindow.ui --- SandboxiePlus/SandMan/Forms/OptionsWindow.ui | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui index d14a8653..325729b7 100644 --- a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui +++ b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui @@ -4796,10 +4796,10 @@ This is done to prevent rogue processes inside the sandbox from creating a renam - Some programs read system details through WMI (a Windows built-in database) instead of normal ways. For example, "tasklist.exe" could get full processes list even if "HideOtherBoxes" is opened through accessing WMI. Enable this option to stop this behaviour. + Some programs read system details through WMI (a Windows built-in database) instead of normal ways. For example, "tasklist.exe" could get full processes list through accessing WMI, even if "HideOtherBoxes" is used. Enable this option to stop this behaviour. - Prevent sandboxed processes from accessing system details through WMI (see tooltip for more Info) + Prevent sandboxed processes from accessing system details through WMI (see tooltip for more info)