Update CHANGELOG.md
Co-Authored-By: NewKidOnTheBlock <NewKidOnTheBlock@users.noreply.github.com>
parent 5b6d543404
commit e8616fa039
59
CHANGELOG.md
|
@ -8,60 +8,59 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
|||
## [0.9.0 / 5.51.0] - 2021-07-??
|
||||
|
||||
### Added
|
||||
- added support for Windows Filtering Platform (WFP) to be used instead of the device based network blocking scheme
|
||||
-- to enable this support add 'NetworkEnableWFP=y' to the global section and reload the driver, or reboot
|
||||
-- to use WFP for a specified sandbox add 'AllowNetworkAccess=n' to said box
|
||||
-- you can excempt certain processes from a block by using 'AllowNetworkAccess=program.exe,y'
|
||||
- added support for Windows Filtering Platform (WFP) to be used instead of the device-based network blocking scheme
|
||||
-- to enable this support, add 'NetworkEnableWFP=y' to the global section and reboot or reload the driver
|
||||
-- to use WFP for a specified sandbox, add 'AllowNetworkAccess=n' to said box
|
||||
-- you can exempt certain processes from blocking by using 'AllowNetworkAccess=program.exe,y'
|
||||
-- you can also enable this policy globally by adding 'AllowNetworkAccess=n' to the global section
|
||||
-- in which case you can excempt entire boxes by adding 'AllowNetworkAccess=n' to said box
|
||||
-- in this case you can exempt entire boxes by adding 'AllowNetworkAccess=n' to said boxes
|
||||
-- specifying 'AllowNetworkAccess=program.exe,n' will block the access only for the named process
|
||||
-- note: WFP is less absolute than the old approche, using WFP will filter only TCP/UDP communication
|
||||
-- Note: WFP is less absolute than the old approach, using WFP will filter only TCP/UDP communication
|
||||
-- restricted boxed processes will still be able to resolve domain names using the system service
|
||||
-- thay will not be howeever able to send or receive data packets directly
|
||||
-- the advantages of WFP is that filter rules can be implemented restricting communication only to
|
||||
-- specified addresses or selected ports using "NetworkAccess=..."
|
||||
- added fully functional rule based packet filter in user mode for the case when "NetworkEnableWFP=y" is not set
|
||||
-- however, they will not be able to send or receive data packets directly
|
||||
-- the advantages of WFP is that filter rules can be implemented by restricting communication only to specified addresses or selected ports using "NetworkAccess=..."
|
||||
- added fully functional rule-based packet filter in user mode for the case when "NetworkEnableWFP=y" is not set
|
||||
-- the mechanism replaces the old "BlockPort=..." functionality
|
||||
-- note: this filter applies only to outgoing connections/traffic for incomming eider the WFP mode or a 3rd party firewall is needed
|
||||
-- like the old user mode based mechanism maliciouse applications can bypass it by unhooking certein functions
|
||||
-- hence its recomended to use kernel mode WFP based mechanism when reliable isolation is required
|
||||
-- note: the main reason this mechanism was added also in user mode is to make it easier to debug
|
||||
-- Note: this filter applies only to outgoing connections/traffic, for incoming traffic either the WFP mode or a third-party firewall is needed
|
||||
-- like the old user mode based mechanism, malicious applications can bypass it by unhooking certain functions
|
||||
-- hence it's recommended to use the kernel mode WFP-based mechanism when reliable isolation is required
|
||||
-- Note: the main reason this mechanism was added in user mode is to allow for easier debugging
|
||||
- added new trace option "NetFwTrace=*" to trace the actions of the firewall components
|
||||
-- please note that the driver trace logs only to the kernel debug output, use DbgView.exe to log it
|
||||
- API_QUERY_PROCESS_INFO can be now used to get the impersonation token of sandboxed thread
|
||||
-- Note: this capability is used by TaskExplorer to allow inspecting sandbox internal tokens
|
||||
-- please note that the driver only trace logs the kernel debug output, use DbgView.exe to log
|
||||
- API_QUERY_PROCESS_INFO can now be used to get the impersonation token of a sandboxed thread
|
||||
-- Note: this capability is used by TaskExplorer to allow inspecting sandbox-internal tokens
|
||||
-- Note: a process must have administrative privileges to be able to use this API
|
||||
- added a UI option to switch "MsiInstallerExemptions=y" on and off
|
||||
-- just in case a future windows build breaks something for the systemless mode
|
||||
-- just in case, if a future Windows build breaks something in the systemless mode
|
||||
- added sample code for ObRegisterCallbacks to the driver
|
||||
- added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" allowing to disable file and registry filtering
|
||||
-- Note: this options are for testing only and disable core parts of the sandbox isolation
|
||||
- added a few CommandLone options to sandman.exe
|
||||
- added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" that allow to disable file and registry filtering
|
||||
-- Note: these options are for testing only and disable core parts of the sandbox isolation
|
||||
- added a few command line options to SandMan.exe
|
||||
|
||||
### Changed
|
||||
- greately improved the performanceof the trace log, but its no longer possible to log to booth sandman and sbiectrl at the same time
|
||||
- greatly improved the performance of the trace log, but it's no longer possible to log both SandMan and SbieCtrl at the same time
|
||||
- changed code integrity verification policies
|
||||
-- code signature validation of user mode components is disabled when windows is booted in test signing mode
|
||||
-- code signature validation of user mode components is disabled when Windows is booted in test-signing mode
|
||||
- reworked process creation code to use PsSetCreateProcessNotifyRoutineEx and improved process termination
|
||||
|
||||
### Fixed
|
||||
- added missing hook for ConnectEx
|
||||
- added missing hook for ConnectEx function
|
||||
|
||||
|
||||
|
||||
## [0.8.9 / 5.50.9] - 2021-07-22
|
||||
## [0.8.9 / 5.50.9] - 2021-07-??
|
||||
|
||||
### Changed
|
||||
- updated a few icons
|
||||
- updated github build action to use qt 5.15.2
|
||||
- improved full tray icon to be more distringuishable from the empty one
|
||||
- updated GitHub build action to use Qt 5.15.2
|
||||
- improved the "full" tray icon to be more distinguishable from the "empty" one
|
||||
- changed code integrity verification policies
|
||||
-- code signature is no longer required to change config, to protect presets use the the existing "EditAdmin
|
||||
-- code signature is no longer required to change config, to protect presets use the existing "EditAdminOnly=y"
|
||||
|
||||
### Fixed
|
||||
- fixed issue with systemless MSI mode introduced in the last build
|
||||
- fixed MSI installer not being able to create action server on windows 11
|
||||
- fixed MSI instalelr not workign in systemless mode on windows 11
|
||||
- fixed MSI installer not being able to create the action server mechanism on Windows 11
|
||||
- fixed MSI installer not working in systemless mode on Windows 11
|
||||
|
||||
|
||||
|
||||
|
|
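Review bot: The reworded line "-- in this case you can exempt entire boxes by adding 'AllowNetworkAccess=n' to said boxes" in the 0.9.0 Added section still gives the same value that the line before it uses to enable the block globally, so as written it describes no exemption. By analogy with 'AllowNetworkAccess=program.exe,y' the per-box exemption presumably should read 'AllowNetworkAccess=y'; since users rely on this setting for network isolation, please confirm the intended value and correct it in this pass rather than carrying the old text over. Two other rewordings change meaning rather than grammar: "the driver only trace logs the kernel debug output, use DbgView.exe to log" no longer says that the driver's trace goes only to the kernel debug output, and "log both SandMan and SbieCtrl" drops the "to" that made the two programs log destinations. The 0.8.9 heading also goes from 2021-07-22 to 2021-07-??, replacing a concrete release date with a placeholder; if that is not intended, keep the date.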