[ESET / Kaspersky] Any website shows a connection error on sandboxed Firefox/Edge

[0x391F]

Describe what you noticed and did

1. Add SandboxieLogon=y in [GlobalSettings] (see here to enable it from Sandboxie Plus GUI)
2. Visit any website in sandboxed Firefox/Edge
3. Firefox "PR_CONNECT_RESET_ERROR"/Edge "ERR_CONNECTION_RESET"

Note: in order to reproduce this issue reliably, it is recommended to open a non-cached website in a new tab with both sandboxed browsers, while having in the system any ESET/Kaspersky Internet Security suite. Microsoft Defender is not affected.

How often did you encounter it so far?

No response

Affected program

Firefox 102, Edge 103

Download link

Not relevant

Where is the program located?

The program is installed only outside the sandbox.

Expected behavior

This bug shoudn't appear.

What is your Windows edition and version?

Windows 10 Enterprise LTSC 2021 x64 (21H2) (10.0.19044.1806)

In which Windows account you have this problem?

Not relevant to my request.

Please mention any installed security software

ESET Internet Security 15.2.11.0 x64 / Kaspersky Internet Security

What version of Sandboxie are you running?

Sandboxie 5.57.0/5.57.1 x64, Sandboxie-Plus 1.2.0/1.2.1 x64

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

Sandboxie 5.57.0/Sandboxie-Plus 1.2.0

In which sandbox type you have this problem?

Not relevant to my request.

Can you reproduce this problem on an empty sandbox?

I can confirm it also on an empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

No response

[0x391F]

Now I using Sandboxie 5.56.3 and Sandboxie-Plus 1.1.3, everything is well.

[ghost]

v1.2.1 also has this issue. Most https websites don't load

[ghost]

I downgraded to v1.1.3 and everything was working. Few hours later the issue reoccurred.

After restarting a router, it works again. That's interesting

[ghost]

I had this issue few more times. Restarting a router didn't fix it then. Does anyone else have the issue?

[ghost]

I can not open any https webpage in any sandbox anymore. Tested firefox and edge. Outside of sandbox everything works. Sbie 1.2.6

[DavidXanatos]

I downgraded to v1.1.3 and everything was working. Few hours later the issue reoccurred.

After restarting a router, it works again. That's interesting

That does not sound like a sbie issue, and since it seams to be related to restarting your router it very likely a router issue

[ghost]

Maybe it was coincidence as restarting the router does not help anymore. Every https website in any sandbox shows the errors on Firefox and Edge. The same webpages work outside of sbie.

onet.pl has mixed content. New sandbox

[ghost]

Eset <—>sbie issue. There was eset build update lately.

Generally eset thinks every ssl certificate is corrupt. Switching this option to: 'ask about certificate validity' allows opening webpages in sbie.

IDK how to fix it. ESET certificate is installed outside and inside sbie.
If I disable ssl scanning, enter ssl webpage, it works

[joy-maruyama]

I have this problem too, but with Kaspersky Internet Security. With Sandboxie-Plus-x64-v1.1.3, everything works perfectly.

When I upgrade to Sandboxie-Plus-x64 1.2.0 or newer (I tested 1.2.1, 1.2.5 and 1.2.6), my sandboxed browser Vivaldi can't access HTTPS sites anymore, with the error ERR_CONNECTION_RESET.

Kaspersky Internet Security has an option "Encrypted connection scanning". The default selection is "Scan encrypted connections upon request from protection components".

If I change this option to "Do not scan encrypted connections", the sandboxed browser works normally.

I don't know if it is useful, but the Kaspersky manual says: "If the Scan encrypted connections upon request from protection components option is selected, Kaspersky Internet Security uses the installed Kaspersky certificate to verify the security of SSL connections if this is required by the Web Anti-Virus and URL Advisor protection components. If these components are disabled, Kaspersky Internet Security does not verify the security of SSL connections."

For some reason it stopped working on Sandboxie-Plus-x64 1.2.0. It worked well before, on 1.1.3 or older.

[DavidXanatos]

hmm.... strange, there were 2 changes in 1.2.x that may cause something:

1. the new token system, you can disable this and get the old behavior by unchecking this option
   
2. the hooking mechanism was changes as to allow proper resource freeing upon a dll unload
   this should not have caused such issues and can not be disabled by config.

Please test if 1 solves the problem if not we will need to do some more testing

[ghost]

I commented out every line from global section and created new sandbox. Issue was still there. It ain't an issue with latest version. I had it with previous versions as well. However instead of having it always, it was rare

[DavidXanatos]

Commenting everythign out wont help as that option was on by default, you need to add SandboxieLogon=n to your sandboxie ini

There does not seam to be a kaspersky trail but esset offets a 30 days trail I tested this scenario and it seams that the use of a custom token does not play well with esset.
Disabling the aforementioned option fixes the issue for me reliably.

[ghost]

Yes, disabling option 1 fixes it for me

[DavidXanatos]

Ok problem solved, but its not so cool, as I don't think there is a legit reason why this should fail this way,
perhaps these tools had a workaround in place for sandboxies old behavior,
since the new behavior is better it would be best if these tools would update their workaround to support the new behavior.

Please ask for it in the respective support forums.

On our side we will make this behavior for the time being disabled by default starting with 1.2.7

[joy-maruyama]

Unchecking the "Use a Sandboxie login instead of an anonymous token" worked for me too! Thank you very much, DavidXanatos!

[isaak654]

There does not seam to be a kaspersky trail

Sorry, but that's not true. I pointed the Kaspersky trial versions in another issue: #1989 (comment)
I would suggest to create more labels to keep track of these problematic AV vendors.

[ghost]

Thank you for the workaround. I am not sure what we are supposed to ask about exactly on AV forums

[isaak654]

Apparently the lead developer expects that someone provides detailed steps on both Kaspersky and ESET forums, because only third-party vendors seem affected.

For example, you could adopt a similar text (feel free to edit it as you wish and fill it in the missing parts):

Original issue posted on the open-source Sandboxie repository:
https://github.com/sandboxie-plus/Sandboxie/issues/2025

Requirements to reproduce the issue:
- Operating system: Windows ...
- Sandboxie Plus 1.2.6 x64
- ESET/Kaspersky (edition + version)

Reproducible steps:
1. Install ESET/Kaspersky (edition + version)
2. Download Sandboxie Plus 1.2.6 x64 and install it: https://github.com/sandboxie-plus/Sandboxie/releases/download/v1.2.6/Sandboxie-Plus-x64-v1.2.6.exe
3. Run the main executable SandMan.exe
4. Describe what you did to reproduce the SSL issue
5. Show the error in the browser's screenshot: link

Workaround:
I disabled the new SandboxieLogon feature, which is named in Sandboxie Plus as "Use a Sandboxie login instead of an anonymous token". 
Further explanations about how it works: https://github.com/sandboxie-plus/Sandboxie/discussions/2064

Note 1: The Sandboxie lead developer suggested that there might be an old workaround applied on your software for the old Sandboxie versions: https://github.com/sandboxie-plus/Sandboxie/issues/2025#issuecomment-1196343325
Note 2: Sandboxie versions after [v1.2.6](https://github.com/sandboxie-plus/Sandboxie/releases) won't have this issue simply because the Sandboxie developer is going to disable the SandboxieLogon feature by default because of the behavior described above.

If I forgot something, add it or fix it accordingly.

[bastik-1001]

Just to increase the chance of people affected by this bug, get to see another solution, David stated that:

(...)
you can even do the following
add SandboxieLogon=y globally
and SandboxieLogon=n to he box you run your browser in,
and et voila boxes are isolated and browser still works with ssl scanning

Changes are slim, since 1.2.7 disables the new feature and it does not seem likely that people will encounter an issue, and if they enable it, they may attribute that to the feature being experimental.

[ghost]

https://forum.eset.com/topic/34177-ssl-certificate-issues-sandboxie/

Thanks @isaak654

[isaak654]

@Mysteriously
In return for your effort, it was opened a new ticket about it through this form, but they continued to insist that Marcos reply was the correct one (in spite of your denial).

So it would be better if you could open a new independent ticket via that form and mention a more up-to-date version of Sandboxie.

[ghost]

It is not my issue he can't follow step by step instruction. Also, it is not first time he did it.
This dude ignored few of my requests including but not limited to a potential security hole in their products even if I posted debug logs.
I am afraid I don't want to waste my time anymore.

SBIE 1.4.2+ versions have more reported issues than previous releases

[isaak654]

The contact form I linked above seems to allow the choice of a different country, so I really doubt the same guy is going to supervise any ticket request, that's the reason of my previous suggestion.

Unfortunately I do not see another way, unless David or other contributors can provide an internal fix.