
Unable to block program using Network Firewall (WFP) #2915

Closed
typpos opened this issue May 18, 2023 · 8 comments
Labels: fixed in next build (Fixed in the next Sandboxie version); Issue reproduced (Issue reproduced without uncertainties); User interface (Related to Plus and/or Classic UIs)

Comments

@typpos
Contributor

typpos commented May 18, 2023

Describe what you noticed and did

Sandboxie-Plus 1.9.3 x64 on Win 10.

I'm unable to block outgoing internet requests with the WFP Network firewall. Where can I find a working example to (1) block a specific executable; (2) block all executables residing inside or outside the sandbox?

Repro:

  • Global: Use WFP = yes (done on sb install)
  • Create New Sandbox - Security Hardened Sandbox
  • Select Block Using WFP.
  • Network Firewall add: "All Programs - Block - - - Any"
  • As a test program, copy curl.exe (https://curl.se/windows/) into a sandboxed folder
  • Start boxed cmd.exe; navigate to curl.exe and ...
  • curl.exe https://www.google.com

Expected: Request is blocked.
Actual: Request succeeds.

Same situation when running the default browser (installed outside of the sandbox) in this sandbox.

Related issues:

  1. Incorrect security statement when creating sandbox
     • Menu > Sandbox > Create New Box
     • Select Security Hardened Sandbox
     • Select Configure advanced options
     • Next, Next
     • Select Network Access = Block with WFP
     • Next
     • Summary states "Processes in this sandbox will not be able to access the internet"
     • Finish
     • Start default browser and navigate to a website

     Expected: Browsing fails
     Actual: Browsing succeeds

  2. Confusing statement in Sandbox Settings dialog
     • Double-click a sandbox > Network Options > Process Restrictions
     • Fixed label (?) above programs table says "Note: Programs installed to this sandbox won't be able to access the internet at all".
       What is the meaning of this statement? I presume the idea is that if - and only if - "Block by denying access to Network devices" is selected, then the programs added to the list are not exempting executables that reside inside the sandbox folders?
  3. Network Firewall "Test Rules" section is inconsistent
     • There are various situations where the test rules, the firewall rules, and the colour highlights are out of sync.
  4. Network Firewall rules change when touched
     • Add a rule
     • Click Apply
     • Double click on "All Programs"
     • "All Programs" changes to "*" and "Apply" becomes enabled
     • Once "Apply" is clicked, * reverts to "All Programs"
  5. What types of values can be entered for a firewall rule and how are they interpreted?
     • File names? File paths? Wildcards? Empty? `127.*.*.4`?

How often did you encounter it so far?

Always

Affected program

Chrome; curl

Download link

https://curl.se/windows/

Where is the program located?

The program is installed only inside a sandbox (NOT in the real system anyway).

Expected behavior

Web requests should be blocked.

What is your Windows edition and version?

Windows 10 Pro 22H2

In which Windows account you have this problem?

A local or Microsoft account without special changes.

Please mention any installed security software

MS Defender only

What version of Sandboxie are you running?

1.9.3

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

No response

In which sandbox type you have this problem?

In a security hardened sandbox (orange sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

no

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

```ini
[GlobalSettings]
NetworkEnableWFP=y
DefaultBox=DefaultBox
FileRootPath=D:\Sandbox\%SANDBOX%
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%

[Box3]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#027df7,ttl
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
UseSecurityMode=y
UseFileDeleteV2=y
UseRegDeleteV2=y
FakeAdminRights=y
AutoRecover=n
AllowNetworkAccess=!<InternetAccess>,n
NetworkAccess=*,Block;Protocol=Any
```

typpos added the Confirmation pending (Further confirmation is requested) label on May 18, 2023
@offhub
Collaborator

offhub commented May 18, 2023

  1. WFP filtering doesn't seem to work after initial setup until the configuration is reloaded. Bug? @DavidXanatos
  2. Restart your system.
  3. It may indicate the * value in the configuration. (`NetworkAccess=*,Block;Protocol=Any`)
  4. You can use commas and dashes:
     `NetworkAccess=*,Allow;Port=80,443,49152-65535;Address=127.0.0.1,192.168.1.1,192.168.2.1-192.168.2.100;Protocol=TCP`

@typpos
Contributor Author

typpos commented May 18, 2023

Indeed. Thank you!

I restarted the driver (Menu > Maintenance > Stop All). Now WFP blocks requests.
But, I am unable to create any filters to allow access. Scary.

FWIW: Before the maintenance restart, when I enabled WFP, selected "Prompt user to allow an exemption", and denied permission when asked without "remember for this process", the request would pop up 6 or 7 times, and would succeed the 7/8th time.

@offhub
Collaborator

offhub commented May 18, 2023

Have you also created a rule for the process in the 'Process Restrictions' section of the 'Network Options'?

```ini
AllowNetworkAccess=!<InternetAccess>,n
NetworkAccess=curl.exe,Allow;Protocol=Any
NetworkAccess=*,Block;Protocol=Any
ProcessGroup=<InternetAccess>,curl.exe
```

@typpos
Contributor Author

typpos commented May 18, 2023

Thanks again. That helped. I didn't understand I had to make exceptions in 2 places.

Maybe I make some incorrect assumptions, but I find the entire feature group quite hard to deal with. Other examples:

  7. Set Process restrictions to "Allow Access"; add a program to be blocked. Why does it not block? The label above says "..for UNLISTED processes: Allow access".
  8. Add a process restriction; apply; uncheck the check box; apply; (The access setting vanishes!? Why?); check the check box; double click to set Access to previous value; click apply. Bug: There are now 2 identical entries, with ini set to `ProcessGroup=,curl.exe,curl.exe`.
  9. Add a full path to an executable in the process restrictions. The UI accepts the setting but it doesn't do anything. Why?
  10. Clear "Name" from one of the process restriction entries. Click away. It now says "All Programs". Click Apply. The entire entry silently vanishes. Not good if I clicked "OK" and don't see it's gone.

@offhub
Collaborator

offhub commented May 19, 2023

  1. Bug? It doesn't seem to create rules that should block programs added to the list in Allow access mode.
     ```ini
     AllowNetworkAccess=<BlockNetAccess>,n
     ClosedFilePath=<BlockNetDevices>,InternetAccessDevices
     ```
  2. Bug
  3. Full path usage is not supported.
  4. Bug or feature? 😃

offhub added the Issue reproduced (Issue reproduced without uncertainties) and User interface (Related to Plus and/or Classic UIs) labels and removed the Confirmation pending (Further confirmation is requested) label on May 19, 2023
@typpos
Contributor Author

typpos commented May 19, 2023

  1. .. and therefore the UI must not accept that input.
  2. I go with "user error". 😃

@typpos
Contributor Author

typpos commented May 19, 2023

I'll add this one here:

  1. Unable to add program name to "Process Restrictions" when name includes a comma:
  • Sandbox Options > Network Options > Process Restrictions
  • Click "Add Program"
  • In Name, enter "Fix,me.exe"
  • Click away
  • Application shows input as expected
  • Click Apply
  • Bug: 2 entries appear. If I had pressed "OK" I wouldn't be aware of this issue.

I tried double-quoting this entry without success. Side note: not a priority for me, but this may cause other issues.

Section "Network Firewall" accepts this input but I don't know if the firewall correctly interprets the setting.

DavidXanatos added the fixed in next build (Fixed in the next Sandboxie version) and Partially fixed (Issues with partial fixes) labels, and removed the fixed in next build and Partially fixed labels, on May 21, 2023
@DavidXanatos
Member

The entire feature group is indeed quite a bit confusing, as there are 2 levels of blocking.

There was another bug that sometimes did not add the required
```ini
AllowNetworkAccess=<BlockNetAccess>,n
ClosedFilePath=<BlockNetDevices>,InternetAccessDevices
```
This is now fixed; the UI also no longer allows entering an empty name, and I fixed the issue causing unchecking to misbehave.

That said, not allowing commas in process names is a general sandboxie.ini issue and applies to all options, so it's out of the scope of this issue; feel free to create a separate one for that. The same goes for not supporting full paths: it would be a nice improvement but would require a rework of how sandboxie handles options.
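To make the two levels of blocking discussed in this thread concrete, here is an added example (not Sandboxie code) that lints one box section of sandboxie.ini: it parses the `NetworkAccess=<program>,<Allow|Block>;Port=...;Address=...;Protocol=...` syntax offhub showed above, flags a program name containing a comma (which sandboxie.ini cannot encode), checks port and address ranges, and warns when a WFP Allow rule for a program is not paired with membership in `ProcessGroup=<InternetAccess>` while `AllowNetworkAccess=!<InternetAccess>,n` is set. The sample section is constructed; the finding texts and severity labels are this example's own.

```python
import ipaddress

# Constructed sample box section; option syntax follows the lines posted in this thread.
SAMPLE_INI = """\
AllowNetworkAccess=!<InternetAccess>,n
NetworkAccess=curl.exe,Allow;Protocol=Any
NetworkAccess=chrome.exe,Allow;Port=80,443,49152-65535;Address=192.168.2.1-192.168.2.100;Protocol=TCP
NetworkAccess=Fix,me.exe,Block;Protocol=Any
NetworkAccess=*,Block;Protocol=Any
ProcessGroup=<InternetAccess>,curl.exe
"""

def parse_ranges(spec, conv):
    """'80,443,49152-65535' -> [(80, 80), (443, 443), (49152, 65535)]; conv() converts each end."""
    out = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        out.append((conv(lo), conv(hi or lo)))
    return out

def parse_network_access(value):
    """'<prog>,<Allow|Block>;Key=Val;...' -> dict. The head is split on its LAST comma, because
    sandboxie.ini cannot represent a comma inside a program name (the limitation noted above)."""
    head, *opts = value.split(";")
    prog, _, action = head.rpartition(",")
    return {"prog": prog, "action": action, **dict(o.partition("=")[::2] for o in opts)}

def lint_box(ini_text):
    """Return [(severity, message), ...] for one box section; an empty list means clean."""
    findings, rules, allow_opt, inet_group = [], [], None, set()
    for line in ini_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "NetworkAccess":
            rules.append(parse_network_access(value))
        elif key == "AllowNetworkAccess":
            allow_opt = value
        elif key == "ProcessGroup" and value.startswith("<InternetAccess>,"):
            inet_group = set(value.split(",")[1:])
    for r in rules:
        if "," in r["prog"]:
            findings.append(("error", f"program name {r['prog']!r} contains a comma; the ini cannot encode it"))
        ports = parse_ranges(r["Port"], int) if "Port" in r else []
        addrs = parse_ranges(r["Address"], ipaddress.ip_address) if "Address" in r else []
        if any(not 0 <= lo <= hi <= 65535 for lo, hi in ports) or any(lo > hi for lo, hi in addrs):
            findings.append(("error", f"inverted or out-of-range Port/Address in the rule for {r['prog']}"))
        # Second level: with AllowNetworkAccess=!<InternetAccess>,n the device-level block still
        # applies unless the program is also a member of ProcessGroup=<InternetAccess>.
        if (r["action"] == "Allow" and r["prog"] != "*" and allow_opt == "!<InternetAccess>,n"
                and r["prog"] not in inet_group):
            findings.append(("warn", f"{r['prog']} is allowed by its WFP rule but is not in ProcessGroup=<InternetAccess>"))
    return findings
```

Running `lint_box(SAMPLE_INI)` yields a warning for chrome.exe (allowed by WFP, missing from the process group) and an error for the comma in "Fix,me.exe", while the curl.exe rule, which is listed in both places, passes.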
