Help needed! Unable to run sandboxed Firefox or Chrome on new Windows 10

Hi everyone,

I just purchased a new PC with Windows 10 Pro x64.

Much to my surprise, I am no longer able to open either Firefox (my default browser) or Chrome in Sandboxie. Nothing is happening when I click on "Run Sandboxed". Or I should say "almost nothing": I can see the little red dots on the Sandboxie icon located on the status bar (as it usually does when you are running any sandboxed program), but that's about it! No error message displayed. If I open the Sandboxie Control window, I see a list of the browser processes running (see images below)... but the browser itself never opens!

So, in search of a temporary alternative browser, I tried two other browsers that were still running fine (with Sandboxie) on my old PC (Win7 x64): Brave and Iridium.

Ironically, Brave and Iridium managed to launch normally on Windows 10 even though they are not officially supported by Sandboxie. However, I get error messages from Sbxie every now and again when starting these browsers. Because they are Chromium-based browsers, here are the error messages just in case it would be of any help for resolving the issue with Chrome:

Iridium + Sandboxie:

 

Brave + Sandboxie:

 

Please note that all the issues with FF and Chrome described above did not occur on my old PC (Win7 x64), with an exception regarding the issue with Firefox. This issue involving FF had been occurring every now and again over the last few months. However, there was a way to get around it:

  1. Right-click on the Sandboxie icon (status bar), select DefaultBox and then Terminate Programs.
  2. Empty DefaultBox.
  3. Click on the "Sandboxed Browser" shortcut again in order to restart Firefox (which usually restarted "normally" in Sandboxie).

Unfortunately, my "get around method" no longer works in Win10, as I never get Firefox to restart normally (in Sandboxie).

 

Because of this difference in behavior between my Win7 PC and Win10, I ran the "Troubleshoot compatibility" program on my new PC to test Sandboxie.

Here are the steps I followed:

  1. Right-clicked on "Sandboxed Web Browser" shortcut and selected Troubleshoot compatibility
  2. "Troubleshoot program" selected
  3. "I don't see my problem listed" selected
  4. Windows 7 selected
  5. Clicked on "Test program"

Results of the test: no change. (i.e. same issues persisted with FF and Chrome while testing in Win7 mode)

 

Additional info (programs installed, version #, etc.):

  • Sandboxie v.5.33.3
  • New sandbox with default settings
  • Windows 10 x64, v.1909
  • Firefox 73.0.1
  • Chrome v.80.0.3987.132
  • Extension installed on both FF and Chrome: only Webroot Filtering Extension (for now).
  • Antivirus software: Webroot SecureAnywhere complete v9.0.27.64, with default settings except for the following: "Warn if any new, untrusted process connects to the Internet" is selected (in Firewall/Webshield). No "warning" or prompt when launching browsers in sandbox. Same antivirus installed on both PCs (Win7 and Win10).
  • Windows Firewall

 

Please let me know if there are any log files hidden somewhere - or any other data - that I could provide to help resolve this issue.

Any help will be much appreciated!

  • Well, as soon as I read Webroot SecureAnywhere and saw the Sandboxie Control pics, I remembered what's probably your issue.

    Are you familiar with Webroot SA? Maybe Webroot SA was installed with the new computer.
    Note: As long as Chrome and Firefox run okay outside Sandboxie.

    Open the Webroot "Application Protection" module. Find the list of Applications > firefox.exe and chrome.exe. Move the Protection bullet at firefox.exe from "Protect" to "Allow" and launch Firefox.
    Same with chrome.exe and launch Chrome.

    Last time I ran Webroot SecureAnywhere + Sandboxie, I needed to move "Protect" to "Allow" in order to launch supported browsers. Then I'd move the Protection bullet from "Allow" to "Protect".

    Please review: https://docs.webroot.com/us/en/home/wsa_identityshield_userguide/wsa_identityshield_userguide.htm#ManagingIdentityProtection/ManagingProtectedApplications.htm

    I suggest running browsers in a discrete sandbox for each supported browser.
    And for testing my suggestion "Protect" to "Allow" to "Protect", I suggest all Webroot SA Advanced Settings at default.

    Regarding the Webroot SA so-called Firewall: IMO, Webroot SA Firefox is not a true software Firewall. Think Connection Watcher. And I think the Webroot SA so-called Firewall may not prompt for trusted programs. If you want further information or help regarding the Webroot SA Firewall, I suggest Webroot Community > https://community.webroot.com/ and Wilders Security Forum > https://www.wilderssecurity.com/threads/webroot-secureanywhere-discussion-update-thread.364655/

  • Thanks a lot for your detailed answer! You correctly put your finger on the cause of this issue with Firefox and Chrome. As soon as I moved the Protection bullet (in Webroot SecureAnywhere) from "Protect" to "Allow", the issue was resolved: I could run FF and Chrome normally in Sandboxie!

    However, the solution that you proposed (i.e. to move back Protection bullet from "Allow" to "Protect" afterwards) didn't work for me. As soon as I moved back from "Allow" to "Protect", I was back to square one. And that, even though I had reset Webroot SA settings to default. Based on this information, is there anything else you could suggest?

    In your previous post, you also suggested to run these two browsers in a "discrete sandbox". I don't know exactly what you meant by that, as I've always used Sandboxie's sandboxes with its default settings. I looked at the different settings I could possibly edit (Sandboxie Control > Sandbox > DefaultBox > Sandbox Settings), but I couldn't find anything related to a "discrete sandbox". Could you explain a little more?

    Thanks again for your help!

     

    p.s.: If we don't completely resolve this issue in this forum, I will certainly follow your advice and get in touch with Webroot Community. I will first wait for your answer. ;)

  • nelfakus said:
    However, the solution that you proposed (i.e. to move back Protection bullet from "Allow" to "Protect" afterwards) didn't work for me. As soon as I moved back from "Allow" to "Protect", I was back to square one. And that, even though I had reset Webroot SA settings to default. Based on this information, is there anything else you could suggest?

    Ahh, it's been a while since I've run WebrootSA. Maybe we're not on the same page. Moving the Protection bullet "Protect - Allow - Protect" is per browser session... it is needed each browser session. Moving the bullet is not a fix. Moving the bullet is a workaround. Sandboxie + WebrootSA is a choice and I've always chosen Sandboxie.

    nelfakus said:
    In your previous post, you also suggested to run these two browsers in a "discrete sandbox". I don't know exactly what you meant by that, as I've always used Sandboxie's sandboxes with its default settings. I looked at the different settings I could possibly edit (Sandboxie Control > Sandbox > DefaultBox > Sandbox Settings), but I couldn't find anything related to a "discrete sandbox". Could you explain a little more?

    Create a new default sandbox for each supported browser. Mixing executables in the same sandbox is not best practice. Sandboxie is about "Isolation". Isolate web-facing applications from the real system and isolate web-facing applications from each other.

    Default is as Sandboxie creates a new sandbox - unrestricted - without copying settings over from another sandbox. Then, for each separate (discrete) sandbox, the user may customize with restrictions and settings unique to that sandbox's use.
    For example: my PDF reader is not the same as my browser nor the same as my media viewer or zip program or Windows Explorer.

    It's not an absolute requirement. Just a long-established recommendation by long-time Sandboxie users on the old Sandboxie Forum and over on Wilders.
    https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/

    If you need help with Sandboxie, I urge posting on Wilders, where you'll meet long-time loyal Sandboxie users that do not contribute here. As you can imagine, Sandboxie users are not Sophos fans.

  • Thank you so much for bringing these clarifications.

    Before I read your answer, I found something peculiar about the "Application Protection" in Webroot SecureAnywhere. I discovered that the issue that I reported here about Firefox and Chrome does not even exist with Internet Explorer 11 - at least on my PC! In other words, even if IE is always "protected" under "Application Protection", I don't have any problem running it sandboxed.

    So, considering that all three browsers are officially supported by Webroot SA, it makes you wonder why only IE is "allowed" to start when sandboxed (at least in Win10).

    I think I will contact Webroot support and find out what they'll have to say about that...

  • Chrome & Firefox, as modern browsers, offer more built-in protections vs legacy browser IE. Even Microsoft advises to only use Internet Explorer for a few non-compatible websites.

    Chrome & Firefox, as modern browsers, object more to code injection from outside sources.

    Chrome & Firefox are multi-process vs Internet Explorer.

    Sandboxie has a dated list of Known Conflicts: https://www.sandboxie.com/KnownConflicts

    Security programs have always offered a challenge for Sandboxie.

    Sandboxie has always recommended Windows Defender vs third-party security solutions.

    SandboxIE was originally designed to work with IE.

    Then, over time, during Sandboxie's golden days... more web-facing apps were added.

    Last few years... less attention was paid to application compatibility while focus shifted to Windows 10 compatibility.

    We can only hope Sandboxie, once open source, finds developer/s interested in maintaining our favored Sandboxie.

    If you're not married to WebrootSA, try Windows Defender.

    Webroot Threat Shield filtering extension from Microsoft Store works in the new Edge with a WebrootSA license key.

      

  • Thanks again for the detailed explanations and for putting things in context! I understand the problem better now (and hope, just like you, that some people will keep maintaining Sandboxie in the future!).