henryg_1
Guest
Great news. I only checked back on spec.

sjd
Thanks tzuk for reconsidering your position about supporting the 64-bit OS. I heard from a reliable source that Win7 was going to be the last 32-bit OS so your timing couldn't be better.
I didn't read the whole 9 pages of this thread, so I apologize if someone has already mentioned what I'm about to say. Within the first 2 pages or so, people were talking about finding a way to disable PatchGuard. If you guys are still interested in this, someone created a bootkit that does just that. I can't verify one way or another if it works (it's beyond my scope of knowledge), but I thought it might be good to mention. Here's more info: http://forum.exetools.com/showthread.php?t=12628
This patch is for Windows 7 X64 RTM. It directly modifies ntoskrnl.exe & winload.exe to remove Microsoft's "PatchGuard" and requirement of driver signing. This is accomplished by patching 6 bytes inside ntoskrnl.exe and four bytes inside of winload.exe ... it is file patch version of my existing bootkit I originally made this for myself... wanting to again be able to hook inside of ntoskrnl like with X86 Windows.

sjd
I didn't consider the legal ramifications of that modification. You're right, need to keep Sandboxie legit.

Max100
@tzuk:
Just a curiosity... why have you chosen to disable support for XP/Win2k x64, while still leaving Sandboxie able to be launched on these operating systems? I don't find the reason, because all the topics found about that are objectively a waste of time.

tzuk
I explained this earlier in this topic. I had not actually taken any steps to disable support for 64-bit XP/2003. (There is no 64-bit Windows 2000.) And as I only tested with Windows Vista/7, I did not know for certain if it would work on earlier Windows or not. Now, I know: It doesn't work on earlier Windows. So in version 3.43.22, I revised the 64-bit installer to check for Windows Vista or later.

street011
If I'm not mistaken, Sandboxie already patches the kernel when installed on x86 systems?
How is that so much different from patching ntoskrnl and winload to disable PatchGuard for full Sandboxie support? Of course the user should be notified, and I'm not sure how much impact disabling PatchGuard has on security. I'm still using x86 because of Sandboxie right now, but next install I'll try to go with the x64 release. Tzuk, you had a really good point in refusing to support x64; maybe if big AV companies had made the same stand it would have made a difference. I'm glad you picked it up again since we have to deal with it anyway...

Buster
Sandboxie uses Detours, not file patching.

Cisqo
Guest
I'm pretty sure it does need to patch the kernel to ensure full isolation at the low level. Sbie is not merely a file and registry redirect tool that detours them from their supposed location on c:\ to the sandbox. Does the Matousec service communication, leak test on x64, still work with dropmyrights enabled? Also, is dmr sufficient to block bypasses at the low level or just usermode?

tzuk
I'm sure it would have ... But free market competition makes that sort of thing very difficult, if not altogether unrealistic.

Buster
Just with Symantec and NAI putting pressure on Microsoft the tale probably would have changed.

tzuk
Symantec did put pressure on Microsoft, and got the two APIs they needed. But they weren't going around and asking everyone what kind of APIs they also need. And I'm sure you would not have expected them to do this.

Resuming support for 64-bit Sandboxie