ESET issue with Sandboxie - Persistent holding of registry keys


Hello,

Recently, changes to either ESET's definitions or modules have caused a problem with the program Sandboxie. Everything was working splendidly until yesterday morning (03July2019, ~7:00AM Pacific Standard Time).

I have a Sandbox set up so that Chrome will launch within it automatically, and upon closure of Chrome, the sandbox is purged via an auto-delete command. The auto-delete command is now failing due to the fact that ESET is keeping files within the sandbox open, even after all processes in the sandbox are closed.

Tracking the issue with Process Explorer reveals that, even after shutting down and terminating all other programs, EKRN.EXE maintains interaction with the registry key "HKU\Sandbox_(UserName)_(SandboxName)". This prevents deletion of the REGHIVE file in the sandbox root, and causes Sandboxie to throw an "Access Denied" error as a result.

Other users of Sandboxie and ESET are reporting the same issue on other forums.

Is there a possibility to resolve this issue, or revert the change that caused this sudden shift in behavior? Thank you.

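The symptom described in the opening post (a Sandbox_<User>_<Box> hive still loaded under HKU, and the box's RegHive file held open after every sandboxed process has exited) can be checked from an elevated shell without Process Explorer. This is an added PowerShell diagnostic, not code from this thread, ESET or Sandboxie; it assumes the default C:\Sandbox\<User>\<Box> layout and the RegHive file name in the box root.

```powershell
# Added diagnostic (not from the thread, ESET or Sandboxie): list Sandboxie hives still
# loaded under HKU and test whether each box's RegHive file can be opened exclusively.
# Assumptions: default sandbox root C:\Sandbox\<User>\<Box>; hive file named "RegHive".
param([string]$SandboxRoot = 'C:\Sandbox')

function Test-FileLocked {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # nothing to test
    try {
        # An exclusive open (FileShare.None) fails while another process holds the file,
        # which is exactly the "Access Denied" Sandboxie hits when purging the box.
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
        $fs.Close()
        return $false
    } catch [System.IO.IOException], [System.UnauthorizedAccessException] {
        return $true
    }
}

# Sandboxie mounts each box's registry as HKU\Sandbox_<User>_<Box>; once every sandboxed
# process has exited none of these should remain loaded.
$loadedHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Sandbox_*' } |
    ForEach-Object { $_.PSChildName }

$report = foreach ($userDir in Get-ChildItem -LiteralPath $SandboxRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($boxDir in Get-ChildItem -LiteralPath $userDir.FullName -Directory) {
        $hiveName = "Sandbox_$($userDir.Name)_$($boxDir.Name)"
        [PSCustomObject]@{
            User          = $userDir.Name
            Box           = $boxDir.Name
            HiveLoaded    = $loadedHives -contains $hiveName
            RegHiveLocked = Test-FileLocked -Path (Join-Path $boxDir.FullName 'RegHive')
        }
    }
}

$report | Format-Table -AutoSize

if ($report | Where-Object { $_.HiveLoaded -or $_.RegHiveLocked }) {
    Write-Warning 'A sandbox hive is still loaded or its RegHive is held open; identify the owning process (Process Explorer, Find Handle) before changing any AV or Sandboxie settings.'
}
```

Run it with no sandboxed programs open: a box that shows HiveLoaded or RegHiveLocked as True is being held by something outside Sandboxie, which is the condition the thread attributes to ekrn.exe.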

Did you perhaps create an Eset HIPS user rule to monitor any modification to that registry key?

It would be odd that Eset would be monitoring a third-party security software registry key by default.

Edited by itman

12 minutes ago, itman said:

Did you perhaps create an Eset HIPS user rule to monitor any modification to that registry key?

It would be odd that Eset would be monitoring a third-party security software registry key by default.

No, nothing of the sort. In fact, I made no changes whatsoever. On the 2nd of July, everything was fine. Suddenly on the 3rd, this started happening, despite my not installing any software or updates, or changing settings, between those two times. That being said, I do agree that it's rather odd.

Some other folks on other forums have observed this behavior before - apparently it's not the first time that it's been happening. When I asked in the Sandboxie realm, the advice was to uninstall ESET to get Sandboxie working.

I'm hoping that the advice from ESET isn't to uninstall Sandboxie! I rather like having both pieces of software working together, and they lived harmoniously for so many years.


The only thing I can think of is that Eset has detected some suspicious activity against this registry key and is monitoring it for similar activity in future. This might very well be an Eset "hiccup" in regards to Sandboxie.

I read your posting on the Sophos forum. I don't believe any type of Eset exclusion will help with this. It appears Eset might somehow be interpreting what is accessing this registry key as suspect.

Best you open an Eset support ticket request with your in-country Eset support vendor.

Edited by itman

Thanks very much for your insight and advice, Itman! I'll try reaching out to ESET via their official support channels. In the event that I find a reasonable resolution, I'll report back here for sure.


Tetranitrocubane,

Just to confirm, you are not the only one. I am also using Sandboxie and noticed this change; however, the issue started a bit earlier. Previously the sandboxes did not auto-delete as expected, but I could still do this manually. Nowadays (and only very recently) even the manual deletion does not work and only a reboot may help. While the issue is mostly affecting Chrome, I have had it on Firefox too. Not sure if any specific file from the Sandboxie program can be excluded in NOD, but setting sandboxie/start.exe as excluded did not fix the issue.

Other than trying the exclusion, I did not change any settings in either NOD or Sandboxie, and other PCs using other AVs are not affected by this issue.

Edited by beethoven

Are you guys referring to https://www.sandboxie.com/ ?

I'm not sure if Zuk is still the developer, but Sandboxie is all screwed up and I think that's solely the source of the issue. I was one of the very first beta testers (years ago) with a number of lifetime licenses, and about 3 months ago I ditched SB due to a number of issues that cannot be solved... period.

FYI.

Zuk won't say it, and again maybe someone else has owned SB since, but he's letting Sandboxie's paying users expire and Sandboxie is no longer in development... look for alternatives.


  • Administrators
8 hours ago, Tetranitrocubane said:

I have a Sandbox set up so that Chrome will launch within it automatically, and upon closure of Chrome, the sandbox is purged via an auto-delete command.

I've tried to reproduce it to no avail. Chrome is set as default browser, the sandbox is configured to delete the content when the application quits. I open Chrome through the "Sandboxed Web Browser" icon, close Chrome after a while but no error occurs and everything seems to be fine.


I can confirm this issue. It started a few days ago. I am unable to delete the content of the Sandboxie sandbox because something is stopping the deletion (ESET). Very easy to reproduce this problem by just having Sandboxie and ESET together since a couple of days ago.


  • Administrators
5 hours ago, hulduet said:

I can confirm this issue. It started a few days ago. I am unable to delete the content of the Sandboxie sandbox because something is stopping the deletion (ESET). Very easy to reproduce this problem by just having Sandboxie and ESET together since a couple of days ago.

I have no clue what I did differently but I was unable to reproduce it on Windows 10.
Does temporarily disabling self-defense make a difference?

Please enable logging of blocked operations in the advanced HIPS setup, reproduce the issue, disable logging, then collect logs with ESET Log Collector and upload the generated archive here.


@Urbano -- Tzuk sold his product many years ago to Sophos and, despite some concerns at the time, the product has continued to work well with regular updates. There is a mammoth thread at Wilders Security,

https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213 , with this issue discussed on the last few pages, and the Sandboxie forum is now housed at Sophos. Lifetime licenses have been honoured by Sophos, so I am not sure what you are talking about.

@Marcos - don't know about Win 10, still using Win 7/64 bit. If I have time over the weekend I will try to generate the logs, but looking at the posts here and at the Sandboxie/Sophos site,

https://community.sophos.com/products/sandboxie/f/sandboxie-forum/113844/sandboxie-fails-to-purge-sandbox---access-denied-error-on-delete-invocation

the issue should be reproducible by ESET.


3 hours ago, beethoven said:

@Urbano -- Tzuk sold his product many years ago to Sophos and, despite some concerns at the time, the product has continued to work well with regular updates. There is a mammoth thread at Wilders Security,

https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213 , with this issue discussed on the last few pages, and the Sandboxie forum is now housed at Sophos. Lifetime licenses have been honoured by Sophos, so I am not sure what you are talking about.

@Marcos - don't know about Win 10, still using Win 7/64 bit. If I have time over the weekend I will try to generate the logs, but looking at the posts here and at the Sandboxie/Sophos site,

https://community.sophos.com/products/sandboxie/f/sandboxie-forum/113844/sandboxie-fails-to-purge-sandbox---access-denied-error-on-delete-invocation

the issue should be reproducible by ESET.

Yes I meant Tzuk.

Either I didn't make it clear or you misunderstood me. My comment is not directed towards the license; the only reason I mentioned it is that even though I have about 30 lifetime licenses, I had no choice but to ditch Sandboxie due to similar and other unresolved issues.

I was experiencing very similar symptoms to what you guys do, but with Avast Pro, so it's not only related to ESET. Although ESET might work around it, Sandboxie has too many flaws now.

I use DeepFreeze Enterprise with a centralized Admin console, so I really wouldn't have to use any other isolating programs, but it was a pleasure using Sandboxie while it was still functioning admirably until recently.

Anyhow, what I'm referring to is that Sandboxie has serious ongoing issues, e.g. dealing with too many conflicts, leaking security outside the box, and other issues.

It seems that the dev of SB struggles to address the issues, and that is one of the reasons why you can no longer purchase or renew the license, and in due time SB will vanish. It's not speculation, it's a fact, mark my words.

Running SB with security holes is like running AV with long-overdue virus definitions: it's pointless.

Edited by URBAN0

4 hours ago, Marcos said:

I have no clue what I did differently but I was unable to reproduce it on Windows 10.
Does temporarily disabling self-defense make a difference?

Please enable logging of blocked operations in the advanced HIPS setup, reproduce the issue, disable logging, then collect logs with ESET Log Collector and upload the generated archive here.

Hi Marcos,

I will do my best to enable logging and get the files uploaded here when I'm able. Before I do that, is there any risk of personal information being included with the log, since I'll be uploading it to a public location? I admit that I don't know what the logging will record.

At present, even a reboot of my machine doesn't let me clear out the sandbox - or even manually delete the files in the sandbox. Even uninstalling Sandboxie isn't an option now, as the files in the sandbox (specifically the RegHive files) are still being opened and constantly accessed. EKRN.EXE is the process responsible, and it seems to be opening and accessing this file as soon as the computer boots.

I'll try my best to get the logs generated once I know it's safe to do so.

Thanks very much for your help on this matter! I really do appreciate it. This has been tricky to get tracked down.


  • Administrators
3 hours ago, Tetranitrocubane said:

Before I do that, is there any risk of personal information being included with the log, since I'll be uploading it to a public location?

Files uploaded in our forum are accessible only by ESET staff.


Hi Marcos.

I have collected the requested logs and uploaded them here. I do want to note that since I posted this message the issue has gotten worse; that is to say, I have been unable to delete the contents of the sandbox at all, even after multiple reboots. This means that if the HIPS issue is happening at the initiation of the Sandbox population, the logs won't capture this.

I switched my logging options as you indicated, then tried to close all programs in the sandbox. This initiated the access denied error. I then disabled that logging option, and exported the log files through the ESET log collector. I've uploaded those logs here, at your request. I hope that this will not be publicly accessible.

I've also included a screenshot of Process Explorer showing EKRN holding on to the registry key, just to give you a better glimpse of what I'm seeing on my end.

Thanks much.

EKRN.PNG

eav_logs_1.zip

Edited by Tetranitrocubane

I am wondering if what is going on here is a classic "deadly embrace" situation.

Eset detected something amiss in access to the Sandboxie registry key and/or data within and started monitoring it. Sandboxie in turn needs exclusive control of that registry key and can't get it. Normally, this should be resolved after a reboot and this appears not to be happening.

You might try to disable Eset's HIPS which will require a reboot. Then delete the contents of Sandboxie's sandbox. Then re-enable Eset's HIPS and see if the issue reoccurs. If it does, then at least Eset's HIPS can be ruled out as the source.


I am experiencing a very similar issue as reported by Tetranitrocubane. I run Win7x64 / Sandboxie 5.30 / ESET NOD32 12.1.34.0, all running without any issues until I received Detection Engine update 19640 (20190705) and Rapid Response module 14501 (20190706). I am still able to clear the contents from the sandbox after a cold boot. No other updates and/or changes have been introduced to my system with the exception of the ESET updates. Any assistance in this matter is much appreciated.

Edited by Urashima Taro

  • Administrators

There were no records related to Sandboxie in the HIPS log. Almost all blocked operations were related to Process Explorer. Does temporarily disabling HIPS and rebooting the machine make a difference?


9 minutes ago, Tetranitrocubane said:

Temporarily disabling HIPS and rebooting does in fact allow me to empty the sandbox.

Continue monitoring to determine if the problem reoccurs.

Edited by itman

Believe I know what might be the "culprit" here.

Eset recently implemented "Deep Behavior Inspection" in the HIPS. For anyone having this issue with Sandboxie, do the following:

1. Open the Eset GUI and navigate to the HIPS section.

2. Verify that a Deep Behavior Inspection section exists there. If so, add exceptions for all of Sandboxie's executables there. -EDIT- Or alternatively, just whitelist Sandboxie's entire directory using the "*.*" notation.

Hopefully, this will resolve the registry access issues with Sandboxie.

Edited by itman

  • Administrators

I've tried to install the latest version of Sandboxie on Windows 7 to no avail. Getting an error while installing the driver:

image.png
