itman 1,659 Posted July 8, 2019 (edited)

This suggestion was posted on the Sandboxie forum by Sophos:

Quote
> Since you mentioned Ekrn.exe, you may want to try blocking that file in the Sandbox and test what happens (it may or may not work, as it may trigger error messages).
> Right-click on your Sandbox
> Sandbox settings ---> Resource Access ---> File Access ---> Blocked access
> Add the following entry: *\ekrn.exe
> Ok and Apply
> Re-test
> Remove the changes if they don't help/cause problems.

This coupled with excluding Sandboxie processes or entire directory as noted above, might do the trick. Personally, I suspect Eset might go "bonkers" if its access was denied to Sandboxie system use areas.

Edited July 8, 2019 by itman

Tetranitrocubane 1 Posted July 9, 2019 (Author)

Hi Itman, I've tried adding the exception for Deep Behavior Inspection in ESET, but unfortunately the behavior seems to be persisting. I've seen the suggestion on the Sandboxie forums - but I am similarly worried that blocking ESET in Sandboxie will cause more problems than it will solve.

Marcos, I'm currently using Sandboxie 5.31.2 64-bit on Windows 10. I recommend using the latest Sandboxie beta, as there are some lingering issues on the 5.30 build. The latest betas are here:
https://community.sophos.com/products/sandboxie/sandboxie-beta-versions/f/sandboxie-beta-5-31/113038/sandboxie-beta-sandboxie-beta-5-31-latest-version-5-31-2

itman 1,659 Posted July 9, 2019

1 hour ago, Tetranitrocubane said:
> I've tried adding the exception for Deep Behavior Inspection in ESET, but unfortunately the behavior seems to be persisting.

The only other culprit I can think of is the Advanced Machine Learning module. This also was just introduced into Eset. Also, it appears there is no way to add exceptions to it or disable it short of completely disabling the HIPS.

Urashima Taro 0 Posted July 10, 2019

I am testing the option of setting up all Sandboxie files to be excluded under ESET NOD32/HIPS/DEEP BEHAVIORAL. I will report back in about a week's worth of use.

itman 1,659 Posted July 10, 2019

13 hours ago, Urashima Taro said:
> I will report back in about a week's worth of use.

No reason to wait a week. If the Eset DBI Sandboxie exclusions are working, it would be apparent immediately by no conflict with clearing the sandbox after browser termination.

itman 1,659 Posted July 10, 2019

@Marcos this might be the reason for the Win 7 driver errors when attempting to install Sandboxie:

Quote
> SHA-2 Code Signing
> For Windows 7 Users, the SHA-2 Code Signing Support becomes mandatory in July. You will need to have KB4474419 (the SHA-2 update) and KB4490628 (2019-03 Servicing Stack) installed for Win7 SP1, Server 2008 R2 SP1, and Server 2008 SP2 prior to August updates.

Sammo 8 Posted July 10, 2019

On 7/4/2019 at 10:05 PM, hulduet said:
> I can confirm this issue. It started a few days ago. I am unable to delete the content of the sandboxie because something is stopping the deletion (ESET). Very easy to reproduce this problem by just having sandboxie and ESET together since a couple of days ago.

Same problem with me. I use Privacy Eraser and that will delete the sandbox contents.

Marcos 5,070 (Administrators) Posted July 10, 2019

32 minutes ago, itman said:
> @Marcos this might be the reason for the Win 7 driver errors when attempting to install Sandboxie:

Yes, I've realized that it was actually a VM with Windows 7 without SP1. All attempts to install it failed so I gave up, however, the issue was reproduced also on Windows 10 but it took effort and it was not easy to reproduce.

It appears that the issue could be caused by some changes in a recent update of the Cleaner modules. We're on it and investigating the issue. Will keep you posted.

Urashima Taro 0 Posted July 10, 2019

6 hours ago, itman said:
> No reason to wait a week. If the Eset DBI Sandboxie exclusions are working, it would be apparent immediately by no conflict with clearing the sandbox after browser termination.

You are correct, it took less than 2 hours of work to see that this option (ESET DBI Exclusions) did not work. I have disabled ESET NOD32 HIPS and am trying again. Will post my findings soon.

Urashima Taro 0 Posted July 10, 2019

Okay, disabling ESET NOD32 HIPS did not work as well. I have re-enabled it along with DBI and have disabled "Protocol Filtering" completely and so far so good. Will continue testing.

Bob_D 0 Posted July 11, 2019

Been plagued here with the same issue (on Win 10 only). Seems to be resolved now. See "Program Stop > Leader Programs": https://www.sandboxie.com/ProgramStopSettings#leader

No compromise of Eset's protection required.

Marcos 5,070 (Administrators) Posted July 12, 2019

Most likely next week we'll release a new Cleaner module 1197 to pre-release update servers which should address this issue. If you want to get the fix among the first, switch to pre-release updates in the advanced update setup. The module will be released for all users a little bit later.

itman 1,659 Posted July 12, 2019 (edited)

20 hours ago, Bob_D said:
> Been plagued here with the same issue (on Win 10 only). Seems to be resolved now. See "Program Stop > Leader Programs": https://www.sandboxie.com/ProgramStopSettings#leader
> No compromise of Eset's protection required.

To clarify, did adding ekrn.exe to Sandboxie's "leader programs" list stop the issue of the sandbox not being able to be cleared?

-EDIT- per postings on wilderssecurity.com here: https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213#post-2839871 , the "leader programs" proposed solution doesn't work.

Edited July 12, 2019 by itman

Page42 6 Posted July 12, 2019

8 hours ago, Marcos said:
> Most likely next week we'll release a new Cleaner module 1197 to pre-release update servers which should address this issue. If you want to get the fix among the first, switch to pre-release updates in the advanced update setup. The module will be released for all users a little bit later.

That sounds awesome, Marcos. Looking forward to the new Cleaner module. 😊

itman 1,659 Posted July 12, 2019

So far, the Sophos suggested Sandboxie mitigation posted previously: https://forum.eset.com/topic/20056-eset-issue-with-sandboxie-persistent-holding-of-registry-keys/?do=findComment&comment=97716 appears to be working as observed through testing here: https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213#post-2840059

Appears to be no conflicts with Eset by doing this.

Page42 6 Posted July 13, 2019

18 hours ago, itman said:
> So far, the Sophos suggested Sandboxie mitigation posted previously: https://forum.eset.com/topic/20056-eset-issue-with-sandboxie-persistent-holding-of-registry-keys/?do=findComment&comment=97716 appears to be working as observed through testing here: https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213#post-2840059
> Appears to be no conflicts with Eset by doing this.

An edit was made to the above-linked post on Wilders ...

Quote
> Edit: Regrettably, I must report that I did receive the dreaded "Could not move the sandbox folder out of the way" error message once after having blocked ekrn.exe. I've probably closed a couple dozen browser sessions without any issue, but just now the Sandboxie deletion failure did happen, and I had to reboot to delete. I made note of the numbers, in case we begin to look at the size of the space (or number of files or folders) as a potential trigger. 98 files and 44 folders occupying 45 MB of space.

Back to waiting for ESET's release of new Cleaner module 1197 on pre-release update servers next week.

itman 1,659 Posted July 14, 2019

The latest on the Sophos mitigation:

Quote
> Quick update on the sandbox deletion issue... Other than the one occurrence to the contrary, I have had very good success with Barb@Sophos' ekrn.exe blocking suggestion. I encourage others to try it while they wait for ESET to release a possible fix.

https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213#post-2840378

Urashima Taro 0 Posted July 14, 2019 (edited)

I have taken the dive into ESET's 1195 pre-release cleaner module. I am not sure why I did not receive the 1197 pre-release cleaner module after opting for it. For the most part it works but I do still receive the sandbox deletion issue 2 times out of 6 cold boots. I am attempting to find if there is a relation between how soon I log into OS desktop from a cold boot and open a sandboxed browser session with the sandbox deletion issue.

1195 pre-release is better but not a solution to the problem. I will attempt the blocking of ekrn.exe with Sandboxie after I revert from the 1195 pre-release.

Edited July 15, 2019 by Urashima Taro: correction with version of the pre-release cleaner module

Marcos 5,070 (Administrators) Posted July 15, 2019

Quote
> I am not sure why I did not receive the 1197 pre-release cleaner module after opting for it.

Please read my last post from last week:

Most likely next week we'll release a new Cleaner module 1197 to pre-release update servers which should address this issue.

The Cleaner module 1197 addressing the issue has not been released to pre-release update servers yet.

Urashima Taro 0 Posted July 15, 2019

3 hours ago, Marcos said:
> Please read my last post from last week: Most likely next week we'll release a new Cleaner module 1197 to pre-release update servers which should address this issue. The Cleaner module 1197 addressing the issue has not been released to pre-release update servers yet.

Understood, thank you for the clarification.

13 hours ago, itman said:
> The latest on the Sophos mitigation: https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213#post-2840378

The Sophos mitigation did not work as well in my case.

Urashima Taro 0 Posted July 17, 2019

@Marcos We are half way into "next week", do you have an ETA for pre-release cleaner module 1197? Your response is appreciated.

Marcos 5,070 (Administrators) Posted July 17, 2019

2 minutes ago, Urashima Taro said:
> We are half way into "next week", do you have an ETA for pre-release cleaner module 1197? Your response is appreciated.

Cleaner module 1197 was put on pre-release servers on Monday. Today it's been released to several millions of users with regular update channel with the rest to follow soon.

Page42 6 Posted July 17, 2019

2 hours ago, Marcos said:
> Cleaner module 1197 was put on pre-release servers on Monday. Today it's been released to several millions of users with regular update channel with the rest to follow soon.

Just downloaded the new Cleaner module 1197 pre-release update. I'll post back with any info. TY!

Page42 6 Posted July 19, 2019

On 7/17/2019 at 4:01 PM, Page42 said:
> Just downloaded the new Cleaner module 1197 pre-release update. I'll post back with any info. TY!

It's scary how well this new Cleaner module has fixed the problem. I've been opening and closing browser sessions like crazy, trying to get Sandboxie to throw another "Could not move the sandbox folder out of the way" error message, but all is well. Sandboxie is deleting sandboxes like it used to.

URBAN0 14 Posted July 19, 2019

That's what you call exceptional support👍