Tetranitrocubane

ESET issue with Sandboxie - Persistent holding of registry keys


Posted (edited)

This suggestion was posted on the Sandboxie forum by Sophos:

Quote

Since you mentioned Ekrn.exe, you may want to try blocking that file in the Sandbox and test what happens (it may or may not work, as it may trigger error messages).

Right-click on your Sandbox
Sandbox Settings ---> Resource Access ---> File Access ---> Blocked Access
Add the following entry:
*\ekrn.exe
Ok and Apply
Re-test

Remove the changes if they don't help/cause problems.

This, coupled with excluding Sandboxie processes or the entire directory as noted above, might do the trick.

Personally, I suspect Eset might go "bonkers" if its access was denied to Sandboxie system use areas.

Edited by itman

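The "Blocked access" step quoted above, written out as the equivalent Sandboxie.ini line so it can be reviewed and reverted as text rather than through the UI. This is an added example, not part of the forum post or of Sophos's instructions; it assumes the sandbox is named DefaultBox and that the UI's "Blocked access" file list corresponds to Sandboxie's ClosedFilePath setting.

```ini
; Sandboxie.ini fragment (added example, not from the thread).
; Assumptions: the sandbox is named DefaultBox, and the UI entry
; "File Access -> Blocked access" maps to the ClosedFilePath setting.
[DefaultBox]
; Deny sandboxed programs any access to ESET's kernel service executable.
; This mirrors the *\ekrn.exe entry suggested on the Sandboxie forum.
ClosedFilePath=*\ekrn.exe
```

The thread itself records this as an interim workaround only: one tester on Wilders still hit the "Could not move the sandbox folder out of the way" error once with the block in place, and itman reports it did not work at all. Remove the line once the Cleaner module 1197 fix described later in the thread has been applied.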

Hi Itman,

I've tried adding the exception for Deep Behavior Inspection in ESET, but unfortunately the behavior seems to be persisting. I've seen the suggestion on the Sandboxie forums, but I am similarly worried that blocking ESET in Sandboxie will cause more problems than it will solve.

Marcos,

I'm currently using Sandboxie 5.31.2 64-bit on Windows 10. I recommend using the latest Sandboxie beta, as there are some lingering issues on the 5.30 build.

The latest betas are here:

https://community.sophos.com/products/sandboxie/sandboxie-beta-versions/f/sandboxie-beta-5-31/113038/sandboxie-beta-sandboxie-beta-5-31-latest-version-5-31-2

1 hour ago, Tetranitrocubane said:

I've tried adding the exception for Deep Behavior Inspection in ESET, but unfortunately the behavior seems to be persisting.

The only other culprit I can think of is the Advanced Machine Learning module. This also was just introduced into Eset.

Also, it appears there is no way to add exceptions to it or disable it short of completely disabling the HIPS.


I am testing the option of setting up all Sandboxie files to be excluded under ESET NOD32/HIPS/DEEP BEHAVIORAL. I will report back after about a week's worth of use.

13 hours ago, Urashima Taro said:

I will report back after about a week's worth of use.

No reason to wait a week.

If the Eset DBI Sandboxie exclusions are working, it would be apparent immediately by no conflict with clearing the sandbox after browser termination.


@Marcos this might be the reason for the Win 7 driver errors when attempting to install Sandboxie:

Quote

SHA-2 Code Signing
For Windows 7 Users, the SHA-2 Code Signing Support becomes mandatory in July. You will need to have KB4474419 (the SHA-2 update) and KB4490628 (2019-03 Servicing Stack) installed for Win7 SP1, Server 2008 R2 SP1, and Server 2008 SP2 prior to August updates.


On 7/4/2019 at 10:05 PM, hulduet said:

I can confirm this issue. It started a few days ago. I am unable to delete the content of the Sandboxie sandbox because something is stopping the deletion (ESET). Very easy to reproduce this problem by just having Sandboxie and ESET together, as of a couple of days ago.

Same problem with me. I use Privacy Eraser and that will delete the sandbox contents.

32 minutes ago, itman said:

@Marcos this might be the reason for the Win 7 driver errors when attempting to install Sandboxie:


Yes, I've realized that it was actually a VM with Windows 7 without SP1. All attempts to install it failed so I gave up, however, the issue was reproduced also on Windows 10 but it took effort and it was not easy to reproduce. It appears that the issue could be caused by some changes in a recent update of the Cleaner modules. We're on it and investigating the issue. Will keep you posted.

6 hours ago, itman said:

No reason to wait a week.

If the Eset DBI Sandboxie exclusions are working, it would be apparent immediately by no conflict with clearing the sandbox after browser termination.

You are correct, it took less than 2 hours of work to see that this option (ESET DBI Exclusions) did not work. I have disabled ESET NOD32 HIPS and am trying again. Will post my findings soon.


Okay, disabling ESET NOD32 HIPS did not work as well. I have re-enabled it along with DBI and have disabled "Protocol Filtering" completely, and so far so good. Will continue testing.


Most likely next week we'll release a new Cleaner module 1197 to pre-release update servers which should address this issue. If you want to get the fix among the first, switch to pre-release updates in the advanced update setup. The module will be released for all users a little bit later.

Posted (edited)
20 hours ago, Bob_D said:

Been plagued here with the same issue (on Win 10 only). Seems to be resolved now. See "Program Stop > Leader Programs": https://www.sandboxie.com/ProgramStopSettings#leader

No compromise of Eset's protection required.

To clarify, did adding ekrn.exe to Sandboxie's "leader programs" list stop the issue of the sandbox not being able to be cleared?

-EDIT- per postings on wilderssecurity.com here: https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213#post-2839871, the "leader programs" proposed solution doesn't work.

Edited by itman

8 hours ago, Marcos said:

Most likely next week we'll release a new Cleaner module 1197 to pre-release update servers which should address this issue. If you want to get the fix among the first, switch to pre-release updates in the advanced update setup. The module will be released for all users a little bit later.

That sounds awesome, Marcos.  Looking forward to the new Cleaner module.  😊


So far, the Sophos suggested Sandboxie mitigation posted previously: https://forum.eset.com/topic/20056-eset-issue-with-sandboxie-persistent-holding-of-registry-keys/?do=findComment&comment=97716 appears to be working as observed through testing here: https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213#post-2840059

Appears to be no conflicts with Eset by doing this.

18 hours ago, itman said:

So far, the Sophos suggested Sandboxie mitigation posted previously: https://forum.eset.com/topic/20056-eset-issue-with-sandboxie-persistent-holding-of-registry-keys/?do=findComment&comment=97716 appears to be working as observed through testing here: https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213#post-2840059

Appears to be no conflicts with Eset by doing this.

An edit was made to the above-linked post on Wilders ...

Quote

Edit: Regrettably, I must report that I did receive the dreaded "Could not move the sandbox folder out of the way" error message once after having blocked ekrn.exe. I've probably closed a couple dozen browser sessions without any issue, but just now the Sandboxie deletion failure did happen, and I had to reboot to delete. I made note of the numbers, in case we begin to look at the size of the space (or number of files or folders) as a potential trigger. 98 files and 44 folders occupying 45 MB of space. :(

Back to waiting for ESET's release of new Cleaner module 1197 on pre-release update servers next week. :thumb:



The latest on the Sophos mitigation:

Quote

Quick update on the sandbox deletion issue...

Other than the one occurrence to the contrary, I have had very good success with Barb@Sophos' ekrn.exe blocking suggestion. I encourage others to try it while they wait for ESET to release a possible fix.

https://www.wilderssecurity.com/threads/sandboxie-acquired-by-invincea.357312/page-213#post-2840378

Posted (edited)

I have taken the dive into ESET's 1195 pre-release cleaner module. I am not sure why I did not receive the 1197 pre-release cleaner module after opting for it. For the most part it works, but I do still receive the sandbox deletion issue 2 times out of 6 cold boots. I am attempting to find if there is a relation between how soon I log into the OS desktop from a cold boot and open a sandboxed browser session and the sandbox deletion issue. 1195 pre-release is better but not a solution to the problem. I will attempt the blocking of ekrn.exe with Sandboxie after I revert from the 1195 pre-release.

Edited by Urashima Taro
correction with version of the pre-release cleaner module

Quote

I am not sure why I did not receive the 1197 pre-release cleaner module after opting for it. 

Please read my last post from last week:
Most likely next week we'll release a new Cleaner module 1197 to pre-release update servers which should address this issue.

The Cleaner module 1197 addressing the issue has not been released to pre-release update servers yet.

3 hours ago, Marcos said:

Please read my last post from last week:
Most likely next week we'll release a new Cleaner module 1197 to pre-release update servers which should address this issue.

The Cleaner module 1197 addressing the issue has not been released to pre-release update servers yet.

Understood, thank you for the clarification. 


13 hours ago, itman said:

The Sophos mitigation did not work as well in my case.


@Marcos

We are half way into "next week", do you have an ETA for pre-release cleaner module 1197? Your response is appreciated.

2 minutes ago, Urashima Taro said:

We are half way into "next week", do you have an ETA for pre-release cleaner module 1197? Your response is appreciated.

Cleaner module 1197 was put on pre-release servers on Monday. Today it has been released to several million users on the regular update channel, with the rest to follow soon.

2 hours ago, Marcos said:

Cleaner module 1197 was put on pre-release servers on Monday. Today it has been released to several million users on the regular update channel, with the rest to follow soon.

Just downloaded the new Cleaner module 1197 pre-release update.  I'll post back with any info.  TY!

On 7/17/2019 at 4:01 PM, Page42 said:

Just downloaded the new Cleaner module 1197 pre-release update.  I'll post back with any info.  TY!

It's scary how well this new Cleaner module has fixed the problem. I've been opening and closing browser sessions like crazy, trying to get Sandboxie to throw another "Could not move the sandbox folder out of the way" error message, but all is well. Sandboxie is deleting sandboxes like it used to. :)


That's what you call exceptional support 👍
