There are several common reasons for Windows and other trusted files getting sandboxed:
[ol]- The option "Block all unknown requests when the application is closed" is ticked. This should not normally be ticked unless you know or suspect your machine is infected. This problem can cause other early-loading autorun files to be sandboxed too. If you have this problem you will probably get both sandbox alerts and log entries.
- Sandboxed applications are running Windows or other trusted files. Sandboxing Windows or other trusted applications under these circumstances is intentional - malware can use Windows files to cause damage to your system. If you have this problem you should get log entries for Windows files but not alerts, which you can safely ignore. Common Windows files which get sandboxed like this are verclsid.exe, smss.exe and msfeedsync.exe.
- The file is from a trusted vendor but has an invalid certificate or has been patched. Note that much beta and pre-release software may have no certificate or an invalid test certificate. Also, shell32.dll is commonly patched by third parties. You may use Start ~ Run ~ sigverif.exe to check such files' certificates. Select the Advanced tab, navigate to the directory you require, and make sure you enter the correct file extension before running the tool. If your file is NOT on the resulting list, its certificate is OK. Files like this could be malware and so should be made trusted only if you are sure you trust them.
- You, or software you have started, are running an MS-DOS or other 16-bit application, perhaps invoked from a .pif shortcut file. Although what CIS is doing (sandboxing the virtual machine) is correct, as the virtual machine executes the file’s instructions, the alert which talks about ntvdm.exe (the virtual machine) being sandboxed is confusing and has been registered as a bug/issue.[/ol]
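A scripted alternative to the sigverif.exe check in the third point, added here as an example and not part of the original post: it reports the signature status of files CIS has sandboxed so you can tell an unsigned or patched file from one that was sandboxed for reason one or two. The file paths are assumptions; replace them with the files named in your CIS log.

```powershell
# Added example (not from the original post): check the Authenticode or catalog
# signature of files CIS has sandboxed, as an alternative to sigverif.exe.
# The paths below are assumptions; substitute the files named in your CIS log.
$suspects = @(
    "$env:SystemRoot\System32\verclsid.exe",
    "$env:SystemRoot\System32\smss.exe",
    "$env:SystemRoot\System32\shell32.dll"
)

function Test-SandboxedFileSignature {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Type = $null
                               Signer = $null; SHA256 = $null
                               Action = 'Check the path shown in the CIS log' }
            continue
        }
        # Get-AuthenticodeSignature also checks Windows catalog (.cat) signatures on
        # Windows 8 / Server 2012 and later, which is how most Windows binaries are signed.
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        $action = switch ($sig.Status.ToString()) {
            'Valid'        { 'Signature OK: sandboxing is likely reason one or two, not a bad certificate' }
            'HashMismatch' { 'Contents changed since signing (patched or tampered): investigate before trusting' }
            'NotSigned'    { 'No signature (common for beta builds): trust only if you know the source' }
            'NotTrusted'   { 'Signed, but the certificate chain is not trusted (e.g. a test certificate)' }
            default        { "Signature check returned $($sig.Status): investigate before trusting" }
        }
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status
            Type   = $sig.SignatureType            # Authenticode, Catalog or None
            Signer = $sig.SignerCertificate.Subject
            SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Action = $action
        }
    }
}

Test-SandboxedFileSignature -Path $suspects | Format-List
```

The SHA256 column lets you compare a HashMismatch or NotSigned file against a known-good copy from another machine before deciding to mark it trusted in CIS.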