CIS 2011 Free Breaks Sandboxie 3.46 & 3.50 [NBZ]

TOPIC TITLE
CIS 2011 Free Breaks Sandboxie 3.46 & 3.50 Unless Defense+ Security Level Is Permanently Disabled


The bug/issue

  1. What you did:

    On 10/30/10, I downloaded the current build of Comodo Internet Security 2011 from the Comodo web site. After installation, this was reported by CIS as Comodo Internet Security 5-0-162636-1135. The Check Updates option said that none were available.

I then prepared a stable system, which had been running Avast Free Anti-virus 5-0-667 and SBIE 3.50 successfully for about 10 days, for a potentially troublesome installation by disabling Avast’s real-time shields, and closing all running applications. During the installation, I chose not to install the anti-virus, and only installed the firewall, with the Defense+ Maximum Protection option. I restarted the system, and responded as well as possible to the blizzard of warnings which CIS presented. I have many utilities set to autostart, and many were “unrecognized” by CIS. Whenever possible, I enabled the full options view on the CIS warning dialog, and identified the programs as Trusted or Windows System Applications. By the end of that process, when CIS stopped throwing up warnings or automatically sandboxing programs, I checked the CIS Summary screen, and found 16 applications running in the sandbox. One was SBIECtrl. Nothing was shown for any Avast component.

I repeated this restart procedure several times. Each time, CIS would warn, or attempt to sandbox, various applications or components, and I would indicate that the application should not be sandboxed again, and/or responded to the warning dialog. Eventually, I could restart the system without any protest from CIS about any of my regular autostart programs.

At that point, I created an exception for Avast so that its Real Time File shield would not respond to any file activity in the Comodo install directory or its subdirectories, or in the SBIE directory. I then ran a whole system scan with Avast, which showed no problems. I then set CIS to “Clean PC” mode, and rebooted.

I then tried SBIE for the first time. I clicked on the Quick Launch icon I normally use to launch Firefox sandboxed. Instead of starting, however, the Sandboxie message dialog window appeared, and displayed the error message “SBIE2204 Cannot start sandboxed service RpcSs.” A JPG file showing that screen is attached. Reviewing the Defense+ Events log later, I found that nothing had been recorded.

I then tried to launch other applications, like Internet Explorer and Outlook Express, that I normally launch sandboxed. All failed to launch, and produced the same error message. I then tried to launch those applications by right-clicking on the file name in Windows Explorer. The same error occurred. Finally, I tried to launch applications from the menu system in the Sandboxie Control Window, but met the same result.

I then uninstalled CIS, and manually removed all traces from the Registry and file system. After rebooting, all Sandboxie function returned immediately. Following the procedures outlined above, I then reinstalled CIS. The SBIE errors returned immediately, again regardless of the application being opened.

  2. What actually happened or you actually saw:

    What happens, and what I see, differs depending on what I try to launch, and how I try to launch it. SBIE allows applications to be launched by using the menu system on the Sandboxie Control window, by using a context menu option available when right-clicking on any application file displayed in Windows Explorer, from shortcuts created on the desktop or other locations, or from scripts.

    For the sake of simplicity and reproducibility, I’ll describe the sequence which occurs when attempting to launch Windows Explorer from the menu system in the SBIE Control window. This will also make it possible to describe circumstances occurring before the display of the error messages, which indicates that at least one CIS setting has a major impact on SBIE’s operations: the Detect Shellcode Injections setting. JPG screenshots of each step are attached.

All of the following experiments were conducted with Comodo’s Defense+ Security Level set to Safe Mode, and a clean installation of SBIE which used the default configuration file. SBIE was installed to a location other than its default, so that these results were not influenced by the Comodo configuration changes described in Section 4. With one exception, which I describe in the last paragraph, these same results also occur after booting into Windows with the Security Level temporarily set to Disabled.

The Sandboxie Control Window looks like this when awaiting an attempt to launch an application: “Sandboxie 3-50 Control window_empty, awaiting attempt to launch any application Sandboxed.jpg”

By using this sequence of dropdown menus, Windows Explorer can be launched: “SBIE Ctrl Window_menu bar and cascaded menus used to attempt to launch Windows Explorer.jpg”

When using this menu sequence, the attempt to launch Windows Explorer first produces an informational dialog: “SBIE Ctrl Window_informational dialog displayed from 1 second to infinity after trying to launch Windows Explorer from menus_Comodo Detect Shell Code Injections enabled, no exceptions created.jpg” This appears almost immediately. It seems that it will remain onscreen indefinitely, and SBIE will take no further action until/unless it is dismissed by clicking the “OK” button.

If this is the first time SBIE has attempted to launch an application during this Windows session, after clicking “OK” a purchase reminder screen is displayed: “Sandboxie 3-50 purchase reminder screen.jpg”. This does not appear on subsequent occasions during the same session when the Control Window is opened.

The attempt to launch Windows Explorer through the menus on the Control Window always produces the informational dialog, and/or the purchase reminder screen, regardless of the Comodo settings. When CIS allows SBIE to operate properly, almost immediately after dismissing the informational dialog, the Control Window will be populated with an icon for Start.exe (“SBIE Ctrl Window_normal operation_1 second after clicking informational dialog.jpg”). Within 3 more seconds, the Start.exe icon has disappeared, and the Control Window is populated with 3 icons, including one for Explorer, which has been launched, as shown in “SBIE Ctrl Window_normal operation_4 seconds after clicking informational dialog_Defense+ disabled permanently, Sandbox off, Detect Shell Code Injections enabled.jpg.” However, as indicated by the file name, this could only be achieved after permanently disabling Defense+ and rebooting.

When Defense+ is active, what happens after dismissing the informational dialog differs significantly, depending on the configuration of the Detect Shellcode Injections setting (Defense+ panel, Execution Control Settings tab). Hopefully, these differences will indicate something about the nature of the problem.

With the Detect Shellcode Injections enabled and no exceptions created, almost immediately after dismissing the informational dialog, the Control Window is populated by an icon for Start.exe, as it would be during normal operations. However, with Defense+ enabled, it never disappears, and is never replaced by icons for other processes. About 17 seconds later, a “Messages from Sandboxie” window appears: (“SBIE Ctrl Window_18 seconds after clicking informational dialog_Comodo Detect Shell Code Injections enabled, no exceptions created.jpg”). The text “SBIE2204 Cannot start sandboxed service RpcSs” is comprised of an error code (SBIE2204), followed by a description of the problem.

Start.exe apparently repeats its processing sequence every 10 seconds, so by 28 seconds, a new pair of error descriptions is displayed in the Messages window: “SBIE Ctrl Window_28 seconds after clicking informational dialog_Comodo Detect Shell Code Injections enabled, no exceptions created.jpg.”

The process leading to the display of the repeated error messages will apparently repeat indefinitely, until the “Close” button on the Messages window is clicked, and the Start.exe process is terminated (either from the “Terminate All Programs” choice on the Control Window File menu or on the right-click menu available on the Sandboxie tray icon).

The appearance of this display of error messages is not unique to the attempt to start Explorer through the menus. The error occurs for all applications, using any of the methods of starting applications through SBIE described in the first paragraph of this section, UNLESS the Detect Shellcode Injections setting is modified by creating an exception for all the contents in the SBIE installation directory, or is disabled.

Under those conditions, a different sequence happens. The informational dialog still appears, but when it is dismissed the Control Window is populated not only with Start.exe, but also with its helper applications, SandboxieRpcSs.exe and SandboxieDcomLaunch.exe: “SBIE Ctrl Window_1 second after clicking informational dialog_Comodo Detect Shell Code Injections enabled, exception created for all files in SBIE install folder.jpg”; “SBIE Ctrl Window_1 second after clicking informational dialog_Comodo Detect Shell Code Injections disabled.jpg”. All three icons appear simultaneously, almost immediately after clicking to dismiss the informational dialog. However, they all also disappear simultaneously, about 1 second after they appeared. The Control Window is left empty again.

With either Detect Shell Code Injections disabled, or an exception created for all the contents in the SBIE installation directory, I have also observed slightly different results when I keep the Control Window open, and repeat the attempt to launch Windows Explorer from the menus several times in succession without closing the window. The sequence is the same: the Control Window is populated with icons almost immediately, and they disappear spontaneously almost immediately after appearing. Although I have always seen the three applications described above on the first attempt to launch after opening the Control Window, on subsequent attempts the icons which are displayed show some variability. I have seen the combination of the 2 helper applications without Start.exe (“SBIE Ctrl Window_Start-exe not displayed_1 second after clicking informational dialog_Comodo Detect Shell Code Injections disabled.jpg”), Start.exe together with one helper (“SBIE Ctrl Window_Start-exe + RpcSS_1 second after clicking informational dialog_Comodo Detect Shell Code Injections disabled.jpg”), and both helper apps together with the target app, Explorer.exe (“SBIE Ctrl Window_2 helper apps + Explorer_1 second after clicking informational dialog_Comodo Detect Shell Code Injections disabled.jpg”).

When the Defense+ Security Level is set to “Safe” Mode, and the setting to Detect Shell Code Injections is enabled, but the Sandbox is disabled, a new pattern emerged. Both the Start.exe and Explorer icons appeared in the Control Window almost immediately (“SBIE Ctrl Window_1 second after clicking informational dialog_ Safe Mode, Sandbox off, Detect Shell Code Injections enabled.jpg”). Over the next few seconds, however, the Explorer icon disappeared, and SBIE began to display the repeating error messages (“SBIE Ctrl Window_36 seconds after clicking informational dialog_Safe Mode, Sandbox off, Detect Shell Code Injections enabled.jpg”). The effect of disabling Detect Shell Code Injections was not tested.

When the Defense+ Security Level is temporarily set to Disabled, changing the settings for Detect Shell Code Injections no longer causes different responses. Whether detection is enabled or disabled, the response follows the pattern seen in Safe Mode when detection is enabled: an icon for Start.exe appears in the Control Window, and about 18 seconds later the “Messages from Sandboxie” window appears with the error message.

  3. What you expected to happen or see:

    I wanted SBIE to launch programs and operate normally, as it had for many months using CIS 4.x.

  4. How you tried to fix it & what happened:

    All of the following were tried, in approximately this order, with no effect:

I checked the Comodo Defense+ Events log to see if any blocking events had occurred. It showed no listings related to any SBIE component other than the one mentioned previously for SBIECtrl, and another for SBIESvc. Both of these had occurred during the first launch of Windows after installing CIS.
None were listed, which was not surprising, since the SBIE failure never was accompanied by any popup warning.

I checked the Windows System and Application Event logs, but found no record of information, warnings, or errors.

I opened the CIS Trusted Files dialog, and browsed to add the entire SBIE installation folder, as well as the Avast installation folder.

I returned to the Trusted Files dialog, and removed the entry for the SBIE installation folder. I then browsed to select each of the executables in that folder individually.

I checked to see if Sandboxie was shown as a Trusted Vendor as defined by Comodo. It was.

I changed the CIS Image Execution Control Level from enabled to disabled.

I created exceptions for the Avast 5 real-time File System Shield so that it was set to ignore file read/write/execute in both the SBIE and Comodo installation folders.

I disabled the Avast 5 real-time File System Shield.

I disabled all Avast 5 real-time shields.

I changed the Defense+ Security Level from “Clean PC” to “Safe” Mode, and rebooted.

I changed the Defense+ Security Level from “Safe” Mode to Disabled, and rebooted.

I reset the Defense+ Security Level to “Safe” Mode, disabled the Sandbox, and rebooted.

NOTE: This test was only completed after the change caused a system crash. After moving the slider in the "Sandbox Settings" tab to disable the Sandbox, and clicking on the OK button to accept the change, Windows crashed with a BSOD. The error description was BAD_POOL_CALLER. The file which was the probable cause was not identified. The Stop Error was: 000000C2 (00000007, 00000CD4, 00000000, 89125838). Using the !analyze -v command in WinDbg to examine the dump file created indicated that the problem was caused by the aswSP.sys driver, identified in the file properties as "avast! self protection module." Both the output of the WinDbg analysis and the dump file are attached ("Comodo Internet Security 5_WinDbg output of !analyze command for crash dump produced by BSOD after disabling Sandbox.jpg"; "Avast 5 component crashes system when resetting Comodo 5 Sandbox setting_Mini110210-01.dmp"). The WinDbg output also gives a view of all the drivers typically loaded into memory on my system.

I disabled the Comodo Internet Security Helper Service from the Services Snap-in of the MMC. I ran SysInternals AutoRuns utility, and disabled 4 Comodo components shown there which were set to autostart. After rebooting, even though CmdAgent and CFP.exe were not active processes, the errors continued.

NOTE: The tests described in the three preceding paragraphs were not conducted until after completing the others described below. They are mentioned here because they should have been taken as the next logical steps in the test sequence.

I uninstalled SBIE (which had been upgraded to version 3-50 from version 3-48), and rebooted. I then downloaded a fresh copy of version 3-50 from the Sandboxie web site and reinstalled. The error appeared immediately after installation, and after rebooting.

At the suggestion of Jacob (a moderator in the Defense+ / Sandbox Help Forum, where a description of this problem was first posted), I then repeated this uninstall/reinstall/reboot routine for an installation of SBIE in a directory directly under the root directory of a non-system partition, instead of using the normal location (Program Files in the Windows Drive). Jacob said that he had encountered this same problem with his SBIE installation, until he reinstalled on a different partition. However, it had no effect on my system.

These reinstallations of SBIE confirmed that the problem occurs regardless of whether SBIE is installed after Comodo, or Comodo is installed after SBIE. They also confirmed that it does not matter whether Sandboxie is installed with the default Sandboxie.ini configuration, or a highly customized configuration file, as mine was for the initial installation. Third, the location of the installation directory is not a factor.

I uninstalled SBIE 3-50, and rebooted. I then reinstalled the copy of SBIE 3-46, which had worked well with CIS 4.x before being upgraded to SBIE 3-50, and rebooted. When the same errors appeared, I uninstalled, rebooted, and reinstalled SBIE 3-50, which I continued to use for the rest of the tests described below.

I then created a package of tweaks designed to try to let CIS run as intended in Safe Mode, but remove any restrictions or interactions with any SBIE files. I started by accessing the Computer Security dialog from the Defense+ tab of the main CIS interface. In the Computer Security dialog, I opened the “Protected Files and Folders” tab, and clicked the Groups button. In the File Groups dialog, I clicked “Add,” and created a new File Group which I called “Sandboxie Files.” I then added the contents of the Sandboxie installation folder, which includes its driver.

I then clicked on the “Predefined Policies” tab, and created a new Predefined Security Policy, which I named “Sandboxie.” I then edited the new Policy, and customized its Protection Settings and Access Rights. On the Protection Settings tab, I set all Protection Types to Inactive. On the Access Rights tab, I set all the listed Access Names to “Allow.” For the Access Name “Run as Executable.” I kept the “Ask” setting, since “Allow” is not an option. I then modified that setting under the “Exclusions” column by adding exclusions for all the standard Predefined File Groups, plus the newly created Sandboxie group.

Finally, on the Defense+ Rules tab, I added the Sandboxie File Group, and then set it to use the Sandboxie Predefined Security Policy.

At that point, as I understand it, Comodo has been set to ignore every file in the Sandboxie installation folder, each of those files should be allowed to interact with any other file on the system in any way without interference, and each should be able to take any possible action which would normally trigger action by Defense+. The errors, however, persist.

  5. If it's an application compatibility problem have you tried the application fixes?:

    Yes

  6. Details (exact version) of any application involved with download link:

    Sandboxie version 3.50. Downloaded from http://www.sandboxie.com/index.php?DownloadSandboxie.

  7. Whether you can make the problem happen again, and if so exact steps to make it happen:

    The problem happens every time SBIE is used to launch any application, by any means.

  8. Any other information (eg your guess regarding the cause, with reasons):

    In case some configuration anomaly is playing a role in the problem, I have attached a REG file showing the Registry entries for the CIS configuration as of 11/1/10 at 10:52pm: “Comodo Internet Security 5 Registry entries_HKLM_System_Software_Comodo.reg.”

    So that you could see the interaction of CIS with the other components on my system during a failure sequence, I have attached a log of a system activity capture performed by SysInternals Process Monitor. The file is in the SysInternals proprietary PML format. The file can be opened and read by SysInternals by selecting it in the Process Monitor File Menu. The trace shows all system activity (including file and registry access attempts) from just before the moment I used SBIE to open the target application (IsoBuster) to just after the error messages began to appear on screen. Since you know what sort of accesses your program is supposed to be making, and how it actually blocks programs from running, I expect that you’ll be able to see how it stopped SBIE from launching IsoBuster after it was loaded into memory.

    As you consider possible causes, keep in mind that this is not a CIS problem, but a CIS 5 problem. I have used both Comodo and SBIE together for many years without any problem. During that time, I’ve also had numerous anti-virus programs installed at various times as well. Most recently, CIS 4.x (starting with the installation of version 4-0-141842-828 soon after its release, and continuing through all updated versions issued until 9/28/10) was working perfectly with SBIE 3-46 and 3-50 until the day I uninstalled it to update to CIS 5. During that time, both also coexisted peacefully with Avira Antivir and Spyware Doctor as well as Avast. Something that was changed is the source of the problem.

Files appended. (Please zip unless screenshots).

NOTE: All the screenshots and other documentation described in #1 - 4 below are included as part of one ZIP file: “Comodo Internet Security 5 bug report concerning problem with Sandboxie_attachments.zip”

  1. Screenshots illustrating the bug:

    Attached: multiple JPG files, with their purpose and name identified in the problem narrative above.

  2. Screenshots of related event logs and the active processes list:

    Attached: “Comodo Internet Security 5_Defense+ Events Log_103010 – 11011.htm,” exported from the Comodo Firewall Log Viewer. The only events relating to any SBIE component, other than the ones described above which occurred during the initial startup of Windows after installing CIS, occurred on 11/1/10, when attempting to launch applications through my usual AutoIT3 scripts. These same scripts had been used during the initial testing of SBIE on 10/30, but no events were recorded.

    Attached: “Dell XPS-410_process list recorded by AnVir Task Manager_110110.htm” This was recorded when I had booted into Windows with CIS Defense+ Security Level set to Disabled. Most of the listed processes are active on almost every system start.

  3. A CIS config report or file.

    Attached: “Comodo Internet Security 5 Configuration File_110110.cfgx,” exported from “Manage My Configurations.”

    Attached: “Comodo Internet Security 5_Configuration Changes Log_103010 – 11011.htm,” exported from the Comodo Firewall Log Viewer.

  4. Crash or freeze dump file:

    The error produces no crash or freeze dump.

Your set-up

  1. CIS version, AV database version & configuration used:

    Comodo Internet Security 5-0-162636-1135; no AV installed; Proactive Security configuration

  2. a) Have you updated (without uninstall) from CIS 3 or 4, if so b) have you tried reinstalling?:

    The problems described here occurred after a clean installation, but occurred previously after updating from CIS 4 without uninstalling

  3. a) Have you imported a config from a previous version of CIS, if so b) have you tried a preset config?:

    No.

  4. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here. )

    None when the problem first occurred; other changes as described above in an attempt to find a workaround.

  5. Defense+ and Sandbox OR Firewall security level:

    As described above, the problem occurred at all Defense+ Security Levels, including Disabled.

  6. OS version, service pack, no of bits, UAC setting, & account type:

    Windows XP SP2, with all updates; 32 bit; UAC not a feature of XP; Administrator

  7. Other security and utility software running:

    Security software: Avast Free Anti-virus 5-0-667; SBIE 3.50
    Utility software: multiple processes, as detailed in the attached file “Dell XPS-410_process list recorded by AnVir Task Manager_110110.htm”

  8. Virtual machine used (Please do NOT use Virtual box):

    None.


I’m running SandboxIE 3.50 64bit just fine.

I ran the Diagnostics selection on the Help Menu, and received the response that the installation was correct.

I uninstalled Avast 5, rebooted, manually cleaned the registry and file system, rebooted, and found that the error persisted.

I uninstalled CIS, rebooted, manually cleaned the registry and file system, and rebooted. I then reinstalled CIS with the Optimum Proactive Defense option, instead of the Maximum Proactive Defense option which I used originally. I again chose not to install the antivirus. After rebooting several times, and configuring the applications which were to be considered trusted, I reinstalled SBIE 3-50. The error persisted.

Could you please try, instead of disabling Defense+, enabling Defense+ and then unticking the box shown in the screenshot.

Thank you

Dennis


Disabling this monitor had no effect.

sorry, your text was too long.
i use sandboxIE and all is fine. i disabled the comodo sandbox, as i know what i load. and when i want to use a sandbox, i use sandboxIE.
firefox is running in sandboxIE, so nothing can load itself on the computer.

you don't get additional security with the comodo sandbox then anyway. choose the better sandbox, and disable the other. done :)

There is also this topic from KomodoDragon: here.

Asking for CIS, Sandboxie and Avast to work together is a bit of a tall order. I agree it would be nice however.

Moving to format verified and marking [NBZ]

This means that devs will look at this post to see if a fix is possible, but mods won’t track it, as few people (maybe only you) are affected.

Hope this is OK

Many thanks

Mouse

hi.
i have cisv5 and sandboxie installed just fine. no problems at all.

i did have an issue with them on 32-bit vista but all i did was change the start-up order and it cured the problem.

I haven’t read your text carefully but I don’t think you need sandboxie; CIS comes with a sandbox.

Regards,
Valentin

hi.
sandboxie is totally different to the comodo sandbox as far as i can make out.

true; sandboxie collects all malware in one place. look here
https://forums.comodo.com/news-announcements-feedback-cis/introduction-to-the-comodo-auto-sandbox-t63916.0.html

valentinchen, before you make short opinion posts, make sure that you know what you are talking about.

you just told us with your post that you didn't use sandboxie before. otherwise you would know that there are many reasons for using sandboxie if you want a full sandbox…

when i would see a “suite” which has lasting “incompatibilities” with programs that are featuring “better” things, i would not use it.
luckily comodo gives us the choice :)

valentinchen again

sandboxie lets everything that is started in it “play in a sandbox”. if you close the last running program in the sandbox EVERYTHING is reversed to the state before…

while comodo sandbox allows things to run until reboot … and allows things to drop staying things…

you don't understand sandboxie. and i think you don't understand comodo sandbox either.

sandboxie is like a time machine… comodo sandbox is made for user-friendliness and fewer questions from defense+. totally different philosophy.

I don’t have that much knowledge when it’s about sandbox technology. The only thing I know about sandbox technology is that it isolates the malware from the rest of the system.

I have only said that it’s enough with comodo’s sandbox.

Regards,
Valentin

@mouse1

Thanks for moving this along to the next level.

I too am interested in using CIS 2011 together with Sandboxie on Win XP x86 and Win 7 x86 & x64. KomodoDragon999, have you tried the delayed-start utility for Sandboxie here?

https://forums.comodo.com/orphanedresolvedoutdated-issues-cis/dont-update-if-you-use-sandboxie-t57169.0.html;msg402551#msg402551

I saw this thread before posting my bug report, but it relates to the 4.x version of CIS, which worked with SBIE. With CIS 5, I did not experience the problem with loading the driver, as described in the thread. The driver was loaded, but SBIE couldn’t start the target app.

I was running CIS-Sandboxie-Avast together for about 4 months with no issues.
About 10 days ago I uninstalled Avast because I now feel secure with CIS as my sole anti-virus.

Have you posted over at the Sandboxie forum about your problem?
Maybe somebody over there has an answer…and Tzuk might even have a suggestion.

I’m running Win7 so I realize that my OS is different, but when I upgraded from CIS4 to 5, I uninstalled CIS4 with Revo uninstaller set to advanced.
Then I ran EUSING free registry cleaner (recommended by Languy, so you know it’s good!!)
Then I ran EUSING free registry defrag.
Then I stopped Avast completely (not just disabling realtime scanning)
Then I installed CIS5.
I have 80+ programs on my computer but only 2 are unsigned, and none of the 80+ are set to run at start-up.
Please don’t be mad, but when I read that you had 13 (?) programs running in the sandbox I was amazed. And whenever I read about people manually deleting things in their registry I get worried.
I hope you get Sandboxie up and running, good luck.