Constant sandboxing of winpatrol.exe and systray during startup

CPU: 32 bit
OS: Windows XP SP3
Version: CIS 4.1.150349.920
Account: Administrator account

Symptoms: Constant sandboxing of winpatrol.exe and systray.exe
Diagnostic did not find anything wrong.
The problem happens at every system startup.
Have already placed them in My Own Safe Files and Trusted Vendors.

I am sorry you are having this problem.

The first thing to clarify is what happened when you added these files to My Safe files and the Trusted vendors list. Which did you add to which. Did the file in My Safe Files stay there after rebooting?

Secondly please post a screenshot of your defense plus event logs taken after rebooting. Faststone is a good program for this if you don’t have one, but needs to be made a safe file before use.

Best wishes


Thank you for the quick response. Yes they are still in the My Safe Files. But, anyway, I found the solution. It was to untick a box in defense + settings. something about blocking an application launching something when it is closed? Something like that. I just thought that by adding BillP Studios and Microsoft, and adding the executables to My Own Safe Files, they would be exempted from the rule. would you still want those screenshots and logs you were asking? I can give post them if you like.

!ot! It is only now that I realize that I really do have to spend some time with CIS, don’t I? great product. A little complex though

That’s very interesting actually. Partic if this still works after the next reboot. Please post before and after logs as I would like to know why this solved the problem. (Or one log and tell me when you made the change).

I suppose it is now blocking execution requests that would otherwise result in sandbox alerts. But if so it should be stopping systray and winpatrol from running. If you run winpatrol manually do you get a sandbox alert?

Patched versions of systray.exe have been known to be malware so I would do a signature check on systray. Use Start ~ Run ~ sigverif.exe ~ advanced button and change the directory and file extension to correspond to the location of systray and its extension according to the defence plus event logs. Then press start, and see if systray is listed as unsigned.

Glad you like CIS!

Best wishes


SysTray.exe is signed. ;D the problem was that it just kept getting sandboxed. I made the change after reviewing the settings of Comodo IS. I think it was July 5, i think? Defense + was set to block unknown requests if the application is closed. I unticked the box beside that option and it was fixed. ;D By the way, how do I post logs? and where do I find the Defense + logs?

!ot! I don’t like CIS. :-\ I love it. :-TU :-TU :-TU :-TU :-TU :-TU :-TU

Take a screen shot of “View defense plus events” making sure all info is viewable, using, say Faststone Capture (make it a safe file first).

I am glad you like it!

Best wishes


here are the logs O0

[attachment deleted by admin]

Thanks. Thats interesting. Can you post a log from say 5 mins after a re-boot now the problem is solved?

That would be very useful for the devs.

Best wishes


I too unchecked the box “Block all unknown requests if the application is closed” in Defense+ Settings and so far it has fixed the Sandbox problem of isolating safe and trusted files immediately after Windows startup. Thanks!