Defense+ is sandboxing WerFault.exe (Windows 7) again

For about 2 weeks, back in June, I received the alert that WerFault.exe, a legitimate Windows application, was partially isolated.
I have tried several times to add WerFault.exe to the safe application list for Firewall and Defense+, but the alert kept popping up. This lasted until July 1st, even though, checking the Defense+ Events, I found that the application was checked online and found safe.
After that date (July 1st) I no longer had that issue, until today, July 14th, when this alert came back in all of its glory. For the sake of assuring that the application had not been removed from the safe list, I once more tried to add WerFault.exe to the trusted file list of Defense+, and again got the feedback from Defense+ that WerFault.exe was already a safe file.
So, why is Defense+ isolating it again?
A similar but much less frequent behavior happens with the Mozilla Firefox executable, and Google Chrome's chrome.exe.

Information about CIS version:

Product version: 5.10.228257.2253
Virus Signature Database: 12933
Defense+ is running in Clean PC Mode
Monitoring Settings of Defense+: all ticked (default)
Firewall is running in Safe Mode
Block all unknown requests if application is closed is not ticked.

I have just searched a little more in the forum and found the recommendation to tick the “Use the file name instead of hashes (not recommended)” and did it, that is, I ticked it. Let's see if this workaround does the trick.
WerFault.exe in C:\Windows\System32 is shown as last modified on July 13th, 2009. Exactly 3 years ago.

Just turned on PC again and, while browsing, got the same alert concerning WerFault.exe, despite all the setup concerning Defense+ listed above.
Defense+ Events shows WerFault.exe was verified online and found safe, again.

I do not believe in Friday 13th's curse.

Thanks.

Jose Pinho.

I get the same problem. Seems to happen when I close Firefox 14.0.1 (sometimes)

My Comodo is up to date 5.10.228257.2253 and I have only started to see this problem with the latest version

If werfault.exe gets started by a sandboxed program it will get sandboxed as well. Maybe that is going on?

Nope…

Just closed Firefox, got the sandboxed message for werfault.exe and no other programs showing as sandboxed.

Just werfault.exe showing as unrecognised/partially limited

Also zero intrusions.

Can also now report that I do sometimes get the problem when I am using firefox to browse the net. Not noticed it with any other programs so far.

Are you using nightly builds of FF or do you run a stable version?

Stable release version 14.0.1

Anyways… to give a further update.

I have done a clean install of CIS and the problem has not reappeared. It’s early days but by now I would have expected 3 or 4 sandbox messages.

I am now going through blocking a load of “trusted” programs that are getting through the firewall when they have no reason for doing so. Bad, bad…

Why isn’t there an easier way ?

It looks like the configuration of your installation was damaged. That sometimes happens when cfp.exe or cmdagent.exe have crashed.

If you want to avoid a clean installation you could import a default configuration from the installation folder and start from scratch. If that works then clean installing has been avoided.

This is the second time I have had to do a clean install after an update left me with problems.

So I have exported my config for next time !

Thanks for the idea.

FF is 14.0.1 (stable).
I have uninstalled Comodo, cleaning as many registry entries as I could, using regedit. Installed CIS again, but the problem remains.
Also, I have loaded a previous configuration file, but the pop-up with “WerFault not recognised, sandboxed and partially limited” persists.

What happens when you add Werfault to the Safe Files?

Eric,

Thanks for the quick reply.
I have added WerFault.exe to the trusted files, via Defense+ > Trusted Files, and the program responds, after I have clicked on Add to Trusted File List, that WerFault.exe is already a safe file. So no change since I created this post.
For reference, this is the location of the file: C:\Windows\System32\WerFault.exe.
In the Defense+ Events, the file is shown as verified online and found safe. Yesterday (August 4th), this file was sandboxed 7 times. As additional information, I do not keep my PC on all the time. When I expect not to have activity on my PC, I turn it off.

WerFault.exe is a Windows process for the Windows error reporting service. It may be corrupted. You can run sfc /scannow to check the system files for errors, following these instructions: http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

Boris 3,

Thank you for the suggestion. This was already done, in two versions: sfc /scannow, and sfc /verifyonly. In both cases, no damaged or corrupted file was reported.

Please try running chkdsk to see if the file system is intact. Open a command prompt and run chkdsk /f, and when asked to perform chkdsk on the next boot, allow it and reboot.

EricJH,

Thanks for the orientation.

I have run the CHKDSK /F command, but the report shows no problem.
I tried to open the report to see it in more detail, going through this path: eventvwr > Windows Logs > Application > Right click on Application > Find > type: CHKDSK, and I did not find any report with today's date.

A new piece of information:

This morning, before I read Boris 3's suggestion, I went through Comodo CIS Firewall Behavior Settings, and ticked two options, in the Advanced tab, that seem to come unmarked:

Protect the ARP Cache

Block Gratuitous ARP Frames

Since then, I have got no messages concerning blocking of WerFault.exe. Let me see what happens in the next hours.

Can there be a cause-effect relationship between these two items (ticked options and WerFault.exe sandboxing)?

Thanks for the support.

EricJH,

I spoke (or wrote it) too soon. The sandboxing is back, and in all of its small glory.
Additional food for thought: Most of the present day I was browsing the internet with Google, version 21.
After I tried Firefox, I got the sandboxing message when closing FF (see ciddizzy's post).

Thanks.

Jose Pinho

Please keep us posted about this. If these settings would coincide with werfault then that would be very strange and most likely worth a bug report.

Still, I am wondering what triggers werfault so often on your machine. Could you check the Windows logs to see if there are system files or applications that are crashing around the time werfault gets activated?
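An added example, not part of the original posts: one way to pull the crash and hang records from the Windows Application log so their timestamps can be compared with the WerFault.exe entries in Defense+ Events. The look-back window and output path are assumptions, and reading the program name from the first event property assumes the standard Windows 7 message layout for event IDs 1000 and 1002.

```powershell
# Added example: export application crash/hang events to a CSV file that can be
# attached to a post and compared with the timestamps in Defense+ Events.
param(
    [int]$Days = 7,                                                 # look-back window (assumed)
    [string]$OutFile = "$env:USERPROFILE\Desktop\crash-events.csv"  # hypothetical output path
)

$since = (Get-Date).AddDays(-$Days)

# Application Error 1000 = crash, Application Hang 1002 = hang,
# Windows Error Reporting 1001 = report recorded after WerFault.exe ran.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error', 'Application Hang', 'Windows Error Reporting'
    StartTime    = $since
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { 1000, 1001, 1002 -contains $_.Id } |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Host "No crash or hang events in the last $Days day(s)."
    return
}

$rows = foreach ($e in $events) {
    # For IDs 1000/1002 the first property is the faulting program name
    # (assumption: standard Windows 7 message template).
    $app = if ($e.Id -ne 1001 -and $e.Properties.Count -gt 0) { $e.Properties[0].Value } else { '' }
    New-Object PSObject -Property @{
        Time     = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        Provider = $e.ProviderName
        Id       = $e.Id
        App      = $app
        Summary  = ($e.Message -split "`r?`n")[0]
    }
}

# Which programs crash most often, then the full timeline as CSV.
$rows | Group-Object App | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$rows | Select-Object Time, Provider, Id, App, Summary |
    Export-Csv -Path $OutFile -NoTypeInformation
```

A program that shows up in the grouped output at the same times Defense+ logs WerFault.exe as sandboxed is the likely parent process to look at.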

Thanks for the reply.

I am not an expert on Windows Logs.
Are there any specific reports you want me to check? If yes, how do I get them in a format I can attach to my posts?

And just for the sake of my curiosity, I found a Sandbox folder in this path:

C:\Users\JCP\AppData\Local\Spoon\Sandbox.

Are these 2 folders, Spoon and Sandbox, part of the CIS installation? Both are shown as 0 byte size folders.

Jose Pinho

Spoon Sandbox seems to be part of a browser extension; see here http://www.ehow.com/info_12164849_spoon-sandbox-manager.html

Maybe you should check the installed extensions.

Boris 3,

Thanks for searching and posting the link here, but it does not seem to be part of such a program. Except for the entry included in my previous post, no other instances/references were found. I just moved it to the trash can, and will watch the effects.
For 10 hours now, I have not seen any other sandboxing for WerFault.exe. The change I made to my system was to roll back Adobe's Flash Player Plugin from 11.3.300.268 to 11.2.202.233.
Flash plugin/active X has for some time been causing trouble when using FF in sites that present content requiring flash to open and run it. Adobe has updated their plugin constantly, and at least once for incompatibility with FF.
I am not aware if the problem is the plugin or active X.
Presently my PC has just the outdated plugin version. No Active X installed.

I would like to ask ciddizzy to inform us if there is any version of Flash Player or plugin installed in his PC. This information may give us an important clue to the cause of the reported problem.