For about 2 weeks, back in June, I received the alert that WerFault.exe, an Winows legitimate application was partially isolated.
I have several times tried to add WerFault.exe to the safe application list for Firewall and Defense +, but the alert kept popping up. This lasted until July 1st, even though checking the Defense + Events I have found that application was checked on line and found safe.
After that date (July 1st) I no longer had that issue, until today, July 14th, when this alert came back in all of its glory. For the sake of assuring that the application had not being removed from the safe list, I once more tried to add WerFault.exe to the trusted file list of Defense+, and again got the feedbak from Defense+ that WerFault.exe was already a safe file.
So, why does Defense+ is isolating it, again?
A similar but much less frequent behavior happens with Mozilla Firefox executable, and Google Chrome´s chrome.exe.
Information about CIS version:
Product version: 5.10.228257.2253
Virus Signature Database: 12933
Defense+ is running in Clean PC Mode
Monitoring Settings of Defense+: all ticked (default)
Firewall is running in Safe Mode
Block all unknown requests if application is closed is not ticked.
I have just searched a little more in the forum and found the recommendation to tick the “Use the file name instead of hashes (not recommended)” and did it, that is I ticked it. Let´s see if this walk around does the trick.
WerFault.exe in C:\Windows\System 32 is shown as last modified on July 13th, 2009. Exactly 3 years ago.
Just turned on PC again and while browsing, got the same alert concerning WerFault.exe, despite all set up concerning Defense+, listed above.
Defense+ Events shows WerFault.exe was verified on line and found safe, again.
FF is 14.0.1 (stable).
I have uninstalled Comodo, cleaning as much registry entries as I could, using regedit. Installed CIS again, but problem remains.
Also, I have loaded an a previous configuration file, but popping up with “WerFault not recognised, sandboxed and partially limited” persists.
Thanks for the quick reply.
I have added WerFault.exe to the trusted file, via Defense > Trusted Files, and the program responds, after I have clicked on Add to Trusted File List, that WerFault.exe is already a safe file. So no change since I have created this post.
For reference, this is the location of the file: C:\Windows\System32\WerFault.exe.
In the Defense+ Events, the file is shown as verified on line and found safe. Yesterday (August 4th), this file was sandboxed 7 times. As additional information, I do not keep my PC on all the time. When I expect not to have activity in my PC, I turn it off.
I have ran the CHKDSK /F command, but the report shows no problem.
I tried to open the report to see it in a more detailed way, but going through this path: eventvwr > Windows Logs > Application > Right click on Application > Find > type: CHKDSK, and id not find any report with today´s date.
A new piece of information:
This morning, before I read Boris 3 suggestion, I went through Comoo CIS Firewall Behavior Settings, and ticked two options, in Advanced tab, that seem to come unmarked:
Protect the ARP Cache
Block Gratuitous ARP Frames
Since then, I have got no messages concerning blocking of WerFault.exe. Let me see what happens in the next hours.
Can a cause-effect relationship between these two items (ticked options and WerFault.exe sandboxing)?
I spoke (or wrote it) too soon. The sandboxing is back, and in all of its small glory.
Additional food for thought: Most of the present day I was browsing the internet with Google, version 21.
After I tried Firefox, I got the sandboxing message when closing FF (see ciddizzy´s post).
Please keep us posted about this. If these setting would coincide with werfault then that would be very strange and most likely worth a bug report.
Still I am wondering what triggers werfault so often on your machine. Could you check the Windows logs to see if there are system files or applications that are crashing around the time werfault gets activated.
Thanks for searching and posting the link here, but it does not seem to be part of such a program. Except for the entry included in my previous post, no other instances/references was found. I just removed it to the trash can, and will watch the effects.
For 10 hours now, I have not seen any other sandboxing for WerFault.exe. The change I made to my system was to roll back Adobe´s Flash Player Plugin from 11.3.300.268 to 22.214.171.124.
Flash plugin/active X has for some time been causing trouble when using FF in sites that present content requiring flash to open and run it. Adobe has updated their plugin constantly, and at least once for incompatibility with FF.
I am not aware if the problem is the plugin or active X.
Presently my PC has just the plugin outdated version. No Active X installed.
I would like to ask ciddizzy to inform us if there is any version of Flash Player or plugin installed in his PC. This information may give us an important clue to the cause of the reported problem.