Two additional events for our research on WerFault.exe sandboxing:
About 7 hours ago, I updated Flash Player plugin, from 11.2.202.233 to 11.3.300.268. No WerFault.exe pop up untill some minutes ago.
About 10 minutes ago, I received a Google Chrome update (manual update) from 21.0.1180.60 to 21.0.1180.75. As usual, Chrome was automatically shutdown so that the latest version takes over. Then right when Google new version was trying to open, I got the message that chrome.exe was not recognised and was sandboxed. I, immediatelly click on do not isolate again.
When opening a browser (not sure if it was Firefox or Chrome, CIS alerted me that WerFault.exe was sandboxed.
So far 48 hours have passed in total, with about 4 or 5 hours of browsing, and no more WerFault.exe sandboxing reported.
So it seems Adobe Flash 11 Plugin updated version (11.3.300.268) triggers the WerFault, and then the Sandbox.
I am now running Adobe Flash 11 Plugin 11.2.202.233. No Flash Active X installed.
As to my initial tentative, ticking both, Protect the ARP Cache and Block Gratuitous Frames in Firewall > Firewall Behavior Settings > Advanced, they are not part of the solution. In fact both are now “unmarked” and strangely to me, Block Gratuitous Frames line is dimmed, that is I can read, but I have no access to it.
Any additional comment or information, I may be of help with, just let me know.
The setting “Block Gratuitous Frames” is a sub setting of Protect the ARP Cache. So when ARP cache protection is disabled the option to block gratuitous frames cannot be enabled either.
One more piece of information for you, and all that are following this thread.
Yesterday, August 17th, I tried once more to use the latest version of flash player plugin for windows (11.3.33.271). About 10 minutes after updating the plugin, I received the first alert from Defense+ about WerFault.exe, and returned to plugin previous version (11.2.202.233), and life went on.
Today, to satisfy my stubbornness, I reinstalled the latest version, but modifying one parameter in plugin´s configuration.
I deactivated the Protected Mode, a characteristic that was added to plugin to work in a safer condition with Firefox.
And, so far (this was about 9 hours ago), no WerFault.exe alerts from Defense +.
Note: Since this Protected Mode was added to Flash Player plugin, several crashes were reported in Mozilla Firefox´s forum. It was from one of forum´s participants (not a Mozilla´s member, but a user) that I got the direction to go back to the older plugin version I was running.
But, I still do not understand why Defense+ was sandboxing WerFault.exe as an unrecognised file, even after doing everything I could find to set it (WerFault.exe) as a safe / trusted file.