Default install (no firewall or HIPS enabled yet)
I have one workstation running Windows 8.1 and a volume-licensed (KMS) Office 2013 ProPlus.
If CES is installed, the Office programs will randomly switch into “Non-Commercial Use” mode.
Checking the activation in the “FILE” menu says it is activated, but if I try to run “cscript ospp.vbs /act” in the Office15 folder, it complains it’s out of memory. On a 16GB machine with only 4GB in use.
I see lots of errors in the system log regarding Software Protection and AppX Deployment services failing to start due to timeout. Manually starting these services doesn’t seem to help. Speaking of AppX, this is probably why if I launch the Store, it often tells me to reboot or reinstall Windows, also not happening if CES isn’t installed.
If I uninstall CES, everything is back to normal.
I just now discovered, if I turn off “auto-sandbox” it is back to normal. So I guess the real question is, why are components of Software Licensing and/or Office 2013 getting sandboxed, and why is there no indication of this anywhere that I can find in the settings or sandbox items list?
If CES is installed and files have been auto-sandboxed, please check the Defense+ logs to see which files have been sandboxed and the reason for the auto-sandboxing.
Locally on the endpoint: CES -> Tasks -> General tasks -> View logs -> Defense+ events -> click on the arrow and select the correct period.
OK, I found it. I added “C:\Program Files\Microsoft Office\Office15\OSPP.vbs” to the “Advanced Settings\Security Settings\Defense+\Behavior Blocker\Define Exceptions…” and that seems to have fixed that issue.
It appears in the log, but not in the actual sandbox nor in the sandbox list on the CESM where I’d have expected.
As part of a Microsoft application, should this not already be trusted?
…and it appears that my settings have been overwritten because the issue has popped up again on the same machine, and if I look where I looked before the file is no longer listed.
Nothing new in the Defense+ Log about it.
Where do I specify this in the policy? I assume that’s what is overwriting my local changes.
I have asked the CES devs to look into this, will advise…
Heard anything yet from the devs?
Interestingly, same machine has an issue with the Windows Store. It tells me there are updates available, I click the notification, it spins for a while and then tells me that I need to reboot or maybe even reinstall Windows because the store is broken.
If I disable AV and auto-sandbox and try again, it works.
Because of this and other legit programs that are getting blocked, I’ve disabled auto-sandbox in policy.
I was really excited about the sandbox, but it seems more trouble than it’s worth at this point. Maybe after the next release I’ll take another look.
Further, it is still happening randomly. Office 2013 programs will either work correctly, or it will say “invalid license” and force exit, or it will display “Non-Commercial Use” in the title bar.
Forum seems to be dead or I’m on an ignore list, I will open a support ticket on this.
Definitely not being ignored…
I am guessing that the vbs file is changing shape and the ‘trust’ signature being applied to the original vbs file is therefore no longer valid.
Please let me know the ticket number so I can keep an eye on it.
P.S. sorry if we take a while to respond to forum posts, we hope that operationally critical requests get sent straight to the support crew.
Ticket is #IQH-294770
Last thing they told me, they thought it was something to do with the “Software Protection” service. Even if set to automatic it doesn’t run all the time, it’s one of those on-demand things that starts up when needed but apparently is taking too long sometimes.
Revved the devs…will advise.
Contact me directly if you don’t hear anything back by Monday please (you have my email address).
I’m not 100% sure, but the issue seems to have gone away. Maybe a fix of some sort was included in the database update at some point. Who knows, if it’s working, I’m not complaining.
Glad to hear that it self-resolved. Oddly enough you are/were only the second person to report exactly the same issue with VLK’d Office 2013.
Our investigations were focused around the vb script that did the license checking and we think that, because this script called the registry to check a number of conditions and morphed in its method of doing so, our sandbox interpreted this as:-
Is the script on the A/V blacklist > No (it wouldn’t be as it is from MS)
Is the script on the HIPS whitelist > No (it wouldn’t be unless every version of it, its dependencies and the added applications it calls are on the whitelist)
This blacklist > whitelist > sandbox method is exactly why it is practically impossible to infect a machine running CES.
Seems all is well for now though, sorry for the inconvenience and let us know if you come across such things again.
Please turn your sandbox on, it really is your best defense against 0-day/0-hour/0-minute malware.