Sandbox Delayed Response Even After Sandbox Is Manually Re-enabled [M931]

This bug report is a continuation of this thread:;msg718055#msg718055

A. THE BUG/ISSUE (Varies from issue to issue)
[ol]- Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?: No
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    1. Opened Firefox.
    2. Disable Sandbox for 15 minutes.
    3. Update Firefox.
    4. Re-enabled Sandbox.
    5. Opening Firefox doesn’t get a Sandbox alert for the new firefox.exe (FX just opens).
    6. About 15 minutes later, I start getting Sandbox prompts.
  • If not obvious, what U expected to happen:
    The new executable for firefox.exe should immediately be flagged as unknown and prompt a sandbox alert.
  • If a software compatibility problem have U tried the conflict FAQ?:
    Not a conflict problem.
  • Any software except CIS/OS involved? If so - name, & exact version:
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    This same behavior happens when updating Thunderbird. It seems as if re-enabling the Sandbox is ignored and the 15 minute delay has to time-out before the Sandbox is working properly again.
    No dumps or crashes involved. Killswitch shows firefox.exe as Safe during the lag time.

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
[ol]- Exact CIS version & configuration:
CIS 7.0.313494.4115 Proactive Security (modified)

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    All enabled.
  • Have U made any other changes to the default config? (egs here.):
    BB-Untrusted, HIPS-Safe Mode, Firewall-Custom Ruleset, AntiVirus-Stateful, TVL-Disabled (config attached)
  • Have U updated (without uninstall) from a CIS 5?:
    [li]if so, have U tried a a clean reinstall - if not please do?:
    [/li]- Have U imported a config from a previous version of CIS:
    [li]if so, have U tried a standard config - if not please do:
    [/li]- OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Win7 Pro SP1 64 Bit, UAC Disabled, Administrator
  • Other security/s’box software a) currently installed b) installed since OS:
    a= SAS, MBAM on Demand b= Yes

[attachment deleted by admin]

I made some small changes to the replications and expectation parts of your first post. Please look it over and make sure it is still correct.

Also, can you please attach the Defense+ log for a time which shows this delay? In addition also attach the diagnostics report and the process list.

If you have any questions please feel free to ask.

Thank you.

The changes to the post seem fine. I’m beginning to think this problem is related to updating CIS. I have two separate HDDs. I have hot swap bays in my machine and both drives are identical clones of each other. Drive 1 is my main drive that I use daily. Drive 2, I update every two weeks (not by cloning, I update changed programs manually). Today, I updated my second drive. I updated CIS to v6.3.302093.2976. While I didn’t update FX and TB, I did start getting blasted with explorer.exe prompts from HIPS whenever I opened any program. explorer.exe is on my TFL and also allowed in the HIPS rules by default. I messed with it for a while without getting the alerts to stop. I eventually cured the problem by deleting my Configuration and re-importing a saved copy. It seems to me that CIS was ignoring the settings in either the TFL or HIPS rules.

I’ve attached the files you requested. Drive 01 is my main drive Drive 02 is my backup (note that these two drives are in the same machine, so all hardware is the same for both). I don’t know what you mean by the process list. Please give me more info on how to supply you with it.

[attachment deleted by admin]

Interesting. Can you please save your configuration before updating CIS and then compare it with the configuration after updating CIS. If they in fact are different please provide both configurations and we will forward this as an update bug which changes the configuration, although it should leave it intact.

As re-importing the configuration seems to solve the problem, perhaps that is the problem.

Let me know what you find.


I’ll do that at next update. I updated my Laptop yesterday to v6.3.302093.2976 with similar results regarding FX and TB updates. It’s a WinXP 32 Bit machine. It seems like when you turn the Sandbox back on, CIS is ignoring the switch and staying with the interval chosen when it was disabled (only a guess).

You can check this by uninstalling the current version. Then restart and install the previous version. Older versions can be downloaded from filehorse.

Then configure that one as you wish, or import the old configuration. Then allow it to update and compare the configuration file.

For the time being I will move this to the Non-Format Verified board.

Once you are able to test this please make sure to have the configuration file from just before the update and the one from just after. This should give the devs enough information, in addition to what you have already supplied, to replicate and fix this bug.

If you have any questions please do not hesitate to ask.

Thank you.

Well, I’m glad I didn’t go through all of the uninstall and re-install of CIS to check my previous theory. I updated Firefox today as described in my posts relating to this problem. The problem is still present as described. It seems, as if, when the Sandbox is turned back on, CIS is ignoring the re-enabling and running the timer out. I usually set the timer to disable for 15 minutes and it seems like after those 15 minutes the Sandbox returns to normal (although I turned it back on after the FX update).

So, just to make sure I am understanding this bug, I will state what I believe you are saying is happening.

  1. You disable the sandbox by disabling it for a set amount of time (say 15 minutes).
  2. You then update Firefox.
  3. You then enable the sandbox (before the 15 minutes has run out).
  4. Firefox is not sanboxed immediately, but after some time (perhaps after the 15 minutes has run out).

If this is what you are experiencing can you do a quick check for me. Disable the sandbox for a longer period of time and try this again. Then see if the file is sandboxed roughly after the amount of time it was originally supposed to be sandboxed for.

If this does replicate than I think it’s safe to say you have entirely narrowed down the bug. That then puts us in a very good position for forwarding this.

Thank you.

Yes, you understand the bug correctly. I just updated FX and TB and disabled the SB for 30 minutes. Everything went fine. It may be a bug in selecting the 15 minute delay only (this is the selection I’ve been using). It will take me a few days to test out this theory. I’ll post back if I come to any conclusions.

I’ll test tomorrow with the 60 minute delay and then go back to the 15 minute delay at the next FX update. In a few days, I should know something.

Thank you. It certainly seems odd, but hopefully you can narrow this down enough for a detailed bug report. Let me know if there’s anything I can do to help.

Updated FX today with the delay set at 60 minutes. Everything went smoothly. I will go back to a 15 minute delay tomorrow.

Edit – I just don’t think we’ll be able to nab this bug. I swapped out my main HDD for my backup and updated FX with a 30 minute delay and the bug reared its ugly head. I then updated TB with a 60 minute delay and the bug was still present. It seems like it’s random. If I can’t reproduce it consistently, I don’t think I’ll be able to catch it. It’s not that big of a deal. It is just a curious behavior. I’ve never been a big fan of the Sandbox since its inception, so I always have HIPS running. HIPS catches the update changes when the SB hiccups, so I’m not too worried. If I come up with anything else concrete, I’ll post back with my findings.

Thank you. If you can work out a way to replicate this, or have an idea for catching enough information while it is happening, please let me know. I’ll think about it as well.

Okay, I will again move this to the Non-Format Verified board. If you can figure out a way to replicate this, or believe you have collected enough information for a bug report, let me know and I can move it back and process it.

Thank you.

Can you please check and see if this is fixed with the newest version (7.0.313494.4115)? Please respond to this topic letting us know whether it is fixed or if you are still experiencing the problem.

Also, note that all bug reports in the Non-Format section of the forum, which is where this report currently is, are mainly not looked at by the devs. Thus, if the bug you were experiencing is still not fixed please edit your first post so that it is in the correct format (found here, with all required attachments), so I can forward this to the devs and get this problem fixed.

Thank you.

PM sent.

It will take a while to see if this bug is present in v7.0. I only experience it during Mozilla updates. If I run into it again, I’ll post back.

Thank you. If it still does exist be sure to let me know. I can then move this report to the main bug reporting topic and make sure that it includes everything the devs would need to replicate this. Remember that reports in this section of the forum are not viewed by the devs. Thus, in order to get this fixed enough information needs to be supplied (and be in the correct format) so that I can forward this to the devs.


You’re welcome. If the bug still exists, the bug format will be the same except for the CIS version number. I have set up v7.0 the same as v6.3. I guess the only difference would be enabling Viruscope.

Let me know what you find. Thanks.

This bug is not fixed in v7.0.313494.4115. I updated FX and TB today and the Sandbox didn’t recognize the new files right after re-enabling the Sandbox. My method was the same as described in the original post. The only settings change was enabling Viruscope. The only other difference from the first post is the new CIS version number.


  1. Opened Firefox.
  2. Disable Sandbox for 15 minutes.
  3. Updated Firefox.
  4. Re-enabled Sandbox.
  5. Opening Firefox doesn’t get a Sandbox alert for the new firefox.exe (FX just opens).
  6. About 15 minutes later, I start getting Sandbox prompts.

This same behavior happens when updating Thunderbird. It seems as if re-enabling the Sandbox is ignored and the 15 minute delay has to time-out before the Sandbox is working properly again.