Sandbox isolates Microsoft sidebar.exe

Something similar happens to me. When I start Windows 7 64bit Sandbox isolates Microsoft’s Sidebar.exe. I click on the option to run outside the sandbox and also to trust sidebar.exe but next time Windows 7 starts or reboots it again isolates sidebar.exe and the popup appears.

I have split this topic, as this is a different issue.

Have you installed any software that might have modified in any way (even for cosmetic effect) sidebar.exe?

Best wishes

Mouse

I have the same problem. Please see the attached pic. All of these files were added to my Safe Files list from the Sandboxed. That means that all of them were sandboxed.

Since upgrading to V4.1 I have finally enabled the Sandbox to see how it works for day to day use. Many files were Sandboxed that I thought would be considered safe. I think something may have gone wrong, or is this somehow only on my computer.

As an example Microsoft Corporation is a trusted vendor, but a file signed by it was still able to be Sandboxed.

Please let me know what other information you need. Thanks.

[attachment deleted by admin]

Hi Chiron

As a starting point you need to check this sidebar.exe’s signature. You can do this by checking the file using Microsoft Sysinternals sigcheck.exe (Google to find it). Just type sigcheck /? at the CMD prompt for the syntax. sigcheck -a sidebar.exe should do it.

Then find out what CIS thinks of the file by trying to add the vendor as a trusted vendor using the sidebar.exe file.

Please report exactly what output you get from each, and we’ll take it from there.

Best wishes

Mouse

First off, thank you for your reply. :wink:

I tried to add the file as a Trusted Vendor and it said it was already in the list.

I then decided to delete all files in the Safe List and reboot (so I did). That file was not sandboxed again. I’ve attached another screenshot I made earlier about a Windows File. It shows a file signed by Windows being Sandboxed.

I believe I may have chosen to add these as Trusted Vendors in the Alert and that maybe that is why the behavior has changed.

I would check these files using sigcheck.exe from:

The problem is that when I run the program the window for it flashes for a fraction of a second and disappears. I don’t know how to make it run. If anyone knows what’s going wrong I’d appreciate the advice.

I’m running Windows 7 x64, but it doesn’t say anything about 64 bit edition. I’d appreciate any help. Thanks.

[attachment deleted by admin]

Hi,

I did not install any software which might have modified Microsoft’s sidebar.exe. I tried to add sidebar.exe to “My Own Safe Files” but the message states that it’s already a safe file. Sandbox also isolates Eraser.exe after Windows 7 starts up but again when I try to add it to “My Own Safe Files” the message states that it is already a safe file.

Like Chiron, I downloaded sigcheck.exe but when it runs it appears for a split second and disappears. I’m running Windows 7 64 bit like Chiron.

Thanks.

Sorry should have explained more.

Do Start ~ Run ~ cmd. Then change directory to the directory in which you have sigcheck.

Then type sigcheck -a <path to file to be checked\filename>

Please post a screen shot of the result.

Best wishes

Mouse

Rather busy today so may not be able to respond further until tomorrow, sorry.

Best wishes

Mouse

c:\windows\winsxs\wow64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7600.1638
5_none_352647b674b9e378\sidebar.exe:

    Verified:       Signed
    Signing date:   04:01 14/07/2009
    Publisher:      Microsoft Corporation
    Description:    Windows Desktop Gadgets
    Product:        Microsoft« Windows« Operating System
    Version:        1.0.7600.16385
    File version:   6.1.7600.16385 (win7_rtm.090713-1255)
    Strong Name:    Unsigned
    Original Name:  sidebar.EXE.MUI
    Internal Name:  Windows Desktop Gadgets
    Copyright:      ® Microsoft Corporation. All rights reserved.
    Comments:       n/a

c:\windows\winsxs\amd64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7600.1638
5_none_2ad19d644059217d\sidebar.exe:

    Verified:       Signed
    Signing date:   04:01 14/07/2009
    Publisher:      Microsoft Corporation
    Description:    Windows Desktop Gadgets
    Product:        Microsoft« Windows« Operating System
    Version:        1.0.7600.16385
    File version:   6.1.7600.16385 (win7_rtm.090713-1255)
    Strong Name:    Unsigned
    Original Name:  sidebar.EXE.MUI
    Internal Name:  Windows Desktop Gadgets
    Copyright:      ® Microsoft Corporation. All rights reserved.
    Comments:       n/a

For some reason I was unable to run it with sidebar.exe, but I did get it to run with runonce.exe.
Here are the results:

c:\windows\syswow64\runonce.exe
Verified: Signed
Signing date: 11:17 PM 7/13/2009
Publisher: Microsoft Corporation
Description: Run Once Wrapper
Product: Microsoft<<Windows<<Operating System
File version: 6.1.7600.16385
Strong Name: 6.1.7600.16385 <win7_rtm.090713-1255>
Original Name: Unsigned
Internal Name: RunOnce
Copyright: r Microsoft Corporation. All rights reserved.
Comments: n/a

When I try to run it with sidebar.exe it doesn’t say the file doesn’t exist or anything, but it gives the copyright information for sysinternals and then gives the commands I can use.

I was in the same folder as I have sysinternals.exe, just as I was for runonce.exe. Here is what I typed:

sigcheck -a C:\Program Files\Windows Sidebar\sidebar.exe

Does anyone know what I did wrong? I went to the folder, and sidebar.exe was located there. Thanks.

I think I may have had a bad upgrade to V4.1. It appears that my Trusted Vendors List isn’t working. :-\

Please see the attached pics.

I’m going to uninstall CIS and reinstall it from a new installer and see if that solves my problems.

[attachment deleted by admin]

I had the same problem, trusted vendors list was gone on mine, I uninstalled and reinstalled and everything was fine.

Yep. I uninstalled it and then reinstalled. Everything’s working the way it should. Only programs not in the whitelist are being sandboxed.

ss1ctm I don’t know if your problem is the same, but it’s worth trying it. See if it’s fixed if you reinstall.

That’s great, seems like you guys have sorted it. Now, I wonder, does this mean that CIS 4.1 is attempting to update rather than replace trusted vendor lists (i.e. keep users’ additions) when new versions are issued? It did not previously do this, I think.

Maybe it’s trying to do an update/merge now, but not always succeeding?

Best wishes

Mouse

I uninstalled and reinstalled the latest version of CIS 4 but unfortunately it didn’t resolve the issue. After Windows 7 64bit starts I still get the Sandbox pop up isolating Microsoft’s Sidebar.exe.

Please post a screenshot of your defense+ logs, making sure all info is visible in the window first.

I would suggest using a good uninstaller, such as Revo to completely clean out traces of CIS. Make a restore point first of course.

I’m assuming you have not run any software that modifies or customises in any way the sidebar?

Finally you could try running sfc /scannow with your Windows installation disk in the CD drive. Then rebooting. This will revert all Windows files to correct signed versions.

If all these fail, please ask again!

Best wishes

Mouse

Many thanks for your help.

Attached is the Events log showing Sidebar is sandboxed as Limited after Sidebar.exe directly accesses the keyboard for some reason.

On the Sandbox pop up, I check the box to not run sidebar.exe in Sandbox again and check the box to trust sidebar.exe but to no avail. I noticed the Sandbox alert regarding Sidebar.exe is usually displayed when I open Internet Explorer 8…or it could be a coincidence.

[attachment deleted by admin]

Thanks. As you say that shows the sandboxing clearly.

These are over a short time period though. Would you mind rebooting, noting the time of reboot, and pasting a screenshot of the logs as they are say 5 mins after booting.

Of course if you did a reboot in the middle of the above logs just tell me!

Also can you check the my trusted vendors list. If this is correct there should be 7 entries for Microsoft. All starting ‘Microsoft’ - the list needs to be sorted first. It looks like it is sorted by default but it isn’t!

Best wishes

Mouse

Thank you for your reply.

Yes I was rebooting Windows 7 in the middle of the above logs.

Yes I have 7 entries for Microsoft in the Trusted Software Vendors list.

I don’t understand why I continue to get the Sandbox alert for sidebar.exe even though I checked the boxes on the pop up that sidebar.exe is to be trusted and not to alert again.

I only get the Sandbox alert for sidebar.exe soon after Windows 7 starts up or soon after reboot. There is no other Sidebar alert until the next start up or reboot (although sometimes after start up or reboot there is no Sandbox alert regarding sidebar.exe). There is no alert regarding sidebar.exe after Windows 7 comes out of Sleep mode.

Also, the Sidebar gadgets I’m using are those that come with Windows 7. There are no third party gadgets.

Thank you.

The explanation is that CIS checks Safe files for necessary files on reboot. If it finds one which should be covered by a Vendor rule then it boots it out.

OK so your logs reveal nothing complex. So now we need to know if CIS is happy that your file has a valid signature. To check this try adding the vendor using this in My Trusted Vendors. CIS will either report a corrupt signature or an attempt to make a duplicate entry. Then check it using sigcheck, as described earlier in this trace, and post the results. Remember that if your path contains spaces you need to enclose it in “”. Please use the -a -r -h switches.

Best wishes

Mouse
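
Added example, not part of any post in this thread: Python that parses `sigcheck -a` console output of the kind pasted above (rejoining a path the console wrapped at 80 columns), lists files whose `Verified` field is not `Signed`, and builds the sigcheck command line with a path containing spaces quoted. The second sample entry (`c:\temp\example.exe`) and all function names are constructed for illustration.

```python
import re
import subprocess

# Constructed sample: first entry abridged from the output in the thread,
# second entry (c:\temp\example.exe) invented to show a failing check.
SAMPLE = r"""
c:\windows\winsxs\amd64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7600.1638
5_none_2ad19d644059217d\sidebar.exe:

    Verified:       Signed
    Signing date:   04:01 14/07/2009
    Publisher:      Microsoft Corporation
    File version:   6.1.7600.16385 (win7_rtm.090713-1255)

c:\temp\example.exe:
    Verified:       Unsigned
    Publisher:      n/a
"""

# Indented "Key:   value" line; the key ends at the first colon.
FIELD = re.compile(r"^\s+([^:]+):\s+(.*)$")

def parse_sigcheck(text):
    """Return {path: {field: value}} from sigcheck -a text output."""
    records, fragments, current = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                  # field belonging to current file
            m = FIELD.match(line)
            if m and current is not None:
                records[current][m.group(1).strip()] = m.group(2).strip()
            continue
        fragments.append(line.strip())         # unindented: (part of) a path
        if line.rstrip().endswith(":"):        # trailing colon closes the path
            current = "".join(fragments)[:-1]
            records[current] = {}
            fragments = []
    return records

def not_verified(records):
    """Paths whose signature check did not come back as 'Signed'."""
    return sorted(p for p, f in records.items() if f.get("Verified") != "Signed")

def sigcheck_command(path):
    """Command line using the switches named in the thread, path quoted."""
    return subprocess.list2cmdline(["sigcheck", "-a", "-r", "-h", path])
```
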