Sandboxing + HIPS broken

Using well known CLT try this:

Proactive profile, everything - Safe, nothing new in rules and clt is not in trusted list.

  1. XP SP3+, admin
  2. EAV4

case 1: disable cloud file checks, enable sandboxing and run CLT with “Allow” not sandboxed and have a failed HIPS.

case 2: make sure CLT is in unrecognized list after 1st run with case 1. Use same above settings (c1) +disable sandboxing and run CLT again. HIPS fails to protect from unrecognized app.

case 3: same above settings (c2: disable sandboxing) +enable cloud file checks, clean CLT from unrecognized list and run CLT again.
Ignore cloud’s “Malware” message (just drag it off overlapping CLT’s window) and proceed using CLT test - HIPS silently does its job. Then close CLT and do whatever to cloud’s “Malware” window, which actually should not only inform user’s about malware also it could somehow prevent from execution even if not in sandboxed mode.

case 4: enable sandboxing and enable cloud file checks and run CLT: get file access error before cloud’s “Malware” window with possible actions closed and/or selected for execution, e.g. allow this time/ignore else… Why explorer gets results first prior to user’s choise?

case 5: “Run sandboxed” shell context menu produces vulnerable and different results to run via dbl-click and then “Sandbox” button.

Obvious serious synchronization problems within different HIPS modules observed. Unrecognized app list gives Installer’s privileges and fails HIPS to detect app and its behavior.

We would very much appreciate it if you would submit your bug report in the format requested here. For the reasons why see below.

Many thanks in anticipation


Bugs/issues can be impossible or very time consuming to fix if not well described. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

And again - serious and vulnerable “Run sandboxed” in shell menu option:
I doesn’t clean out the \VritualRoot\ after CLT as dbl-click sandboxing does. And as said “Run sandboxed” gives 160/340 or less results and doesn’t update unrecognized file list with app (possibly deliberately).

Found out that when CLT is run via “Run sandboxed” all spawned process are sandboxed incl IE which interacts with disk storage and hence \VirtualRoot\ is full of files by IE and CLT.
But the question is why other (dbl-click) method doesn’t produce the same file in this virt. directory? Spawn processes aren’t sandboxed? Or so-called virtual manager deletes that files in this case and this can explain why i don’t get the final results with scores to my browser after CLT is run sandboxed and \VirtualRoot\ is empty of files as empty of final report.

Or just file visualization doesn’t work in this case (via dbl-click and “Sandbox” button in dialog)?

We would very much appreciate it if you would edit your first post to make a bug report in the requested format.

Best wishes


Tested “Run sandboxed” option from the main D+ window. it worked the same as “Run sandboxed” shell menu option with results 200/340 and leftover files in virtual directory - virtualization worked but couldn’t catch relative “virtual” files to filenames like GetModuleFileName\clt log…htm and report didn’t show up again althou was created/prepared.

SO the results:
dbl-click sandboxing silently protects from invasion with broken files (or maybe else - registry?) virtualization.
“Run sandboxed” from shell and main window virtualises somehow correctly files but fails the whole HIPS checkes with scores 160(200)/340.

Have you testes this like and this much on some or all OSes Microsoft based?