When selecting Reset Sandbox it Never Finishes Resetting [M390] [v6]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    Yes, I can reproduce this every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    I’ve tested this two ways. For both of them I made a clean install of CIS (and performed all necessary scans and restarts).

If I select Reset Sandbox without running anything in the sandbox the window keeps spinning and saying it’s resetting the sandbox. If I click the X for that window it’s minimized to a background task, as seen in the CIS task window. However, the task says it’s starting. I’ve attached a screenshot of this. Note that I have waited up until the 20 minute mark to restart the computer and the resetting never progressed past saying that it was starting. Also, I checked before running the RESET Sandbox button, and there was already a file in the registry for VritualRoot. I’m not sure if it is supposed to be entirely removed by resetting the sandbox, but I did notice that it was not reset when clicking the RESET Sandbox button.

I have also tested this by first running a browser as virtualized. Then I select Reset sandbox. What I see in this circumstance is that the virtualized browser process is killed. Also, there was a folder in the C-drive created called VTroot, that I can see deleted when running this. Thus, it does appear that the Reset button is doing what it’s supposed to do for the files. However, after allowing it to run for a minute I checked the registry entries at Computer => HKEY_LOCAL_MACHINE => SYSTEM. What I found was that there is a folder there named VritualRoot, which has multiple folders within it. This was never removed. Nor were any of the folders within it. Therefore, it appears the RESET Sandbox button is not deleting the relevant registry keys on my computer. (However, I did notice that after a full uninstall, along with running both uninstall tools, the VritualRoot registry folder is deleted.) Also, the exact same behavior manifests itself, whereby the task manager shows that it never gets past starting.

This behavior does not change after restarting the computer. No matter what I do it does not finish resetting the sandbox. Also, I allowed the Reset to run overnight and in the morning it said that it had finished resetting. However, the registry folder was still there (note that this was reset before I ever ran anything virtualized), which I believe should have been removed. Also, the computer went to sleep sometime overnight. Also, if I try to run RESET before restarting the computer it says that an error occurred, and will not reset.

  • If not obvious, what U expected to happen:
    Reset sandbox should always be able to reset the sandbox entirely, and in good time.
  • If a software compatibility problem have U tried the conflict FAQ?:
    NA
  • Any software except CIS/OS involved? If so - name, & exact version:
    NA
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    I’m not sure, perhaps it’s related to the virtualized registry entries, as I believe those should have been reset as well. Thus, perhaps it’s getting hung up because it can’t delete the registry entries. However, I’m not sure whether this is a symptom of the actual problem, or if this is the problem.

Also, I will note that resetting the sandbox worked correctly in previous versions of CIS.

  • Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not m’ware)
    I have attached the diagnostics and KillSwitch Process dump. Both of these were run while the reset sandbox task was run as a background task, as otherwise CIS wouldn’t let me run them. I also attached a screenshot of the CIS task window after the reset process was moved to background. Please let me know if other attachments would be helpful.

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • Exact CIS version & configuration:
    CIS version 6.1.276867.2813
    Default IS Configuration

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    Default
  • Have U made any other changes to the default config? (egs here.):
    No, it is default settings.
  • Have U updated (without uninstall) from a CIS 5?:
    No, this was a clean install.
    - if so, have U tried a clean reinstall - if not please do?:
      NA
  • Have U imported a config from a previous version of CIS:
    No
    - if so, have U tried a standard config - if not please do:
      NA
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 7 x64 (fully updated), UAC disabled, Real System, run as administrator.
  • Other security/s’box software a) currently installed b) installed since OS: a)None b)None

[attachment deleted by admin]

Ah thanks Chiron so that’s why people are saying the task completes in the GUI but continues as a task, they close it and maybe forget they have.

If so this is like 265, but the underlying question is why it is not resetting. Any further ideas?
From the options I refer to here, it seems like the most likely is changed permissions on a registry key. Or possibly a registry key being held open, in which case a reboot, particularly with as many autoruns disabled as possible would resolve.

It would be interesting to see if my batch file would resolve, but only if you back up everything first.

Or I guess this could be a more general malfunction…

Meanwhile if you think it’s the same now the link with the background task is established maybe I will merge with 265?

Best wishes

Mouse

I’m not sure it’s the same bug. The symptoms are similar, but for me this happens every time. It’s not possible to Reset the sandbox ever.

Thus, for now I think it’s probably best to keep it separate. Also, I’ll do a little more digging about this bug, so for now please hold off on moving it to format verified.

Thanks.

That’s fine. I think this symptom has multiple different causes

Thank you.

I updated the information in my first post. Please review it and see if you have any questions, or any ideas for what else I could check. I want to have as many bases covered as possible before this is forwarded to the devs. Also, can you let me know if the VritualRoot registry folder is supposed to be entirely removed by resetting?

Thank you.

On my machine, I get the same behavior, despite exiting Kiosk first. But (don’t do this yet), after a reboot I can reset.

This suggests a program is keeping a handle open, most likely a virtualised program.

So is any virtualised program surviving a reset?

If you have not rebooted look for programs still running FV and list them.

In the last version cmdvirthost was, but this did not appear to cause problems - it may be doing so now of course. A new process is the Dragon helper process, which is staying open I think, according to a bug report.

Having checked using procmon, it is cmdagent that does the reset.

It is therefore difficult to monitor/dump using Killswitch, as its memory is protected, and not by HIPS. (You can dump it; see my preview board batch file text for how, but it requires two reboots and that may lose the hang.)

But procmon works.

I cannot cause the hang again for the moment, but if you are still experiencing the problem you can.

Important to note that procmon normally logs every event on your machine while event capture is on, and you tell it with filters what to display from that log. So it’s all always there if you want it - just change the filter. But don’t remove the default filters unless you know what you are doing.

Filterwise, you are looking for registry operations on keys including HKLM\system\vritualroot (HKLM=HKEY_LOCAL_MACHINE), or on paths including c:\vtroot. Try these one by one in a filter as filters mostly combine by ANDing. You can start/stop event capture and you need to, or you may run out of virtual memory within an hour or so and lock your machine. So save any data and preferably back up first. You can clear the screen, and highlight according to criteria.

You are looking for events or event sets it stops on or keeps cycling round. What keys or paths is it trying to access/delete? Then we can look at permissions, handles open etc.

Close explorer and regedit windows first to avoid confusion.

Best wishes

Mouse
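A read-only residue check for the two locations named in this thread, added here as an example and not part of Mouse's or Chiron's posts. The paths HKLM\SYSTEM\VritualRoot and C:\VTRoot come from the thread; the function name and its output fields are my own assumptions, and it needs an elevated prompt to read the key.

```powershell
# Added example, not from the thread: a read-only residue check for the two
# locations named above (HKLM\SYSTEM\VritualRoot and C:\VTRoot). Run it from
# an elevated PowerShell prompt once before and once after Reset Sandbox.
function Test-SandboxResetResidue {
    param(
        [string]$RegistryPath = 'HKLM:\SYSTEM\VritualRoot',   # key name as used in the thread
        [string]$FolderPath   = 'C:\VTRoot'                   # folder name as used in the thread
    )

    $info = @{
        RegistryKeyPresent = Test-Path -LiteralPath $RegistryPath
        SubKeyCount        = 0
        SubKeys            = @()
        DenyAces           = @()
        FolderPresent      = Test-Path -LiteralPath $FolderPath
        FolderItemCount    = 0
    }

    if ($info.RegistryKeyPresent) {
        # Subkeys that a complete reset would have removed.
        $subKeys = @(Get-ChildItem -LiteralPath $RegistryPath -Recurse -ErrorAction SilentlyContinue)
        $info.SubKeyCount = $subKeys.Count
        $info.SubKeys     = $subKeys | ForEach-Object { $_.Name }

        # Changed permissions on the key are one of the causes Mouse lists;
        # a Deny entry on the key is the easiest one to spot from here.
        $acl = Get-Acl -Path $RegistryPath -ErrorAction SilentlyContinue
        if ($acl) {
            $info.DenyAces = @($acl.Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.RegistryRights })
        }
    }

    if ($info.FolderPresent) {
        $items = @(Get-ChildItem -LiteralPath $FolderPath -Recurse -Force -ErrorAction SilentlyContinue)
        $info.FolderItemCount = $items.Count
    }

    New-Object PSObject -Property $info
}

# Keep the output of each run so the before/after snapshots can be compared
# alongside the ProcMon capture described in the thread.
Test-SandboxResetResidue | Format-List
```

Open handles on the key are not visible from this check; that part still needs ProcMon or a handle-listing tool as described above.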

Should I create a filter for Operation is HKLM\system\vritualroot (HKLM=HKEY_LOCAL_MACHINE)?

I ask because when I do that I see nothing at all. Am I using this wrong?

Thanks.

No try path contains HKLM\system\vritualroot*

As soon as you know what exact path cannot be deleted (if that is the conclusion), tell me and I can help you with how to investigate further.

Okay, I’m not sure why there seems to be an incompatibility between myself and this program, but I just can’t seem to capture any events when creating filters.

I have attached a screenshot of the filter I used. After adding it, and disabling all the others, I clicked apply. I then clicked OK. Only then did I tell the sandbox to reset, which already had a virtualized instance of IceDragon running inside it.

However, I saw no events at all. Can you please tell me what I’m doing wrong?

Thanks.

[attachment deleted by admin]

OK just checking the obvious.

First you need to collect them by doing something with collect events switched on.

Have you tried entering and exiting S/B?

Then you can try the filter. Try the expanded form of HKLM - cannot remember which it uses

I’ll be here for 5 mins, then dinner, then will not be able to reply for a couple of hours

Sorry

Mouse

Sorry, just seen you unchecked the standard filters; that’s what is wrong. You need them all from Procmon downwards, else it’s going to disappear up the proverbial.

Back in 2 mins.

Capture events is checked.

Also, I tried this with exactly what is shown in my screenshot only with all boxes selected.

Let me restart the computer and see if I see anything when entering and exiting the Kiosk. It won’t start as long as the reset process is still active.

OK, it may be showing nothing cos it’s completely hung, so is doing nothing.

Off for dinner now will check before bed

Mouse

Okay, the plot thickens.

CIS can start virtualized browsers fine. However, when I tried to open the Kiosk it said that I didn’t have Dragon and Silverlight installed on my computer (which by the way I do). It asked if I wanted to download them and I selected no, as I didn’t care about using the tablet view.

It said that the Virtual Kiosk is loading. However, it’s spinning indefinitely and not loading. Also, ProcMon did not show any events with that filter. This same behavior continues even after a full re-install.

Is this actually a different bug than I thought? Perhaps the problem with the sandbox not resetting is actually just a symptom of the actual bug, which is related to the FV Sandbox not working correctly, as shown by the Kiosk not being able to load.

What do you think?

Can you please let me know if there is anything else you think I should investigate?

Also, please let me know if this matches any bugs currently being processed.

Thank you.

OK Chiron, will ponder it overnight if that’s OK, get back to you tomorrow am?

Could be partial reset, could be deeper. Do you have the means to fully backup the computer?

No problem.

I can image it, although that will take some time. Why? What do you have in mind?