I did some testing in a fully patched Xp Pro Sp3 VM machine. I first put the IE.exe on the desktop and just ran it. It indeed was deleted. Then with the file on the desktop I right clicked it and ran it sandboxed. It still was deleted. Finally I put it in a folder, forced the folder and ran it from that folder. It ran sandboxed and indeed did delete the file.

THen I ran it from Internet Explorer and of course it never got to run due to start restrictions.

Pete

I just did another test under a VM and I also can reproduce the behaviour. IE.EXE is able to delete itself from the sandbox.

The only way I can get this ie.exe to delete is right click on it > delete.

All versions should see an "unknown executable image", but deletion outside the sandbox should only happen in version 3.43. Thanks for pointing it out raid. It will be fixed in version 3.43.10.



I don't know what you mean about LSA. That svchost.exe process is really another copy of ie.exe with a fake process name. The name-faking is confusing Sandboxie 3.43 and keeping the process in a "partially initialized" state. In this state the program is not fully supervised.

I fixed this in version 3.43. But this name-faking causes Sandboxie to fail to inject SbieDll into the process. So svchost.exe (ie.exe) will not actually work under Sandboxie.

Please try version 3.43.10.

The file deletion problem is fixed for me. I do get the following Sandboxie messages:


Prior to 3.43.10, I was seeing 2313 & 2204. 1215 and 1214 are new with 3.43.10. I also now get the following Windows XP svchost.exe - Application Error alert:

That seems to have fixed it for me, thanks!

I don't know why you see 2313 and 2204. But 1215 and 1214 are intentional here: The games this malware plays are incompatible with how Sandboxie injects SbieDll.

I've seen these messages occasionally when running malware sandboxed. Where malware is concerned, I consider it a Sandboxie feature rather than a problem .