Sandboxie doesn't kill a process

Please post your problem description here

Moderator: Barb@Invincea

123456
Posts: 16
Joined: Thu Jan 06, 2011 11:24 am

Sandboxie doesn't kill a process

Post by 123456 » Fri Mar 03, 2017 4:17 pm

Image

w7 x64, sandboxie 5.17.4

file: http://www88.zippyshare.com/v/AYwOjgh2/file.html

Barb@Invincea
Sandboxie Support
Posts: 2673
Joined: Mon Nov 07, 2016 3:10 pm

Re: Sandboxie doesn't kill a process

Post by Barb@Invincea » Fri Mar 03, 2017 4:22 pm

Hello 123456,

Which application was running? Or, what were you trying to do when the issue occurred?
Are you using an Antivirus? Does it close after you select "Terminate Program"?

If you can provide repro steps, I'll check it out.

Regards,
Barb.-

123456
Posts: 16
Joined: Thu Jan 06, 2011 11:24 am

Re: Sandboxie doesn't kill a process

Post by 123456 » Fri Mar 03, 2017 4:31 pm

Barb@Invincea wrote:
> Hello 123456,
>
> Which application was running? Or, what were you trying to do when the issue occurred?
> Are you using an Antivirus? Does it close after you select "Terminate Program"?
>
> If you can provide repro steps, I'll check it out.
>
> Regards,
> Barb.-

Hi Barb, thanks for the reply.

Are you using an Antivirus?
No.

Does it close after you select "Terminate Program"?
No.


1- Right Click scvhost.exe and select "Run Sandboxed"
2- after, Right Click on Sandboxie Notification/System tray icon and select "Terminate All Programs" (but can't terminate)

Syrinx
Sandboxie Guru
Posts: 621
Joined: Fri Nov 13, 2015 4:11 pm

Re: Sandboxie doesn't kill a process

Post by Syrinx » Fri Mar 03, 2017 5:33 pm

http://forums.sandboxie.com/phpBB3/view ... 2&#p123384
It is possible to make a process that cannot be terminated: https://blogs.technet.microsoft.com/mar ... processes/

Skype.exe is an example of one that makes it very difficult to terminate.

https://www.google.com/webhp#q=error+te ... +is+denied
In fact that quote comes from another thread where you encountered the same issue with a different piece of malware.

I tested it myself and neither Task Manager nor Process Explorer was able to terminate it either.
Oddly enough I was able to kill it via taskkill /im scvhost.exe

This leads me to believe there is certainly room for some improvement on how Sandboxie handles the termination process.
Maybe something like adding a check for anything still running in the box after the current method finishes and then if found, issue a taskkill cmd from the service [doubt this could reliably be done via sbie ctrl but maybe?] to terminate any leftover PIDs followed by another check and then suspending any remaining left over processes inside the box along with an alert to reboot the pc and the boxname so that a user can delete the related box afterward?

That way if something else comes along that even taskkill can't terminate then at least the user will be notified so that they can take action. Suspending the process would be to prevent ongoing harvests and leakage while the user absorbs the alert.

/end rambling
http://goo.gl/p8qFCf
https://www.youtube.com/watch?v=vIxWgVOCexU

123456
Posts: 16
Joined: Thu Jan 06, 2011 11:24 am

Re: Sandboxie doesn't kill a process

Post by 123456 » Sat Mar 04, 2017 2:28 am

Syrinx wrote:
> http://forums.sandboxie.com/phpBB3/view ... 2&#p123384
> It is possible to make a process that cannot be terminated: https://blogs.technet.microsoft.com/mar ... processes/
>
> Skype.exe is an example of one that makes it very difficult to terminate.
>
> https://www.google.com/webhp#q=error+te ... +is+denied
> In fact that quote comes from another thread where you encountered the same issue with a different piece of malware.
>
> I tested it myself and neither Task Manager nor Process Explorer was able to terminate it either.
> Oddly enough I was able to kill it via taskkill /im scvhost.exe
>
> This leads me to believe there is certainly room for some improvement on how Sandboxie handles the termination process.
> Maybe something like adding a check for anything still running in the box after the current method finishes and then if found, issue a taskkill cmd from the service [doubt this could reliably be done via sbie ctrl but maybe?] to terminate any leftover PIDs followed by another check and then suspending any remaining left over processes inside the box along with an alert to reboot the pc and the boxname so that a user can delete the related box afterward?
>
> That way if something else comes along that even taskkill can't terminate then at least the user will be notified so that they can take action. Suspending the process would be to prevent ongoing harvests and leakage while the user absorbs the alert.
>
> /end rambling

PCHunter terminates it without any problem
http://www.xuetr.com/download/PCHunter_free.zip

Guest10
Posts: 5133
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Re: Sandboxie doesn't kill a process

Post by Guest10 » Sat Mar 04, 2017 7:35 am

It would certainly be desirable to be able to kill a sandboxed instance of svchost.exe, but there are many instances that shouldn't be killed.
Even without anything running sandboxed there are many instances in use, as shown by Process Explorer, so I wouldn't try killing the process by using taskkill or any other external program.
Attachment: svchost.jpg (104.25 KiB)
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Firefox, Thunderbird
Sandboxie user since March 2007

123456
Posts: 16
Joined: Thu Jan 06, 2011 11:24 am

Re: Sandboxie doesn't kill a process

Post by 123456 » Sat Mar 04, 2017 7:53 am

Guest10 wrote:
> It would certainly be desirable to be able to kill a sandboxed instance of svchost.exe, but there are many instances that shouldn't be killed.
> Even without anything running sandboxed there are many instances in use, as shown by Process Explorer, so I wouldn't try killing the process by using taskkill or any other external program.

:) it's not svchost... scvhost

Guest10
Posts: 5133
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Re: Sandboxie doesn't kill a process

Post by Guest10 » Sat Mar 04, 2017 10:00 am

123456 wrote:
> :) it's not svchost... scvhost

Oh. Well, I guess that dyslexia often predates Alzheimer's, so that's going to be my excuse for this mistake :lol:
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Firefox, Thunderbird
Sandboxie user since March 2007
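
The svchost/scvhost mix-up in the last few posts comes from two swapped letters, which is easy to miss by eye in a process list. As an added example (not code from this thread or from Sandboxie), the check below flags process image names that sit within one edit or one adjacent-letter swap of a well-known Windows binary name; the `KNOWN` list and the `SAMPLE` process names are constructed for illustration.

```python
# Added example: flag process names that closely imitate well-known Windows binaries.
# KNOWN is a small illustrative list, not a complete inventory of system binaries.
KNOWN = ("svchost.exe", "lsass.exe", "csrss.exe",
         "services.exe", "explorer.exe", "winlogon.exe")

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1,         # deletion
                         cur[j - 1] + 1,      # insertion
                         prev[j - 1] + cost)  # substitution or match
            # Adjacent transposition, e.g. "cv" typed for "vc"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def find_lookalikes(process_names, known=KNOWN, max_distance=1):
    """Return (name, imitated_name, distance) for near-miss names only."""
    hits = []
    for name in process_names:
        low = name.lower()
        if low in known:
            continue  # exact name: verifying its path and signer is a separate check
        for target in known:
            d = osa_distance(low, target)
            if 0 < d <= max_distance:
                hits.append((name, target, d))
                break
    return hits

# Constructed sample process list
SAMPLE = ["svchost.exe", "scvhost.exe", "Skype.exe",
          "lsas.exe", "explorer.exe", "taskkill.exe"]

if __name__ == "__main__":
    for name, target, dist in find_lookalikes(SAMPLE):
        print(f"{name}: resembles {target} (distance {dist})")
```

An exact name match is skipped on purpose, so a genuine svchost.exe is never flagged here; confirming that such a process runs from the expected directory is a separate check.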
