Unusual behavior when opening Word doc in Sandboxie [SOLVED]

Posted: Wed Feb 21, 2018 3:20 pm
by SoraNezumi
Apologies up front if my question has been answered in any way previously. I was unable to find a similar case via google search.

I opened a potentially dangerous (from China) word Document I had to view for work in a sandbox (v5.22 default) using MS Word 2010.
As soon as I opened the document, the 2010 office installer fired itself up and started trying to install stuff or some sort of update. Anyways, problem was that it tried to run or install Endnote (which I removed ages ago), and the Endnote application or installer was actually running OUTSIDE the sandbox, throwing up window after window after windows of errors.

I thought that any application ran in a sandbox stays inside the sandbox? How did the office installer launch a program outside the sandbox without my permission?

If this behavior is not intended, I may be able to send a truncated copy of the word doc (with sensitive info removed) for the devs of Sandboxie to investigate (only if required).

On a side note: I assumed opening a word doc in a (default settings) sandbox should work, but for some odd reason it keeps firing up the installer no matter what document I open.
Is there a workaround, or has my computer been compromised already? :?

Software information:
OS: Windows 7 x64 (OS updates applied until Nov 2017)
Sandboxie: x64 v5.22
Office: 2010 (some updates applied in late 2017)
Word doc: .DOCX
Sandbox settings: DefaultBox (drop rights option not enabled)

Thanks in advance for any replies to my questions and situation.

Following up on my post after more testing:

Turns out I did not uninstall EndNote.
Maybe the EndNote prompts that were generated came from word itself instead of the EndNote application?

I will delete my original post (if this forum supports it) if I can prove that EndNote was throwing messages using word instead of it's own exe.

Posted: Wed Feb 21, 2018 3:45 pm
by Barb@Invincea
Hello SoraNezumi,

Does Word work fine outside Sandboxie?
Does this happen with only 1 document?

Is the installer running outside Sandboxie? If you cannot tell if the yellow border or "#" symbol are present, you can check Task Manager to see what's the user that's triggering the action (Sandboxie uses ANONYMOUS LOGON for user).
Another option is to repro the issue, go to Sbie Control and click on File --> "Is Window Sandboxed?"
Drag the Finder to the installer Window and let us know the result.


Re: Unusual behavior when opening Word doc in Sandboxie

Posted: Wed Feb 21, 2018 3:57 pm
by SoraNezumi
Hi Barb,

Thank-you for the fast reply.

The "Is Window Sandboxed?" tool identified that the EndNote prompts are running as part of Word.
Thank-you for pointing me to the tool, that solved my dilemma.

In the end, EndNote was running as part of WinWord as opposed to running as a standalone executable.

Turns out the cause of the office installer / prompts were caused by myself, having turned off the software compatibility fix "Windows and Office Licensing Services" last month while I was tinkering around with Sandboxie for fun ...

Sorry for the trouble. Feel free to delete this thread :)