File Recovery dialog says every file "failed a security check"

[e-t-l]

Describe what you noticed and did

1. Open the File Recovery window for a sandbox
2. Select any file or folder
3. Click the recover button
4. Observe the dialog box that says "The file [filename] failed a security check, do you want to recover it anyway?"

How often did you encounter it so far?

Every file recovery action

Expected behavior

I expect to only see this dialog for files with actual security vulnerabilities, not for every single file.

Affected program

Not relevant

Download link

Not relevant

Where is the program located?

Not relevant to my request.

Did the program or any related process close unexpectedly?

No, not at all.

Crash dump

No response

What version of Sandboxie are you running now?

Sandboxie-Plus v1.14.5 64-bit

Is it a new installation of Sandboxie?

I just updated Sandboxie from a previous version (I remember which one it is).

Is it a regression from previous versions?

No; the issue has persisted for as long as I have had Sandboxie installed

In which sandbox type you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

What is your Windows edition and version?

Windows 11 Enterprise 23H2 64-bit

In which Windows account you have this problem?

A local account (Administrator)., An account with UAC protection set to Always notify.

Please mention any installed security software

Avast One

Did you previously enable some security policy settings outside Sandboxie?

No response

Trace log

No response

Sandboxie.ini configuration

[GlobalSettings]
Template=WindowsRasMan
Template=OfficeClickToRun
Template=OfficeLicensing
Template=WindowsLive
Template=WindowsDefender
ForceDisableSeconds=600000
PreferExternalManifest=msedge.exe,y
PreferExternalManifest=Spotify.exe,y
Template=Chrome_KB5027231_fix
Template=Avast_Antivirus
Template=Edge_Fix
OpenClsid={D713F357-7920-4B91-9EB6-49054709EC7A}
DisableWinNtHook=CreateEnclave
DisableWinNtHook=LoadEnclaveData
DisableWinNtHook=InitializeEnclave
DisableWinNtHook=CallEnclave
DefaultBox=DefaultBox
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%
SandboxieLogon=y
EditAdminOnly=y
ForceDisableAdminOnly=y
ExternalManifestHack=msedge.exe,y
NoRestartOnPCA=y
ApproveWinNtSysCall=LoadKeyEx
FakeAdminRights=explorer.exe,n

[UserSettings_0CBE021F]
SbieCtrl_AutoStartAgent=SandMan.exe -autorun
SbieCtrl_EnableAutoStart=y
BoxGrouping=:DefaultBox

[DefaultBox]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00ffff,ttl,6
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
Template=Local_SysCallPresets
ConfigLevel=10
DropAdminRights=y
FakeAdminRights=y

[DavidXanatos]

for me it works fine, you must have installed the file checker addon: and it fails perhaps you did not allow sigcheck.exe internet access?

Cheers David

[offhub]

@DavidXanatos

Suggestion [3,General]: The command sigcheck.exe was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type: ".\sigcheck.exe". See "get-help about_Command_Precedence" for more details.

@e-t-l

1. Go to the C:\Program Files\Sandboxie-Plus\addons\FileChecker folder.
2. Copy sigcheck.exe to any location.
3. Disable the FileChecker addon.
4. Save the following codes to a file with the ps1 extension.
5. Copy the ps1 and exe files to a location of your choice.

Code

#### CheckFileCustom.ps1: ```ps1 param ( [string]$bin ) # Determine paths to the sigcheck executables $sigcheckExe = Join-Path -Path $PSScriptRoot -ChildPath 'sigcheck.exe' # Check if the selected sigcheck executable exists if (-not (Test-Path -Path $sigcheckExe)) { Write-Error "sigcheck executable not found at $sigcheckExe" exit 1 } try { # Run the selected sigcheck executable $sigcheckOutput = & "$sigcheckExe" -vt -accepteula "$bin" # Check for the expected detection pattern if (-not ($sigcheckOutput -match "^\s*VT\s+detection:\s+[0]+\/[^0][0-9]*.*$")) { Write-Output $sigcheckOutput exit 1 } } catch { Write-Error "An error occurred while running ${sigcheckExe}: $_" exit 1 } exit 0 ```

6. Add the following trigger to the Global Settings section. OnFileRecovery=powershell.exe -NoP -EP Bypass -F "LOCATIONOFYOURCHOICE\CheckFileCustom.ps1" -bin

[e-t-l]

and it fails perhaps you did not allow sigcheck.exe internet access?

I don't even see sigcheck attempting a connection in my firewall manager (Portmaster), nor do I see it in Windows Firewall. What server should it be connecting to?

[e-t-l]

Update: I don't think sigcheck.exe or CheckFile.ps1 are even being run. I didn't yet have a chance to do all the steps you describe, i.e. changing the directory of sigcheck etc, but as a quick test I tried two things:

1. Inserted a break and alert at the beginning of CheckFile.ps1, as a quick visual indicator of whether the script is being run.
2. Replaced the contents of \addons\FileChecker\CheckFile.ps1 with the contents you pasted above for CheckFileCustom.ps1 (without changing the actual script name)

Both times, I tried recovering a file and got the exact same behavior as before, which tells me that the CheckFile PS script is not actually being executed for some reason. Again, I haven't tried doing it with the custom path and global trigger like you described yet.

Also, idk if this is important, but I noticed that the sigcheck.exe file that is downloaded when installing File Checker is not the same size as the one included in the original SysInternals suite. Is it an older version of the executable?

[offhub]

Run from CMD to see the errors:

powershell.exe -NoP -EP Bypass -F "C:\Program Files\Sandboxie-Plus\addons\FileChecker\CheckFile.ps1" -bin "exeFile.exe"

Also, idk if this is important, but I noticed that the sigcheck.exe file that is downloaded when installing File Checker is not the same size as the one included in the original SysInternals suite. Is it an older version of the executable?

Version 2.9.0, but 32-bit. Maybe the version you have is 64-bit and its name does not end in 64.

[e-t-l]

Run from CMD to see the errors: powershell.exe -NoP -EP Bypass -F "C:\Program Files\Sandboxie-Plus\addons\FileChecker\CheckFile.ps1" -bin "exeFile.exe"

Replaced "exefile" with an existing filepath. It returns no errors or other messages.

I also tried opening a Powershell console and directly running "C:\Program Files\Sandboxie-Plus\addons\FileChecker\CheckFile.ps1" -bin "exeFile.exe" (again using a real filepath) and it returned a ParseError: "Unexpected token '-bin' in expression or statement."

I don't know what I'm supposed to be seeing here. What does the script return when you run it?

[e-t-l]

Update: trying random different files as arguments seems to return one of three results, without any identifiable pattern:

1. Nothing. The script does not return any output.

2. Appropriate sigcheck response.

Sigcheck v2.90 - File version and signature viewer Copyright (C) 2004-2022 Mark Russinovich Sysinternals - www.sysinternals.com

c:\sandbox\etl\malwaretestbox\drive\c\program files\adobe\acrobat dc\acrobat\Acrobat.exe: Verified: Signed Signing date: 8:44 AM 2/10/2024 Publisher: Adobe Inc. Company: Adobe Systems Incorporated Description: Adobe Acrobat Product: Adobe Acrobat Prod version: 23.8.20533.0 File version: 23.8.20533.0 MachineType: 64-bit VT detection: 2/79 VT link: https://www.virustotal.com/gui/file/f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628/detection

3. Null response from Sigcheck.

Sigcheck v2.90 - File version and signature viewer Copyright (C) 2004-2022 Mark Russinovich Sysinternals - www.sysinternals.com

c:\sandbox\etl\malwaretestbox\user\current\appdata\local\crashdumps\Acrobat.exe.23632.dmp: Verified: Unsigned File date: 2:43 PM 4/10/2024 Publisher: n/a Company: n/a Description: n/a Product: n/a Prod version: n/a File version: n/a MachineType: n/a VT detection: Unknown VT link: n/a

[offhub]

If the VT detection result is not 0/XX, a warning is issued. (security check failed)

It would be better if you provide a screenshot of the Sandboxie Plus warning. If it looks like the example below, the recovery script is not working properly.

Example:

[giannisp6]

If the VT detection result is not 0/XX, a warning is issued. (security check failed)

It would be better if you provide a screenshot of the Sandboxie Plus warning. If it looks like the example below, the recovery script is not working properly.

Example:

I am getting the exact same error in a popup message...

[stdedos]

In my case, it is an Enhanced Isolation / Data Protection sandbox. Could be it.