Unusual behavior when opening Word doc in Sandboxie [SOLVED]
Posted: Wed Feb 21, 2018 3:20 pm
Apologies up front if my question has been answered in any way previously. I was unable to find a similar case via google search.
Situation:
I opened a potentially dangerous (from China) word Document I had to view for work in a sandbox (v5.22 default) using MS Word 2010.
As soon as I opened the document, the 2010 office installer fired itself up and started trying to install stuff or some sort of update. Anyways, problem was that it tried to run or install Endnote (which I removed ages ago), and the Endnote application or installer was actually running OUTSIDE the sandbox, throwing up window after window after windows of errors.
I thought that any application ran in a sandbox stays inside the sandbox? How did the office installer launch a program outside the sandbox without my permission?
If this behavior is not intended, I may be able to send a truncated copy of the word doc (with sensitive info removed) for the devs of Sandboxie to investigate (only if required).
On a side note: I assumed opening a word doc in a (default settings) sandbox should work, but for some odd reason it keeps firing up the installer no matter what document I open.
Is there a workaround, or has my computer been compromised already?
Software information:
OS: Windows 7 x64 (OS updates applied until Nov 2017)
Sandboxie: x64 v5.22
Office: 2010 (some updates applied in late 2017)
Word doc: .DOCX
Sandbox settings: DefaultBox (drop rights option not enabled)
Thanks in advance for any replies to my questions and situation.
-----------MERGED POST -----------------
Following up on my post after more testing:
Turns out I did not uninstall EndNote.
Maybe the EndNote prompts that were generated came from word itself instead of the EndNote application?
I will delete my original post (if this forum supports it) if I can prove that EndNote was throwing messages using word instead of it's own exe.
Situation:
I opened a potentially dangerous (from China) word Document I had to view for work in a sandbox (v5.22 default) using MS Word 2010.
As soon as I opened the document, the 2010 office installer fired itself up and started trying to install stuff or some sort of update. Anyways, problem was that it tried to run or install Endnote (which I removed ages ago), and the Endnote application or installer was actually running OUTSIDE the sandbox, throwing up window after window after windows of errors.
I thought that any application ran in a sandbox stays inside the sandbox? How did the office installer launch a program outside the sandbox without my permission?
If this behavior is not intended, I may be able to send a truncated copy of the word doc (with sensitive info removed) for the devs of Sandboxie to investigate (only if required).
On a side note: I assumed opening a word doc in a (default settings) sandbox should work, but for some odd reason it keeps firing up the installer no matter what document I open.
Is there a workaround, or has my computer been compromised already?
Software information:
OS: Windows 7 x64 (OS updates applied until Nov 2017)
Sandboxie: x64 v5.22
Office: 2010 (some updates applied in late 2017)
Word doc: .DOCX
Sandbox settings: DefaultBox (drop rights option not enabled)
Thanks in advance for any replies to my questions and situation.
-----------MERGED POST -----------------
Following up on my post after more testing:
Turns out I did not uninstall EndNote.
Maybe the EndNote prompts that were generated came from word itself instead of the EndNote application?
I will delete my original post (if this forum supports it) if I can prove that EndNote was throwing messages using word instead of it's own exe.