Sandboxie causing "An anonymous session connected from [MY COMPUTER NAME] has attempted to open an LSA policy handle ..." on Windows 10

OS: Windows 10 x64 1809

Sandboxie Version: 5.30

Anti Virus: Kaspersky Internet Security v2019

Steps to reproduce: Simply run Firefox (v57) in Sandboxie mode

Screenshot(not mine, but same): filedb.experts-exchange.com/.../LSAsrv-Error2.JPG

Event ID in Event Viewer: 6033

 

Hello.

After upgrading Windows 7 to Windows 10, whenever I launch Firefox in Sandbox mode I get the following error in the Event Viewer:

"An anonymous session connected from [MY COMPUTER NAME] has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
This message will be logged at most once a day."

As confirmed by https://www.tenforums.com/general-support/84319-event-id-6033-lsa-lsasrv.html it is a Sandboxie problem.

I never saw this event before. I run Sandboxie on multiple machines, all Windows 7; this is now the only one running Windows 10 and the only one with this issue.

The anonymous "attack", if so it can be called, is coming from my own machine.

Is this a known issue?

Edit: I clean installed Windows 10 v1809 and the problem persists.

Thank you.
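
To check a machine for this event and for the workaround value named in the message, the following PowerShell can be used. It is an added example, not part of the original thread or of Sandboxie; the 30-day look-back and the reading of "once a day" as a 24-hour window are assumptions.

```powershell
# Added example (not from the thread). Read-only: queries the System log
# and one registry value, changes nothing.
$lookBackDays = 30   # assumed look-back window

# Event ID 6033 in the System log. Matching on the message text avoids
# depending on the exact provider name and skips unrelated events.
$filter = @{ LogName = 'System'; Id = 6033; StartTime = (Get-Date).AddDays(-$lookBackDays) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*LSA policy handle*' } |
    Sort-Object TimeCreated)

if ($events.Count -eq 0) {
    "No anonymous LSA policy handle event (6033) in the last $lookBackDays days."
} else {
    $events | Select-Object TimeCreated, ProviderName, Id, MachineName |
        Format-Table -AutoSize | Out-String

    # The message says it is logged at most once a day. Treating that as a
    # 24-hour window is an assumption; inside it, a test run that logs
    # nothing does not show that the anonymous attempt stopped.
    $last  = $events[-1]
    $hours = [math]::Round(((Get-Date) - $last.TimeCreated).TotalHours, 1)
    if ($hours -lt 24) {
        "Last event was $hours h ago: a 'no event' result now is inconclusive."
    } else {
        "Last event was $hours h ago: a new attempt should be logged again."
    }

    # Full record of the latest event, suitable for attaching to a report.
    $last.ToXml()
}

# Registry value named in the event text. 1 means the block is turned off.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$prop   = Get-ItemProperty -Path $lsaKey -Name 'TurnOffAnonymousBlock' -ErrorAction SilentlyContinue
if ($prop -and $prop.TurnOffAnonymousBlock -eq 1) {
    'TurnOffAnonymousBlock = 1: anonymous LSA policy access is NOT being blocked.'
} else {
    'TurnOffAnonymousBlock is absent or not 1: the anonymous block is in effect.'
}
```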

  • I'm having this exact same error but I'm using Win7 64-bit, Sandboxie v5.30.

    All drivers and OS updates are current. I'm using Firefox and Waterfox.

  • In reply to Sam777:

    Hi Sam.

    Thank you for the update, I'm glad I'm not the only one. Never had such issues on Windows 7 myself, did you have them before installing v5.30?

    With all that has been going on with Sandboxie in the last few months I prefer not to see such errors which could be interpreted as some sort of malware infection.

  • In reply to sandboxieuser456:

    All,

    I've shared the info with the devs.  I will update this thread once I receive a response.

    Regards,

  • In reply to Barb@Sophos:

    Thank you Barbara, very kind.

  • In reply to sandboxieuser456:

    Hi all,

    I was not able to repro the message on Win 10 1809 + FF 67, so it may be a combination of FF and certain AV software, or an extension. Try a new FF profile and a new Sandbox with default settings to see if the behavior continues. 

    The devs stated that this is something on the program's end not liking Sandboxie using Anonymous Logon (as nothing has changed with Sandboxie in that regard, and there is no malware in our code).

    Here's an example of a similar situation:
    https://support.microsoft.com/en-us/help/839569/you-may-not-be-able-to-connect-to-an-instance-of-sql-server-by-using-a

    You may want to reach out to Mozilla's support and see if they can verify the message and the steps. 

    Thanks!

  • In reply to Barb@Sophos:

    Hi Barbara.

    This is what I tested today:

    1. I created a new Firefox profile
    2. I closed KIS 2019
    3. I created a new Sandbox
    4. I launched the browser in the new Sandbox and no event was logged

    1. I rebooted
    2. I launched the browser in the new Sandbox without closing KIS 2019
    3. The event was logged

    So the issue is not with my regular Firefox profile and/or my regular Sandbox.

    It seems to be a conflict with KIS 2019 (which I don't have installed on my other machines).

    As this event is only logged once per day, I will try again tomorrow with KIS 2019 closed.

    Thank you.

  • In reply to sandboxieuser456:

    Sorry for taking so long to respond, I was having challenges getting logged into this forum using a vpn. I'm good now.

    I did notice the problem didn't arise until v5.30 but I also know Windows update for May has been problematic. Coincidence? I don't know yet. It could be one or the other as the culprit; or perhaps both.

    I re-imaged my drive and installed all updates till April. Sandboxie is v5.28. I'm going to let it run for 3 days to see if any issues arise. Then I'll update SB to v5.30 to see if it creates the LsaSrv error. Depending on the results, I'll install the Windows May updates. Hopefully, something will present itself.

    Curious, do you by any chance use Intel Turbo Booster? Have you experienced any BSOD around the time of the LsaSrv error?

     

  • In reply to Sam777:

    Hi Sam.

    I believe by Windows May update you mean 1903? I did not install it as I'm aware of issues.

    No BSODs on my side, I will check the BIOS for Intel Turbo Boost later on today.

    By the way, do you have KIS installed?

    Thank you.

  • In reply to Barb@Sophos:

    Good day Barbara.

    This morning I proceeded with the following tests:

    1. Closed KIS 2019

    2. Loaded Firefox in Sandboxie mode

    3. Closed Firefox and re-opened it

    4. Repeated steps 2 and 3 for 5 times

    5. No event logged

    6. Rebooted machine

    7. I loaded Firefox in Sandboxie mode, with KIS 2019 active

    8. Event logged

    This pretty much confirms that it is a conflict with KIS 2019.

    Can you kindly ask your developers to proceed with the test case on a machine with KIS 2019 installed and active?

    Thank you.

  • In reply to sandboxieuser456:

    Hi sandboxieuser456,

    Our currently supported apps are listed here

    Please, reach out to the AV support team so that they can review the situation.  Did you get a chance to look at the link provided before? It may help with your scenario. 

    You may also try Resource Access Monitor (although not sure we will see anything there, worth a shot):

    1. Ensure you are working in an empty Sandbox
    2. Start Res. Acc. Mon
    3. Immediately reproduce the problem, then close Res. Acc. Mon
    4. Post the output

    Regards,

  • In reply to Barb@Sophos:

    Hi Barbara.

    I'm not sure I understand. Do I have to contact Kaspersky? The problem is not with Kaspersky, if I don't use Sandboxie no events are logged in Event Viewer.

    I will run Resource Access Manager and post the results.

  • In reply to sandboxieuser456:

    Hi sandboxieuser456,

    Per my original response, this is what the devs said:

    The devs stated that this is something on the program's end not liking Sandboxie using Anonymous Logon (as nothing has changed with Sandboxie in that regard, and there is no malware in our code).

    Here's an example of a similar situation:
    https://support.microsoft.com/en-us/help/839569/you-may-not-be-able-to-connect-to-an-instance-of-sql-server-by-using-a

    Regards,

  • In reply to Barb@Sophos:

    Hi Barbara.

    I'm afraid that is not a similar situation.

    I am aware that SQL Server, when installed, can either connect with an anonymous account or an account on the machine but my issue has absolutely nothing to do with this, especially since SQL Server is not even installed on my machine.

    The closest case I found similar to mine, if we really want Google to fix this issue for us, is this one:

    https://www.tenforums.com/general-support/84319-event-id-6033-lsa-lsasrv.html

    But since the old forums are down after last month's disaster, I cannot find the thread opened by that user.

    All I'm asking is for your developers to install KIS 2019 on a machine with Windows 10 to try and replicate my test case.

  • In reply to sandboxieuser456:

    Hi sandboxieuser456,

    We don't test Kaspersky. Please, follow my previous suggestions to see if Res. Acc. Mon shows anything.

    Otherwise, please reach out to the vendor to find out if they are triggering the event/monitoring anonymous logon events 

    (if you post the full event, we may be able to see more info within it. The screenshot/post you provided is from years ago - which also shows this is not a new scenario. As stated, nothing has changed in Sandboxie, things run as anonymous logon as usual).

    Thanks!

  • In reply to Barb@Sophos:

    Hi Barbara.

    I would appreciate it if you take me more seriously.

    The post I linked to is not "from years ago", it's from last March, the user went on the old Sandboxie forum to report the problem but the forums are down, I have no way to see what feedback he received.

    Is there a way for you to find the thread opened by the user three months ago for me to have more input on the problem, ideally something more than a workaround accompanied with a warning, "Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround"?

    Thank you.