OS: Windows 10 x64 1809
Sandboxie Version: 5.30
Anti Virus: Kaspersky Internet Security v2019
Steps to reproduce: Simply run Firefox (v57) in Sandboxie mode
Screenshot (not mine, but same): filedb.experts-exchange.com/.../LSAsrv-Error2.JPG
Event ID in Event Viewer: 6033
After upgrading Windows 7 to Windows 10, whenever I launch Firefox in Sandbox mode I get the following error in the Event Viewer:
"An anonymous session connected from [MY COMPUTER NAME] has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day."
As confirmed by https://www.tenforums.com/general-support/84319-event-id-6033-lsa-lsasrv.html it is a Sandboxie problem.
I never saw this event before, I run Sandboxie on multiple machines, all Windows 7, this is now the only one running Windows 10 and the only one with this issue.
The anonymous "attack", if so it can be called, is coming from my own machine.
Is this a known issue?
Edit: I clean installed Windows 10 v1809 and the problem persists.
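To capture the full text of event 6033 and to confirm that the TurnOffAnonymousBlock workaround named in the message has not been left enabled, the following PowerShell is an added example, not part of the original post or of Sandboxie. It assumes the event is written to the System log; the function names are hypothetical.

```powershell
# Added example. Assumption: event 6033 is recorded in the System log.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-AnonymousBlockState {
    # TurnOffAnonymousBlock = 1 is the workaround from the event text;
    # it switches the anonymous-caller protection off.
    $prop = Get-ItemProperty -Path $lsaKey -Name 'TurnOffAnonymousBlock' `
                             -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Enabled (value not set)' }
    if ($prop.TurnOffAnonymousBlock -eq 1) {
        return 'DISABLED (TurnOffAnonymousBlock = 1)'
    }
    return "Enabled (TurnOffAnonymousBlock = $($prop.TurnOffAnonymousBlock))"
}

function Get-Lsa6033Events {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'System'
        Id        = 6033
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; suppress it
    # and return nothing in that case.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Provider    = $e.ProviderName   # check this reads LsaSrv
            Message     = $e.Message
            Xml         = $e.ToXml()        # full record, for sharing with support
        }
    }
}

"LSA anonymous block: $(Get-AnonymousBlockState)"

# The message says it is logged at most once a day, so one entry per day
# does not mean only one rejected attempt happened that day.
Get-Lsa6033Events |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Provider, Message
```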
I'm having this exact same error but I'm using Win7 64-bit, Sandboxie v5.30.
All drivers and OS updates are current. I'm using Firefox and Waterfox.
In reply to Sam777:
Thank you for the update, I'm glad I'm not the only one. Never had such issues on Windows 7 myself, did you have them before installing v5.30?
With all that has been going on with Sandboxie in the last few months I prefer not to see such errors which could be interpreted as some sort of Malware infection.
In reply to sandboxieuser456:
I've shared the info with the devs. I will update this thread once I receive a response.
In reply to Barb@Sophos:
Thank you Barbara, very kind.
I was not able to repro the message on Win 10 1809 + FF 67, so it may be a combination of FF and certain AV software, or an extension. Try a new FF profile and a new Sandbox with default settings to see if the behavior continues.
The devs stated that this is something on the program's end not liking Sandboxie using Anonymous Logon (as nothing has changed with Sandboxie in that regard, and there is no malware in our code).
Here's an example of a similar situation: https://support.microsoft.com/en-us/help/839569/you-may-not-be-able-to-connect-to-an-instance-of-sql-server-by-using-a
You may want to reach out to Mozilla's support and see if they can verify the message and the steps.
Hi Barbara.
This is what I tested today:
1. I created a new Firefox profile
2. I closed KIS 2019
3. I created a new Sandbox
4. I launched the browser in the new Sandbox and no event was logged
1. I rebooted
2. I launched the browser in the new Sandbox without closing KIS 2019
3. The event was logged
So the issue is not with my regular Firefox profile and/or my regular Sandbox.
It seems to be a conflict with KIS 2019 (which I don't have installed on my other machines).
As this event is only logged once per day, I will try again tomorrow with KIS 2019 closed.
Thank you.
Sorry for taking so long to respond, I was having challenges getting logged into this forum using a vpn. I'm good now.
I did notice the problem didn't arise until v5.30 but I also know Windows update for May has been problematic. Coincidence? I don't know yet. It could be one or the other as the culprit; or perhaps both.
I re-imaged my drive and installed all updates till April. Sandboxie is v5.28. I'm going to let it run for 3 days to see if any issues arise. Then I'll update SB to v5.30 to see if it creates the LsaSrv error. Depending on the results, I'll install the Windows May updates. Hopefully, something will present itself.
Curious, do you by any chance use Intel Turbo Booster? Have you experienced any BSOD around the time of the LsaSrv error?
I believe by Windows May update you mean 1903? I did not install it as I'm aware of issues.
No BSODs on my side, I will check the BIOS for Intel Turbo Boost later on today.
By the way, do you have KIS installed?
Good day Barbara.
This morning I proceeded with the following tests:
1. Closed KIS 2019
2. Loaded Firefox in Sandboxie mode
3. Closed Firefox and re-opened it
4. Repeated steps 2 and 3 for 5 times
5. No event logged
6. Rebooted machine
7. I loaded Firefox in Sandboxie mode, with KIS 2019 active
8. Event logged
This pretty much confirms that it is a conflict with KIS 2019.
Can you kindly ask your developers to proceed with the test case on a machine with KIS 2019 installed and active?
Our currently supported apps are listed here
Please, reach out to the AV support team so that they can review the situation. Did you get a chance to look at the link provided before? It may help with your scenario.
You may also try Resource Access Monitor (although not sure we will see anything there, worth a shot).
Ensure you are working in an empty Sandbox
Start Res. Acc. Mon
Immediately reproduce the problem then close Res. Acc. Mon
Post the output.
I'm not sure I understand. Do I have to contact Kaspersky? The problem is not with Kaspersky, if I don't use Sandboxie no events are logged in Event Viewer.
I will run Resource Access Manager and post the results.
Per my original response, this is what the devs said:
I'm afraid that is not a similar situation.
I am aware that SQL Server, when installed, can either connect with an anonymous account or an account on the machine but my issue has absolutely nothing to do with this, especially since SQL Server is not even installed on my machine.
The closest case I found similar to mine, if we really want Google to fix this issue for us, is this one:
But since the old forums are down after last month's disaster, I cannot find the thread opened by that user.
All I'm asking is for your developers to install KIS 2019 on a machine with Windows 10 to try and replicate my test case.
We don't test Kaspersky. Please, follow my previous suggestions to see if Res. Acc. Mon shows anything.
Otherwise, please reach out to the vendor to find out if they are triggering the event/monitoring anonymous logon events
(if you post the full event, we may be able to see more info within it. The screenshot/post you provided is from years ago - which also shows this is not a new scenario. As stated, nothing has changed in Sandboxie, things run as anonymous logon as usual).
I would appreciate it if you take me more seriously.
The post I linked to is not "from years ago", it's from last March, the user went on the old Sandboxie forum to report the problem but the forums are down, I have no way to see what feedback he received.
Is there a way for you to find the thread opened by the user three months ago for me to have more input on the problem, ideally something more than a workaround accompanied with a warning, "Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround"?