https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-sandboxie/m-p/1257136#M9399 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/663134521">@M.Wempen</a>&nbsp;,</P> <P>&nbsp;</P> <P data-end="244" data-start="50">Based on the behavior described, this appears to be a compatibility issue between Sandboxie's DLL injection/hooking mechanism and Cortex XDR's process injection and exploit protection framework.</P> <P data-end="244" data-start="50">&nbsp;</P> <P data-end="584" data-start="249">The main indicator is that the applications launch successfully once a <STRONG data-end="358" data-start="320">"Disable Injection and Prevention"</STRONG> rule is applied. Since Sandboxie relies on injecting components into processes running inside the sandbox, Cortex XDR may be interfering with that initialization process even though no security alert or incident is generated.</P> <P data-end="584" data-start="249">&nbsp;</P> <P data-end="611" data-start="589">A few recommendations:</P> <UL data-end="1145" data-start="616"> <LI data-end="712" data-start="616" data-section-id="c6t4z2">Verify that both the Cortex XDR agent and Sandboxie are running the latest supported versions.</LI> <LI data-end="849" data-start="715" data-section-id="4gn962">Review Cortex XDR agent logs and diagnostic bundles for any injection- or exploit-protection-related entries during process startup.</LI> <LI data-end="951" data-start="852" data-section-id="1ag94ll">Use ProcMon or similar tools to compare process creation behavior with and without the exception.</LI> <LI data-end="1143" data-start="954" data-section-id="1crol3t">If possible, create a narrowly scoped exception for the Sandboxie service/broker process rather than excluding every sandboxed application (e.g., <CODE data-end="1114" data-start="1102">msedge.exe</CODE>, <CODE data-end="1125" data-start="1116">cmd.exe</CODE>, <CODE data-end="1141" data-start="1127">explorer.exe</CODE>).</LI> </UL> <P data-end="1502" data-start="1148">Since no alerts are being generated, this is likely a product compatibility issue rather than a standard prevention event. If the issue continues, I would recommend opening a Palo Alto Support case and providing agent diagnostics, Cortex XDR version, Windows build, and Sandboxie version so they can determine whether this is a known compatibility issue.</P> <P data-end="1502" data-start="1148">&nbsp;</P> <P>Please help other users by clicking ‘Accept as Solution’ if a post helps solve your problem.</P> <P><SPAN><BR /><A href="https://live.paloaltonetworks.com/t5/blogs/how-and-why-to-accept-solutions/ba-p/553827" target="_blank">Read more about how and why to accept solutions.</A></SPAN></P> <P data-end="1502" data-start="1148">&nbsp;</P> <P data-end="1502" data-start="1148">Best Regards,</P> <P data-end="1502" data-start="1148">Vinothkumar C</P> Tue, 23 Jun 2026 12:35:43 GMT Vinothkumar_SBA 2026-06-23T12:35:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-sandboxie/m-p/1257132#M9397 <P>Hello,</P> <P>&nbsp;</P> <P data-path-to-node="3">We have installed Cortex XDR on a VM that also runs a sandbox tool (Sandboxie). As long as Cortex XDR is enabled, processes cannot be started within the sandbox (e.g., <CODE data-index-in-node="168" data-path-to-node="3">msedge.exe</CODE>, <CODE data-index-in-node="180" data-path-to-node="3">cmd.exe</CODE>, <CODE data-index-in-node="189" data-path-to-node="3">explorer.exe</CODE>). It only works if I create a "Disable Injection and Prevention" rule for these processes.</P> <P data-path-to-node="4">How can I resolve this permanently? I suspect the issue is that Cortex prevents process hooking. Interestingly, we don't see any security cases or alerts being generated for this in the console.</P> <P data-path-to-node="4">&nbsp;</P> <P data-path-to-node="4">Greetings and thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 23 Jun 2026 11:26:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-sandboxie/m-p/1257132#M9397 M.Wempen 2026-06-23T11:26:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-sandboxie/m-p/1257136#M9399 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/663134521">@M.Wempen</a>&nbsp;,</P> <P>&nbsp;</P> <P data-end="244" data-start="50">Based on the behavior described, this appears to be a compatibility issue between Sandboxie's DLL injection/hooking mechanism and Cortex XDR's process injection and exploit protection framework.</P> <P data-end="244" data-start="50">&nbsp;</P> <P data-end="584" data-start="249">The main indicator is that the applications launch successfully once a <STRONG data-end="358" data-start="320">"Disable Injection and Prevention"</STRONG> rule is applied. Since Sandboxie relies on injecting components into processes running inside the sandbox, Cortex XDR may be interfering with that initialization process even though no security alert or incident is generated.</P> <P data-end="584" data-start="249">&nbsp;</P> <P data-end="611" data-start="589">A few recommendations:</P> <UL data-end="1145" data-start="616"> <LI data-end="712" data-start="616" data-section-id="c6t4z2">Verify that both the Cortex XDR agent and Sandboxie are running the latest supported versions.</LI> <LI data-end="849" data-start="715" data-section-id="4gn962">Review Cortex XDR agent logs and diagnostic bundles for any injection- or exploit-protection-related entries during process startup.</LI> <LI data-end="951" data-start="852" data-section-id="1ag94ll">Use ProcMon or similar tools to compare process creation behavior with and without the exception.</LI> <LI data-end="1143" data-start="954" data-section-id="1crol3t">If possible, create a narrowly scoped exception for the Sandboxie service/broker process rather than excluding every sandboxed application (e.g., <CODE data-end="1114" data-start="1102">msedge.exe</CODE>, <CODE data-end="1125" data-start="1116">cmd.exe</CODE>, <CODE data-end="1141" data-start="1127">explorer.exe</CODE>).</LI> </UL> <P data-end="1502" data-start="1148">Since no alerts are being generated, this is likely a product compatibility issue rather than a standard prevention event. If the issue continues, I would recommend opening a Palo Alto Support case and providing agent diagnostics, Cortex XDR version, Windows build, and Sandboxie version so they can determine whether this is a known compatibility issue.</P> <P data-end="1502" data-start="1148">&nbsp;</P> <P>Please help other users by clicking ‘Accept as Solution’ if a post helps solve your problem.</P> <P><SPAN><BR /><A href="https://live.paloaltonetworks.com/t5/blogs/how-and-why-to-accept-solutions/ba-p/553827" target="_blank">Read more about how and why to accept solutions.</A></SPAN></P> <P data-end="1502" data-start="1148">&nbsp;</P> <P data-end="1502" data-start="1148">Best Regards,</P> <P data-end="1502" data-start="1148">Vinothkumar C</P> Tue, 23 Jun 2026 12:35:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-sandboxie/m-p/1257136#M9399 Vinothkumar_SBA 2026-06-23T12:35:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-sandboxie/m-p/1257144#M9400 <P>For your recommendation<BR />"If possible, create a narrowly scoped exception for the Sandboxie service/broker process rather than excluding every sandboxed application (e.g.,<SPAN>&nbsp;</SPAN><CODE data-start="1102" data-end="1114">msedge.exe</CODE>,<SPAN>&nbsp;</SPAN><CODE data-start="1116" data-end="1125">cmd.exe</CODE>,<SPAN>&nbsp;</SPAN><CODE data-start="1127" data-end="1141">explorer.exe</CODE>)."<BR /><BR />Which exception should i create? How can i determine which exception is necessary</P> Tue, 23 Jun 2026 13:27:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-sandboxie/m-p/1257144#M9400 M.Wempen 2026-06-23T13:27:02Z