Curious Sandbox folders in server 2008

Posted on 2009-12-23
Last Modified: 2013-11-29
Hi All

I have a Windows Server 2008 file server where I have an external USB drive attached. In the last few weeks, a lot of folders with cryptic names have appeared in the root of this drive and every one of these folders has a folder called Sandbox inside it. There are no files in the folders and size is 0Kb.

Example folder names are


Could anyone help see what they are, what created them and if they can be safely deleted? I don't have much 3rd party stuff installed on my server. Clean Windows Server.

Question by: netstarukltd
    LVL 16

    Accepted Solution


    Try uploading some files within that Sandbox folder onto for a quick scan to see if there are any infections.

    I also read on some Microsoft webpage that using the Windows Update Standalone Installer might also create those folders.

    Hope it helps.
    LVL 41

    Expert Comment

    Are you running a version of Kaspersky anti-virus software? If so, those directories are probably the locations where it has "quarantined" files that it found as dangerous.
    Open up Kaspersky and run a scan on that drive.
    LVL 22

    Expert Comment

    Sandbox does not work with any version of Windows x64.
    Kaspersky installs the Sandbox folder, but under x64 architecture they are useless.
    You can delete these folders...

    LVL 41

    Expert Comment

    senad... just curious... what led you to believe that the Kaspersky "Safe Run" mode doesn't work in 64-bit Windows?
    LVL 22

    Expert Comment

    Some time ago I did some reading on Sandboxie.
    Kaspersky is using Ronen Tzur's technology (sandbox).
    Support for 64-bit is available in recent beta versions of Sandboxie.
    But that is only beta and for older versions of Windows.
    However, you can run Sandbox in 64-bit Windows 7 Professional/Enterprise/Ultimate in Windows XP Mode. To run a Sandbox directly in W7 x64 is impossible.
    It is due to the kernel tampering protection x64 uses.
    Also, I tried "Safe Run" in Kaspersky (it kind of sandboxed the x32 browser) but
    it was 'mission failed'. It bloated my installation with folders, something like the author
    Also, I am a little skeptical of its effectiveness also on the x32 platform.
    LVL 41

    Expert Comment

    ... so, other than your personal experience, you don't have any references to cite to support your conclusion that Kaspersky's Safe Run doesn't work on Win7 x64?
    just curious where you're getting all this...

    Author Closing Comment

    Yes, it was Windows Update.

    Expert Comment

    We're seeing the same issues on all of our Windows 7 machines. Folders are being created on the root of C. They are named C:\hex value\sandbox. We delete them and then they come back. We've asked Microsoft and McAfee about it and nobody seems to have a solution. If anybody has any ideas where these folders are coming from and how to prevent them from being created I would greatly appreciate it. After searching Google for the last hour it seems to be a very common occurrence on both Windows 7 and Server 2008, but I have yet to find an answer. We could write a script to delete them and run the script on a recurring basis, but I would rather find the root cause.
    LVL 1

    Expert Comment

    We had the same mysterious folder on one of our 2008 Windows DCs. After some searching we found that they were related to a Kaseya patch scan script running at a preset time every 7 days called "WUA Patch Scan 1 (x64)". I believe it has something to do with Kaseya's Agent logs function. Hope that helps.
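
For readers tracing the root cause rather than deleting the folders on a schedule, the following is an added example and not part of the original thread. It is a read-only PowerShell inventory of root-level folders that contain only a `Sandbox` directory, with creation times bucketed by weekday and hour and matched against Windows Update client events. It assumes PowerShell 3.0 or later; `$Root`, `$WindowMinutes` and the choice of the System log's Windows Update client provider as the event source are assumptions made for illustration.

```powershell
# Added example, read-only: nothing is deleted or modified.
param(
    [string]$Root = 'C:\',      # assumption: drive root to inspect
    [int]$WindowMinutes = 10    # assumption: max gap between an event and folder creation
)

# Find top-level folders whose only entry is a directory named "Sandbox"
$found = Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $dir  = $_
        $kids = @(Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue)
        if ($kids.Count -eq 1 -and $kids[0].PSIsContainer -and $kids[0].Name -eq 'Sandbox') {
            $files = @(Get-ChildItem -LiteralPath $kids[0].FullName -Force -Recurse |
                       Where-Object { -not $_.PSIsContainer })
            New-Object PSObject -Property @{
                Path    = $dir.FullName
                Created = $dir.CreationTime
                Owner   = (Get-Acl -LiteralPath $dir.FullName).Owner   # account that created it
                Files   = $files.Count                                 # expected 0 per the thread
            }
        }
    }

$found | Sort-Object Created | Format-Table Created, Owner, Files, Path -AutoSize

# A recurring job (such as a weekly patch scan) shows up as one dominant weekday/hour bucket
$found | Group-Object { '{0} {1:00}:00' -f $_.Created.DayOfWeek, $_.Created.Hour } |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# List Windows Update client events logged close to each folder's creation time
foreach ($f in $found) {
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
        StartTime    = $f.Created.AddMinutes(-$WindowMinutes)
        EndTime      = $f.Created.AddMinutes($WindowMinutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object @{n='Folder';e={$f.Path}}, TimeCreated, Id, Message |
        Format-List
}
```

If the weekday/hour buckets line up with a scheduled patch scan or an update run, the folders can be attributed to that job before deciding whether to clean them up.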
