Exclude Windows Sandbox from Cloud SWG traffic

Article ID: 381214


Products

Endpoint Protection
Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

After upgrading to SEP 14.3 RU9, Windows Sandbox traffic is sent to Cloud SWG through the Cloud Secure Access (WSSA) component embedded in the RU9 SEP agent.

Before the upgrade, on SEP 14.3 RU8, Windows Sandbox traffic was excluded from the Cloud SWG tunnel.

Environment

Cause

Windows Sandbox connects to the host network through a Hyper-V virtual switch (vSwitch). Starting with WSSA 9.5.1, and with the WSSA component of SEP 14.3 RU9, the agent filters vSwitch traffic. This change was needed to close a gap that let virtual machine traffic leave the host unprotected, outside the Cloud SWG tunnel.

Because that traffic is intercepted as Layer 2 frames and cannot be attributed to a process on the host, executable (application) bypass is not supported for it.

vSwitch support is implemented with L2 (MAC frame) hooks in the WSSA Windows driver.

With WSSA 9.7.1 and later, the standalone installer offers an option not to install the L2 hooks. Without the L2 hooks, traffic from the virtual machine is not filtered at all, which is the same behaviour as WSSA before 9.5.1 and as SEP 14.3 RU8.

The WSSA embedded in SEP does not offer this option; the L2 hooks are always installed.

Resolution

The following options are available:

1) Use SEP 14.3 RU8, which does not include vSwitch filtering at all.

2) Use the standalone WSSA 9.7.1 (or later) instead of the WSSA embedded in RU9.

   If the L2 hooks are causing a problem and need to be disabled, pass the SKIP_L2_FRAME_HOOKS=1 property to the msiexec command:

msiexec /I \Path\To\wssa-installer.msi [MSI_OPTIONS...] SKIP_L2_FRAME_HOOKS=1

3) Bypass the Windows Sandbox traffic by destination IP address or domain instead (executable bypasses cannot be used for this traffic).
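As an added example (not part of this article and not WSSA's own tooling), the PowerShell script below wraps the option 2 installation: it runs the standalone WSSA MSI silently with SKIP_L2_FRAME_HOOKS=1, handles the msiexec exit codes, and checks the verbose MSI log to confirm the property actually reached the installer. The installer path, the log location and the script's parameter names are assumptions; the only property taken from the article is SKIP_L2_FRAME_HOOKS=1.

```powershell
# Added example, not from the Broadcom article or the WSSA product.
# Installs the standalone WSSA MSI without the L2 frame hooks and verifies
# that the SKIP_L2_FRAME_HOOKS property was passed to msiexec.
# Assumptions: $MsiPath and $LogPath are placeholders chosen for this example.

param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath,                              # e.g. C:\Temp\wssa-installer.msi (assumed)
    [string]$LogPath = "$env:TEMP\wssa-install.log" # assumed log location
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "Installer not found: $MsiPath"
}

# /i install, /qn silent, /norestart so the reboot decision stays with the admin,
# /L*v verbose log. Public MSI properties are passed as NAME=value.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/qn',
    '/norestart',
    '/L*v', "`"$LogPath`"",
    'SKIP_L2_FRAME_HOOKS=1'
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Host "WSSA installed without L2 frame hooks." }
    3010 { Write-Warning "Install succeeded; a reboot is required (ERROR_SUCCESS_REBOOT_REQUIRED)." }
    1641 { Write-Warning "Install succeeded; the installer initiated a reboot (ERROR_SUCCESS_REBOOT_INITIATED)." }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
}

# A verbose MSI log records every public property set on the command line,
# so a hit here shows the option was seen by the installer rather than silently dropped.
if (Select-String -LiteralPath $LogPath -Pattern 'SKIP_L2_FRAME_HOOKS' -Quiet) {
    Write-Host "Verified: SKIP_L2_FRAME_HOOKS was passed to the installer (see $LogPath)."
} else {
    Write-Warning "SKIP_L2_FRAME_HOOKS not found in $LogPath; the L2 hooks may still have been installed."
}
```

Run it from an elevated PowerShell prompt, for example .\Install-WssaNoL2.ps1 -MsiPath C:\Temp\wssa-installer.msi. The log check is worth the extra step because msiexec ignores a misspelled public property without error, so an install that kept the hooks would be indistinguishable from the intended one by exit code alone. Keep in mind that once the hooks are skipped, Windows Sandbox traffic leaves the host with no Cloud SWG filtering at all, which is exactly the exposure the vSwitch filtering was added to close.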