Author Topic: Silent Sandbox does more damage than Malware - how do I get alerts / pop-ups

Alan Borer

  • Comodo's Hero
I have a 2 week old SSD with new Windows 7 Ultimate (64 bit) and Macrium Reflect Server Edition.
I installed Comodo C.I.S. 5.9.22?? with default settings.

I chose to abandon Firefox (Installed) with its recent irresponsible silent/forced update policy,
and chose Palemoon Portable.
I installed Addons and all was well after restarting Palemoon.
I installed LastPass and Xmarks addons and they said installation would complete upon a restart,
but every restart demanded another - repeatedly.
I thought at first these addons could not run with the latest version of Palemoon.
Eventually I went the well worn route of disabling malware protection and then restart was successful.
SANDBOX  WAS  THE  CULPRIT  -  NO WARNINGS - NO POP-UPS

Macrium Reflect made a partition image of my system before I installed Comodo,
but not after - there were VSS errors which prevented any success.
Eventually I had success by launching the Macrium GUI and running that direct under Windows.
Then I found SANDBOX KILLED SUCCESS when I ran my *.BAT script that launches Macrium and organizes archiving of image backups.
My *.BAT script launched Macrium and its GUI as expected, and Macrium ran and analyzed my partitions,
but SANDBOX prevented Macrium from using VSS.

I found that Macrium Reflect is listed as Trusted.
I WISH Comodo would continue to trust anything that is trusted even when My scripts launch them
I NEED Comodo to put up a warning / pop-up when it is disrupting a trusted application.

There is an occasional rare appearance of an elusive "Application Isolated" pop-up.
I would love it if this always appeared until such time as I tick the box "Hide these alerts".
Unfortunately I have never seen the same one twice, even though I repeat my actions without ticking the box.

Incidentally, what does "Hide these alerts" do ?
i.e. is this a permanent end to any such pop-up regardless of situation,
or does it simply hide any future identical warnings from the same "unrecognized file".

Please advise how I should get warning pop-ups when the Sandbox is interfering,
otherwise I will have to leave the Sandbox permanently disabled.

Is it possible to tell Comodo/Sandbox to trust all my *.BAT files in a designated folder ?

Regards
Alan

mouse1

  • Global Moderator
  • Comodo's Hero
Hi Alan

Sorry you are frustrated with the sandbox.

The main purpose of the sandbox is to keep people safe without too much hassle or interruption. For example the sandbox allows unrecognised files to run safely without (in general) requiring the user to answer alerts to allow program actions.

Instead of alerts you get notifications (which do not require a response to allow an action) the first time a file is sandboxed. Normally you should be able to ignore these - most files will work sandboxed, and will be removed from the sandbox when they have been whitelisted. (Though this often takes too long in my view). Sometimes the files won't work sandboxed and need to be made trusted by the user. This should happen less frequently in CIS 6, as risky actions will (hopefully) be virtualised instead of prevented.

To reduce hassle you don't get sandbox notifications on subsequent occasions when you run a sandboxed file, but you do get log entries. So you can always look at the log. Or you can look in unrecognised files. Or you can look in the active process list, if the file is still running.

You don't get sandbox notifications if a file is sandboxed because it is running in the context of another file which is sandboxed. But again you do get log entries. And you can see this happening in the active process list.

So if you want to get alerts every time CIS intervenes the best thing is to switch the sandbox off.

Re always trusting trusted files, this is not a safe thing to do. Trusted files run by trusted files are trusted. Trusted files run by untrusted files are not. This is because malware could use a trusted file to perform a malicious action.

Hope this helps you understand what is happening a bit.

Best wishes

Mouse
« Last Edit: March 23, 2012, 01:04:00 PM by mouse1 »

Alan Borer

  • Comodo's Hero
To reduce hassle you don't get sandbox notifications on subsequent occasions when you run a sandboxed file, but you do get log entries. So you can always look at the log. Or you can look in unrecognized files. Or you can look in the active process list, if the file is still running.
I believe I MAY have had a notification when installing THE FIRST OF MANY Addons to Palemoon.
The installation was successful because it did not attempt to alter anything Comodo considered vital.

Regrettably subsequent Addons DID attempt to alter things that Comodo prevented,
but there were zero notifications.
I previously used 32 bit Firefox.
Now I was trying 64 bit Palemoon with the knowledge that some Addons might fail on a 64 bit browser.
Comodo caused me to email LastPass support for advice on why their Addon was failing on 64 bit Palemoon.
Quote
You don't get sandbox notifications if a file is sandboxed because it is running in the context of another file which is sandboxed. But again you do get log entries. And you can see this happening in the active process list.

So if you want to get alerts every time CIS intervenes the best thing is to switch the sandbox off.
I am not happy with silent refusal to obey orders.
I prefer to be explicitly told when there is a problem.
I am not prepared to keep the active Process list on permanent display.

Because Comodo practiced dumb insolence the only advice I received upon the Macrium failure was to run some VSS tool in Debug mode.

I have wasted several hours due to Comodo protecting me from myself and saying nothing.
Quote
Re always trusting trusted files, this is not a safe thing to do. Trusted files run by trusted files are trusted. Trusted files run by untrusted files are not. This is because malware could use a trusted file to perform a malcious action.
I recognize that Malware could perform damage if it controlled CMD.EXE,
But do not see any danger if it ran my script to create a partition image.

I find that my *.BAT scripts are listed as Unrecognized.
Do I simply move them to Trusted Files so they will avoid aggravation ?

Do my *.BAT files lose trusted status if they are edited or relocated for execution from a different location ?

What happens if I tick the box "Hide these Alerts" ?
Does it mean I will never again see any such alert regardless of the specific unrecognized file that caused the notice,
or does it mean that this specific file will never again cause such an alert.

What happens to an unrecognized file if I click "Remove" ?
Will it give me one more notification the next time I run the file - or will it be crippled / removed / never to run again ?

Incidentally, I cannot get any on-line help.
I have clicked on the Help button on the MORE Tab.
I refuse to allow I.E.8 and ActiveX to run - does Comodo depend upon these security hazards  >:-D

Regards
Alan


mouse1

  • Global Moderator
  • Comodo's Hero
I believe I MAY have had a notification when installing THE FIRST OF MANY Addons to Palemoon.
The installation was successful because it did not attempt to alter anything Comodo considered vital.

Regrettably subsequent Addons DID attempt to alter things that Comodo prevented,
but there were zero notifications.
I previously used 32 bit Firefox.
Now I was trying 64 bit Palemoon with the knowledge that some Addons might fail on a 64 bit browser.
Comodo caused me to email LastPass support for advice on why their Addon was failing on 64 bit Palemoon.
I am not happy with silent refusal to obey orders.
It may be that Palemoon is getting sandboxed, and thus everything that runs in its context is. To try to work out what is happening, we'll need to have a look at your full active process list and D+ event logs after a reboot, with Palemoon and add-ons running. Alternatively maybe you have an installation problem (see below), or maybe some software is causing a buffer overflow by being run in a 64bit browser. Generally I would not expect a 32 bit add-on to work reliably in a 64 bit browser. Maybe the add-ons are only just running, and doing some rather bad things in the process (eg buffer overflows) and CIS is stepping in a bit flakily (due to the overall context). You can exclude executables from buffer overflow protection in D+ settings ~ execution control settings.
Quote
I prefer to be explicitly told when there is a problem.
I am not prepared to keep the active Process list on permanent display.
I'm sorry but you would probably be better off turning off the auto-sandbox, really. Or you can check the logs if there is a problem. Sorry no other way round this AFAIK.
Quote
I recognize that Malware could perform damage if it controlled CMD.EXE, But do not see any danger if it ran my script to create a partition image.

I find that my *.BAT scripts are listed as Unrecognized.
Batch files can do enormous damage. How about a batch file that does del *.* /s.
Quote
Do I simply move them to Trusted Files so they will avoid aggravation ?
Yes
Quote
Do my *.BAT files lose trusted status if they are edited or relocated for execution from a different location ?
Yes, so to avoid this you need to tick the box that says 'trust by name'. Then any file by that name on that path will be trusted.

Quote
What happens if I tick the box "Hide these Alerts" ?
Does it mean I will never again see any such alert regardless of the specific unrecognized file that caused the notice,
or does it mean that this specific file will never again cause such an alert.

I think it means hide all this type of alert in future, but I have never used it so I am not sure. Did you tick this?
Quote
What happens to an unrecognized file if I click "Remove" ?
Will it give me one more notification the next time I run the file - or will it be crippled / removed / never to run again ?
It removes it from the unrecognised files list, which means you will get an alert next time it is sandboxed. It does not make it trusted.

Quote
Incidentally, I cannot get any on-line help.
I have clicked on the Help button on the MORE Tab.
I refuse to allow I.E.8 and ActiveX to run - does Comodo depend upon these security hazards  >:-D

I don't think so. This is probably determined by what file is listed to handle the .html file type in file associations. Or possibly bearing in mind all the above you have an installation problem. We can guide you on re-installation if you wish, but probably best to understand more what is going on first.
Here is a link to help just in case: http://help.comodo.com/topic-72-1-284-2942-Introduction-to-Comodo-Internet-Security.html
« Last Edit: March 23, 2012, 12:14:43 PM by mouse1 »
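The two rules mouse1 states in this thread (a trusted file started by an unrecognised file inherits the sandbox, and a file trusted by hash loses that trust the moment it is edited or moved, whereas 'trust by name' keys on the path) are easy to misread from prose alone. The following is an added illustration, not Comodo's code and not anything CIS actually runs: a small model of a trust list with both hash and path entries, a process tree, and the inherited-context check, replayed over Alan's Macrium-from-a-batch-file case. The file paths, file contents and the `classify`/`scenario` helpers are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed stand-in for the disk: path -> file contents. The bytes are made up so the
# example runs offline; a real policy engine would hash the actual files on disk.
EXPLORER = r"C:\Windows\explorer.exe"
REFLECT = r"C:\Program Files\Macrium\Reflect\Reflect.exe"
BACKUP_BAT = r"C:\Scripts\backup.bat"

FILES: Dict[str, bytes] = {
    EXPLORER: b"MZ explorer.exe (constructed bytes)",
    REFLECT: b"MZ Reflect.exe (constructed bytes)",
    BACKUP_BAT: b'@echo off\r\n"C:\\Program Files\\Macrium\\Reflect\\Reflect.exe" -e -w C:\\backups\\sys.xml\r\n',
}


def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class TrustList:
    """Two ways to trust a file, as the thread describes them."""
    by_hash: Set[str] = field(default_factory=set)  # default: trust these exact bytes
    by_path: Set[str] = field(default_factory=set)  # 'trust by name': trust whatever sits at the path

    def trust_file(self, path: str, files: Dict[str, bytes], by_name: bool = False) -> None:
        if by_name:
            self.by_path.add(path.lower())
        else:
            self.by_hash.add(file_hash(files[path]))

    def is_trusted(self, path: str, files: Dict[str, bytes]) -> bool:
        return path.lower() in self.by_path or file_hash(files[path]) in self.by_hash


@dataclass
class Process:
    path: str
    parent: Optional["Process"] = None


def classify(proc: Process, trust: TrustList, files: Dict[str, bytes]) -> str:
    """Return 'trusted' or 'sandboxed' for a process.

    Rule from the thread: a trusted file started by a trusted parent runs trusted, but a
    trusted file started by a sandboxed (unrecognised) parent inherits the sandbox, so that
    malware cannot borrow a trusted program to do its work. The check walks up the tree.
    """
    if proc.parent is not None and classify(proc.parent, trust, files) == "sandboxed":
        return "sandboxed"
    return "trusted" if trust.is_trusted(proc.path, files) else "sandboxed"


def scenario() -> Dict[str, str]:
    """Replay the Macrium-from-a-batch-file situation and the two ways of fixing it."""
    files = dict(FILES)
    trust = TrustList()
    trust.trust_file(EXPLORER, files)
    trust.trust_file(REFLECT, files)  # Macrium Reflect is on the trusted list

    explorer = Process(EXPLORER)
    bat = Process(BACKUP_BAT, parent=explorer)  # user double-clicks the script
    reflect = Process(REFLECT, parent=bat)      # script launches Macrium

    results = {}
    results["reflect_from_explorer"] = classify(Process(REFLECT, parent=explorer), trust, files)
    results["reflect_from_unrecognised_bat"] = classify(reflect, trust, files)

    # Fix 1: trust the script by hash. Holds only until the script is edited.
    trust.trust_file(BACKUP_BAT, files)
    results["after_hash_trust"] = classify(reflect, trust, files)
    files[BACKUP_BAT] += b"rem tidy up old images\r\n"   # any edit changes the hash
    results["after_edit_with_hash_trust"] = classify(reflect, trust, files)

    # Fix 2: 'trust by name' survives edits, at the price of trusting anything at that path.
    trust.trust_file(BACKUP_BAT, files, by_name=True)
    results["after_edit_with_name_trust"] = classify(reflect, trust, files)
    files[BACKUP_BAT] = b"@echo off\r\ndel /s /q C:\\*.*\r\n"  # something else overwrote the script
    results["overwritten_script_with_name_trust"] = classify(bat, trust, files)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:40} {verdict}")
```

The last step is the caveat a practitioner wants before ticking 'trust by name': path-based trust is only as strong as the write permissions on that path. If anything unrecognised can write to the folder holding the scripts, it can replace a trusted script with its own and inherit the trust, which is exactly the situation the inherited-sandbox rule exists to prevent. Keeping the scripts in a location writable only by an administrator account makes the trade-off reasonable.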

mouse1

  • Global Moderator
  • Comodo's Hero
As a further thought it can be that sandbox notifications are hidden by the larger D+ alerts. You can move the D+ alerts to one side to see.

Also I have occasionally seen sandbox notifications time out before display on slow XP systems. Basically CIS prioritises defending your computer if cpu time is scarce. Unfortunately notification timeout cannot be adjusted - I have requested this.

Best wishes

Mouse

Alan Borer

  • Comodo's Hero
It may be that Palemoon is getting sandboxed, and thus everything that runs in its context is. To try to work out what is happening, we'll need to have a look at your full active process list and D+ event logs after a reboot, with Palemoon and add-ons running. Alternatively maybe you have an installation problem (see below), or maybe some software is causing a buffer overflow by being run in a 64bit browser. Generally I would not expect a 32 bit add-on to work reliably in a 64 bit browser.
Possibly true, but the addons ColorfulTabs and TabUtilities installed and ran without any Sandbox aggravation,
whilst LastPass and Xmarks could only install if the sandbox was disabled.
My focus is on the fact that the two which had no aggravation did not meddle with Windows, they only affected the Browser Display,
but the two which needed the Sandbox disabled must protect all my passwords and all my Bookmarks,
and may possibly write data into "protected space".
I could launch and use Palemoon with Sandbox protection active, I only had to disable the Sandbox after selecting the Addon but before clicking "Install".

I have in fact tried both Palemoon x32 and also Palemoon x64, with identical results.
Quote
AFAIK.
Batch files can do enormous damage. How about a batch file that does del *.* /s.
Yes
Yes, so to avoid this you need to tick the box that says 'trust by name'. Then any file by that name on that path will be trusted.
Agreed, but I will be content if I can designate a *.BAT file to be trusted because I know I did not use del *.* /s
Quote
I think it means hide all this type of alert in future, but I have never used it so I am not sure. Did you tick this?
No, I definitely did not tick that.
I find out the potential consequences of an action before I take action.
Quote
It removes it from the unrecognised files list, which means you will get an alert next time it is sandboxed. It does not make it trusted.
Thanks.
Quote
I don't think so. This is probably determined by what file is listed to handle the .html file type in file associations. Or possibly bearing in mind all the above you have an installation problem. We can guide you on re-installation if you wish, but probably best to understand more what is going on first.
Here is a link to help just in case: http://help.comodo.com/topic-72-1-284-2942-Introduction-to-Comodo-Internet-Security.html
Thanks for the advice and the link
I was going to check my file associations for html as you suggest,
but I then looked closer at your link and it concludes with .html
Your link works in Palemoon so I guess my file associations are as they should be.

I do not think large D+ alerts have been occurring, which I assume is because Sandbox does not allow such "danger" to arise.

Regards
Alan

mouse1

  • Global Moderator
  • Comodo's Hero
Possibly true, but the addons ColorfulTabs and TabUtilities installed and ran without any Sandbox aggravation,
whilst LastPass and Xmarks could only install if the sandbox was disabled.
My focus is on the fact that the two which had no aggravation did not meddle with Windows, they only affected the Browser Display,
but the two which needed the Sandbox disabled must protect all my passwords and all my Bookmarks,
and may possibly write data into "protected space".
I could launch and use Palemoon with Sandbox protection active, I only had to disable the Sandbox after selecting the Addon but before clicking "Install".
Yes, whether the sandbox prevents operation or not depends on what the executable does and how it does it.

Quote
I have in fact tried both Palemoon x32 and also Palemoon x64, with identical results.
OK

Quote
I do not think large D+ alerts have been occurring, which I assume is because Sandbox does not allow such "danger" to arise.
The large alerts are simply D+ alerts. Some still may occur when the sandbox is active, though very few. The guide to the sandbox in my signature may help you understand the sandbox.

If you post your active process list and D+ logs we may be able to help more

Best wishes

Mouse

Alan Borer

  • Comodo's Hero
Thanks for your signature sandbox guide.

I am now headed for bed, but intend to post logs tomorrow.

Regards
Alan

mouse1

  • Global Moderator
  • Comodo's Hero
Thanks for your signature sandbox guide.

I am now headed for bed, but intend to post logs tomorrow.

Regards
Alan


OK, away later today, so maybe Sunday before I can reply. Hope this is OK. Other mods may reply in my place though.

Mouse

Alan Borer

  • Comodo's Hero
I can export the Defense+ logs,
but cannot find any way to export or capture the active process list other than a screen snapshot of a very short-lived item.

I have nothing worth posting at this stage.

All I can see with Macrium is that you are correct.
When I have a new *.BAT file I get an alert that it is being sandboxed,
and unfortunately no clue is given that Macrium is consequently prevented from using VSS,
only an obscure Defense+ Log that states macrium/Reflect is sandboxed as partially limited.
After ignoring that alert I never get any other warning at all, unless I look in the logs.
It works as you say,
not as I want  >:-D

Regards
Alan

mouse1

  • Global Moderator
  • Comodo's Hero
I can export the Defense+ logs,
but cannot find any way to export or capture the active process list other than a screen snapshot of a very short-lived item.

I have nothing worth posting at this stage.

All I can see with Macrium is that you are correct.
When I have a new *.BAT file I get an alert that it is being sandboxed,
and unfortunately no clue is given that Macrium is consequently prevented from using VSS,
only an obscure Defense+ Log that states macrium/Reflect is sandboxed as partially limited.
After ignoring that alert I never get any other warning at all, unless I look in the logs.
It works as you say,
not as I want  >:-D

Regards
Alan


The logs may help, also the active process list. Re the active process list, yes a screenshot is the only way. Even if you cannot capture the precise moment an add-on is running, the APL will tell us what permissions the browser is running with. Also tell us about other programs which may be sandboxed or running with hybrid permissions.

Best wishes

Mouse

Alan Borer

  • Comodo's Hero
I give up.
This website wasted 1 hour of typing and compilation and threw it all away because it refused to accept the requested log which C.I.S. exported as htm.
It threw away my HTM
It threw away all that I typed.

I will not go through this again

Regards
Alan

mouse1

  • Global Moderator
  • Comodo's Hero

I give up.
This website wasted 1 hour of typing and compilation and threw it all away because it refused to accept the requested log which C.I.S. exported as htm.
It threw away my HTM
It threw away all that I typed.

I will not go through this again

Regards
Alan


Sorry you have had this frustration. Please note we are volunteers so have no control over the web site!

If you can bear to continue, you should find the html file still there. You unfortunately need to zip it to append it. (Sorry I did not mention this - a jpeg screenshot - which is what I refer to above does not need to be zipped).

Don't worry about the explanation, just append the files and we will try to sort it out from there.

Best wishes

Mouse
