D+ Engine could not able to intercept malware properly

[Guest]

[foxman]

It does, the problem is you hit allow on the first one!

There we go again.... hey man, this guy is LAUNCHING an INSTALLATION program! So what did you expect? wanna install something and then tell D+ to block it???  While I am using CIS3.9 and love it, still think Comodo could/should something about this kind of passing the ball back to user situation.... and my threatcast still not working... dang...

[foxman]

Yep. Thats our bug fixed version to be released soon. It will address some of the issues with antivirus engine.

UUH!!  Can't wait... hope it fixed the threatcast problem also!

[egemen]

UUH!!  Can't wait... hope it fixed the threatcast problem also!

We are working on TC problem.

[J2897]

I think the problem could be very similar to this harsha_mic... (See Screenshot)

Though I wouldn't worry about your System (if you are that is), 'Sandboxie' is a great program! 

[J2897]

i'm using proactive internet security and more importantly i could able to see below entry under D+ --> My Protected Files = %windir%\system32\*. So, logically i guess an alert or entry should be blocked. or else am i missing some thing??

The install.exe did not try to access this Path...

%windir%\system32\

Because it was running in the Sandbox, it tried to access this Path instead...

C:\Sandbox\Harsha\DefaultBox\drive\C\WINDOWS\

It seems that 'Sandboxie' allows it to make changes INSIDE the Sandbox, and then Defense+ Stops it because it thinks its about to try to do something OUTSIDE of the Sandbox.

This would explain why you saw the Host File had changed INSIDE the Sandbox.

I could be wrong, I'm just guessing here... 


Hope this helps.

[EricJH]

Yep. Thats our bug fixed version to be released soon. It will address some of the issues with antivirus engine.

Soon? When?

[harsha_mic]

Thanks Egemen and J2045 for your kind analysis and replys...

Good news is that CIS could able to intercept properly outside the sanboxie... But i still wanted to get clarifed on some questions -

1. Is that BO alert came from Antivirus or Image Exec Ctrl Settings --> Detect Shell Code? Bcoz i have disabled real time virus scanner and using NOD32 for real time.

The install.exe did not try to access this Path...
%windir%\system32\
Because it was running in the Sandbox, it tried to access this Path instead...
C:\Sandbox\Harsha\DefaultBox\drive\C\WINDOWS\
It seems that 'Sandboxie' allows it to make changes INSIDE the Sandbox, and then Defense+ Stops it because it thinks its about to try to do something OUTSIDE of the Sandbox.

This would explain why you saw the Host File had changed INSIDE the Sandbox.

2. If thats the case then how come it got alerted for sysgaurd.exe when it tried to create [at] c:\Sandbox\Harsha\DefaultBox\drive\C\...\.. path but not for host file changes

Thanks,
Harsha.

[OmeletParty]

1. Is that BO alert came from Antivirus or Image Exec Ctrl Settings --> Detect Shell Code? Bcoz i have disabled real time virus scanner and using NOD32 for real time.

It came from D+ Detect Shell Code

2. If thats the case then how come it got alerted for sysgaurd.exe when it tried to create [at] c:\Sandbox\Harsha\DefaultBox\drive\C\...\.. path

You could try adding Sandbox folder to My protected files/folders.
Also Detection for this rouge with CAV's has been added!

[harsha_mic]

Omletguy,

I believe you did not understand my 2nd question clearly i guess. i have updated it again....nywayz here it is --
Why CIS alerted only for file creation (sysguard.exe) but not for host file changes even though their path is same for the both C:\Sandbox\Harsha\DefaultBox\drive\C\WINDOWS\ which is not in the My Protected Files List. Or else am i missing something?

Thanks,
Harsha.

[OmeletParty]

That alert you get is the installer reading the real windows folder

you see sandboxie lets anything running in it read outside folders but cant change them all changes happen in sanboxie folder thats not protected.

Hope this explains it!

[harsha_mic]

Ok! Omletguy...ThanX for the explanation..

[Tags:]