bypass sandbox (partially limited)

[Guest]

[a256886572008]

System: XP SP3

Configuration: Internet Security

Mode: Safe mode

sandbox:enabled

Treat unrecognized files as: partially limited

Automatically quarantine threats found during scannig

GMER:



defense+  logs:

2010-11-13 15:47:45   C:\Documents and Settings\Roger\桌面\virus\1289589994\1289589994.exe   Sandboxed As   Partially Limited  

2010-11-13 15:47:46   C:\Documents and Settings\Roger\桌面\virus\1289589994\1289589994.exe   Modify File   C:\Documents and Settings\Roger\Local Settings\Temp\564.tmp  

2010-11-13 15:47:53   C:\Documents and Settings\Roger\桌面\virus\1289589994\1289589994.exe   Modify Key   HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations  

2010-11-13 15:49:01   C:\Documents and Settings\Roger\桌面\virus\1289589994\1289589994.exe   Scanned Online and Found Malicious      

-------------------------------------
antivirus logs:

2010-11-13 15:49:01   C:\Documents and Settings\Roger\桌面\virus\1289589994\1289589994.exe   CloudBehavior.Suspicious[at]1   Detect   Success  

2010-11-13 15:49:01   C:\Documents and Settings\Roger\桌面\virus\1289589994\1289589994.exe   CloudBehavior.Suspicious[at]1   Quarantine   Success

------------------------------------
CIMA:
http://camas.comodo.com/cgi-bin/submit?file=4f63010477941a57f8e2e997b7c40136fc7a16dc2a2eafe86e99986cbb89075f

[a256886572008]

OA block this action.

[languy99]

You should have gotten a pop up from CIS regarding a com interface asking for spooler access. Can you give me the file to test.

[a256886572008]

You should have gotten a pop up from CIS regarding a com interface asking for spooler access. Can you give me the file to test.

The virus was  sandboxed automatically by COMODO.

There is no pop up from CIS.

[languy99]

I just tested stock install. Got an alert from D+ for a pseudo-com interface wanting to access windows print spooler service. Clicked block.

Then I get a AV alert from the cloud.

Lastly and alert from the firewall stating an malicious item wants to access the internet. 

[a256886572008]

I just tested stock install. Got an alert from D+ for a pseudo-com interface wanting to access windows print spooler service. Clicked block.

Then I get a AV alert from the cloud.

Lastly and alert from the firewall stating an malicious item wants to access the internet.  

Does CIS sandbox the virus with partially limited in your computer?

[a256886572008]

I test the virus again.

double click on the virus

1.Treat unrecognized files as partially limited

failed to block the action of the virus





2.Treat unrecognized files as limited

block the action of the virus successfully

[tommymacangel]

IMO maybe they must add an heuristic danger indice for unknown PE like KIS 

Exemple: indice less 15 => "autosandboxed" at "partially limited"
indice 15-35 => limited
etc
50-80=> unstrusted
80-100=> blocked

Executing all unknwon PE with the same limitations is not the best thing for me, bit it's only my opinion

[tommymacangel]

a256886572008, could you test this sample on x64? i'm curious

[a256886572008]

a256886572008, could you test this sample on x64? i'm curious

My computer is not a x64 system.

[Syl]

seems like another problem with x64  ^^;

[Luc[y]]

all can bypass comodo, it isnt a big issues 

[a256886572008]

Treat unrecognized files as partially limited

1.right click on the virus



2.choose "Run in COMODO sandbox"

3.COMODO blocks the action of the virus successfully.

defense+  logs:
2010-11-13 19:27:24   C:\Documents and Settings\Roger\桌面\virus\1289589994\1289589994.exe   Direct Disk Access   physicaldrive0   

firewall logs:
2010-11-13 19:27:19   C:\Documents and Settings\Roger\桌面\virus\1289589994\1289589994.exe   Asked   Out   TCP   114.44.236.161   44807   95.143.193.138   20480   

[languy99]

Does CIS sandbox the virus with partially limited in your computer?

yes it does. I don't know what you are doing but something is wrong with your install or settings. It is easily blocked in my computer with a stock install. I would check your D+ to make sure nothing is added to trusted lists and such.

Actually me and Egemen specifically worked on this issue to figure it out. What version of comodo are you running?

[Syl]

languy99, do you use a 64 bits OS ?

[Tags:]