Rouges can VERY easily bypass CIS 4, Even if Sandboxed!

[Guest]

[Josh™]

Windows 7, 32bit.
CIS Configuration: All Defaults. No other Security Software.

First of all, Cangratulations with the new CIS 4 release. The only issue I have at the moment is the Comodo Sandbox.

I have experienced 3 different rouge application, Not detected by the AV, Nor checked by Defense+ Malware Heuristic, and do not even get a "elevation alert" - COMODO sandboxes these rouge applications but they run anyway. Last night, I had a nasty rouge to the point I had to reinstall Windows - CIS 4 was CONSTANTLY Sandboxing a rouge process, over and over again... I could not get rid of it! CIS GUI didn't even start. I was forced to reinstall Windows. Off course this was for testing purposes.

I hope rouge applications are handled much better in the future, Because obviously applications/executables do need to pass security checks (Antivirus, Buffer overflow and Defense+ malware heuristic) to be sandboxed, but in this case, even if rouges are sandboxed, they run anyway.

Thanks
Tooby.

[disPPlay]

If  sandbox is enabled with virtualization is normal that the rogue run.

p.s: It's Rogue not Rouge

[brockey01]

then how is the fact that he had to reinstall windows?

[EricJH]

then how is the fact that he had to reinstall windows?

Then it was definitely malicious assuming he made the right decision to reinstall. But that is not usual rogue behaviour.

I would be interesting to know why System Restore and its powerful off line derivative would not be working. Reinstalling may be a lack of judgment in the mentioned light.

If it is not detected by the AV then I hope TS will submit the files to Comodo.

[MisterMooth]

https://forums.comodo.com/feedbackcommentsannouncementsnews-cis/cis-v4-not-bulletproof-t52435.0.html

[Josh™]

Whether the rogues run With File System/Registry Virtualization or or not, They still run and One of the rouges force you to reinstall Windows. CIS 4 won't even open up when one of the rogues are run.

See screen shot attatched for one of the rogues. The process sandboxed here is the rogue (See sandbox Alert), but freely runs... I could not get a screen shot for the other rouge, it prevents programs running including screen capturing, etc.

Anyway, It's not to say ALL rogues bypass CIS 4. If not detected by the AV, Defense+ Heuristic will alert you, or you will get a elevation prvilege alert... But still, tricky ones like these need to be addressed, especially when it bypasses the security checks (AV, D+ Heurstic, Buffer overflow...) And sandbox can't handle them properly.

Tooby.

[Lasse88]

Let me get this right, before an application goes into the sandbox, does it then have to go through the AV, and D+ before it's moved to the sandbox?

Or does it go in the sandbox, and is able to bypass both the AV and D+ from there?

[Josh™]

Let me get this right, before an application goes into the sandbox, does it then have to go through the AV, and D+ before it's moved to the sandbox?

Or does it go in the sandbox, and is able to bypass both the AV and D+ from there?

A application/executable goes through the security checks (Antivirus, Defense+ Malware Heuristic, Buffer overflow) before being auto sandboxed. If a exectuable passes these security checks, then it's sandboxed. Off course if a exectuable is on the Comodo's Safe list then auto sandboxing does not occur (or if you add it to "My Own Safe Files" or "My Trusted Software Vendors". 

In this case with these particular rogues, the rogue passed the security checks, and even if the rogue was sandboxed, it runs anyway.

Tooby.

[Josh™]

Okay, this time I right clicked the Rogue's and clicked "Run in COMODO Sandbox" and this prevented the Rogue's from running.

And also these Rogues I have are now detected by the AV, So I disabled the AV, and after Sandboxing the Rogues on-demand, I enabled the AV again and it was detecting a few of the Rogue's exectuables in C:\Sandbox folder, and could not remove them (AV was constantly detecting them... removed or not).

Atleast however now these are now caught by the AV. But there are MANY Rogues out there and no AV can detect them all. While in the mean time, the Comodo AV can't detect them, Sandbox then can't handle them properly when auto-sandboxed, atleast on-demand sandbox can. I hope the developers look into this. I understand Comodo are new to the Sandboxing world, Just like Avast! and Kaspersky... So I hope in a month or so, these flaws, along with many other reported flaws here in the Sandbox, will be fixed.

Tooby.

[metalforlife]

The problem seems to be with automatic sandboxing. I tested 10 different rogues against the sandbox by adding all of them to "Programs in the sandbox", and none were able to do any damage.

If you set the security level to Untrusted, the rogues don't run even.

[egemen]

Automatic sandboxing does not enable automatic virtualization.

But automatically sandboxed applications:

1 - Can not modify any protected registry key
2 - Can not modify any protected file i.e. infect files
3 - Can not do any operations that require administrative privileges

So it can DROP files but can not modify or overwrite any protected files. Files can be dropped but they can not harm the system by doing any of the 3 operations mentioned above.

In your case, its files are there but thats it.

Whether the rogues run With File System/Registry Virtualization or or not, They still run and One of the rouges force you to reinstall Windows. CIS 4 won't even open up when one of the rogues are run.

See screen shot attatched for one of the rogues. The process sandboxed here is the rogue (See sandbox Alert), but freely runs... I could not get a screen shot for the other rouge, it prevents programs running including screen capturing, etc.

Anyway, It's not to say ALL rogues bypass CIS 4. If not detected by the AV, Defense+ Heuristic will alert you, or you will get a elevation prvilege alert... But still, tricky ones like these need to be addressed, especially when it bypasses the security checks (AV, D+ Heurstic, Buffer overflow...) And sandbox can't handle them properly.

Tooby.

[MisterMooth]

Automatic sandboxing does not enable automatic virtualization.

But automatically sandboxed applications:

1 - Can not modify any protected registry key
2 - Can not modify any protected file i.e. infect files
3 - Can not do any operations that require administrative privileges

So it can DROP files but can not modify or overwrite any protected files. Files can be dropped but they can not harm the system by doing any of the 3 operations mentioned above.

In your case, its files are there but thats it.

Then how do you explain what happened to my PC?

[Josh™]

Automatic sandboxing does not enable automatic virtualization.

But automatically sandboxed applications:

1 - Can not modify any protected registry key
2 - Can not modify any protected file i.e. infect files
3 - Can not do any operations that require administrative privileges

So it can DROP files but can not modify or overwrite any protected files. Files can be dropped but they can not harm the system by doing any of the 3 operations mentioned above.

In your case, its files are there but thats it.

Egemen,

Thanks for your response. But please understand: I was FORCED to reinstall windows when one of the Rouges was on my machine. You mention "In your case, its files are there but thats it" - This is a Rogue that is not simply dropping files and that's it. It's not just throwing a GUI in your face. I could NOT open up CIS 4 GUI to try and terminate and block the rogue, It even ran in Safe mode... let alone normal mode on startup. Comodo Dragon Browser did not even connect to the internet properly, I was forced to use IE instead. Some antimalware scanners such as Malwarebytes Anti-Malware did not install. You mention Automatic Sandboxed apps can't modify protected keys/files and do admin stuff...

Why did I need to reinstall Windows?
Why could't I use CIS 4 GUI properly?
MisterMooth also reported same issues as I have!
Is there a misconfiguration bug somewhere? Dunno... I will let you figure that one out.

Do you call this not harming the system? This is malicious behavior where SYSTEM malfunction has occurred with the symptoms I have mentioned. This is a MASSIVE inconvenience, Obviously CIS 4 is designed for mothers, But how will mothers deal with such Rogues causing such behavior? Because in the mean time, the AV will NOT detect them, It will bypass other security checks such as Defense+ Heuristic and Buffer overflow, And Sandbox let's them run and cause the symptoms (or similar too) mentioned above...

Tooby.

[Melih]

Tooby

would you be kind enough to PM/email this rogue so that we can check it out also.

thanks

Melih

[Josh™]

Tooby

would you be kind enough to PM/email this rogue so that we can check it out also.

thanks

Melih

Done & let me know your findings... or you can post your findings here or whatever.

Tooby.

[Tags:]