Author Topic: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!  (Read 18102 times)

Offline Josh™

  • Retired Moderator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1010
Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« on: March 04, 2010, 05:36:18 PM »
Windows 7, 32bit.
CIS Configuration: All Defaults. No other Security Software.

First of all, congratulations on the new CIS 4 release. The only issue I have at the moment is the Comodo Sandbox.

I have experienced 3 different rogue applications, not detected by the AV, nor checked by the Defense+ Malware Heuristic, and they do not even get an "elevation alert" - COMODO sandboxes these rogue applications but they run anyway. Last night, I had a nasty rogue to the point I had to reinstall Windows - CIS 4 was CONSTANTLY sandboxing a rogue process, over and over again... I could not get rid of it! The CIS GUI didn't even start. I was forced to reinstall Windows. Of course this was for testing purposes.

I hope rogue applications are handled much better in the future, because obviously applications/executables do need to pass security checks (Antivirus, Buffer overflow and Defense+ malware heuristic) to be sandboxed, but in this case, even if rogues are sandboxed, they run anyway.

Thanks
Tooby.

Learn from the past, live in the present, prepare for the future.

Offline disPPlay

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 843
  • WE <3 COMODO
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #1 on: March 04, 2010, 06:06:31 PM »
If the sandbox is enabled with virtualization, it is normal that the rogue runs.

p.s: It's Rogue not Rouge

Offline brockey01

  • Comodo Loves me
  • ****
  • Posts: 184
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #2 on: March 04, 2010, 06:10:41 PM »
Then how is it that he had to reinstall Windows?

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19268
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #3 on: March 04, 2010, 08:32:55 PM »
Then how is it that he had to reinstall Windows?
Then it was definitely malicious, assuming he made the right decision to reinstall. But that is not usual rogue behaviour.

It would be interesting to know why System Restore and its powerful offline derivative would not be working. Reinstalling may be a lack of judgment in the mentioned light.

If it is not detected by the AV then I hope TS will submit the files to Comodo. 88) O0


Offline Josh™

  • Retired Moderator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1010
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #5 on: March 05, 2010, 01:12:11 AM »
Whether the rogues run with File System/Registry Virtualization or not, they still run, and one of the rogues forces you to reinstall Windows. CIS 4 won't even open up when one of the rogues is run.

See the screenshot attached for one of the rogues. The process sandboxed here is the rogue (see the sandbox alert), but it runs freely... I could not get a screenshot for the other rogue; it prevents programs from running, including screen capturing, etc.

Anyway, it's not to say ALL rogues bypass CIS 4. If not detected by the AV, the Defense+ Heuristic will alert you, or you will get an elevation privilege alert... But still, tricky ones like these need to be addressed, especially when they bypass the security checks (AV, D+ Heuristic, Buffer overflow...) and the sandbox can't handle them properly.

Tooby.

« Last Edit: March 05, 2010, 01:41:45 AM by Tooby »
Learn from the past, live in the present, prepare for the future.

Offline Lasse88

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 441
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #6 on: March 05, 2010, 05:55:29 AM »
Let me get this right, before an application goes into the sandbox, does it then have to go through the AV, and D+ before it's moved to the sandbox?

Or does it go in the sandbox, and is able to bypass both the AV and D+ from there?
"Wise men speak because they have something to say; Fools because they have to say something." - Plato
"It is better not to speak and be thought a fool, then to open your mouth and remove all doubt." - Mark Twain
"I Reject your reality and substitute my own" - Adam Savage (Mythbusters)

Offline Josh™

  • Retired Moderator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1010
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #7 on: March 05, 2010, 08:00:12 AM »
Let me get this right, before an application goes into the sandbox, does it then have to go through the AV, and D+ before it's moved to the sandbox?

Or does it go in the sandbox, and is able to bypass both the AV and D+ from there?

An application/executable goes through the security checks (Antivirus, Defense+ Malware Heuristic, Buffer overflow) before being auto-sandboxed. If an executable passes these security checks, then it's sandboxed. Of course, if an executable is on Comodo's Safe list then auto-sandboxing does not occur (or if you add it to "My Own Safe Files" or "My Trusted Software Vendors").

In this case with these particular rogues, the rogue passed the security checks, and even if the rogue was sandboxed, it runs anyway.

Tooby.
« Last Edit: March 05, 2010, 08:05:02 AM by Tooby »
Learn from the past, live in the present, prepare for the future.

Offline Josh™

  • Retired Moderator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1010
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #8 on: March 05, 2010, 06:43:02 PM »
Okay, this time I right-clicked the rogues and clicked "Run in COMODO Sandbox", and this prevented the rogues from running.

And also, these rogues I have are now detected by the AV. So I disabled the AV, and after sandboxing the rogues on-demand, I enabled the AV again, and it was detecting a few of the rogues' executables in the C:\Sandbox folder and could not remove them (the AV was constantly detecting them... removed or not).

At least, however, these are now caught by the AV. But there are MANY rogues out there and no AV can detect them all. In the meantime, while the Comodo AV can't detect them, the sandbox can't handle them properly when auto-sandboxed; at least the on-demand sandbox can. I hope the developers look into this. I understand Comodo are new to the sandboxing world, just like Avast! and Kaspersky... So I hope in a month or so, these flaws, along with many other reported flaws here in the Sandbox, will be fixed.

Tooby.
Learn from the past, live in the present, prepare for the future.

Offline metalforlife

  • Comodo's Hero
  • *****
  • Posts: 344
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #9 on: March 05, 2010, 08:26:50 PM »
The problem seems to be with automatic sandboxing. I tested 10 different rogues against the sandbox by adding all of them to "Programs in the sandbox", and none were able to do any damage.

If you set the security level to Untrusted, the rogues don't even run.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3317
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #10 on: March 05, 2010, 11:08:51 PM »
Automatic sandboxing does not enable automatic virtualization.

But automatically sandboxed applications:

1 - Can not modify any protected registry key
2 - Can not modify any protected file i.e. infect files
3 - Can not do any operations that require administrative privileges

So it can DROP files but can not modify or overwrite any protected files. Files can be dropped but they can not harm the system by doing any of the 3 operations mentioned above.

In your case, its files are there but that's it.

Whether the rogues run with File System/Registry Virtualization or not, they still run, and one of the rogues forces you to reinstall Windows. CIS 4 won't even open up when one of the rogues is run.

See the screenshot attached for one of the rogues. The process sandboxed here is the rogue (see the sandbox alert), but it runs freely... I could not get a screenshot for the other rogue; it prevents programs from running, including screen capturing, etc.

Anyway, it's not to say ALL rogues bypass CIS 4. If not detected by the AV, the Defense+ Heuristic will alert you, or you will get an elevation privilege alert... But still, tricky ones like these need to be addressed, especially when they bypass the security checks (AV, D+ Heuristic, Buffer overflow...) and the sandbox can't handle them properly.

Tooby.
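The three restrictions egemen lists above describe a default-deny policy: an automatically sandboxed process keeps running and may drop files, but writes to protected registry keys, writes to protected files, and operations needing administrative rights are refused. The following is an added illustration of that policy model as a small checker, written for this thread; it is not CIS code and does not claim to reflect how CIS implements its lists. The protected prefixes, the operation names and the sample trace are constructed assumptions. It also adds one caveat the posts do not spell out: a prefix-based policy is only as good as its path canonicalisation (case, slash direction, `..` segments), so the checker normalises before comparing.

```python
"""
Toy model of the restriction set egemen describes for automatically
sandboxed applications: the process may still run and drop files, but
may not (1) modify protected registry keys, (2) modify protected files,
or (3) perform operations that require administrative privileges.

Constructed illustration for this thread; not CIS code. The protected
sets, operation names and sample trace below are assumptions.
"""
from dataclasses import dataclass
import ntpath

# Assumed protected locations (constructed; a real product ships far longer lists).
PROTECTED_FILE_PREFIXES = (
    r"C:\Windows",
    r"C:\Program Files",
)
PROTECTED_REGISTRY_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SYSTEM\CurrentControlSet\Services",
)
# Operations treated as requiring administrative rights regardless of target (assumed).
ADMIN_OPERATIONS = {"create_service", "load_driver", "write_mbr"}


@dataclass(frozen=True)
class Operation:
    kind: str        # "file_write", "registry_write", or an admin operation name
    target: str = ""


def _canonical(path: str) -> str:
    """Canonicalise a Windows-style path before prefix matching.
    Without this, 'c:/windows/../WINDOWS/x.dll' or mixed case would slip past a
    naive startswith() check; canonicalisation is what makes a prefix policy hold."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def _under(path: str, prefixes) -> bool:
    """True if the canonical path equals or lies beneath any canonical prefix."""
    p = _canonical(path)
    for prefix in prefixes:
        q = _canonical(prefix)
        if p == q or p.startswith(q + "\\"):
            return True
    return False


def evaluate(op: Operation) -> tuple[bool, str]:
    """Return (allowed, reason) for one operation attempted by a sandboxed process."""
    if op.kind in ADMIN_OPERATIONS:
        return False, "rule 3: requires administrative privileges"
    if op.kind == "registry_write":
        if _under(op.target, PROTECTED_REGISTRY_PREFIXES):
            return False, "rule 1: protected registry key"
        return True, "unprotected registry key"
    if op.kind == "file_write":
        if _under(op.target, PROTECTED_FILE_PREFIXES):
            return False, "rule 2: protected file"
        return True, "file dropped outside protected locations"
    return False, "unknown operation kind (default deny)"


def audit(ops):
    """Evaluate a sequence of operations, print a verdict line for each,
    and return the list of operations that were denied."""
    denied = []
    for op in ops:
        allowed, reason = evaluate(op)
        print(f"{'ALLOW' if allowed else 'DENY '} {op.kind:15} {op.target!r:62} {reason}")
        if not allowed:
            denied.append(op)
    return denied


# Constructed trace: the kinds of writes a dropped executable might attempt.
SAMPLE_TRACE = [
    Operation("file_write", r"C:\Sandbox\dropped.exe"),                        # allowed: plain drop
    Operation("file_write", r"C:\Users\Public\helper.dll"),                     # allowed: unprotected
    Operation("file_write", r"c:/windows/../WINDOWS/system32/helper.dll"),      # denied after canonicalisation
    Operation("registry_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\x"),  # denied: protected key
    Operation("registry_write", r"HKCU\Software\ExampleApp\Settings"),          # allowed: unprotected key
    Operation("create_service"),                                                # denied: admin operation
]

if __name__ == "__main__":
    audit(SAMPLE_TRACE)
```

Running it shows the pattern the thread is arguing about: every line of the trace that only drops or touches unprotected locations is allowed, so the process does "run", while the three categories egemen names are refused. The third trace entry is the edge case worth noting; it targets the same protected directory as a straightforward `C:\Windows\...` path and is denied only because the checker canonicalises before the prefix comparison.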



Offline MisterMooth

  • Comodo Loves me
  • ****
  • Posts: 123
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #11 on: March 05, 2010, 11:12:34 PM »
Automatic sandboxing does not enable automatic virtualization.

But automatically sandboxed applications:

1 - Can not modify any protected registry key
2 - Can not modify any protected file i.e. infect files
3 - Can not do any operations that require administrative privileges

So it can DROP files but can not modify or overwrite any protected files. Files can be dropped but they can not harm the system by doing any of the 3 operations mentioned above.

In your case, its files are there but that's it.


Then how do you explain what happened to my PC?

Offline Josh™

  • Retired Moderator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1010
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #12 on: March 05, 2010, 11:15:36 PM »
Automatic sandboxing does not enable automatic virtualization.

But automatically sandboxed applications:

1 - Can not modify any protected registry key
2 - Can not modify any protected file i.e. infect files
3 - Can not do any operations that require administrative privileges

So it can DROP files but can not modify or overwrite any protected files. Files can be dropped but they can not harm the system by doing any of the 3 operations mentioned above.

In your case, its files are there but that's it.


Egemen,

Thanks for your response. But please understand: I was FORCED to reinstall Windows when one of the rogues was on my machine. You mention "In your case, its files are there but that's it" - This is a rogue that is not simply dropping files and that's it. It's not just throwing a GUI in your face. I could NOT open up the CIS 4 GUI to try and terminate and block the rogue. It even ran in Safe mode... let alone normal mode on startup. The Comodo Dragon browser did not even connect to the internet properly; I was forced to use IE instead. Some antimalware scanners such as Malwarebytes Anti-Malware did not install. You mention automatically sandboxed apps can't modify protected keys/files and do admin stuff...

Why did I need to reinstall Windows?
Why couldn't I use the CIS 4 GUI properly?
MisterMooth also reported same issues as I have!
Is there a misconfiguration bug somewhere? Dunno... I will let you figure that one out.

Do you call this not harming the system? This is malicious behavior where SYSTEM malfunction has occurred with the symptoms I have mentioned. This is a MASSIVE inconvenience. Obviously CIS 4 is designed for mothers, but how will mothers deal with such rogues causing such behavior? Because in the meantime, the AV will NOT detect them, they will bypass other security checks such as the Defense+ Heuristic and Buffer overflow, and the Sandbox lets them run and cause the symptoms mentioned above (or similar ones)...

Tooby.
« Last Edit: March 06, 2010, 08:17:59 AM by Tooby »
Learn from the past, live in the present, prepare for the future.

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 13553
    • Video Blog
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #13 on: March 05, 2010, 11:17:36 PM »
Tooby

would you be kind enough to PM/email this rogue so that we can check it out also.

thanks

Melih

Offline Josh™

  • Retired Moderator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1010
Re: Rouges can VERY easily bypass CIS 4, Even if Sandboxed!
« Reply #14 on: March 05, 2010, 11:38:31 PM »
Tooby

would you be kind enough to PM/email this rogue so that we can check it out also.

thanks

Melih

Done & let me know your findings... or you can post your findings here or whatever.

Tooby.
Learn from the past, live in the present, prepare for the future.
