Author Topic: Auto sandbox bat file of cis  (Read 3146 times)

Offline Liron

  • Product Translator
  • Comodo's Hero
  • *****
  • Posts: 372
Auto sandbox bat file of cis
« on: January 25, 2017, 02:07:12 PM »
Hello,

I always get messages about auto isolation of bat files. (see screenshot).

It appears they belong to CIS but are not recognized. Is it normal?

I have default settings.

Thanks ahead.
Win 10 Pro 64 bit

Offline morphiusz

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3082
    • Suspicious file?

Offline Liron

  • Product Translator
  • Comodo's Hero
  • *****
  • Posts: 372
Win 10 Pro 64 bit

Offline Liron

  • Product Translator
  • Comodo's Hero
  • *****
  • Posts: 372
Re: Auto sandbox bat file of cis
« Reply #3 on: January 25, 2017, 02:58:03 PM »
It happens every time I open Chrome browser.

Does it say that my browser is infected??
Win 10 Pro 64 bit

Offline hkjoj

  • Comodo's Hero
  • *****
  • Posts: 492
Re: Auto sandbox bat file of cis
« Reply #4 on: January 26, 2017, 07:36:04 AM »
Hi,
It is an intended behavior.

See this: https://forums.comodo.com/news-announcements-feedback-cis/why-are-all-these-comodocreated-batch-files-getting-sandboxed-t117693.0.html

I don't think sandboxing CIS's own scripts is an intended behavior.  It is just like saying that sandboxing CIS's own executable files is an intended behavior (if it happens).
CIS should be smart enough to put its own scripts in trusted file list instead.

Offline Jon79

  • Comodo's Hero
  • *****
  • Posts: 1084
Re: Auto sandbox bat file of cis
« Reply #5 on: January 26, 2017, 10:47:41 AM »
Check here, reply #171 from egemen:

https://forums.comodo.com/news-announcements-feedback-cis/brand-new-comodo-internet-security-10-with-secure-shopping-is-released-t117514.0.html;msg847406#msg847406

This is a new feature we have introduced to catch fileless malware. Fileless malware uses script interpreters such as powershell.exe to execute code through the command line. There are various ways. What CIS 10 does is it catches embedded command lines and sandboxes them.
But while sandboxing them, we create a file out of them i.e. convert file-less scripts into files in C:\ProgramData\Comodo\Cis\tempscrpt. If is the command-line interpreter


CIS is not sandboxing itself. CIS converts a file-less script into a file, then sandboxes that file (created by CIS, but which belongs to another app, the app that generated the file-less script).

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 4289
Re: Auto sandbox bat file of cis
« Reply #6 on: January 26, 2017, 02:00:58 PM »
To see embedded code detection in action, open up a command prompt and run this:
Code:
cmd /C echo hello
or from a command prompt run:
Code:
powershell -Command Get-Date
You could then go to the tempscript directory to view the scripts and see that they contain the above commands echo hello and Get-Date.

Offline Liron

  • Product Translator
  • Comodo's Hero
  • *****
  • Posts: 372
Re: Auto sandbox bat file of cis
« Reply #7 on: January 27, 2017, 07:58:37 AM »

Yeah.. it's just the Adobe Acrobat Reader plugin..

Thanks.
Win 10 Pro 64 bit

Offline shmu26

  • Comodo's Hero
  • *****
  • Posts: 235
Re: Auto sandbox bat file of cis
« Reply #8 on: January 30, 2017, 08:51:05 AM »
This is a very impressive feature. I like it.

Offline shmu26

  • Comodo's Hero
  • *****
  • Posts: 235
Re: Auto sandbox bat file of cis
« Reply #9 on: January 31, 2017, 10:34:12 AM »
Does anyone know how code detection is triggered?
It doesn't happen every time you run a script.
For instance, if I open the command prompt and run "tasklist /SVC", or I open powershell and run "date", there is no code detection.

Offline qmarius

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3843
  • making simple things complicated
Re: Auto sandbox bat file of cis
« Reply #10 on: February 02, 2017, 02:21:16 PM »
TaskList is not an internal command. It's an external command supplied by an external executable.

Offline Karniaris

  • Comodo Family Member
  • ***
  • Posts: 98
Re: Auto sandbox bat file of cis
« Reply #11 on: February 05, 2017, 09:39:58 AM »
Hi,
it is very annoying that Comodo isolates "c_cmd.exe" and a pop-up window appears.

Is it possible to stop it??? 

How can I stop that the window shows that c_cmd is isolated?

Thank you for helping me.


Offline qmarius

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3843
  • making simple things complicated
Re: Auto sandbox bat file of cis
« Reply #12 on: February 05, 2017, 06:00:00 PM »

Normally, you check the unrecognized files (in File List). To be more exact, the ones located under %ProgramData%\COMODO\Cis\tempscrpt. If appropriate, you change its rating to Trusted. Optionally, you can submit it for whitelisting like any other file.
If you do experience problems and you are unable to solve these with the previous method, then you can disable the Detect embedded code detection option in HIPS.

Offline MatrixShield

  • Newbie
  • *
  • Posts: 20
Re: Auto sandbox bat file of cis
« Reply #13 on: March 01, 2017, 01:19:20 PM »
I've just encountered an annoying problem with this after installing CIS v10.

I was using the previous version but decided to upgrade to the latest and greatest by uninstalling the old version of CIS and installing this new version.

But now, every time that I start any Chrome-Based browser that I have installed the StickyPassword plugin to I get a notification about a batch file being sandboxed and I can't use the plugin.

It doesn't matter how many times I close and re-open the browser after setting the batch file to trusted.  Every new execution of the browser ends up with a new unique batch file.

I have looked into the Detect Embedded Code Injection but I don't even have HIPS enabled.  Tried disabling it anyway but it made no difference.


The plugin is trusted by Comodo, just as the whole of StickyPassword is.  But this is stopping the plugin from being able to "Talk" with the main program so the plugin doesn't work.

A little help to stop this would be great as I have lost all functionality and access to my database due to this behaviour.

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 4289
Re: Auto sandbox bat file of cis
« Reply #14 on: March 02, 2017, 10:31:17 AM »

Your best bet would be to create an ignore auto-sandbox rule. You can do this by typing in the file location box under criteria: C:\ProgramData\Comodo\Cis\tempscrpt\*.bat

This rule will prevent the auto-sandbox from sandboxing bat files created by the chrome extension.
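
Added example, not part of the thread and not Comodo's code: since the ignore rule above matches every .bat file in that directory, this PowerShell function groups the generated scripts by content hash and previews each distinct command line, so you can see what is being captured before trusting or ignoring it. The directory is the one quoted in the thread; the function name Get-TempScriptSummary is hypothetical.

```powershell
# Added example: summarise the scripts CIS wrote out from embedded command lines.
# Assumption: the directory is the one named in the thread; pass -Path if yours differs.
function Get-TempScriptSummary {
    param(
        [string]$Path = (Join-Path $env:ProgramData 'Comodo\Cis\tempscrpt'),
        [int]$PreviewLines = 5
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Directory not found: $Path"
        return
    }

    # Hash every file so identical command lines saved under different
    # file names collapse into a single group.
    $hashed = foreach ($f in Get-ChildItem -LiteralPath $Path -File) {
        $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256
        [pscustomobject]@{
            Name    = $f.Name
            Created = $f.CreationTime
            Hash    = $h.Hash
            Path    = $f.FullName
        }
    }

    $hashed | Group-Object Hash | Sort-Object Count -Descending | ForEach-Object {
        # @() keeps a one-file group indexable as an array.
        $sorted = @($_.Group | Sort-Object Created)
        $newest = $sorted[-1]
        [pscustomobject]@{
            Copies    = $_.Count
            FirstSeen = $sorted[0].Created
            LastSeen  = $newest.Created
            NewestFile = $newest.Name
            SHA256    = $_.Name
            # First few lines of the captured command line, joined for display.
            Preview   = (Get-Content -LiteralPath $newest.Path -TotalCount $PreviewLines) -join ' | '
        }
    }
}

Get-TempScriptSummary | Format-List
```

A high Copies count means the same command line is being re-captured under new file names; many single-copy groups with near-identical previews mean the command line itself changes on each launch, which is why rating one file Trusted does not carry over to the next.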

 
