Author Topic: Auto sandbox bat file of cis  (Read 3232 times)

Offline qmarius

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3843
  • making simple things complicated
Re: Auto sandbox bat file of cis
« Reply #15 on: March 02, 2017, 12:40:31 PM »
I suspect it's a different issue/question (not related to current discussion) if disabling embedded code detection has no effect.

Offline MatrixShield

  • Newbie
  • *
  • Posts: 20
Re: Auto sandbox bat file of cis
« Reply #16 on: March 02, 2017, 07:11:39 PM »
Your best bet would be to create an ignore auto-sandbox rule. You can do this by typing in the file location box under criteria: C:\ProgramData\Comodo\Cis\tempscrpt\*.bat

This rule will prevent the auto-sandbox from sandboxing bat files created by the chrome extension.

Just tried doing as you suggested and it still occurs.

I even went so far as setting it to not virtualize access to the entire folder and its contents, but it still produces the popup stating that it has been sandboxed and prevents the extension from being able to talk with the main program.

I suspect it's a different issue/question (not related to current discussion) if disabling embedded code detection has no effect.

Starting to feel this way myself.
I'm going to look at getting a bug submitted for this and see what they say.

Thanks for your feedback, guys.

----------EDIT----------

I've just done some further testing and managed to stop this from happening.


I don't know if I have altered a setting, but this is dependent on the Enable Embedded Code Detection under HIPS, correct?

HIPS is disabled but Enable Embedded Code Detection was enabled (even though I had felt for sure that I had disabled it previously to test - possible that I may have clicked the cancel button by mistake).

I have disabled Embedded Code Detection again after removing the exclusion of the tempscrpt folder from virtualization and I no longer get this issue.

Note: This is with HIPS being disabled.  I can enable Embedded Code Detection to have this occur, and disable it to prevent it.

I am not sure if this is intended behaviour.  I assumed that disabling HIPS also disables all child features of HIPS.  But this now makes me a little wary of any risk of exposure to malicious scripts that Embedded Code Detection was designed to detect, especially as I never had a problem with this enabled in the previous version of CIS and that it seems to work independently of HIPS.

Any further information would be greatly appreciated.

Thanks in advance.
« Last Edit: March 02, 2017, 07:42:26 PM by MatrixShield »

Offline qmarius

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3843
  • making simple things complicated
Re: Auto sandbox bat file of cis
« Reply #17 on: March 02, 2017, 11:53:03 PM »
[...]
I am not sure if this is intended behaviour.  I assumed that disabling HIPS also disables all child features of HIPS.
[...]

It is intended behavior.


Hope it helps.

Offline qmarius

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3843
  • making simple things complicated
Re: Auto sandbox bat file of cis
« Reply #18 on: March 03, 2017, 12:01:50 AM »
(as untested alternative) You could try excluding "StickyPassword" from "Detect shellcode injections" option under HIPS. Could you kindly confirm if it works?

Offline MatrixShield

  • Newbie
  • *
  • Posts: 20
Re: Auto sandbox bat file of cis
« Reply #19 on: March 03, 2017, 08:51:59 AM »
It is intended behavior.


Hope it helps.

Thanks for clearing that up.  I assumed but assumed wrong :)  I'll have to bear this in mind if I run into any other oddities regarding other settings.  Thanks again.

(as untested alternative) You could try excluding "StickyPassword" from "Detect shellcode injections" option under HIPS. Could you kindly confirm if it works?

Just tested that right now.

I enabled "Embedded Code Detection" again and included the whole StickyPassword folder as an exclusion in "Detect Shellcode Injections".
Executed the browser and it still intercepted the script and sandboxed the batch file.  Extension not functional.

Closed the browser and executed it again after enabling HIPS itself.  I got a prompt asking me what I wanted to do with the batch file that was created so I allowed it.  The execution of the batch file continued but was sandboxed, as before.

I disabled HIPS again after closing the browser, executed the browser once more as a final test but same result.


It looks as if the only way to stop the StickyPassword extension from being blocked in a Chromium based browser is to disable "Embedded code Detection".  The StickyPassword extension doesn't encounter this issue in Firefox.

The batch file in "C:\ProgramData\Comodo\Cis\tempscrpt\" is "C_cmd.exe_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.bat" with the "x" being a random series of alphanumeric characters - a new file is created with every execution of the browser.

The script is as follows:
"C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://kaafoaobjaplofpihlhbcbcjhmgnjplf/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.xxxxxxxxxxxxxxxx > \\.\pipe\chrome.nativeMessaging.out.xxxxxxxxxxxxxxxx

The "x" here are alphanumeric characters that change for each new batch file created.


Solving this one could be a headache for the developers, but I'm sure they could crack it.  For now though, it looks like I just have to keep the "Embedded Code Detection" checkbox unticked for now.

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 907
  • 'Your best teacher, is your last mistake'
    • Security & Privacy
Re: Auto sandbox bat file of cis
« Reply #20 on: March 03, 2017, 09:11:32 AM »
Your best bet would be to create an ignore auto-sandbox rule. You can do this by typing in the file location box under criteria: C:\ProgramData\Comodo\Cis\tempscrpt\*.bat

This rule will prevent the auto-sandbox from sandboxing bat files created by the chrome extension.

This one worked for me

Offline shmu26

  • Comodo's Hero
  • *****
  • Posts: 235
Re: Auto sandbox bat file of cis
« Reply #21 on: March 08, 2017, 09:46:52 AM »
This one worked for me
Yes, it works, but a little too well. It defeats the entire command line protection.

Offline kronos

  • Product Translator
  • Comodo's Hero
  • *****
  • Posts: 265
Re: Auto sandbox bat file of cis
« Reply #22 on: March 22, 2017, 04:20:21 AM »
If the parent process is trusted and/or allowed, why are its scripts detected as unrecognized?

For example, with CIS 10 in Safe Mode I see the file C_powershell.exe_RANDOM_NUM.ps1:
Code:
"& """C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.VisualStudio.Debugger.JustInTime,version=15.0.26208.0\RegisterJustInTimeDebugger.ps1""" -Operation Uninstall -Inst

But Visual Studio is from Microsoft Corporation, that is a Trusted Vendor.
I'm seeing similar behaviours with git .exes, google drive nativeproxy.exe...
« Last Edit: March 22, 2017, 04:23:05 AM by kronos »

Offline qmarius

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3843
  • making simple things complicated
Re: Auto sandbox bat file of cis
« Reply #23 on: March 22, 2017, 08:07:50 AM »
That's because it does not identify the parent process.

@futuretech provided a nice explanation/scenario in a similar topic.
Embedded code detection is supposed to protect you when a trusted application is exploited to run another trusted application with command line arguments. Take for example Poweliks that executes the following:

Code:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell)).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")

Take note that rundll32.exe is a safe and trusted application that is being run to execute javascript code. Without embedded code detection, this will go unnoticed and Poweliks is able to maintain a persistent infection. To see this feature in action open a command prompt and paste the above code, and notice it will get sandboxed and/or HIPS alert.
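As an added example (not from this thread and not Comodo's code), here is the kind of triage a defender could run over the command lines CIS writes into tempscrpt: it recognises the Chrome native-messaging host launcher MatrixShield posted above, the rundll32 javascript: pattern qmarius quotes, and a .ps1 invocation like kronos's, and only auto-allows native hosts on a vetted list. The TRUSTED_HOSTS set, the sample strings and the abbreviated Visual Studio path are constructed assumptions.

```python
import re

# Constructed samples modelled on the command lines quoted in this thread;
# the "x" runs stand in for the random suffixes CIS shows in tempscrpt.
STICKY_PASSWORD_BAT = (
    r'"C:\Program Files (x86)\Sticky Password\spNMHost.exe" '
    'chrome-extension://kaafoaobjaplofpihlhbcbcjhmgnjplf/ --parent-window=0 '
    r'< \\.\pipe\chrome.nativeMessaging.in.xxxx > \\.\pipe\chrome.nativeMessaging.out.xxxx'
)
POWELIKS_STYLE = 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";...'
VS_JIT_PS1 = ('& """C:\\ProgramData\\Microsoft\\VisualStudio\\Packages\\...'
              '\\RegisterJustInTimeDebugger.ps1""" -Operation Uninstall')  # path abbreviated

# Hypothetical allow-list of vetted native messaging hosts: (host exe, extension id).
TRUSTED_HOSTS = {
    (r'c:\program files (x86)\sticky password\spnmhost.exe',
     'kaafoaobjaplofpihlhbcbcjhmgnjplf'),
}

# A native messaging launch: quoted host exe, chrome-extension:// origin, and
# stdin/stdout redirected to Chrome's nativeMessaging named pipes.
NATIVE_MSG_RE = re.compile(
    r'^"(?P<host>[^"]+\.exe)"\s+chrome-extension://(?P<ext>[a-p]{32})/\S*'
    r'.*<\s*\\\\\.\\pipe\\chrome\.nativeMessaging\.in\.\S+'
    r'\s*>\s*\\\\\.\\pipe\\chrome\.nativeMessaging\.out\.\S+$', re.IGNORECASE)
# A trusted binary handed script code directly on its command line (the Poweliks case).
INLINE_ENGINE_RE = re.compile(r'\brundll32(?:\.exe)?\s+javascript:', re.IGNORECASE)
# A script file on disk being invoked; its path and signer can be checked separately.
PS_SCRIPT_RE = re.compile(r'"+(?P<path>[a-z]:\\[^"]+\.ps1)"+', re.IGNORECASE)


def classify(cmdline: str) -> str:
    """Return one of: trusted_native_host, unknown_native_host,
    inline_script_engine, script_file, unclassified."""
    m = NATIVE_MSG_RE.match(cmdline.strip())
    if m:
        key = (m.group('host').lower(), m.group('ext').lower())
        return 'trusted_native_host' if key in TRUSTED_HOSTS else 'unknown_native_host'
    if INLINE_ENGINE_RE.search(cmdline):
        return 'inline_script_engine'
    if PS_SCRIPT_RE.search(cmdline):
        return 'script_file'
    return 'unclassified'


def needs_review(cmdline: str) -> bool:
    """Only vetted native hosts are auto-allowed; everything else stays contained."""
    return classify(cmdline) != 'trusted_native_host'
```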

Offline kronos

  • Product Translator
  • Comodo's Hero
  • *****
  • Posts: 265
Re: Auto sandbox bat file of cis
« Reply #24 on: March 22, 2017, 08:29:02 AM »
Thanks for the explanation.
I understand that it is difficult to automate anti-exploit features, but this way everything is limited (whether an app is exploited or not) until the user unblocks manually. This is not an anti-exploit.

The need is clear, but the realization shows great design flaws.
« Last Edit: March 22, 2017, 08:31:30 AM by kronos »

Offline DLW

  • Comodo Family Member
  • ***
  • Posts: 86
Re: Auto sandbox bat file of cis
« Reply #25 on: April 05, 2017, 10:35:27 PM »
Whilst I can see the merit of trapping unwanted and non-understood pieces of code, I don't think that creating a bat file within a folder structure which makes it clear to novices that it needs to be investigated is really that helpful.  First of all it is in a CIS\tempscrpt folder, which on the face of it suggests it might be something that CIS needs on a temporary basis.  Add to that the only option you have is to Unblock, which doesn't help the case much.  Even for somebody who might have some idea of what they are doing, the necessity to use an explorer to access the files is still fraught, as they could be kicked off by double clicking them.

If these files really are unsafe then put them in a folder which suggests just that and don't give them the ability to be run unless some specific and deliberate action is taken.

Offline shmu26

  • Comodo's Hero
  • *****
  • Posts: 235
Re: Auto sandbox bat file of cis
« Reply #26 on: April 12, 2017, 05:31:11 AM »
By default, the new version of Comodo turns off embedded code detection for cmd.exe.
This was causing most of the problems. So new users should be okay, until they get experienced enough to mess with the advanced protection settings.

Offline Varan-de-C0m0d0

  • Newbie
  • *
  • Posts: 11
Re: Auto sandbox bat file of cis
« Reply #27 on: April 10, 2019, 06:15:18 AM »
Hello!
Comodo CIS should be able to analyze its own .bat files that it creates to be able to put them on the whitelist so as not to generate an alert.
In addition, it should not take too much time to make a trusted whitelist based on the lines created and sorted by type and publisher.

Offline MatrixShield

  • Newbie
  • *
  • Posts: 20
Re: Auto sandbox bat file of cis
« Reply #28 on: July 11, 2019, 04:29:22 PM »
I seem to be getting this same problem again with "Application Contained: CMD has been blocked" but I can't find the setting for this in CIS v12.

Can somebody direct me to where this setting is now?
It was originally "Embedded Code Injection" but it no longer seems to exist, even though I have the same hiccup with it.

Offline Varan-de-C0m0d0

  • Newbie
  • *
  • Posts: 11
Re: Auto sandbox bat file of cis
« Reply #29 on: July 12, 2019, 07:02:58 AM »
Hello MatrixShield,

In the general window of CIS 12, there is "Applications blocked" ...

You click on it and you have the list of what CIS has blocked.

The problem is that if you allow for the future, it does not matter...
