a bug for the heuristic command-line analysis

I removed the symbol “|” from the rule.

I double clicked on the malware.

I viewed the Defense+ event:

2011-10-27 13:57:19 C:\Documents and Settings\Roger\桌面\virus\tl\tl.exe Sandboxed As Partially Limited

2011-10-27 13:57:42 C:\WINDOWS\system32\rundll32.exe Modify Key HKLM\SOFTWARE\Classes\CLSID{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}

Problem:
It is a bug for the heuristic command-line analysis.

The process is “C:\WINDOWS\system32\rundll32.exe”, not “C:\WINDOWS\java\classes\c6a9f62f.z”.

I checked the command line with Malware Defender:

2011/10/27 13:57:35 c:\documents and settings\roger\local settings\temp\28f.tmp Create new process c:\windows\system32\rundll32.exe Permitted [App]* Cmd line: rundll32 shell32,Control_RunDLL "C:\WINDOWS\java\classes\c6a9f62f.z"

FVS report:
https://valkyrie.comodo.com/Result.html?sha1=21c663dde8af099c7ac356fc041d37a65604389a&&query=1&&filename=tl.exe
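As an added example (not code from this thread, from Comodo or from Malware Defender), the following Python does the attribution that a heuristic command-line analysis is expected to do for a host binary like rundll32: it parses a process-creation line in the shape quoted above, and when the created process is rundll32.exe it resolves the module or file named on the command line so the action can be logged against that file rather than against rundll32.exe. The log-line regex, the `ProcessEvent` structure and the rundll32 command-line forms it handles are assumptions; it goes slightly beyond the post by also handling the plain `rundll32 <module>,<entry>` form, not only the `shell32,Control_RunDLL` case.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Process-creation line in the shape quoted above from Malware Defender; the
# regex below is an assumption about that format, not the tool's own parser.
SAMPLE_MD_LINE = (
    r'2011/10/27 13:57:35 c:\documents and settings\roger\local settings\temp\28f.tmp '
    r'Create new process c:\windows\system32\rundll32.exe Permitted [App]* '
    r'Cmd line: rundll32 shell32,Control_RunDLL "C:\WINDOWS\java\classes\c6a9f62f.z"'
)

MD_EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<parent>.+?) Create new process (?P<child>.+?) '
    r'(?P<verdict>Permitted|Blocked) .*?Cmd line: (?P<cmd>.*)$'
)


@dataclass
class ProcessEvent:
    timestamp: str
    parent: str
    child: str
    verdict: str
    cmdline: str
    actor: str  # path the action should be attributed to (hypothetical field)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths (with spaces) whole.
    A token may mix quoted and unquoted parts, e.g. "C:\\a b\\x.dll",Entry."""
    return [t.replace('"', '') for t in re.findall(r'(?:"[^"]*"|[^\s"])+', cmdline)]


def rundll32_payload(tokens: List[str]) -> Optional[str]:
    """For a rundll32 command line, return the module that actually runs.
    Forms handled:  rundll32 <module>,<entry> [args]
                    rundll32 shell32,Control_RunDLL <cpl-or-file>
    (a path that itself contains a comma is not handled)."""
    if len(tokens) < 2:
        return None
    module, _, entry = tokens[1].partition(",")
    if (entry.lower() == "control_rundll"
            and module.lower() in ("shell32", "shell32.dll")
            and len(tokens) >= 3):
        # Control_RunDLL only dispatches to the file named next on the line,
        # so that file, not shell32, is the code that does the work.
        return tokens[2]
    return module or None


def effective_actor(process: str, cmdline: str) -> str:
    """Attribute an action to the payload when the process is a host binary,
    otherwise to the process itself."""
    if ntpath.basename(process).lower() == "rundll32.exe":
        payload = rundll32_payload(tokenize(cmdline))
        if payload:
            return payload
    return process


def parse_md_event(line: str) -> Optional[ProcessEvent]:
    """Parse one process-creation line; None if it is not in the expected shape."""
    m = MD_EVENT_RE.match(line)
    if not m:
        return None
    actor = effective_actor(m["child"], m["cmd"])
    return ProcessEvent(m["ts"], m["parent"], m["child"], m["verdict"], m["cmd"], actor)


if __name__ == "__main__":
    ev = parse_md_event(SAMPLE_MD_LINE)
    print(f"process: {ev.child}\nattributed to: {ev.actor}")
```

Run on the quoted line, the created process is `c:\windows\system32\rundll32.exe` but the attributed actor is `C:\WINDOWS\java\classes\c6a9f62f.z`, which is the file a later registry-modification event would then be logged against.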

I’m not sure I’m getting it.
Why did you remove the |? It will cause sandboxed processes to have write access to %windir%.

And it’s still rundll32 that starts the malware. Are you saying you would prefer that CIS logged this as:

2011-10-27 13:57:42   C:\WINDOWS\system32\rundll32.exe;C:\WINDOWS\java\classes\c6a9f62f.z  Modify Key   HKLM\SOFTWARE\Classes\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}

If the user removes that one, the malware can create new files in the folder, but it cannot modify or delete original files in that folder.

Like this one:

2011-10-27 13:57:42 C:\WINDOWS\java\classes\c6a9f62f.z Modify Key HKLM\SOFTWARE\Classes\CLSID{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}

Yup sandboxed apps cannot modify an existing protected file.

Normally heuristics should sandbox the interpreter, container or equivalent, as I understand it. That’s what does the work. Though the alert refers to the code file to prevent user confusion.

Not sure why adding | causes the modify restriction; it was supposed just to add deposit protection.

Maybe it adds deposit restrictions and modify restrictions, but we just don’t see that unless the normal modify restriction fails.

Interesting and subtle one - can anyone replicate? You really do see a lot that others don’t - how did you manage to work out that might be a vulnerability? Need some of what you are on :)

Best wishes

Mouse

Maybe I’m not getting it, but I for one would definitely like to see it this way. If malware changes an unprotected file/folder then I would like to know so I can go back and undo it. But maybe I am just confused on this whole topic.