a bug for the sandbox level, "untrusted"

I viewed the description of the sandbox level, “untrusted”.

I double clicked on a malware.

I viewed the defense+ events.

2011-10-27 23:14:15 C:\Documents and Settings\Roger\桌面\virus\574-01\574-01.exe Sandboxed As Untrusted

2011-10-27 23:14:36 C:\Documents and Settings\All Users\Application Data\DIUULhYTmDbYe.exe Sandboxed As Untrusted

2011-10-27 23:14:40 C:\Documents and Settings\Roger\桌面\virus\574-01\574-01.exe Access Memory C:\Program Files\Opera\opera.exe

2011-10-27 23:14:40 C:\Documents and Settings\Roger\桌面\virus\574-01\574-01.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr

2011-10-27 23:14:40 C:\Documents and Settings\Roger\桌面\virus\574-01\574-01.exe Modify File C:\Documents and Settings\All Users\Application Data\DIUULhYTmDbYe.exe

…, etc

Problem:

The malware ran another process, but CIS auto sandbox did not block it.

:embarassed:

XP SP3 32bit

Can you test it w/ sandbox disabled?

Just run it to see if D+ gives any alert about “C:\Documents and Settings\Roger\桌面\virus\574-01\574-01.exe” trying to run an executable “C:\Documents and Settings\All Users\Application Data\DIUULhYTmDbYe.exe”?

If so, then this is a serious bug. Hope DEV can fix it asap.

I disabled the auto sandbox, and then double clicked on the malware.

Thanks for your test. :slight_smile: