A vulnerability for Comodo sandbox

1. A user runs an installer of the browser.

2. The user ticks this option and presses the finish button.

3. The user opens the malicious URL in the browser.

4. The result is that “the malwares are not sandboxed by CIS”

5. Process tree:
DragonSetup.exe (Trusted/Installer, not sandboxed) → dragon.exe (trusted, not sandboxed) → java.exe (trusted, not sandboxed) → javaw.exe (trusted, not sandboxed) → virus (unknown, not sandboxed)

This option is very dangerous for the users using Comodo sandbox.
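The process tree in step 5, as an added example that is not part of the original post: a short Python audit that takes process records and flags unknown-rated processes running unsandboxed, together with the installer ancestor they descend from. The record fields, the PIDs and the two extra processes are constructed for illustration; this is not Comodo's code or data format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    rating: str      # "installer", "trusted" or "unknown" (assumed labels)
    sandboxed: bool

# Constructed sample mirroring the process tree in the post (PIDs are made up).
SAMPLE = [
    Proc(100, 1, "DragonSetup.exe", "installer", False),
    Proc(200, 100, "dragon.exe", "trusted", False),
    Proc(300, 200, "java.exe", "trusted", False),
    Proc(400, 300, "javaw.exe", "trusted", False),
    Proc(500, 400, "virus", "unknown", False),
    Proc(600, 1, "explorer.exe", "trusted", False),   # unrelated branch
    Proc(700, 600, "tool.exe", "unknown", True),      # unknown but sandboxed
]

def ancestry(proc, by_pid):
    """Return the chain from the oldest known ancestor down to proc."""
    chain, seen = [proc], {proc.pid}
    # The 'seen' set guards against loops caused by PID reuse.
    while proc.ppid in by_pid and proc.ppid not in seen:
        proc = by_pid[proc.ppid]
        seen.add(proc.pid)
        chain.append(proc)
    return chain[::-1]

def unsandboxed_unknowns(procs):
    """Flag unknown-rated, unsandboxed processes and name their installer ancestor."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.rating != "unknown" or p.sandboxed:
            continue
        chain = ancestry(p, by_pid)
        installer = next((a.image for a in chain if a.rating == "installer"), None)
        findings.append((p.image, installer, " -> ".join(a.image for a in chain)))
    return findings

if __name__ == "__main__":
    for image, installer, path in unsandboxed_unknowns(SAMPLE):
        print(f"{image}: unsandboxed, descends from {installer}: {path}")
```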

I am by no means an expert - but as far as I can understand nothing will be sandboxed as you have disabled the Sandbox according to your picture nr 2.

It’s not as much a problem of Sandbox as it is of the detection mechanism for installers which keeps on thinking that program is still installing and blindly trusts everything you download inside the browser.

Browsers should be “always sandboxed”


Say first of all you check digital signature. Second of all you scan it. And upload to virustotal. You protected!?

The drive-by download malwares do not wait for the user doing those things.

Misunderstood the topic. My bad.

I thought the built-in sandbox in Comodo Dragon should already stop nearly all drive-by downloads. Thus theoretically they shouldn’t even reach CIS.

Isn’t this the way it works?

I just tried running Dragon from the installer after I set Dragon to be always sandboxed as partially limited (I disabled file and registry virtualisation) but it got started as partially limited.

I am on Win 7 SP1 x86.

In general when starting an application from its installer parent it will inherit the installer’s rights. However with CIS this does not happen.

You can try opera or other browsers.

I tried the same routine with Opera 12.01 and it starts sandboxed when being started from the installer.