I am not a Comodo sandbox expert. However, there are a number of postings in this forum that state that the “partially limited” sandbox setting, which is the lowest setting, might leave you vulnerable to sandbox “jumping”.
You might want to bump the sandbox setting up a level at a time and see at what level it catches that malware. The Comodo sandboxing tutorial on the Gizmo freeware web site recommends restricted or untrusted. The key element would also be at what higher level there would be a conflict with your other real-time anti-malware scanners.
The following applies to Comodo ver. 5.x. Another question I forgot to ask is if you have virtualization turned on in the sandbox for both registry and system files? If those are turned off and you are running with Defense+ rights of partially limited, you are indeed going to possibly see modifications to both your real registry and system files when malware is running in the sandbox. With virtualization turned on, the only things malware can modify are the virtual copies of the registry and system files.