about the .msi file

Because the CIS sandbox cannot monitor the behavior of the .msi file,
the “sandbox button” can be removed from the alert window.

:stuck_out_tongue:

The HIPS of Kaspersky IS can control the activity of MSIs: The setup.msi gets rated as an unknown application and the started msiexec.exe instance inherits the unknown state of the setup.msi.
Comodo should integrate such a feature in future versions. :slight_smile:

What do you mean by “Because CIS sandbox can not monitor the behavior of the .msi file”? Can you explain in more detail?

I think that if you would sandbox the installer you would also sandbox msiexec.exe. Unless you can show otherwise.

If you press the sandbox button in that alert window, then the installer stops automatically.

So, the sandbox button = the block button


I add msiexec.exe to the “always sandbox” list.

I double click on the .msi file

I select the “allow” button.

The installer stops automatically

Translation of the error message:
The Windows Installer service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

The situation is the same as with the “sandbox button” and the “block button”.

Defense+ events:

2011-10-08 10:23:12 C:\WINDOWS\explorer.exe Create Process, Block File C:\Documents and Settings\Roger\桌面\virus\izle_0\setup.msi

2011-10-08 10:23:20 C:\WINDOWS\system32\msiexec.exe Sandboxed As Partially Limited

2011-10-08 10:23:25 C:\Documents and Settings\Roger\桌面\virus\izle_0\setup.msi Modify File C:\WINDOWS\AppPatch\AppLoc.tmp

2011-10-08 10:23:25 C:\WINDOWS\system32\msiexec.exe Modify File C:\WINDOWS\AppPatch\AppLoc.tmp

2011-10-08 10:23:25 C:\Documents and Settings\Roger\桌面\virus\izle_0\setup.msi Access COM Interface C:\WINDOWS\system32\msiexec.exe

FVS report of the .msi malware:
https://valkyrie.comodo.com/Result.html?sha1=47ebbe2151b969e3b2629654e9a36372b7076303&&query=1&&filename=setup.msi

virus total report of the .msi malware:
http://www.virustotal.com/file-scan/report.html?id=4838a7d91946d0cb625b7a3dcfcd6003ebaa37941cae1a36d1586df7338c226b-1318047706
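As an added example (not code from the original posts, and not a Comodo tool), here is a small Python parser for the five Defense+ lines quoted above. It reads each line into timestamp, application, action, verdict and target, then correlates the setup.msi entries with the msiexec.exe instance: the rating msiexec.exe was sandboxed with, the COM interface access from the .msi to msiexec.exe, and any file both of them modified. The column layout and the field names are my assumptions about the log, not a documented CIS format; the sample lines are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the five Defense+ event lines quoted in the post above,
# copied verbatim. Reading them as "timestamp application action[, verdict]
# target" is an assumption about the log layout, not documented CIS format.
SAMPLE_LOG = r"""
2011-10-08 10:23:12 C:\WINDOWS\explorer.exe Create Process, Block File C:\Documents and Settings\Roger\桌面\virus\izle_0\setup.msi
2011-10-08 10:23:20 C:\WINDOWS\system32\msiexec.exe Sandboxed As Partially Limited
2011-10-08 10:23:25 C:\Documents and Settings\Roger\桌面\virus\izle_0\setup.msi Modify File C:\WINDOWS\AppPatch\AppLoc.tmp
2011-10-08 10:23:25 C:\WINDOWS\system32\msiexec.exe Modify File C:\WINDOWS\AppPatch\AppLoc.tmp
2011-10-08 10:23:25 C:\Documents and Settings\Roger\桌面\virus\izle_0\setup.msi Access COM Interface C:\WINDOWS\system32\msiexec.exe
"""

# The application path is the first thing ending in .exe/.msi; the target, if
# any, is the last drive-letter path on the line. Paths may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<app>[A-Za-z]:\\.*?\.(?:exe|msi)) "
    r"(?P<action>.+?)"
    r"(?: (?P<target>[A-Za-z]:\\.*))?$",
    re.IGNORECASE,
)


@dataclass
class Event:
    ts: str
    app: str
    action: str
    verdict: str          # e.g. "Block"; empty when the line carries none
    target: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one Defense+ line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    action, verdict = m["action"], ""
    # "Create Process, Block File" -> action "Create Process", verdict "Block"
    if ", " in action:
        action, verdict = action.split(", ", 1)
        verdict = re.sub(r"\s+File$", "", verdict)
    return Event(m["ts"], m["app"], action.strip(), verdict.strip(), m["target"])


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def _endswith(path: Optional[str], name: str) -> bool:
    return bool(path) and path.lower().endswith(name.lower())


def msi_handoff(events: List[Event]) -> dict:
    """Tie the .msi's own events to the msiexec.exe instance that carries
    them out, and summarise what the log shows about that hand-off."""
    msi_events = [e for e in events if _endswith(e.app, ".msi")]
    exec_events = [e for e in events if _endswith(e.app, "msiexec.exe")]
    report = {
        "msi": msi_events[0].app if msi_events else None,
        "launch_verdict": None,     # verdict on the Create Process of the .msi
        "msiexec_rating": None,     # "Sandboxed As <rating>" for msiexec.exe
        "com_handoff": False,       # .msi accessed a COM interface on msiexec
        "shared_files": [],         # files modified by both actors
    }
    for e in events:
        if e.action == "Create Process" and _endswith(e.target, ".msi"):
            report["launch_verdict"] = e.verdict or None
    for e in exec_events:
        if e.action.startswith("Sandboxed As "):
            report["msiexec_rating"] = e.action[len("Sandboxed As "):]
    report["com_handoff"] = any(
        e.action == "Access COM Interface" and _endswith(e.target, "msiexec.exe")
        for e in msi_events
    )
    by_msi = {e.target for e in msi_events if e.action == "Modify File" and e.target}
    by_exec = {e.target for e in exec_events if e.action == "Modify File" and e.target}
    report["shared_files"] = sorted(by_msi & by_exec)
    return report


if __name__ == "__main__":
    for key, value in msi_handoff(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample the report shows msiexec.exe rated Partially Limited, the COM hand-off from setup.msi to msiexec.exe, and AppLoc.tmp modified by both in the same second, which is the pattern to look for when deciding whether a sandbox rule on the .msi actually reached the msiexec.exe that did the work.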

The .msi installer can be run in Sandboxie.

Online Armor

OA warns, independently of the program that performs the action, about the new autorun because the new autorun program is unknown. It can’t monitor behavior for MSIs.
KIS can do this.

Someone tested the malware with KIS; the situation is the same as with CIS.

KIS cannot monitor the behavior of .msi files either.

The malware created the browser helper object successfully.

Could you please send me the sample? :slight_smile:

Thanks for the sample, a256886572008. :slight_smile:
Here is the result of KIS:

http://www.ld-host.de/uploads/thumbnails/94a7cb29817d41691affdf22ac6a30f6.png

http://www.ld-host.de/uploads/thumbnails/b0f8633921f7d8fdd3a445c5e99df43c.png

http://www.ld-host.de/uploads/thumbnails/9c83b2c6fb75f2b6781b5cc9b39bc491.png

So, contrary to D+, it can control MSI activity.
Could we please get this with version 6, egemen? :slight_smile:

You should allow these actions.

Block the BHO creation only.


The .msi malware can install files into Sandboxie, but it cannot install files into the Comodo sandbox.

You are right, KIS fails too.
Seems like my memory betrayed me…

This may be because of the way the Comodo sandbox works (using Windows restrictions). The Windows Installer service has to run as administrator.
Sandboxie is a great tool.

Yes. If you select the Drop Rights feature in Sandboxie, most installers also fail.

Will the .msi malware install files into the Comodo sandbox
if CIS adds a sandbox level without Windows restrictions?

I would assume so.

I hope we will see this in future, it’s simply technically better.

.MSI files can be extracted. :wink:

Ummhh, this is an older topic that has run its course…