Always Sandbox restriction ignored if unrecognized execution control = Blocked

Might’ve reported this under one of the Bug forums except their description says “bugs will be moved here”. Doesn’t say moved from WHERE, so I don’t know where to report a bug that then gets moved to a Bug forum. Guess they go here.

Windows XP Pro SP-3
Internet Explorer 8
Comodo Internet Security (free) 5.8.213334.2131

If the auto-sandbox (D+ tab → D+ Settings → Execution Control Settings) is set to Blocked for unrecognized files, the restriction level (privileges) configured for an Always Sandboxed program are not obeyed. The Always Sandboxed program runs at full privileges rather than those configured for it when execution control for unrecognized programs is set to Blocked.

I added the web browser under the “Always Sandbox” list but without any virtualization. I wanted to test using it under different privilege levels (Partially Limited, Limited, Restricted, Untrusted). By the way: Turns out IE8 won’t run Restricted because of a CTF (text services) hook in Windows. The entry in “Always Sandbox” was:

Restriction Settings:
Program path: C:\Program Files\Internet Explorer\iexplore.exe
Restriction Level: Limited
Advanced Settings:
Disabled: Limit maximu memory consumption
Disabled: Limit program execution time
Disabled: Enable file system virtualization
Disabled: Enable registry virtualization

I was testing only the changes in privileges on the iexplore.exe process, not how virtualization might work (which has some quirks that I don’t like, anyway, like leaving downloaded files somewhere buried under C:\VritualRoot instead of where the user specifies but tracked to ensure it runs under the same environ, much like how GeSWall and BufferZone work).

I used Process Explorer to look at the security properties of IE8 when loaded. I first tested with execution control on unrecognized files disabled. IE8 ran under the limited privileges it was configured to use under Always Sandbox. I tested with execution control on unrecognized files enabled and set to Partially Limited, Limited, Restricted, and Untrusted. In each of those cases, IE8 ran under the limited privileges configured under Always Sandbox. When I set execution control on unrecognized files to Blocked, IE8 ran will full privileges.

IE8 is obviously not an unrecognized file. Settings used to sandbox it under Always Sandbox should be honored no matter what level of execution restriction is configured for unrecognized files. Yet setting execution control on unrecognized files to Blocked results in ignoring the execution control level configured in Always Sandbox for a program.

IE8: Always Sandboxed, restriction level = Limited
Execution control for unrecognized files:
Off: IE8 runs at limited restriction level.
On, Partially Limited: IE8 runs at limited restriction level.
On, Limited: IE8 runs at limited restriction level.
On, Restricted: IE8 runs at limited restriction level.
On, Untrusted: IE8 runs at limited restriction level.
On, Blocked: IE8 runs at full privileges (no restriction).

The sub-forums you mention are where moderators move bug reports that have been posted in the Bug Reports - CIS forum. They will be moved depending on the criteria met by the bug report.

There are stickied topics that tell you how to make a bug report in the bug reporting forum. (Linked above)

This is the bug reporting checklist: CHECKLIST - PLEASE READ BEFORE POSTING

And this is the proper format: (Also linked in the checklist) FORMAT - PLEASE USE IT!

Okay, thanks. I must’ve been one too low or one too high in the forum list hierarchy to see that forum. I’ll read the checklist post to see how to report on a bug.

Actually I didn’t scroll down the page when on the Bugs forums to see the posts there and to where I should post. Uffda, what a lot of stuff to collect. Took a couple hours to re-setup the VM with all updates, including IE7 to IE8 and more updates, and installing Comodo Firewall and then going through the shebang to reproduce the problem while recording within screenshots. Hope they really need all that info and screenshots.