Originally reported in CIS Help forum at:
https://forums.comodo.com/defense-sandbox-help-cis/always-sandbox-restriction-ignored-if-unrecognized-execution-control-blocked-t79240.0.html
A. The bug/issue
Synopsis:
If the auto-sandbox (D+ tab → D+ Settings → Execution Control Settings) is set to Blocked for unrecognized files, the restriction level (privileges) configured for an Always Sandboxed program is not obeyed. The Always Sandboxed program runs at full privileges rather than those configured for it when execution control for unrecognized programs is set to Blocked.
1. What you did:
- Fresh install of Comodo Firewall under Windows XP running inside a virtual machine. Enabled sandbox (default is disabled).
- Added Internet Explorer (iexplore.exe) to Always Sandbox list with Limited security level.
- SysInternals Process Explorer shows iexplore.exe loads with LUA (limited user account) privileges as expected.
- Enabled the execution control option for unrecognized files, set to Partially Limited, Limited, Restricted, or Untrusted.
- iexplore.exe still loads with expected reduction in privileges (since it is sandboxed).
- Change execution control for unrecognized files to Blocked.
- iexplore.exe now loads with full privileges. Setting in Always Sandbox is not obeyed.
2. What actually happened or you actually saw:
With execution control for unrecognized files enabled and set to anything OTHER than Blocked, the security level (privileges) configured for an Always Sandbox’ed program is obeyed.
When execution control for unrecognized files is enabled and set to Blocked, the security level (privileges) configured for an Always Sandbox’ed program is not honored. Instead the Always Sandbox’ed program runs with full privileges.
3. What you expected to happen or see:
The restriction/security level configured for the Always Sandbox’ed item should be honored regardless of what level of execution control is used for unrecognized programs.
IE8 is not listed as an unrecognized program by Comodo Firewall.
4. How you tried to fix it & what happened:
Cannot use Blocked for execution control on unrecognized programs.
5. If it's a software compatibility problem have you tried the compatibility fixes (link in format)?:
Not applicable.
6. Details & exact version of any software (except CIS) involved (with download link unless malware):
Internet Explorer 8 (without Bing/MSN toolbar)
http://www.microsoft.com/ie (download IE8 as IE9 cannot be installed on Windows XP)
This is an example program. Any program added to the Always Sandbox list will run at full privileges regardless of the restriction setting for that item when execution control for unrecognized files is enabled and set to Blocked.
7. Whether you can make the problem happen again, and if so exact steps to make it happen:
The bug is reproducible using the steps outlined above for test cases.
8. Any other information (eg your guess regarding the cause, with reasons):
Unknown by user.
B. Files appended. (Please zip unless screenshots).
1. Screenshots of the Defense plus Active Processes List (Required for all issues):
See attached screenshots for D+ general settings (D_general.jpg), D+ execution control with unrecognized files run as Limited (D_execCtrl_Limited.jpg) and later as Blocked (D_execCtrl_blocked.jpg), D+ sandbox (D_sandbox.jpg), and D+ Computer Security settings for the Always Sandboxed item (D_sandboxprog_restrictedtab.jpg, D_sandboxprog_advtab.jpg).
UPDATE - Forgot the Active Processes list. Because this list exceeds 1 window in length, it had to be screen captured for the top and bottom half of the list.
For Always Sandboxed = Limited & unrecognized execution control = Limited:
proclist_limitedlimited_tophalf.jpg = Top half of process list.
proclist_limitedlimited_bottomhalf.jpg = Bottom half of process list
For Always Sandboxed = Limited & unrecognized execution control = Blocked:
proclist_limitedblocked_tophalf.jpg = Top half of process list
proclist_limitedblocked_bottomhalf.jpg = Bottom half of process list
Note: Since first submitting this trouble report, Comodo Programs Manager (CPM) has been installed in this virtual machine. It was not there before for the test to show this bug. MS Paint is shown as a process only to convert the PrtSc screen captures into files to attach to this trouble report. Process Explorer, if shown, was to look at the iexplore.exe process to determine how it was really running regarding privileges.
Despite iexplore.exe showing as Limited in Comodo’s D+ Active Process list in both test cases (Always Sandboxed = Limited & unrecognized execution control = Limited, and Always Sandboxed = Limited & unrecognized execution control = Blocked), Process Explorer showed otherwise. In the 1st case, only 1 privilege was listed for iexplore.exe showing it was indeed running under limited privileges. In the 2nd case, Process Explorer showed all the privileges for iexplore.exe as if it were running unlimited (i.e., with no restrictions).
2. Screenshots illustrating the bug:
See attached SysInternals Process Explorer showing security tab properties of sandboxed IE8 when execution control for unrecognized files is set to Limited, NOT to Blocked (sandboxed_limitedprivs_notblocked.jpg). Sandboxed program is running with reduced privileges as expected. Notice the short list of privileges for IE8 when sandboxed as Limited (and with unrecognized execution control NOT set to Blocked).
See attached Sysinternals Process Explorer showing security tab properties of sandboxed item when execution control for unrecognized files is set to Blocked (sandboxed_fullprivs_blocked.jpg). Sandboxed program is running with full privileges despite configuring it for Limited privileges in Always Sandbox list. Notice the long list of privileges for IE8 when sandboxed supposedly as Limited (and with unrecognized execution control set to Blocked). IE8, although supposed to be limited while sandboxed, is instead running with full privileges.
3. Screenshots of related CIS event logs:
No events (errors).
4. A CIS config report or file.
Comodo Firewall was using the default pre-defined “Comodo - Firewall Security” configuration and was active when options were changed. This was exported to the following file (your forum won’t accept .cfgx files so it was put inside a .zip file):
“Comodo - Firewall Security configuration.zip”
5. Crash or freeze dump file:
Not applicable. No crashes or freezes.
6. Screenshot of More~About page. Can be used instead of typed product and AV database version.
See attached file (about.jpg).
C. Your set-up
1. CIS version, AV database version & configuration used:
Comodo Firewall 5.8.213334.2131
AV database: (not applicable to bug, AV component not in Comodo Firewall product)
Configuration: All defaults except:
- Added iexplore.exe to Always Sandboxed list with restriction level set to Limited and memory/file virtualization disabled.
- Execution control for unrecognized files was enabled. Set to Limited, Partially Limited, Restricted, and Untrusted there is no problem. When set to Blocked, the restriction level configured for the Always Sandboxed item is not honored and the program instead runs with full privileges.
2. a) Have you updated (without uninstall) from a previous version of CIS:
Not an update install. Virtual machine reset to clean state and then performed a fresh install of Comodo Firewall.
b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
3. a) Have you imported a config from a previous version of CIS:
No. Problem tested under a fresh install of Comodo Firewall.
b) if so, have you tried a standard config (without losing settings - if not please do)?:
4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):
Only those already mentioned in above item C.1.
5. Defense+, Sandbox, Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV =
All at install-time defaults except:
- Comodo secure DNS servers and GeekBuddy not selected during custom install.
- Sandbox is disabled by default so had to enable it to use it.
- No AV component in Comodo Firewall product.
6. OS version, service pack, number of bits, UAC setting, & account type:
Windows XP Pro SP-3 32-bit (running under a virtual machine: MS VirtualPC 2007)
All Windows Updates applied
Account type: my account (added to Administrators group).
7. Other security and utility software currently installed:
This is a clean install of Windows XP in a virtual machine with only Comodo Firewall installed.
(Microsoft) SysInternals Process Explorer used to monitor security properties (privileges) of process for Always Sandboxed program to determine if restriction level set for program in Always Sandbox list was honored at various settings for execution control of unrecognized programs.
(Process Explorer - Sysinternals | Microsoft Learn)
8. Other security software previously installed at any time since Windows was last installed:
Not applicable. This is a fresh install of Windows XP Pro SP-3, IE8, with all updates.
9. Virtual machine used (Please do NOT use Virtual box):
Microsoft VirtualPC 2007
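As an added illustration (not part of the original report, and not Comodo's or Sysinternals' code), the PowerShell script below reads the same privilege list from a process token that Process Explorer shows on its Security tab in section B.2 above, so the comparison the report makes by eye (one privilege under a limited token versus the full list under an unrestricted one) can be repeated from a script. The class name TokenPrivs, the function Test-ProcessRestricted and the heuristic of comparing the target's privilege count against the shell's own token are this example's assumptions; it assumes an administrator account on Windows with PowerShell 2.0 or later.

```powershell
# Added example, not part of the original report: list the token privileges of a
# running process by PID, the same information Process Explorer shows on its
# Security tab, so a sandbox restriction level can be verified from a script.
# Assumptions: Windows with PowerShell 2.0 or later; the caller is allowed to
# open the target process (an administrator account, as in the report).
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public static class TokenPrivs
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int length, out int needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string system, ref long luid, StringBuilder name, ref int length);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenPrivilegesClass = 3;      // TOKEN_INFORMATION_CLASS.TokenPrivileges
    const uint SE_PRIVILEGE_ENABLED = 0x2;

    // Returns one "SePrivilegeName (enabled|disabled)" string per privilege in the token.
    public static List<string> Get(int pid)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (process == IntPtr.Zero)
            throw new Exception("OpenProcess failed, error " + Marshal.GetLastWin32Error());
        IntPtr token = IntPtr.Zero;
        IntPtr buffer = IntPtr.Zero;
        List<string> result = new List<string>();
        try
        {
            if (!OpenProcessToken(process, TOKEN_QUERY, out token))
                throw new Exception("OpenProcessToken failed, error " + Marshal.GetLastWin32Error());
            int needed;
            GetTokenInformation(token, TokenPrivilegesClass, IntPtr.Zero, 0, out needed); // size query
            buffer = Marshal.AllocHGlobal(needed);
            if (!GetTokenInformation(token, TokenPrivilegesClass, buffer, needed, out needed))
                throw new Exception("GetTokenInformation failed, error " + Marshal.GetLastWin32Error());

            // TOKEN_PRIVILEGES layout: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES[],
            // where each entry is an 8-byte LUID followed by a DWORD of attributes (12 bytes).
            int count = Marshal.ReadInt32(buffer);
            for (int i = 0; i < count; i++)
            {
                IntPtr entry = new IntPtr(buffer.ToInt64() + 4 + i * 12);
                long luid = Marshal.ReadInt64(entry);
                uint attributes = (uint)Marshal.ReadInt32(entry, 8);

                int length = 0;
                LookupPrivilegeName(null, ref luid, null, ref length);   // size query
                length += 1;                                             // room for the terminator
                StringBuilder name = new StringBuilder(length);
                if (!LookupPrivilegeName(null, ref luid, name, ref length))
                    throw new Exception("LookupPrivilegeName failed, error " + Marshal.GetLastWin32Error());
                string state = (attributes & SE_PRIVILEGE_ENABLED) != 0 ? "enabled" : "disabled";
                result.Add(name.ToString() + " (" + state + ")");
            }
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(process);
        }
        return result;
    }
}
'@

# Hypothetical helper for this example: compare the target process against this
# (unrestricted) PowerShell process. A process running under a limited token shows
# only a handful of privileges, commonly just SeChangeNotifyPrivilege; a full
# token shows the whole list, which is the difference the report's screenshots show.
function Test-ProcessRestricted {
    param([Parameter(Mandatory = $true)][int]$TargetPid)
    $target = [TokenPrivs]::Get($TargetPid)
    $self   = [TokenPrivs]::Get($PID)
    Write-Host ("PID {0}: {1} privileges (this shell has {2})" -f $TargetPid, $target.Count, $self.Count)
    $target | ForEach-Object { Write-Host "  $_" }
    if ($target.Count -lt $self.Count) { "restricted" } else { "unrestricted" }
}

# Usage: check every iexplore.exe process, as the report does with Process Explorer.
Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    "{0} (PID {1}): {2}" -f $_.ProcessName, $_.Id, (Test-ProcessRestricted -TargetPid $_.Id)
}
```

Run it from an elevated PowerShell once with the unrecognized-file execution control set to Limited and once with it set to Blocked; in the first case the sandboxed iexplore.exe should report "restricted" with a short privilege list, and the bug described in the report shows up as "unrestricted" with the same privilege count as the shell in the second case. The count comparison is a coarse heuristic; the printed list is what to attach to a report.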