Always Sandbox restriction ignored if unrecognized execution control = Blocked

Originally reported in CIS Help forum at:
https://forums.comodo.com/defense-sandbox-help-cis/always-sandbox-restriction-ignored-if-unrecognized-execution-control-blocked-t79240.0.html

A. The bug/issue

Synopsis:

If the auto-sandbox (D+ tab → D+ Settings → Execution Control Settings) is set to Blocked for unrecognized files, the restriction level (privileges) configured for an Always Sandboxed program is not obeyed. The Always Sandboxed program runs at full privileges rather than those configured for it when execution control for unrecognized programs is set to Blocked.

1. What you did:

  • Fresh install of Comodo Firewall under Windows XP running inside a virtual machine. Enabled sandbox (default is disabled).
  • Added Internet Explorer (iexplore.exe) to Always Sandbox list with Limited security level.
  • SysInternals Process Explorer shows iexplore.exe loads with LUA (limited user account) privileges as expected.
  • Enabled the execution control option for unrecognized files, set to Partially Limited, Limited, Restricted, or Untrusted.
  • iexplore.exe still loads with expected reduction in privileges (since it is sandboxed).
  • Change execution control for unrecognized files to Blocked.
  • iexplore.exe now loads with full privileges. Setting in Always Sandbox is not obeyed.

2. What actually happened or you actually saw:
With execution control for unrecognized files enabled and set to anything OTHER than Blocked, the security level (privileges) configured for an Always Sandbox’ed program is obeyed.
When execution control for unrecognized files is enabled and set to Blocked, the security level (privileges) configured for an Always Sandbox’ed program is not honored. Instead the Always Sandbox’ed program runs with full privileges.
3. What you expected to happen or see:
The restriction/security level configured for the Always Sandbox’ed item should be honored regardless of what level of execution control is used for unrecognized programs.
IE8 is not listed as an unrecognized program by Comodo Firewall.
4. How you tried to fix it & what happened:
Cannot use Blocked for execution control on unrecognized programs.
5. If it’s a software compatibility problem, have you tried the compatibility fixes (link in format)?:
Not applicable.
6. Details & exact version of any software (except CIS) involved (with download link unless malware):
Internet Explorer 8 (without Bing/MSN toolbar)
http://www.microsoft.com/ie (download IE8 as IE9 cannot be installed on Windows XP)
This is an example program. Any program added to the Always Sandbox list will run at full privileges regardless of the restriction setting for that item when execution control for unrecognized files is enabled and set to Blocked.
7. Whether you can make the problem happen again, and if so exact steps to make it happen:
The bug is reproducible using the steps outlined above for test cases.
8. Any other information (eg your guess regarding the cause, with reasons):
Unknown by user.

B. Files appended. (Please zip unless screenshots).

1. Screenshots of the Defense plus Active Processes List (Required for all issues):
See attached screenshots for D+ general settings (D_general.jpg), D+ execution control with unrecognized files run Limited (D_execCtrl_Limited.jpg) and when later run Blocked (D_execCtrl_blocked.jpg), D+ sandbox (D_sandbox.jpg), and D+ Computer Security settings for the Always Sandboxed item (D_sandboxprog_restrictedtab.jpg, D_sandboxprog_advtab.jpg).
UPDATE - Forgot the Active Processes list. Because this list exceeds 1 window in length, it had to be screen captured for the top and bottom half of the list.
For Always Sandboxed = Limited & unrecognized execution control = Limited:
proclist_limitedlimited_tophalf.jpg = Top half of process list.
proclist_limitedlimited_bottomhalf.jpg = Bottom half of process list
For Always Sandboxed = Limited & unrecognized execution control = Blocked:
proclist_limitedblocked_tophalf.jpg = Top half of process list
proclist_limitedblocked_bottomhalf.jpg = Bottom half of process list
Note: Since first submitting this trouble report, Comodo Programs Manager (CPM) has been installed in this virtual machine. It was not there before for the test to show this bug. MS Paint is shown as a process only to convert the PrtSc screen captures into files to attach to this trouble report. Process Explorer, if shown, was to look at the iexplore.exe process to determine how it was really running regarding privileges.
Despite iexplore.exe showing as Limited in Comodo’s D+ Active Process list in both test cases (Always Sandboxed = Limited & unrecognized execution control = Limited, and Always Sandboxed = Limited & unrecognized execution control = Blocked), Process Explorer showed otherwise. In the 1st case, only 1 privilege was listed for iexplore.exe showing it was indeed running under limited privileges. In the 2nd case, Process Explorer showed all the privileges for iexplore.exe as if it were running unlimited (i.e., with no restrictions).
2. Screenshots illustrating the bug:
See attached SysInternals Process Explorer showing security tab properties of sandboxed IE8 when execution control for unrecognized files is set to Limited, NOT to Blocked (sandboxed_limitedprivs_notblocked.jpg). Sandboxed program is running with reduced privileges as expected. Notice the short list of privileges for IE8 when sandboxed as Limited (and with unrecognized execution control NOT set to Blocked).
See attached Sysinternals Process Explorer showing security tab properties of sandboxed item when execution control for unrecognized files is set to Blocked (sandboxed_fullprivs_blocked.jpg). Sandboxed program is running with full privileges despite configuring it for Limited privileges in Always Sandbox list. Notice the long list of privileges for IE8 when sandboxed supposedly as Limited (and with unrecognized execution control set to Blocked). IE8, although supposed to be limited while sandboxed, is instead running with full privileges.
3. Screenshots of related CIS event logs:
No events (errors).
4. A CIS config report or file.
Comodo Firewall was using the default pre-defined “Comodo - Firewall Security” configuration and was active when options were changed. This was exported to the following file (your forum won’t accept .cfgx files so it was put inside a .zip file):
“Comodo - Firewall Security configuration.zip”
5. Crash or freeze dump file:
Not applicable. No crashes or freezes.
6. Screenshot of More~About page. Can be used instead of typed product and AV database version.
See attached file (about.jpg).

C. Your set-up

1. CIS version, AV database version & configuration used:
Comodo Firewall 5.8.213334.2131
AV database: (not applicable to bug, AV component not in Comodo Firewall product)
Configuration: All defaults except:

  • Added iexplore.exe to Always Sandboxed list with restriction level set to Limited and memory/file virtualization disabled.
  • Execution control for unrecognized files was enabled. Set to Limited, Partially Limited, Restricted, and Untrusted there is no problem. When set to Blocked, the restriction level configured for the Always Sandboxed item is not honored and the program instead runs with full privileges.

2. a) Have you updated (without uninstall) from a previous version of CIS:
Not an update install. Virtual machine reset to clean state and then performed a fresh install of Comodo Firewall.
b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
3. a) Have you imported a config from a previous version of CIS:
No. Problem tested under a fresh install of Comodo Firewall.
b) if so, have you tried a standard config (without losing settings - if not please do)?:
4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):
Only those already mentioned in above item C.1.
5. Defense+, Sandbox, Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV =
All at install-time defaults except:

  • Comodo secure DNS servers and GeekBuddy not selected during custom install.
  • Sandbox is disabled by default so had to enable it to use it.
  • No AV component in Comodo Firewall product.

6. OS version, service pack, number of bits, UAC setting, & account type:
Windows XP Pro SP-3 32-bit (running under a virtual machine: MS VirtualPC 2007)
All Windows Updates applied
Account type: my account (added to Administrators group).
7. Other security and utility software currently installed:
This is a clean install of Windows XP in a virtual machine with only Comodo Firewall installed.
(Microsoft) SysInternals Process Explorer used to monitor security properties (privileges) of process for Always Sandboxed program to determine if restriction level set for program in Always Sandbox list was honored at various settings for execution control of unrecognized programs.
(Process Explorer - Sysinternals | Microsoft Learn)
8. Other security software previously installed at any time since Windows was last installed:
Not applicable. This is a fresh install of Windows XP Pro SP-3, IE8, with all updates.
9. Virtual machine used (Please do NOT use Virtual box):
Microsoft VirtualPC 2007

[attachment deleted by admin]

Thank you very much for your bug report in standard format.

Unfortunately the following item of required information is missing from your post

    1. Screenshots of the Defense plus Active Processes List (Required for all issues):

We would be grateful if you would add these items of information so we can forward this post to the format verified board. You can find assistance using red links in the format and here - if you need further help please ask a mod. If you do not add the information after a week we will forward this post to non-format. If this happens we will tell you how to rectify this if you wish to. Developers may look at the issue in the non-format board, and may fix it.

But it is much more likely to be fixed if you edit your first post to create an issue report which meets all criteria in the bug forum Checklist and Format. (You can copy and paste the format from this topic). The general reasons why are summarized in that post; the reasons we ask for information you may think unnecessary are given in this detailed post.

In the current process we will normally leave it up to you whether you want to make a report which meets all the criteria or not. We may remind you if we think a bug of particular importance.

I updated the original post to include the D+ Active Process list. While doing that I noticed Process Explorer was showing more privileges in the 2nd case (Always Sandboxed = Limited + unrecognized execution control = Blocked). I’m used to seeing privileges get removed when run under a LUA (limited user account) token. I use SRPs (software restriction policies) already provided in Windows to force a program to run under a Basic account, which reduces privileges to those for a limited account. This lets me log on under an admin-level account but reduce privileges on web-facing applications. My eyes are used to seeing just 1 privilege remaining (enabled) for a process running under a LUA token. This is the same seen in Process Explorer in the 1st case (Always Sandboxed = Limited + unrecognized execution control = Limited). That’s what I expected to see and that’s what was there. In the 2nd case (Always Sandboxed = Limited + unrecognized execution control = Blocked), I instead saw all the privileges still listed in Process Explorer – except I noticed while updating the original post that many of those listed privileges were disabled.

Something is goofy regarding privileges on a process with D+. The 1st and 2nd cases should show the same set of privileges (remaining on a process). Instead the 1st case shows just the 1 enabled privilege and the 2nd case shows all the privileges but with most disabled. Yet there are more enabled privileges in the 2nd case than for the 1st case.

When a LUA token is used to limit the process, the only shown privilege (which is Enabled) is:

  • SeChangeNotifyPrivilege

When using D+ to limit the app (1st case where unrecognized execution control = Limited), the only shown privilege (which is Enabled) is:

  • SeChangeNotifyPrivilege

When using D+ to limit the app (2nd case where unrecognized execution control = Blocked), all the privileges are listed but most are disabled, with the following left Enabled:

  • SeChangeNotifyPrivilege
  • SeCreateGlobalPrivilege
  • SeImpersonatePrivilege
  • SeLoadDriverPrivilege (really, that’s left enabled?)
  • SeUndockPrivilege

In the 1st case, D+ is removing the privileges, which is why they don’t appear in Process Explorer. In the 2nd case, D+ is disabling (but not removing) the privileges, yet it leaves more enabled than when using a LUA token to load the process or for the 1st case.

NOTE: Perhaps Restricted mode in D+ might remove/disable more privileges except Internet Explorer will crash. This is because Windows attempts to inject the CTF hook for its text services. This means I can get IE more restricted on privileges using a LUA token than using D+ Limited mode (because I cannot use D+ Restricted mode).
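The reporter's check above was done by hand in Process Explorer: read the sandboxed process's token, see which privileges are present, and see which of those are actually Enabled rather than merely listed-but-disabled. The script below is an added example of the same check in code; it is not part of the original report and is not Comodo or Sysinternals code. It uses the real Win32 calls (OpenProcess, OpenProcessToken, GetTokenInformation with TokenPrivileges, LookupPrivilegeNameW) to read a live process on Windows, and it carries two constructed privilege lists that mirror the two cases described in the post (the privilege names are real Windows privileges; the attribute values are assumed) so the comparison logic can be run anywhere. The baseline it compares against is the one the post states: a LUA token leaves only SeChangeNotifyPrivilege enabled.

```python
"""Enumerate a process token's privileges and compare them with a restricted baseline.

Added example for the bug report above; not part of the original post, not Comodo
code. Win32 calls are the real APIs; the sample privilege lists are constructed.
"""
import sys
import ctypes
from ctypes import Structure, POINTER, byref, sizeof, c_ulong, c_long, c_int, c_void_p, c_wchar_p

SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001  # LUID_AND_ATTRIBUTES.Attributes bits
SE_PRIVILEGE_ENABLED = 0x00000002

# A LUA (limited user) token leaves exactly one privilege enabled, as the post observes.
LUA_BASELINE_ENABLED = frozenset({"SeChangeNotifyPrivilege"})


def audit_privileges(privileges, baseline=LUA_BASELINE_ENABLED):
    """privileges: iterable of (name, attributes) pairs as found in TokenPrivileges.

    Separates enabled privileges from ones that are present but disabled, and lists
    every enabled privilege the baseline does not allow. A privilege that was removed
    from the token (the 1st case in the post) never appears in the input at all.
    """
    enabled = sorted(name for name, attrs in privileges if attrs & SE_PRIVILEGE_ENABLED)
    disabled = sorted(name for name, attrs in privileges if not attrs & SE_PRIVILEGE_ENABLED)
    extra = sorted(set(enabled) - set(baseline))
    return {"enabled": enabled, "disabled": disabled,
            "extra_enabled": extra, "restricted": not extra}


class LUID(Structure):
    _fields_ = [("LowPart", c_ulong), ("HighPart", c_long)]


class LUID_AND_ATTRIBUTES(Structure):
    _fields_ = [("Luid", LUID), ("Attributes", c_ulong)]


def read_process_privileges(pid):
    """Windows only: return [(name, attributes), ...] from the process's primary token."""
    if sys.platform != "win32":
        raise OSError("read_process_privileges needs the Win32 API")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32.OpenProcess.restype = c_void_p
    kernel32.OpenProcess.argtypes = [c_ulong, c_int, c_ulong]
    kernel32.CloseHandle.argtypes = [c_void_p]
    advapi32.OpenProcessToken.argtypes = [c_void_p, c_ulong, POINTER(c_void_p)]
    advapi32.GetTokenInformation.argtypes = [c_void_p, c_int, c_void_p, c_ulong, POINTER(c_ulong)]
    advapi32.LookupPrivilegeNameW.argtypes = [c_wchar_p, POINTER(LUID), c_wchar_p, POINTER(c_ulong)]
    PROCESS_QUERY_INFORMATION, TOKEN_QUERY, TokenPrivileges = 0x0400, 0x0008, 3

    hproc = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not hproc:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        htok = c_void_p()
        if not advapi32.OpenProcessToken(hproc, TOKEN_QUERY, byref(htok)):
            raise ctypes.WinError(ctypes.get_last_error())
        try:
            needed = c_ulong(0)  # first call only sizes the TOKEN_PRIVILEGES buffer
            advapi32.GetTokenInformation(htok, TokenPrivileges, None, 0, byref(needed))
            buf = ctypes.create_string_buffer(needed.value)
            if not advapi32.GetTokenInformation(htok, TokenPrivileges, buf, needed, byref(needed)):
                raise ctypes.WinError(ctypes.get_last_error())
            count = c_ulong.from_buffer(buf).value  # TOKEN_PRIVILEGES.PrivilegeCount
            entries = (LUID_AND_ATTRIBUTES * count).from_buffer(buf, sizeof(c_ulong))
            result = []
            for entry in entries:
                size = c_ulong(0)  # size the name, then fetch it
                advapi32.LookupPrivilegeNameW(None, byref(entry.Luid), None, byref(size))
                size.value += 1
                name = ctypes.create_unicode_buffer(size.value)
                if not advapi32.LookupPrivilegeNameW(None, byref(entry.Luid), name, byref(size)):
                    raise ctypes.WinError(ctypes.get_last_error())
                result.append((name.value, entry.Attributes))
            return result
        finally:
            kernel32.CloseHandle(htok)
    finally:
        kernel32.CloseHandle(hproc)


# Constructed samples mirroring the post's two cases (attribute values assumed).
CASE_LIMITED = [("SeChangeNotifyPrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT)]
CASE_BLOCKED = [
    ("SeChangeNotifyPrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT),
    ("SeCreateGlobalPrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT),
    ("SeImpersonatePrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT),
    ("SeLoadDriverPrivilege", SE_PRIVILEGE_ENABLED),
    ("SeUndockPrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT),
    ("SeDebugPrivilege", 0), ("SeShutdownPrivilege", 0),
    ("SeBackupPrivilege", 0), ("SeRestorePrivilege", 0),
]

if __name__ == "__main__":
    # With a PID argument (e.g. the sandboxed iexplore.exe) read the live token on Windows;
    # otherwise audit the constructed "Blocked" case.
    privs = read_process_privileges(int(sys.argv[1])) if len(sys.argv) > 1 else CASE_BLOCKED
    report = audit_privileges(privs)
    print("enabled:      ", ", ".join(report["enabled"]))
    print("present but disabled:", ", ".join(report["disabled"]))
    print("restricted to LUA baseline:", report["restricted"])
    if report["extra_enabled"]:
        print("enabled beyond baseline:", ", ".join(report["extra_enabled"]))
```

Run against the "Limited" case the report comes back restricted; against the "Blocked" case it flags the four extra enabled privileges the reporter noticed. The distinction it preserves is the one the post is about: a privilege that is present but disabled can still be re-enabled by the process (AdjustTokenPrivileges), whereas a removed privilege cannot, so "listed but disabled" is a weaker restriction than "absent", and only the enabled set should be trusted when judging whether a sandbox level was actually applied.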

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Moved to Verified.

Many thanks again

Dennis