Attempting to learn how CIS Sandbox works

So, out of curiosity I have started to look and try to learn how the CIS Sandbox actually provides virtualisation.

I don’t know much about Reverse Engineering or Process Analysis but would like to learn a little bit more. :slight_smile:

What it doesn’t appear to do.

  • No additional Windows security flags are placed on the contained process when creating it

What it does do

  • Manually containing a file via context menu:

→ Starts cmdvirth.exe
→ virtkiosk.exe starts
→ virtkiosk.exe starts ContainedApp.exe as a child process
→ virtkiosk.exe terminates

Question

I would have assumed that, in order to provide the restrictions for ContainedApp.exe, virtkiosk.exe would have created a pipe between itself and ContainedApp.exe and then redirected I/O accordingly.

However, to my surprise, virtkiosk.exe terminates once ContainedApp.exe is running virtualised.

Therefore I am confused as to what is forcing the redirected I/O of ContainedApp.exe.

Could it be that virtkiosk.exe simply sets Security Descriptors as per CIS settings upon launching ContainedApp.exe that I am not seeing, then terminates as no further restrictions are needed? I would therefore assume CIS Auto-Containment settings do not take effect when changed on already-contained applications until that application is terminated and re-contained.

I am currently also confused as to what the purpose of cmdvirth.exe is in all of this.

Could someone point me in the right direction where I can look to further understand what is happening?

I would prefer someone not give me the answer so I can try and figure it out myself. :slight_smile:

Hint: minifilter driver, and more specifically cmdguard.sys “COMODO Internet Security Sandbox Driver” :wink:
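An added diagnostic (not code from the thread or from Comodo) that checks the two points raised above from an elevated PowerShell prompt: whether the launcher of the contained process has already exited, and which file-system minifilters are loaded. `ContainedApp.exe` and the `cmdguard` name are taken from the posts; `fltmc` needs administrator rights.

```powershell
# Added example, not part of the original thread or of CIS.
# 1. Walk the parent chain of the contained process and report when the
#    parent PID no longer maps to a live process (launcher already exited).
# 2. List loaded minifilters (fltmc filters) and flag the one named in the reply.
param(
    [string]$ChildName     = 'ContainedApp.exe',   # process name from the question
    [string]$FilterPattern = 'cmdguard'            # driver name from the reply
)

function Get-ParentChain {
    param([string]$Name)
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name='$Name'"
    foreach ($p in $procs) {
        $chain = @(); $cur = $p; $depth = 0
        while ($cur -and $depth -lt 16) {            # depth guard against PID cycles
            $chain += ('{0}({1})' -f $cur.Name, $cur.ProcessId)
            $ppid = $cur.ParentProcessId
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$ppid"
            if (-not $parent) {
                # Parent is gone: consistent with virtkiosk.exe terminating.
                # Note: a recycled PID may point at an unrelated live process.
                $chain += ('<exited pid {0}>' -f $ppid); break
            }
            if ($parent.ProcessId -eq $cur.ProcessId) { break }   # PID 0 / Idle
            $cur = $parent; $depth++
        }
        [pscustomobject]@{ Process = $Name; Chain = ($chain -join ' <- ') }
    }
}

function Get-LoadedMinifilters {
    # Parse 'fltmc filters' rows: Filter Name, Num Instances, Altitude, Frame.
    # Header and separator lines do not match the numeric columns and are skipped.
    fltmc filters | ForEach-Object {
        if ($_ -match '^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)') {
            [pscustomobject]@{
                Filter = $Matches[1]; Instances = [int]$Matches[2]
                Altitude = [int]$Matches[3]; Frame = [int]$Matches[4]
            }
        }
    }
}

Get-ParentChain -Name $ChildName | Format-Table -AutoSize
$filters = Get-LoadedMinifilters
$filters | Sort-Object Altitude -Descending | Format-Table -AutoSize
$hit = $filters | Where-Object Filter -match $FilterPattern
if ($hit) { "Minifilter matching '$FilterPattern' is loaded: $($hit.Filter -join ', ')" }
else      { "No loaded minifilter matches '$FilterPattern'" }
```

A filter that stays loaded after the user-mode launcher has exited is the kind of component that can keep redirecting the child's file I/O without any pipe between the two processes.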