Autosandboxed, but screen/webcam capture seem to happen. [Renamed]

The software is able to capture keystrokes and the screen (in test 4) even if it is sandboxed, if the D+ alerts are allowed.

http://www.spyshelter.com/download/AntiTest.exe

That’s why I say the sandbox gives users a false feeling of safety.
It is D+ that works.

Did you allow the elevated alert prompt?

No “elevated alert prompt” pop-up but other alerts.

I’ve tested it with the automatic sandbox and by manually putting it in the sandboxed program list too.

Don’t you think the elevated alert is a little too all encompassing? You have to give it almost total control to see what it does.

Shouldn’t there be an option, in addition to just allow or block, to allow one thing at a time, like V3 activity? This way an advanced user can track the activity of an application and block it if something seems suspicious.

This way everyone wins.

That’s how it is currently, Chiron. If you click deny on elevated privileges then you will get a lot of alerts.
Clicking on allow elevated privileges basically lets the program run around and do whatever, with restrictions from the sandbox. Those restrictions are not perfect, nor do I think they will ever be… Trying to find the right balance between usability and protection is difficult…

I didn’t realize that. I thought clicking Deny would automatically assign it limited rights. I think that alert needs to be reworded.

Here are my results from running http://www.spyshelter.com/download/AntiTest.exe

I’m running it in the sandbox. I have proactive security and “Automatically detect installers/updaters and run them outside the Sandbox” is unchecked.

I get no alerts from Defense+ except that the application has been automatically sandboxed.

-I get a Firewall alert I can block for KeyLogging.

-Test4 of Screenshot can take a screenshot of my computer. (No alerts)

-It passes all the rest except for Sound record and Webcam Capture as I cannot test these because I do not have a webcam or a microphone.

That does not mean it’s a bypass. Comodo sandbox… .Sandboxes things… The application might think it’s created a file or written to the registry… but it hasn’t written to the real registry.

That’s my point, sandbox is not protecting you in Keylogging in this case. It is D+.

I’ve tested it in the sandbox of “Sandboxie” too, and it failed the keylogging test and all 4 screen tests.

I’m wondering if “sandbox technology” is able to protect against these kinds of keylogging and screen capture threats.

I just mention it because the other 3 methods for taking a screenshot were blocked. I agree, though, that this activity is not dangerous, as if it attempted to send it over the internet the firewall would catch it and stop it.

I would test this against default settings, but I’m not sure how to do this. I checked my possible configurations and I only have Internet Security, Proactive Security, and Firewall Security.

If someone is still running with the default settings can you run this test and see what the results are?

I thought the Sandbox was essentially just the simplified form of D+. I believe it’s actually the firewall that protects me from the true dangers of the keylogger.

When you ran this test was your configuration still default? I was protected from everything but the screenshot with proactive security and I’m sure the firewall would have protected me if this had tried to transmit the data.

That’s why I turn off the automatic sandbox and
ensure that the “allow all outgoing” firewall rule is not present.

The sandbox was put in more as a usability layer, mainly, AFAIK. To somewhat bridge the gap between hardcore and soft core.

In a sense you’re right, Chiron. Keyloggers are of NO threat if they cannot communicate with the outside world.
Sandboxie can somewhat handle keyloggers with internet access restrictions… but those do not apply to what’s outside of the sandbox!

‘I thought sandbox was a simplified version of D+’ I think the best way to describe a sandbox is… It is an isolated space within your system and/or it gives the program very limited access to real resources… It does not pose a threat while in the sandbox.

Hlkjoj, please, before you consider removing the sandbox, understand how it works… it’s a very nice tool. Some of those tests “failing” do not mean it’s failing; the sandbox applies virtualization… the test app thinks it’s written to a file or registry when really it hasn’t written to the real ones.

The sandbox is unpassable if set to Proactive mode and you uncheck “automatically detect installers and run them outside of the sandbox”.

You need to understand and ask questions about the sandbox before posting statements without mentioning that you’re not sure.

‘automatically detect installers and run them outside the sandbox’
This only applies to installs that are on the trusted vendor\white list.

You need to uncheck it so it doesn’t show the elevated alert prompt. Otherwise, it cannot be run in the sandbox.

EDIT: Tried it on my laptop and it does indeed bypass the sandbox. It was able to record sound through my microphone.

Technically, automatically sandboxed software can write to the disk, but it cannot a) write to (i.e. infect) existing protected files or registry keys, b) take admin privileges, c) consume too many resources, d) keylog or screen grab, set Windows hooks, access protected COM interfaces, or access non-sandboxed applications in memory.

So “technically” or “theoretically”, the sandbox can prevent keylogging or screen grabbing, setting Windows hooks, accessing protected COM interfaces…??

But “practically”, the sandboxed application in Comodo and Sandboxie has failed or partially failed to prevent d).

Then it may be bugs, or it may just be the technology implementation choices of Comodo and Sandboxie.

I suggest Comodo emphasize that the sandbox feature is just a virtualization technology supplementing D+, employed to reduce D+ alerts. It should not be viewed as a standalone security function.

I’m thinking that this should be moved to Bug reports - what do you think Kyle?

The FAQ text, which comes from the help file and Egemen, is quite clear?

Sounds like keylogging & screen capture is occurring… the data captured may be virtualised (but not when auto-sandboxed)?

Or am I reading this wrong?

Mouse