Beta 9 Sandbox Bug

1. The full product and its version:

2. Your Operating System (32 or 64 bit) and Service Pack revision, and if using a virtual machine, which one:

3. List all the configuration changes you did. Are you using the default configuration? If not, what's the difference?:

4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:

5. Other Security, Sandboxing or Utility Software Installed:

6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:
1: ?
2: ?
3: ?

7. What actually happened when you carried out these steps:

8. What you expected to see or happen when you carried out these steps, and why (if not obvious):

9. Any other information:

I have come across a malicious file that, when run in the sandbox, gives results that are not optimal. This refers to the beta 8 build of Comodo, HIPS on or off, Sandbox enabled. The OS is Windows 7.

In short, when this file is executed:

  1. There is an immediate Sandbox alert that the file requests unlimited access to the computer. I clicked the default action of "run isolated".
  2. An install routine file, au_.exe, is spawned and also automatically sandboxed into the VTroot drive (users\name\app data\local\temp).
  3. An installation box appears (green border, so in sandbox) which then takes a list of the files contained in the directory where the parent malware resides, then runs a script that deletes all of the files found.

Please note that when running this file in a system protected by Comodo version 7 with the sandbox settings at Full V the malware is incapable of deleting anything.

If any Mods or Comodo personnel wish to acquire the sample for verification please PM.
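The behaviour reported above (a sandboxed process enumerating the directory it was launched from and deleting the files it finds there) can be checked without the malware sample. The following harness is an added example and is not part of the original post or of any Comodo tooling: it builds a scratch directory with constructed canary files and a harmless probe script that tries to delete its siblings, and then reports whether the canaries survived. How the probe is launched under a given sandbox product is product-specific and is left to the caller via the hypothetical `launcher` argument (for example a "run isolated" command line, if the product provides one); `build_testbed`, `surviving_canaries`, `run_probe` and `verdict` are names chosen here, not existing APIs.

```python
import os
import subprocess
import sys
from pathlib import Path

# Constructed canary file names; all of them should still exist after a
# contained run, and none of them after an unrestricted run.
CANARIES = ["canary1.txt", "canary2.txt", "canary3.txt"]

# Harmless stand-in for the behaviour described in the post: list the
# directory the script lives in and delete every regular file except itself.
PROBE_SOURCE = r'''
import os
here = os.path.dirname(os.path.abspath(__file__))
me = os.path.basename(__file__)
for name in os.listdir(here):
    path = os.path.join(here, name)
    if name != me and os.path.isfile(path):
        try:
            os.remove(path)
        except OSError:
            pass  # a sandbox that blocks deletion may surface it as an error
'''


def build_testbed(root):
    """Create the canaries and the probe script inside `root`; return the probe path."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for name in CANARIES:
        (root / name).write_text("canary\n")
    probe = root / "probe.py"
    probe.write_text(PROBE_SOURCE)
    return probe


def run_probe(probe, launcher=None):
    """Run the probe, optionally wrapped in a sandbox launcher command (assumed).

    `launcher` is a list such as ["some-sandbox-runner", "--isolated"]; with
    None the probe runs unrestricted, which is the baseline expectation.
    """
    cmd = list(launcher or []) + [sys.executable, str(probe)]
    subprocess.run(cmd, check=False)


def surviving_canaries(root):
    """Return the sorted names of canary files that still exist under `root`."""
    root = Path(root)
    return sorted(name for name in CANARIES if (root / name).exists())


def verdict(root):
    """Classify the outcome: 'contained', 'partial' or 'escaped'."""
    survivors = surviving_canaries(root)
    if len(survivors) == len(CANARIES):
        return "contained"
    if survivors:
        return "partial"
    return "escaped"


if __name__ == "__main__":
    # Usage: python harness.py <scratch-dir> [launcher args...]
    scratch = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.getcwd(), "sandbox-testbed")
    probe_path = build_testbed(scratch)
    run_probe(probe_path, launcher=sys.argv[2:] or None)
    print("survivors:", surviving_canaries(scratch))
    print("verdict:", verdict(scratch))
```

A run with no launcher establishes the baseline ("escaped": the probe deletes every canary), so that a "contained" result under the sandbox is meaningful rather than an artefact of the probe failing to run at all. Because the probe only touches files the harness itself created, the scratch directory can be placed anywhere the user would normally run a downloaded installer from.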

Please edit your post and make it like a bug report, as required :-TU Thanks :slight_smile:

You’re not serious…

Are you sure about #2 ?

Could you maybe run the file again with a different restriction (e.g. "Untrusted")?
If the issue does not persist then you would know it's a restriction bypass (note: restriction, not virtualization).

However, I'm assuming that the dropped file will have no streams. Thus, it's related to a known bug (1209, 1210).


Comodo version 7 at Untrusted does indeed prevent deletions, but this issue is for Comodo version 8 beta (build 4281) where an Untrusted setting does not exist.

I have inserted the required format into your first post, and moved this to the bug reporting board. Please replace the question marks with your responses. Doing so will allow us to much better evaluate this issue. There are many issues which have already been reported for this Beta, and making sure that this is in the format will allow us to better evaluate whether this already fits one of the reported bugs.

I’m not trying to make this more difficult, and the format for reporting Beta bugs is actually quite straightforward. Please let me know if there is anything I can do to help.


PM reminder sent.

I’m sorry, but as there has been no response I will now move this to Resolved. cruelsister, if you are able to edit the first post please do so and then respond to this post letting me know. I can then move this back to the main Beta bug reporting board and continue processing this.

Thank you.