Blocking GOM.exe on (unnecessary?) UA alert does not stop it playing video

The bug/issue

  1. What you did: Started mp4 file(movie file)

  2. What actually happened or you actually saw: CIS was in game mode, but the SB was set to treat the unrecognized file as untrusted. A pop-up appeared that gom.exe (GOM Player) is sandboxed. When I looked into the sandboxed files, it was sandboxed as “partially limited” :o I moved it to the trusted files, then removed it to test once again. Turned off the gaming mode. A new pop-up appeared about what to do with gom.exe (screenshot). I clicked on “block”, but GOM Player started the movie. :o gom.exe is treated as untrusted, I blocked it and it’s still able to play the movie. :o

  3. What you expected to happen or see: to block it

  4. How you tried to fix it & what happened: tried to reproduce the issue several times. No success. CIS acts wrong every time.

  5. If it’s an application compatibility problem have you tried the application fixes?: n/a

  6. Details (exact version) of any application involved with download link: GOM Lab official site - Make, Play, Share

  7. Whether you can make the problem happen again, and if so exact steps to make it happen: see above

  8. Any other information (eg your guess regarding the cause, with reasons): n/a

  9. CIS version, AV database version & configuration used: CIS 5, DB 6947, config: proactive, SB enabled, “automatically trust files from trusted installers” unchecked.

  10. a) Have you updated (without uninstall) from CIS 3 or 4: NO
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:Yes

  11. a) Have you imported a config from a previous version of CIS: NO
    b) if so, have you tried a standard config (without losing settings - if not please do)?: n/a

  12. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here. ) above

  13. Defense+, Sandbox, Firewall & AV security levels: D+ [safe mode]; Sandbox [enabled/disabled - same]; Firewall [safe mode]; AV [Stateful, heur=high, cloud scan enabled]

  14. OS version, service pack, number of bits, UAC setting, & account type: Windows 7 x64 Ultimate, UAC=disabled

  15. Other security and utility software installed: MBAM on demand

  16. Virtual machine used (Please do NOT use Virtual box): no

[attachment deleted by admin]

I did a clean install of CIS (for testing purposes) with the same settings. The result was also the same. What’s going on?

UPDATE: Disabled the sandbox. D+ asked me twice. Two times “block” and the movie starts again. :o

[attachment deleted by admin]

Hi Bequick. Thanks for a clear bug report.

A) Could you please just edit your post to put the following information in:

  1. Defense+, Sandbox, Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV =
  2. OS version, service pack, number of bits, UAC setting, & account type: Windows 7 x64 Ultimate

B) Please could you try with MBAM completely disabled or (preferably) uninstalled.

C) I think maybe part of what is going on here is that CIS is not finding it easy to recognise that GOM needs unlimited privs. It appears that it is unable to do so until you have made it trusted. Then it gets confused. But weirdly thereafter it does recognise this even if it is made untrusted again. I have seen similar behaviour.

To disentangle this we’ll need your logs for the period of the complete sequence you describe above. Also your active processes list after you have answered ‘block’ to the second alert.

A complex one…

Best wishes

Mouse

A) Done
B) MBAM uninstalled -> no change of the situation.
C) I already said that I did the same test with a clean install of CIS => no confusion involved.

One more thing. I use WinRAR 4.0 beta. CIS does not recognize it, so winrar.exe is sandboxed as untrusted, but I’m still able to open the files inside the archive and extract them successfully.

Logs attached. Active process list during the playback (screenshot).
There is a PoC, detected by the AV, you will see it in the AV log, but it’s in an archive, not tested yet. Just to clarify. :slight_smile:

[attachment deleted by admin]

Thanks, you are quick! Re [C] I was not suggesting that the config you gave CIS made it confused, but that it became confused itself.

Will look at logs now, ta again

Mouse

OK on the GOM issue:

  1. There’s no log record of GOM.exe being sandboxed as partially limited. Just wondering where you saw this. There’s another file that was at about the same time MOM.exe - could you have been confused?

  2. The logs suggest that when you got the unlimited access alert you pressed the sandbox, not the “block” button. When sandboxed as untrusted, software can still function - playing a movie would be considered safe I guess. However I accept that this is a mistake you are unlikely to make twice! Just to check, would you mind responding to this unlimited access alert again and see if the file is sandboxed instead of blocked. (I’ve always assumed blocked meant stopped from running, but will need to check this now!).

Best wishes

Mouse

Repeat: It’s a clean install of CIS, that’s why yesterday’s log is missing. Why do you people never trust anything?
I did the test again. First with SB enabled, then with SB disabled. Here is the new log. When I disabled the SB, D+ asked me 9 different questions. I blocked all of the requests and the movie just began… again. You can see the screenshots.

[attachment deleted by admin]

Thanks Bequick, for clarification that the period covered by the logs does not include the sandboxing as ‘partially limited’ event.

It’s not that I don’t trust you specifically - it’s just that I don’t trust anyone - myself included - not to occasionally confuse files with such similar names - MOM.exe and GOM.exe. Hence the need to recheck. Incidentally the guidance for re-installation (linked to in the standard format) says ‘please take a copy of your logs first’, so you can see why I might think you had them.

What I really need you to re-try is pressing the block button on the unlimited access alert. Then look at the logs and APL and tell me if it is running as untrusted. Don’t think it should - I think it should refuse to start at all.

Best wishes

Mouse

Sorry, but I didn’t understand what you mean by this. Can you explain step by step, please! :slight_smile:

edit: And I think the topic title is incorrect. CIS fails to block it as untrusted and with SB disabled too. Please, change it.

I can change it too, but don’t want to mess with the mods again.

edit2: [at]mouse1, there is another log in my previous post, which has been downloaded 0 times. :smiley:

Untrusted? I’m trying to tell you something >>> The movie is playing even with sandbox DISABLED and totally “blocked”, as you can see on my screenshots.

  1. Please check GOM.exe is not already running in the Active Processes List (APL)
  2. Please run GOM.exe
  3. As I understand it you now get an unlimited access alert
  4. On that alert there are three buttons: allow, sandbox, and block
  5. Please make absolutely sure you press the block button
  6. GOM.exe should not now run. Presuming that it is not already running if you look in the APL it should not be running, not even running as untrusted.
  7. If it is running then there is a problem. If it’s not there may not be a problem in this particular area, though your point about running as [edit] partially limited may still be valid.

So, here is my answer.

  1. If the SB is enabled and I click on gom.exe, it gets sandboxed, but is still able to play the movie. No questions.
  2. If the SB is enabled and I click directly on the video file (for example abc.avi, xyz.mp4), then CIS asks me to allow, sandbox or block gom.exe. If I press “block”, the movie runs again. If I press “sandbox” - the same story.
  3. If the SB is disabled, CIS asks me 9 questions (screenshots above). I block all of them, but the movie starts again.

I asked a friend of mine to test it - same situation. It’s not a single case.
You can test it yourself, it’s pretty easy. Just download GOM Player from the link above.

I confirm this bug! I tested yesterday and CIS 5 does not block this player even if you press block again and again…
Please do something about this…

Best wishes,
slayer76

Anybody?

I’m guessing this is a 64 bit or Win 7 bug, as I cannot replicate here on 32 bit XP.

I get correct behaviour. File is sandboxed partially limited (thus confirming your earlier statement bequick), but I get no UA alert, therefore I cannot choose ‘block’ to test blocking. I have duplicated your settings as documented above.

My revised feelings are that there are two possible issues here:

  • Unnecessary UA alert. Might be explicable by difference in standard permissions between XP and Win 7
  • When you press block on UA alert, GOM still runs and movie still plays. Block on UA alerts typically stops the file executing, possibly because CIS blocks execution, possibly because it declines the asked-for privs and the file therefore won’t run. If the latter, and the privs requested were not actually required by the file, it might run anyway.

So a complex issue - not clear if the UA alert is wrong or the failure to block is wrong or both. But there is something wrong IMHO and it’s replicated, and it’s a possible risk, so moving to format verified and probably tracking.

I would be interested to know if this still happens if you choose to treat unknown files as partially limited.

This may be related to the fact that gom.exe runs as a service (under svchost). I’ve seen some other evidence that all does not work as it should when the executable is a service.

Best wishes

Mouse

PS Please note that GOM being able to play a video when running as untrusted is not necessarily a bug. Files are allowed to function when running untrusted, but there’s a fair amount they cannot do. However it does make the UA alert seem even more peculiar.
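The step-by-step check Mouse asked for (is gom.exe present in the process list after answering ‘block’?) and the later guess that gom.exe runs as a service under svchost can both be verified without relying on the CIS Active Processes List. The script below is an added example for that purpose, not code from the thread or from Comodo; it assumes the image name gom.exe as named in the thread and otherwise uses only standard WMI/CIM classes.

```powershell
# Added example (not part of the forum thread): independently verify whether
# gom.exe is running after answering "block" on the CIS alert, show its
# parent chain (does it really sit under svchost.exe?), and check whether it
# is registered as a Windows service. Run as the same user who sees the alert.
param(
    [string]$ImageName     = 'gom.exe',  # assumption: GOM Player image name as given in the thread
    [int]   $SettleSeconds = 5           # how long to wait after the alert before re-checking
)

# Returns one object per running instance of $Name with its ancestry chain.
function Get-ProcessTree {
    param([string]$Name)
    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in ($all | Where-Object { $_.Name -ieq $Name })) {
        $chain = @()
        $cur   = $p
        # Walk ParentProcessId upwards; cap the walk so PID reuse cannot loop forever.
        while ($cur -and $chain.Count -lt 32) {
            $chain += ('{0}[{1}]' -f $cur.Name, $cur.ProcessId)
            $parent = $byPid[[int]$cur.ParentProcessId]
            if (-not $parent -or $parent.ProcessId -eq $cur.ProcessId) { break }
            $cur = $parent
        }
        [pscustomobject]@{
            Pid         = $p.ProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Ancestry    = ($chain -join ' <- ')   # child <- parent <- grandparent ...
        }
    }
}

# Step 1: baseline. If the image is already running, a later "it is running"
# result proves nothing, so say so up front.
$before = Get-ProcessTree -Name $ImageName
if ($before) {
    Write-Warning "$ImageName is already running before the test:"
    $before | Format-Table -AutoSize
}

# Steps 2-5: the human part - open the video file and answer the alert.
Read-Host "Open the video file now, press 'block' on the CIS alert, then press Enter"
Start-Sleep -Seconds $SettleSeconds

# Step 6: did the image start despite "block"?
$after = Get-ProcessTree -Name $ImageName
if ($after) {
    Write-Output "$ImageName IS running after 'block':"
    $after | Format-List
} else {
    Write-Output "$ImageName is not running - block took effect."
}

# Separate check: is gom.exe installed as a service (which would explain an
# svchost.exe parent rather than explorer.exe)?
$svc = Get-CimInstance Win32_Service |
       Where-Object { $_.PathName -match [regex]::Escape($ImageName) } |
       Select-Object Name, State, StartMode, PathName
if ($svc) { $svc | Format-Table -AutoSize } else { Write-Output "No service references $ImageName." }
```

On Windows 7 with the stock PowerShell 2.0, Get-CimInstance is not available; replacing both occurrences with Get-WmiObject gives the same objects and the rest of the script is unchanged. An Ancestry ending in explorer.exe means the file was launched by the user's shell; one ending in services.exe via svchost.exe supports the service explanation.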

It doesn’t really matter, because:

, but yes this still happens in all modes.

but I get no UA alert, therefore I cannot choose 'block' to test blocking
How is that possible, when gom.exe is unrecognized by CIS? I’m talking about the newest version.

Is it more clear now >>>

Huh, I cannot edit my posts now? Why? Somebody doesn’t like the fact that CIS has some bugs? What does “unnecessary” in the topic title mean? I don’t like this title and this is MY topic. What’s going on here? Censorship?

Under XP it appears that GOM does not ask for any privs not normally granted by the OS in user mode. So I get a sandbox alert, not a UA alert.

Did you try to play a video file, NOT start GOM Player directly?

Yes! Tried an AVI file.