What actually happened or you actually saw: CIS was in game mode, but the SB was set to treat the unrecognized file as untrusted. A pop-up appeared that gom.exe (gom player) is sandboxed. When I looked into the sandboxed files, it was sandboxed as “partially limited” :o I moved it to the trusted files, then removed it to test once again. Turned off the gaming mode. A new pop-up appeared about what to do with gom.exe (screenshot). I clicked on “block”, but gom player started the movie. :o gom.exe is treated as untrusted, I blocked it and it’s still able to play the movie. :o
What you expected to happen or see: to block it
How you tried to fix it & what happened: tried to reproduce the issue several times. No success. CIS acts wrong every time.
If it's an application compatibility problem have you tried the application fixes?: n/a
A) Could you please just edit your post to put the following information in:
Defense+, Sandbox, Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV = above
OS version, service pack, number of bits, UAC setting, & account type: Windows 7 x 64 ultimate
B) Please could you try with MBAM completely disabled or (preferably) uninstalled.
C) I think maybe part of what is going on here is that CIS is not finding it easy to recognise that GOM needs unlimited privs. It appears that it is unable to do so until you have made it trusted. Then it gets confused. But weirdly thereafter it does recognise this even if it is made untrusted again. I have seen similar behaviour.
To disentangle this we’ll need your logs for the period of the complete sequence you describe above. Also your active processes list after you have answered ‘block’ to the second alert.
There’s no log record of GOM.exe being sandboxed as partially limited. Just wondering where you saw this. There’s another file that was at about the same time MOM.exe - could you have been confused?
The logs suggest that when you got the unlimited access alert you pressed the sandbox, not the “block” button. When sandboxed as untrusted, software can still function - playing a movie would be considered safe I guess. However I accept that this is a mistake you are unlikely to make twice! Just to check, would you mind responding to this unlimited access alert again and see if the file is sandboxed instead of blocked. (I’ve always assumed blocked meant stopped from running, but will need to check this now!).
Repeat: It’s a clean install of CIS, that’s why yesterday’s log is missing. Why do you people never trust anything?
I did the test again. First with SB enabled, then with SB disabled. Here is the new log. When I disabled the SB, D+ asked me 9 different questions. I blocked all of the requests and the movie just began…again. You can see the screenshots.
Thanks Bequick, for clarification that the period covered by the logs does not include the sandboxing as ‘partially limited’ event.
It’s not that I don’t trust you specifically - it’s just that I don’t trust anyone - myself included - not to occasionally confuse files with such similar names - MOM.exe and GOM.exe. Hence the need to recheck. Incidentally the guidance for re-installation (linked to in the standard format) says ‘please take a copy of your logs first’, so you can see why I might think you had them.
What I really need you to re-try is pressing the blocked button on the unlimited access alert. Then look at the logs and APL and tell me if it is running as untrusted. Don’t think it should - I think it should refuse to start at all.
1. If the SB is enabled and I click on gom.exe, it gets sandboxed, but is still able to play the movie. No questions.
2. If the SB is enabled and I click directly over the video file (for example abc.avi, xyz.mp4), then CIS asks me to allow, sandbox or block gom.exe. If I press “block”, the movie runs again. If I press “sandbox” - the same story.
3. If the SB is disabled, CIS asks me 9 questions (screenshots above). I block all of them, but the movie starts again.
I asked a friend of mine to test it - same situation. It’s not a single case.
You can test it yourself, it’s pretty easy. Just download gom player from the link above.
I’m guessing this is a 64 bit or Win 7 bug, as I cannot replicate here on 32 bit XP.
I get correct behaviour. File is sandboxed partially limited (thus confirming your earlier statement bequick), but I get no UA alert, therefore I cannot choose ‘block’ to test blocking. I have duplicated your settings as documented above.
My revised feelings are that there are two possible issues here:
Unnecessary UA alert. Might be explicable by difference in standard permissions between XP and Win 7.
When you press block on UA alert, GOM still runs and Movie still plays. Block on UA alerts typically stops the file executing, possibly because CIS blocks execution, possibly because it declines the asked-for privs and file therefore won’t run. If the latter, and the privs requested were not actually required by the file, it might run anyway.
So a complex issue - not clear if the UA alert is wrong or the failure to block is wrong or both. But there is something wrong IMHO and it's replicated, and it's a possible risk, so moving to format verified and probably tracking.
I would be interested to know if this still happens if you choose to treat unknown files as partially limited.
This may be related to the fact that gom.exe runs as a service (under svchost). I’ve seen some other evidence that all does not work as it should when the executable is a service.
PS Please note that GOM being able to play a video when running as untrusted is not necessarily a bug. Files are allowed to function when running untrusted, but there’s a fair amount they cannot do. However it does make the UA alert seem even more peculiar.
Huh, I cannot edit my posts now? Why? Somebody doesn’t like the fact that CIS has some bugs? What does “unnecessary” mean in the topic title? I don’t like this title and this is MY topic. What’s going on here? Censorship?