BSOD encountered when resetting sandbox after running malware 2 [M576]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.
  • Can U reproduce the problem & if so how reliably?:
    Yes, every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    I downloaded a piece of malware, which devs will find attached to this post. (The malware name is Poli 12). Then, after unzipping it, right-click on the executable and select the option to “Run in COMODO Sandbox”. Then, wait until there is a firewall alert. Block this (but do not kill the process) and then reset the sandbox. There will be a BSOD.
  • If not obvious, what U expected to happen:
    The FV Sandbox should always be able to Reset successfully, regardless of what is running inside.
  • If a software compatibility problem have U tried the conflict FAQ?:
    NA
  • Any software except CIS/OS involved? If so - name, & exact version:
    NA
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    I’m not sure. Perhaps it’s an incompatibility between the FV Sandbox and a driver on my computer.
  • Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not m’ware)
    I have attached the diagnostics file (run while the malware was still running in the FV sandbox) and the KillSwitch process dump (run while the malware was still running in the FV sandbox). I have uploaded the Complete Dump file to this page.

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • Exact CIS version & configuration:
    CIS version 6.2.285401.2860
    Default Configuration
  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    Default Configuration
    However, I had to disable the AV and the Cloud lookup so it wouldn’t automatically flag the file as dangerous and remove it.
  • Have U made any other changes to the default config? (egs here.):
    Default Configuration
    However, I had to disable the AV and the Cloud lookup so it wouldn’t automatically flag the file as dangerous and remove it.
  • Have U updated (without uninstall) from a CIS 5?:
    No, this was a clean install.
      - if so, have U tried a clean reinstall - if not please do?:
        NA
  • Have U imported a config from a previous version of CIS:
    No
      - if so, have U tried a standard config - if not please do:
        NA
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 7 x64 (fully updated), UAC disabled, Real System, run as administrator.
  • Other security/s’box software a) currently installed b) installed since OS:
    a) None b) None

[attachment deleted by admin]

Hi Chiron,
I reproduced this problem, and you can simply add ‘LocalSecurityAuthority.Debug’ to the protected COM interfaces to avoid it.

Best Regards.

Thank you. I’m actually just looking for this type of malware in order to help Comodo to improve CIS. I know what to do with a BSOD, but I know that if an ordinary user encountered this it could greatly harm their trust in CIS.

Will ‘LocalSecurityAuthority.Debug’ be added to the next version of CIS, or is this just a workaround for those who are messing around with malware which may cause a BSOD?

Thank you.

I am still not sure whether to add it in the next version; we need a more comprehensive analysis.

Best Regards

Chiron, could you test if this resolves all the related issues? If so, please mark them as duplicates of the Confirmed bug in bugzilla, but leave that bug at confirmed.

Many thanks in anticipation

Mike

This is not fixed for CIS version 6.3.294583.2937.

I have updated the tracker.

This is not fixed for CIS version 7.0.313494.4115. I have updated the tracker.

This is not fixed for CIS version 7.0.317799.4142. I have updated the tracker and added a download link for the Complete Dump to the first post.

This is fixed on my computer with CIS version 8.0.0.4337. I will therefore move this to Resolved.