bypass CIS v6.2 fully virtualized

  1. I ran the malware.

  1. It was sandboxed as fully-virtualized.

  2. I reset the sandbox.

  3. I checked the autorun entry.

Please view the attached image.

  1. The malware successfully create autorun entries outside the sandbox.

Win XP Pro SP3 32bit

[attachment deleted by admin]

Hi, thanks for the report. Does this happen too with Win 7, have you tried? Same for

That issue is for 32bit system only.

could send me sample?
would like to test on windows 7 because use and wanted to see how the CIS 6.2 behaves.

the issue of screenlogger reported by jaspion also not fixed.

This case and a few other cases reported before rely on the same technique. We fixed it but haven’t issued the update yet.

And when would that be? Soon or later on?

When can we expect said update to go live? You don’t have to be super specific but maybe say days, weeks, months?

Edit: ■■■■ it, too late, I really must re-enable that warning about new posts 88)

The fix is very specific and hence we need to get it tested more. We should be able to include it with the next release.

Weeks is what we are talking about.

Alright, looking forward to the update.

In the mean time, you can simply add LocalSecurityAuthority.Debug to your protected COM interfaces to address this issue.

Thank you for the tip! =) I wonder, is there any similar malware/technique that you know of that can bypass CIS’ full virtualization on 64-bit systems?

@a256886572008, is this fixed with CIS version 6.2.285401.2860?

They have not released the fixes yet. Egemen said in few weeks on another topic, days ago.