bypass comodo sandbox 5.8 RC2 (.cpl file)

I disabled the antivirus and the cloud scanner.

Then I double-clicked on the malware.

COMODO did not pop up any alert window.

I viewed the active process list.

shell32.dll is trusted by comodo

I opened Autoruns and checked the registry value.

The malware created the autorun entry successfully.

system environment:
XP SP3 32bit

FVS report:
https://valkyrie.comodo.com/Result.html?sha1=82b19f60bc05cc790566efcb8b49018457f768e3&&query=1&&filename=img__27092011__141340__jpg[1].cpl

Is there a bug in the item?

Someone tested the malware with malware defender.

2011-10-1 18:50:31 create new process allow
process: c:\windows\explorer.exe
target: c:\windows\system32\rundll32.exe
command line: "rundll32.exe" shell32.dll,Control_RunDLL "C:\Documents and Settings\Administrator\桌面\IMG_27092011_141340_JPG\IMG_27092011_141340_JPG.cpl",
rule: [Application] c:\windows\explorer.exe → [Child application] c:\windows\system32\rundll32.exe


COMODO recognized the process (rundll32.exe) as shell32.dll, but not as IMG_27092011_141340_JPG.cpl.

There might be a bug for the detection of the command line.

Thanks a lot. Can you please send me the sample?

Fixed the bug in command-line heuristics. The next build won't have this issue.

Thanks for your feedback.

So will the next build be RC or Final? Hope we get the next build this week.

Thanxx
Naren

a256886572008, you are doing a great job, CIS is safer thanks to you.
Keep it on.

Yeah…this guy is very competent…a precious resource for Comodo

Great work there a256886572008! All the work you put in is really valuable for Comodo as with all the beta testers and members sharing observations to make CIS improve more. :-TU

I hope the Final Release will take care of the bugs.

I think a256886572008 should get some kind of incentive from COMODO.
He has helped a lot with MAJOR security bugs that even COMODO developers have missed.

Way to go a256886572008!
You should create a topic dedicated to all your reports for easiest follow up.

+1

a256886572008,

Thank you, what you have done is truly admirable!
Thanks to a256886572008, you really did a good job!

I have had similar problems with CIS too. And it is not a question of command-line execution. Simply launching new malware (CIS antivirus is not installed) that is so new most scanners don't recognize it does not cause any action from Comodo Defense+ or the sandbox. And this happens especially if my Defense+ setting is something other than Partially Limited. As if the other settings would not work.

Other settings are stronger than default Partially Limited.
Maybe you disabled notifications?
Check Defense+ Events (logs)…

Is this fixed with CIS 5.8 final?

yes.

Nice!
Thanks.
Kaspersky would have needed a year to fix it… >:-D

I would think so. Egemen is always very keen to get bypasses fixed.

Someone tested the malware without the auto sandbox.

disable “partially limited”

double click on the malware

Comodo pops up an alert window:

.cpl file is trying to execute rundll32.exe

Problem:
The target is not the .cpl file.

Is this a bug for the “heuristic command-line analysis” ?
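The two reports above (the Malware Defender log of the explorer.exe → rundll32.exe launch, and the Defense+ alert that names rundll32.exe rather than the .cpl) both come down to the same indirection: the process that gets created is rundll32.exe, the module it loads is shell32.dll, and the code that actually runs is the .cpl handed to Control_RunDLL. The following is an added example written for this thread, not code from Comodo, Malware Defender or the reporter. It tokenises the command line with CommandLineToArgvW's quoting rules and resolves what a policy engine should be judging. Assumptions: the log fields are parsed from a sample constructed to match the report quoted above, the Control_RunDLL argument syntax is `path.cpl[,@applet[,tab]]`, and the XP system directory is `c:\windows\system32\`.

```python
"""Resolve the file that really executes behind a rundll32.exe command line.

Added example for the thread above; not Comodo's, Malware Defender's or the
reporter's code. The tokeniser follows CommandLineToArgvW's quoting rules.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the Malware Defender report quoted in the thread.
SAMPLE_LOG = (
    "2011-10-1 18:50:31 create new process allow\n"
    "process: c:\\windows\\explorer.exe\n"
    "target: c:\\windows\\system32\\rundll32.exe\n"
    'command line: "rundll32.exe" shell32.dll,Control_RunDLL '
    '"C:\\Documents and Settings\\Administrator\\桌面\\IMG_27092011_141340_JPG'
    '\\IMG_27092011_141340_JPG.cpl",\n'
)

# shell32.dll exports that load and run a Control Panel applet (.cpl).
CPL_ENTRY_POINTS = {"control_rundll", "control_rundlla", "control_rundllw"}
SYSTEM_DIR = "c:\\windows\\system32\\"  # assumption: default XP install path


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Tokenise like CommandLineToArgvW: whitespace separates arguments,
    double quotes group, and backslashes are literal unless they precede a
    double quote (2n -> n backslashes, 2n+1 -> n backslashes plus a quote)."""
    args, cur, in_quotes, have_arg, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2:          # odd: the quote is literal
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * nbs)
            i, have_arg = j, True
            continue
        if c == '"':
            in_quotes, have_arg = not in_quotes, True
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


@dataclass
class ExecTarget:
    host: str     # image CreateProcess actually starts (rundll32.exe)
    module: str   # DLL rundll32 loads
    entry: str    # export it calls
    payload: str  # file whose code really runs: what policy should judge


def resolve_rundll32(cmdline: str) -> Optional[ExecTarget]:
    """Return what rundll32 will execute, or None if this is not rundll32."""
    argv = split_windows_cmdline(cmdline)
    if len(argv) < 2 or ntpath.basename(argv[0]).lower() not in ("rundll32.exe", "rundll32"):
        return None
    module, _, entry = argv[1].partition(",")
    if ntpath.basename(module).lower() == "shell32.dll" and entry.lower() in CPL_ENTRY_POINTS:
        if len(argv) < 3:
            return None
        # Control_RunDLL argument is "<path.cpl>[,@applet[,tab]]": keep the path.
        payload = argv[2].split(",@", 1)[0].rstrip(",")
    else:
        payload = module  # rundll32 runs the named DLL's export directly
    return ExecTarget(ntpath.basename(argv[0]), module, entry, payload)


def parse_log(text: str) -> dict:
    """Split 'key: value' lines of the Malware Defender-style report."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def attribute_launch(log_text: str) -> dict:
    """Decide which file a sandbox/HIPS rule should be applied to."""
    fields = parse_log(log_text)
    target = fields.get("target", "")
    resolved = resolve_rundll32(fields.get("command line", ""))
    judged = resolved.payload if resolved else target
    return {"target_image": target, "judged_file": judged,
            "outside_system_dir": not judged.lower().startswith(SYSTEM_DIR)}


if __name__ == "__main__":
    print(attribute_launch(SAMPLE_LOG))
```

Run against the constructed log, `judged_file` is the .cpl under the user's desktop rather than rundll32.exe or shell32.dll, and `outside_system_dir` is true, which is the signal the thread says the command-line heuristic missed. The same resolver also covers the plain `rundll32.exe some.dll,Export` form, where the DLL itself is the payload.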

To be honest, I don't see the problem.
If the start of rundll32.exe is denied, the malware is blocked, or am I mistaken?
Was D+ in the Proactive config?