Bypass sandbox in partially limited by worm virus (*vbs)

Hi all

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Every time
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: I ran the virus on the default settings for Comodo
2: After running, the virus spread all over the external USB disk
3: The virus put shortcuts on my apps, and opening any shortcut automatically runs the virus
One or two sentences explaining what actually happened:
One or two sentences explaining what you expected to happen:
The sandbox must protect the external drives and prevent the creation of shortcuts for applications

If a software compatibility problem have you tried the conflict FAQ?:
Any software except CIS/OS involved? If so - name, & exact version:
Any other information, eg your guess at the cause, how you tried to fix it etc:

Video put it to the test

Exact CIS version & configuration:
CIS 7.0.317799.4142

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Default configuration.
Have you made any other changes to the default config? (egs here.):
Have you updated (without uninstall) from CIS 5 or CIS6?:
if so, have you tried a clean reinstall - if not please do?:
Have you imported a config from a previous version of CIS:
if so, have you tried a standard config - if not please do:
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
On a real system, Windows 7 x64
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a = NA, b = NA

I see from your video that many files were dropped, even after it was sandboxed. However, after restarting the computer are any of its processes automatically started? Also, after restarting are there any important system processes, or applications, which have been altered by the worm?


The system was not damaged. The shortcuts were not deleted after reboot, and the copies the worm made of itself everywhere were also not deleted on reboot.

In that case, under the description of Partially Limited given on this page of the Help File this does not sound like a bug. I do wish that this sort of behavior was not allowed by default, but unless something else was altered it doesn’t seem to be a bug.

What do you think, after reading the description of Partially Limited on the page I linked to?


Your words are 100% true, but it is a very dangerous worm that spread all over the computer, and on the default

I agree that I do not want this to be allowed by default. However, unless it is copied into areas which are explicitly protected, this is not a bug but expected behavior under Partially Limited. This is why I absolutely support any wishes for the default configuration to be more strict as to what is allowed.

However, as this is technically not a bug I am forced to move this report to Resolved. I hope you understand.

Thank you.

In this case, except this is considered a bug in this option “Do heuristic command-line analysis for certain applications”

The vbs file was run under Partially Limited. Before the command-line analysis was added, as described in your screenshot, these sorts of files were able to bypass monitoring, and therefore do what they liked. However, in your case it was monitored, and the Partially Limited restrictions were correctly applied. However, Partially Limited is not very strict, and thus it does allow files to be dropped.

It’s for those reasons that I still do not see this as a bug. If you feel I have misunderstood your reply please feel free to clarify.

Thank you.

I’m not talking about the Sandbox; I am talking about the option “Do heuristic command-line analysis for certain applications”

Please kindly check this link

Also note that it is enabled in the default settings, and the company said of the mentioned option that it must stop such extensions

I see that this option does not interest him just Accessories

I think that you should consult with one of the program's developers to find out whether the spread of the worm to all corners of the computer is natural

As stated in the Help File, the option to “Do heuristic command-line analysis for certain applications” just means that files such as vbs will also be restricted under the BB level. Thus, the restrictions for Partially Limited will be applied to the vbs file. If you disable that option you should find that the vbs file is allowed to do whatever it wants with no restriction.

Thus, your issue here seems to have nothing to do with the “Do heuristic command-line analysis for certain applications” option. It seems that you have an issue with how files run under Partially Limited are allowed to drop files. Am I correct in explaining this?


The option to read command lines and the Sandbox are there to ban everything that is dangerous. Is a worm that hides all files on external disks and makes fake shortcuts not dangerous?

Maybe it is no longer a bug, but this is instabilmente dangerous to the user, since all files will be hidden and many shortcuts will be shown that are difficult to remove and, when removed, will reappear

Why not show the issue to the developers of the program as a proposal, not as a bug?

Perhaps what would be helpful would be a limit to the number of locations where a sandboxed application can drop files. That would help in this situation, although it may make more programs fail to install correctly.

If that is more along the lines of what you are looking for please do submit a Wish Request for it. However, it would not be able to be submitted as a bug. I hope you understand.

Thank you.
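
The idea raised above of limiting how many locations a sandboxed application can drop files in can also be approximated on the monitoring side. The following is an added example, not part of the thread and not Comodo's code: it runs over constructed file-creation events and flags a script host that drops `.lnk`/`.vbs` files in many directories or onto a removable drive. The event format, PIDs, paths, threshold and the `E:` drive letter are all assumptions made for the illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumptions for this sketch (not taken from the thread or from Comodo):
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # interpreters that run .vbs
DROP_EXTS = {".lnk", ".vbs", ".vbe"}            # shortcut / script drops
MAX_DIRS = 3                                    # distinct folders tolerated
REMOVABLE = {"E:"}                              # drive letters known removable

# Constructed sample events: (pid, process image, file created)
EVENTS = [
    (4120, r"C:\Windows\System32\wscript.exe", r"E:\photos.lnk"),
    (4120, r"C:\Windows\System32\wscript.exe", r"E:\docs\report.lnk"),
    (4120, r"C:\Windows\System32\wscript.exe", r"E:\update.vbs"),
    (4120, r"C:\Windows\System32\wscript.exe", r"C:\Users\test\Desktop\Browser.lnk"),
    (4120, r"C:\Windows\System32\wscript.exe", r"C:\Users\test\AppData\Roaming\update.vbs"),
    (4120, r"C:\Windows\System32\wscript.exe", r"C:\Users\test\Documents\notes.lnk"),
    (5300, r"C:\Users\test\Downloads\setup.exe", r"C:\Users\test\Desktop\App.lnk"),
    (6012, r"C:\Windows\System32\cscript.exe", r"C:\Temp\out.vbs"),
    (6012, r"C:\Windows\System32\cscript.exe", r"C:\Temp\run.log"),
]

def flag_droppers(events, max_dirs=MAX_DIRS, removable=REMOVABLE):
    """Return {pid: [reasons]} for script hosts with worm-like drop patterns."""
    dirs = defaultdict(set)      # pid -> distinct directories written to
    on_removable = set()         # pids that wrote to a removable drive
    for pid, image, target in events:
        img, tgt = PureWindowsPath(image), PureWindowsPath(target)
        if img.name.lower() not in SCRIPT_HOSTS:
            continue             # only script interpreters are of interest
        if tgt.suffix.lower() not in DROP_EXTS:
            continue             # ignore logs and other benign output
        dirs[pid].add(str(tgt.parent).lower())
        if tgt.drive.upper() in removable:
            on_removable.add(pid)
    report = {}
    for pid, seen in dirs.items():
        reasons = []
        if len(seen) > max_dirs:
            reasons.append("many_locations")
        if pid in on_removable:
            reasons.append("removable_drive")
        if reasons:
            report[pid] = reasons
    return report

if __name__ == "__main__":
    for pid, reasons in flag_droppers(EVENTS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```
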