Can anyone help with this mysterious “|” Symbol?
Based on the information I gathered from the following posts, I’m trying to run some tests to determine how the “|” symbol is used.
CIS Wildcard Help
File specification inc. using wildcards in CIS
Sandboxed malware (Veximm.exe) deposits shortcuts on desktop
The goal of the test was to prevent write access to files in the “Protected Files” section by a sandboxed application.
I configured CIS as follows:
• Used a fresh “COMODO - Internet Security” configuration.
• Added my folder to the “Protected Files” section.
• Disabled Auto-Containment for all unrecognised file rules (because LibreOffice was installed within 3 days).
• Added Auto-Containment for anything in the LibreOffice folder located in C:\Program Files\LibreOffice, with Action “Run Virtually” and Restriction level set to “Partially Limited”.
• Opened file test.txt with LibreOffice Writer, which is located in my protected folder.
• COMODO contained/sandboxed the LibreOffice application and opened the file with write access.
• I altered the contents in the file and saved it. The change took place in the sandbox and not to the original file outside of the sandbox.
Conclusion: No “|” symbol was used for the first round of tests and results were implemented as expected. I tried the test again with Restriction level set to “Limited”, “Restricted” and “Untrusted”. The “Limited” restriction level had the same result as “Partially Limited”, whilst “Restricted” prevented write access altogether, even in the sandbox, and “Untrusted” prevented the file from opening altogether.
I performed the same test with the “|” symbol but no difference was noticed. I assumed the “|” symbol would prevent write access even when the restriction level is set to “Partially Limited” or “Limited”. That was not the case.
I conducted the above tests again but with HIPS enabled in “Safe Mode”. It produced the same inconclusive results. Another test was performed with my “Protected Files” folder added to the “Do not virtualize access to the specified files/folders”. It granted the sandboxed application write access to the original file outside the sandbox and as a result the original protected file was altered by the contained application.
What am I doing wrong? Please can someone give me the correct configuration for testing the “|” symbol.