Could someone explain to me how CCAV is supposed to work when trying to sandbox applications that run with administrator privileges?
I’m asking because I ran into the following scenario:
1. I was interested in whether the CCAV sandbox would block anything special like screen grabbing and keylogging, etc., so I downloaded the SpyShelter test tool and ran it.
2. CCAV alerted about the file, the AV part that is, and I chose to ignore.
3. CCAV asked me what I wanted to do with the file, I answered to run it in the sandbox.
4. I got a UAC alert, which I said Yes to.
5. CCAV again asked me what I wanted to do with the file, I answered to run it in the sandbox.
6. The file started outside of the sandbox.
So my questions are really:
Why wasn’t the application sandboxed?
If CCAV can’t sandbox files run as administrator, why even allow them to run in the first place if I choose to sandbox it? If it can’t sandbox it, then it should display an error message and ask me if I would like to run it outside of the sandbox or block it from running.
If it simply runs admin programs outside of the sandbox, isn’t CCAV then simply bypassed by malware simply by running itself as admin?
Edit:
I just noticed, if I simply double-click the AntiTest.exe application and answer “Run in Sandbox” → UAC Yes → “Run in Sandbox” then it runs outside of the sandbox, but if I right-click AntiTest.exe and click COMODO Cloud Antivirus > Run in COMODO Cloud Antivirus Sandbox → UAC Yes then it runs in the sandbox… What’s the reason for this difference?
Sandbox set to Always sandbox untrusted files > Sandboxes file
Sandbox set to Always ask for untrusted files > Doesn’t sandbox when answer “Run in Sandbox”
!ot!
AntiTest.exe Running in Comodo Internet Security v10.0.1.6209 Sandbox (Default settings for sandbox)
Keylogging: Cannot set keyboard hook (Safe :-TU)
Screenshot: Test1a → Test5a and Test1b → Test5b (Failed :-TD)
Clipboard Monitoring: clipboard content was changed (Failed :-TD)

[b]System Protection[/b]
Registry access test 1: not blocked by the protection (Safe sandboxed :-TU)
Registry access test 2: not blocked by the protection (Safe sandboxed :-TU)
Writing file to startup folder test: your system did not pass this test.
File was copied successfully to C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestConApp.exe
(Note: no file was found at the stated location) (Safe sandboxed :-TU)
Service registering test: your system did not pass this test. (Error window: Make sure that the service is registered) (Safe :-TU)
Driver registering test: (unavailable)
Physical memory access test 1: (winxp32bit unavailable)
Physical memory access test 2: (winxp32bit unavailable)
Webcam Capture: screen is black (I don't have a webcam)
Sound Record: Don't have a mic