CIS 4.1 SB doesn't work as expected

Yesterday, a friend of mine reported a huge bug to the Comodo live support. The problem still exists and nobody says when it will be solved. So, straight to the problem. I have tested CIS 4.1 vs the rogue MSE antivirus. My AV was disabled, because I wanted to see what the SB was going to do. Now, the interesting part…
1. Starting the rogue installer >>> SB asks >>>
http://img820.imageshack.us/img820/2271/15485230.th.png

My answer is: Yes, of course keep it in the SB.
Huh, that's fine, but it doesn't go to the sandbox, but here >>>
http://img810.imageshack.us/img810/7619/37006218.th.png


http://img820.imageshack.us/img820/1251/69985406.th.png

Now, the good thing is that this fake AV, for some reason, stays inactive, but the bad thing is that CIS promised me that it goes to the sandbox, but that wasn't true; it lives in my real file system.

I can send the malware to anyone who wants to test the case.

credits to URIEL. :))

bequick.

Automatic virtualization is still not enabled by default. So that means sandboxed executables can still drop files. However, they can not modify (infect) registry keys or files, and this is where Defense+ restricts those sandboxed applications.

So in your case, the rogue only dropped files AFAIK.

But if you think it did something malicious, such as system malfunction, and caused infection… can you please send me the rogue?

Thanks
Josh

No, it didn't do anything, but it's there. Imagine that tomorrow I decide to remove CIS. What's gonna happen with this malware? Probably it will stay on my system, right?

…Sending you the file over PM.:slight_smile:

The Rogue is there right… But it’s NOT active in any way.

Anyway it's not a bug. Because how the CIS Sandbox always works is that… files can be dropped, but they can't cause damage to your PC. If you removed CIS after, then well, who knows what will happen? That's a user's choice and not a CIS fault or bug. :slight_smile:

If automatic virtualization was enabled… it would obviously be a different story. Because files dropped would also be gone. But due to incompatibility concerns this is not possible yet with auto sandboxing, however… no sandboxed app can cause infection/modify protected keys and files.

Josh

There's no way for me to agree with that so easily. :)) The main function of CIS is to keep the PC clean. That's not happening. If I decide to remove CIS for any reason (maybe just a reinstall or something trivial), I must be sure that my system is clean, but it is NOT.

Then turn on antivirus and do a full system scan and you’ll be clean.

What's there not to agree with? This is how it works, because automatic virtualization is not enabled by default.

New files are allowed to be CREATED but can NOT modify existing files. CIS is keeping your PC clean. For unknown applications (sandboxed), Defense+ automatically blocks file system and registry access to critical keys/files.

So, sandboxed applications:

1 - Can not modify any protected registry key
2 - Can not modify any protected file i.e. infect files
3 - Can not do any operations that require administrative privileges

So files in your case are there and created, but that's it. The rogue can NOT do any of the above 3 actions to the locations it has access rights to. You are protected. And you can then always manually delete the inactive files or use a junk cleaner to clean up the rest of the stuff left over (or, as mentioned, use another AV or antimalware scanner that detects this app to clean up the harmless files).
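A small baseline-and-diff script that makes the created-versus-modified distinction from the post above concrete: it hashes a directory tree before and after a run and reports which files were newly dropped (what the sandbox permits) and which pre-existing files had their content changed (what Defense+ is meant to block). This is an added example, not part of the thread and not CIS code; the directory layout, file names and contents in the demo are constructed in a temporary folder.

```python
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify changes between two snapshots.

    'created'  : new files (the dropped files the sandbox still allows)
    'modified' : existing files whose content changed (the 'infect files' case)
    'deleted'  : files that disappeared
    """
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Constructed scenario: one pre-existing document; a run then drops a new
    file into a Roaming-style folder and overwrites the existing document."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Documents").mkdir()
        (root / "Documents" / "report.txt").write_text("important data")
        before = snapshot(root)
        (root / "Roaming").mkdir()
        # Constructed placeholder content, not a real executable.
        (root / "Roaming" / "dropped.bin").write_bytes(b"constructed placeholder")
        (root / "Documents" / "report.txt").write_text("overwritten")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

Run `snapshot()` on a real profile folder before and after an unknown program is allowed to run, and the `created` list is exactly the set of leftovers a user would want listed for cleanup.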

OK, I understand that's how it works, but that is a great reason not to use the sandbox anymore. I asked ''what if'', but nobody answers my question. So, what if again? :))
Now, you cannot say that my PC is clean, if it obviously is not clean. Do I have malware on my system? Yes.
This is not a clean machine. Melih says:

Running Antivirus thinking you will be safe…Madness!!!

I do not feel safe with Comodo's ''sandbox'' either. That's it.
Why is it needed to delete these files manually? OK, if I know they are bad, I can remove them, but if I do not know whether they are bad and where they are (because they go in the Roaming folder), what am I supposed to do?

It’s not SB’s job to delete anything, it’s the AV’s part, SB and D+ are there to prevent and they did their job as intended.

How did they do the job exactly? By saying that the program is in the SB, but it isn't? Wow, what a great job. They didn't prevent the malware from dropping its malicious files onto my system. They just stopped it from doing things. For now…

Actually, it's a great reason to continue to use the sandbox. Because there are WAY too many people out there running Antivirus thinking they are protected. If unknown files come in… and it's malware, it's all over because the AV did not detect it. At least in CIS, unknown files are handled properly and can not infect files or modify keys - unknown files are sent to Comodo labs; if safe, let it out of the sandbox; if malware, delete it from the sandbox. :slight_smile:

The point is… You will ALWAYS be protected from unknown files, unlike those using blacklisting (Antivirus, behavior blocker, heuristic), hence the ever growing malware problem. :frowning: Yes, files can be dropped, but that's it. Better than using blacklisting technology, with blacklisting letting unknown files through and risking serious infection!

Anyway this is how it works… Not much more to say. :slight_smile:

Better, but my wish is for CIS to be perfect, not just better. :))
p.s. OK, let's stop talking for now and see how it will go. :wink:

Sure. :slight_smile:

I think CIS should keep track of the files that are dropped so that the user can clean them within the GUI, and also it should ask to clean these files before CIS undergoes uninstallation from the system!

That should be in My Pending Files and you can remove them by selecting them and pressing Delete File.

Just removed that… It was a little out dated. :slight_smile:

ok, thanks Josh :-TU

So the CIS sandbox prevents writing only at places defended by D+?
EDIT: never mind, I just read the above article by 3xist etc.
If so, what if I add extra places in D+, will the sandbox protect these also?

Yeah, unless you give some malicious file elevated privileges…
But I personally think that adding anything more than the default factory settings would downgrade usability.
You could, I don't know, add My Documents to protect them if you have something important, or some other folder… Your call…

Everybody should try to run e.g. the ransomware gpcode; it will encrypt a whole bunch of docs, and especially in the My Documents folder.