CIS allowed a virus to run, my computer is infected

Hi,

I use the settings by Chron. The sandbox is fully virtualized. Just out of curiosity, I downloaded an infected file today. Every time I run this file, CIS asks if I want to run it in the sandbox or allow it.

Now it did not ask and a fake AV was installed on my PC.

Why is CIS not working? I have the Pro version of CIS.

Thank you for your advice.

Do you have an example of the file that you can send me (us) through PM?
Or you can upload it somewhere and post the link here. Please remember not to attach the malware to your post, just the URL where it can be downloaded (no live malware, per the forum’s policy).

Doing this will allow us to test the file with the settings you mention and check whether it was a bypass or human error.

Yes, no problem. I am sending it in a PM. I hope it is the file, I do not want to try it again. I am just cleaning my PC. I downloaded a few of them today but I think this is the one. CIS did not even react to the other ones, but some of them were caught by the AV. Not this one.

Thank you. I have received the link for download.

Could you please provide me with your environment versions so I can reproduce them in a similar one here?
OS version, 32/64 bit, CIS PRO version, Firewall (Safe Mode, etc), HIPS enabled/disabled, etc.

I have Windows 8.1 64-bit, CIS is the latest version 6.3.297838.2953, virus database is 17166, firewall - custom rules, HIPS - OFF, Sandbox - fully virtualized, AV - stateful. But I switched off the AV when I ran it, and I noticed then that the AV does not react to it. When I tried similar files before, I also had the AV switched off, but CIS asked me how I wanted to run such files. Now nothing asked me. I ran about 6 files today.

I was surprised I could run this file without CIS noticing it. For sure I did not allow cmd to run; happily it probably did not write anything to the Windows registry.

Can you please send me a PM with a link to the malware in question?

Thanks.

I sent it to you.

radek178, can you please check your logs and see if the file was actually sandboxed, or scanned and found safe, etc…

Please post a screenshot of the Defense+ logs relevant to this. These will likely shine light on what has happened.

Thanks.

I am going to have a look for you. I thought the sandbox would ask; it always asked about unknown files when running them, and there was no warning window.

I looked at the log. The first run of the file was as fully virtualized. In spite of that, no warning window popped up. Then I see in the log that it had access to the memory.

I do not remember exactly how many times I ran this file. I have HIPS OFF.

Sending you the log by PM.

I ran this on my own system, which is Windows 7 x64. I right-clicked on it and selected to run it in the FV sandbox.

I let the Fake AV complete its scan. Then I restarted the computer and reset the sandbox. Upon checking, I found no evidence of infection on my computer.

I then checked my logs and compared them to yours. I see no significant differences. Mine also showed access to System and that it was sandboxed as FV. Thus, I’m not sure what has happened. This is either an issue specific to Windows 8.1, or perhaps the infection was not caused by the infection you sent me.

I will describe to you exactly what I did.

When I want to run a file in the sandbox, I run it as you do, by right-click, but I did not run this one like that because, since it was a new file, I wanted to try whether the sandbox would react, but CIS did not react, no pop-up.

I tried to run the same file in VMware in Vista 64-bit (there I have only Comodo Firewall). I ran it the same as on Win 8, by left-click. I have the same Comodo settings and a window popped up saying that it was sandboxed.

Probably it means that something is wrong on Win 8 64-bit or something is strange with my CIS installation. But I think it should not be, because my installation is now only a few days old.

What should I do next?

I will send you the infected files. I copied them.

This is a strange situation. I have now passed on all of the information you have provided me, including samples, to the Mods. Let’s see if they can contribute any ideas.

Thanks.

OK, if you want I can make you a video so you can see it is really like that. Now I again tried to run other, probably infected, files and CIS doesn’t show any pop-up that they are sandboxed.

I downloaded a browser based on Firefox, it is called Palemoon portable. I ran it and immediately a window from CIS popped up saying that the file was sandboxed. The files that I sent you last are already detected by some AVs as viruses. It is strange that for some files the window pops up and not for the infected ones.

Here are links,

Mod edit: Replaced shortened links, please note the use of ‘Shortened or Obfuscated links’ is against the Forum Policy Sect 8.10, thank you from Captainsticks.

I am updating my Win8 to 8.1. So after that, I will play with the file you sent me and report back.

If there are more files you think might be bypassing CIS, please keep sending them to me in PM.
I would like to test them all once my Windows update is done, and report back on each file.

I sent you PM. Thank you.

It is interesting. I had a problem only with upeksvr.exe. When I run this file, CIS does not show any pop-up. I made a short video. I have firewall - CUSTOM RULESET.

OK, what can I do? My CIS is a fresh installation and probably does not work properly.

When you run upeksvr.exe, do you have some file in c:/programdata?

Ok, here is the environment I setup and I am running:

Win 8.1 64 bit, CIS 6.3.294583.2937, Database Version 17172, AV OFF, Firewall - Safe Mode, Auto-Sandbox - Fully Virtualized. I double clicked the fake AV file and CIS notified me of the file running in sandbox.

Results are showing that even with AV off, Auto-Sandbox alerts that unrecognized files are running in the sandbox (e3943d7369aa.exe and smp.exe were isolated manually through the CIS popup).

CIS did what it was supposed to do and my PC remains clean.

I did the test again with Firewall - Custom Ruleset and I have the same result, app is auto-sandboxed.

Mine is a fresh installation too. After the tests, I can only conclude one thing:
Human error. Somehow you allowed the file to be executed on the real system; probably the file was accidentally trusted or something similar. Again, that’s only my personal conclusion after running the files provided by you within a similar environment to the one you have.

Everything stays the same way and no new files are added to c:/programdata.

I recommend you go through your config settings and double check if everything is ok. Include in your review if any of the malware samples you provided are listed in your trusted files.

I will check it and I will be back soon.