Comodo 8.2.0.4792 Sandbox vs a Worm (GRUEL) : possible bug or misconfiguration?

Hello everybody,
I was testing a version of the (in)famous worm Gruel (MD5: b0feccddd78039aed7f1d68dae4d73d3) in a virtual environment with the following setup:
Windows 7 Professional 64 bit
8 GB Ram
CIS 8.2.0.4792 with no antivirus enabled, HIPS disabled and Proactive Security
Software running the VM: Virtualbox 5.0.10 under a Fedora x64 23

I was testing a fully virtualized sandbox with full restrictions, but here are some interesting screenshots.
==CONFIGURATION==

http://s22.postimg.org/va06zc3kt/Comodo_config.jpg


http://s17.postimg.org/y8khxtguj/Comodo_config2.jpg

==HOW THE WORM IS SANDBOXED==

http://s17.postimg.org/74hh6qcgb/sandbox.jpg

If you keep executing the worm, the worm can terminate explorer.exe, but no registry key is touched. You have to restart Windows to get the operating system running normally again.

  • Even with “Enable file source tracking” removed, nothing changes.
  • Even with the check for installers removed, nothing changes.
  • If I keep the standard rules enabled, I get the same results.

I don’t think it’s a bug, because if I remove the restrictions the program goes “fully virtualized”. Perhaps it is a wrong configuration? But why does Comodo keep putting it into “partially limited”? If I use the Windows calculator executable, the Comodo sandbox puts calc.exe into “untrusted” mode.

PS: The worm is available via PM to moderators only.
EDIT: Here is calc.exe in “untrusted” mode with the same rules as in the “configuration” section: http://postimg.org/image/oa3j1c4wl/

It could be an issue with CIS being run in VirtualBox, as it has been stated before that CIS does not work well with VirtualBox. However, I was able to get the sample and test it on a physical machine, and CIS sandboxed it as untrusted using the same sandbox settings as you, though I had disabled file-source tracking before downloading and extracting the sample.

It’s by design. Applications that require administrator rights run as partially limited.

Are you sure about that? I’ve run several applications that require administrator rights in the FV sandbox. Are you thinking of CCAV? Or do you mean that they run as FV + partially limited?

Yes. We’re talking about virtualization, right? It ignores the imposed restriction and uses partially limited.
There was a bug which was refused in the past. Unless the design has changed.

Sorry, I misunderstood. I thought you meant that if the rule said “Virtualized & Untrusted” then programs launched with administrator rights are launched as “Non-Virtualized & Partially Limited”, but I think what you meant was that they run as “Virtualized & Partially Limited”, which I can verify.

However, even if run as Virtualized and Partially Limited, this part shouldn’t be possible: “the worm can terminate explorer.exe”, unless the OP means it can kill an instance of explorer.exe run virtualized. Virtualized applications shouldn’t be able to terminate processes outside of the virtualized environment… Actually, I tested this just now, and virtualized applications can’t normally kill non-virtualized applications, but they can force-kill them… I don’t think that is by design. Do you know if there is any bug report for it? Otherwise I’ll make one. Made a bug report, 1698.
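The “normal kill vs. force kill” observation above is easy to re-check without KillSwitch. The following script is an added example and is not code from the thread or from Comodo: it is meant to be launched from a PowerShell session that CIS runs virtualized (e.g. via “Run Virtualized”), against a target process started outside the sandbox. Assumptions not stated on the page: `taskkill` without `/F` asks the process to close via WM_CLOSE (the “normal” kill), `taskkill /F` calls TerminateProcess (the “force” kill), and `notepad.exe` stands in for `explorer.exe` so a successful kill does not take down the desktop.

```powershell
# Added example (not from the thread). Run inside a CIS-virtualized PowerShell.
# Start notepad.exe OUTSIDE the sandbox first, then run:  .\Test-SandboxKill.ps1
param(
    [string]$Target = 'notepad'   # image name without .exe; assumed started outside the sandbox
)

function Get-TargetPids {
    param([string]$Name)
    Get-Process -Name $Name -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id
}

function Test-Kill {
    param([int]$ProcessId, [switch]$Force)
    # taskkill /PID n      -> graceful: sends WM_CLOSE to the target's windows
    # taskkill /F /PID n   -> forced:   TerminateProcess on the target
    $tkArgs = @('/PID', $ProcessId)
    if ($Force) { $tkArgs = @('/F') + $tkArgs }
    $out = & taskkill.exe @tkArgs 2>&1 | Out-String
    Start-Sleep -Milliseconds 500
    $alive = [bool](Get-Process -Id $ProcessId -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Pid    = $ProcessId
        Mode   = if ($Force) { 'force (TerminateProcess)' } else { 'graceful (WM_CLOSE)' }
        Output = $out.Trim()
        Killed = -not $alive      # $true means the sandbox let the kill through
    }
}

$targetPids = Get-TargetPids -Name $Target
if (-not $targetPids) {
    Write-Warning "No $Target.exe running; start one outside the sandbox first."
    exit 1
}

# Pass 1: graceful close. With a restricted sandbox level the target is expected to survive.
foreach ($p in $targetPids) { Test-Kill -ProcessId $p }

# Pass 2: forced termination of whatever survived pass 1. This is the case the post
# reports as succeeding even though the caller is virtualized.
foreach ($p in (Get-TargetPids -Name $Target)) { Test-Kill -ProcessId $p -Force }
```

Run the same script once from a non-virtualized PowerShell to get the baseline (both passes should report `Killed = True` there); the interesting result is a virtualized run where pass 1 fails and pass 2 succeeds, which is exactly the asymmetry reported above.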

The design has changed: I can get any installer to run fully virtualized & untrusted with a sandbox rule in place.

[attachment deleted by admin]

In that case, installers might be treated in a different manner. Make sure that you see the UAC logo (see attachment).

[attachment deleted by admin]

Yes, it killed the real explorer.exe, not the sandboxed one. But I will try with a real piece of hardware and not a VM, since I have an old PC that can run Win 7, on a DMZ so I will not infect the LAN.

Yup, the UAC logo is shown, but we are talking about a VM :)

!ot! Anyway, it’s nice that the community is alive again; some time ago it wasn’t like this, IMHO. !ot!

Might be related to the OS. Does not replicate with Windows 8. :)

PS: The issue was reported by Sanya. Hope it helps.

Just a little update:
I have tried on a real machine with Windows 10 x64, and the problem is still there with the same rules applied as in the first post. Maybe 8 / 8.1 is different?
Anyway, this time I tried with the “Administrator” user, so no UAC message popped up.

Made a bug report, 1698.
Since I don’t see this bug report on this forum, I think it’s in Comodo’s internal bug tracker? Right?

Yes, although it’s specifically about the issue with sandboxed applications being able to force-terminate non-sandboxed applications. The bug report in question doesn’t reference the malware, since I don’t actually know if this is the technique the malware uses. In other words, I’ve just made a general bug report for the force-terminate issue I experienced when using KillSwitch sandboxed.

Finally, I’ve found the problem: it was UAC on Windows 8 and 10.

I have disabled it from the registry key, and now Comodo can put all the files into untrusted mode.

One strange thing: even when I tried with the “Administrator” user, the problem was present until I disabled UAC altogether.
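The post above says UAC was disabled “from the registry key” but does not name it. The script below is an added example, not code from the thread or from Comodo, and it assumes the value in question is `EnableLUA` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (0 = UAC off after a reboot). It reads the UAC policy values, backs them up, and can flip `EnableLUA` for a test VM and restore it afterwards. It also reads `FilterAdministratorToken`, because the built-in Administrator account normally skips the elevation prompt (Admin Approval Mode is off for it by default) while UAC itself is still enabled, which matches the “no UAC message popped up, but the problem was still there” observation.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell.
#   .\Set-UacTestState.ps1 -Action Show      # read current values
#   .\Set-UacTestState.ps1 -Action Disable   # back up, then set EnableLUA=0 (reboot required)
#   .\Set-UacTestState.ps1 -Action Restore   # put the backed-up values back (reboot required)
# Only do this on an isolated test VM: with EnableLUA=0 every process of an
# admin-group user runs with a full admin token and no elevation prompt.
param(
    [ValidateSet('Show', 'Disable', 'Restore')]
    [string]$Action = 'Show',
    [string]$Backup = "$env:TEMP\uac-backup.json"   # assumed backup location
)

$Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Names = @(
    'EnableLUA',                   # 1 = UAC on, 0 = UAC off (effective after reboot)
    'ConsentPromptBehaviorAdmin',  # what the prompt looks like for admins
    'PromptOnSecureDesktop',       # prompt on the secure desktop
    'FilterAdministratorToken'     # 0 = built-in Administrator is NOT filtered (no prompt, UAC still on)
)

function Get-UacState {
    $item  = Get-ItemProperty -Path $Key
    $state = [ordered]@{}
    foreach ($n in $Names) { $state[$n] = $item.$n }   # $null if the value is absent
    [pscustomobject]$state
}

function Disable-Uac {
    # Save the current values first so they can be restored later.
    Get-UacState | ConvertTo-Json | Set-Content -Path $Backup
    Set-ItemProperty -Path $Key -Name EnableLUA -Value 0 -Type DWord
    Write-Warning "EnableLUA=0 written (backup at $Backup). UAC stays active until the machine is rebooted."
}

function Restore-Uac {
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup" }
    $saved = Get-Content -Path $Backup -Raw | ConvertFrom-Json
    foreach ($n in $Names) {
        if ($null -ne $saved.$n) {
            Set-ItemProperty -Path $Key -Name $n -Value ([int]$saved.$n) -Type DWord
        }
    }
    Write-Warning 'Values restored. Reboot for UAC to be re-enabled.'
}

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($Action -ne 'Show' -and -not $isAdmin) {
    throw 'Changing UAC policy values requires an elevated PowerShell.'
}

switch ($Action) {
    'Show'    { Get-UacState }
    'Disable' { Disable-Uac; Get-UacState }
    'Restore' { Restore-Uac; Get-UacState }
}
```

Check `-Action Show` before and after the reboot when reproducing the thread’s result: the sandbox behaviour described above changed only once `EnableLUA` was 0 and the machine had been restarted, not merely when running as an account that gets no prompt.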

Any feedback about this bug?
Is it planned to be fixed in a future CIS revision (8.X or 10)?
Thanks