I read the thread at the Sandboxie forum - this is really interesting.
The theory is that Comodo’s Defense+ is actually giving debug features to google.exe, even though it doesn’t have any? It must think that google.exe has these privileges, but instead of enabling privileges it is giving it privileges?
Btw, what are the “debug privileges”? Is it the same thing as “device driver installation” in the Defense+ “process access rights”? Don’t CIS and CPF use the same terminology?
I can confirm this behavior. I have a slightly off-stock config of Comodo Firewall: I have added “LocalSecurityAuthority.Debug” under “Pseudo-COM interfaces - Privileges” in “My Protected COM Interfaces”. The given malware sample, when running in Sandbox, triggers, among others, a Comodo Defense+ prompt: “This program is attempting to gain debug privilege”. If debug privilege is allowed, the malware file is written outside of the sandbox. If it is denied, the sandbox functions properly. If Comodo is uninstalled, the sandbox functions properly.
I switched from ZoneAlarm (yearly paid) firewall back to Comodo 2.8* (free). I didn’t know a software firewall could be so feature packed.
EDIT: The debug privilege is essentially a privilege that allows a given process to execute a .dll in another process’s address space, or to attach one process to another.
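The Defense+ prompt quoted above is a host-based detection of a process enabling the debug privilege. On stock Windows the same event is recorded in the Security log as event 4703 ("A user right was adjusted"), whose body lists the process and the privileges it enabled. The following is an added example, not code from anyone in this thread: it parses constructed 4703 message text and flags any process that enabled SeDebugPrivilege but is not on a small placeholder allow-list (the sample records, the allow-list contents and the Sandboxie-style path are all assumptions made for the demonstration).

```python
"""Flag SeDebugPrivilege enablement in Windows Security event 4703 records.

Added example for this thread, not code from the original posts.
Event 4703 and its "Process Name" / "Enabled Privileges" fields are real;
the records below are constructed and the allow-list is a placeholder.
"""
import re
from typing import Dict, List

# Constructed 4703 message bodies, approximating the text Windows writes.
SAMPLE_EVENTS = [
    r"""A token right was adjusted.

Subject:
    Account Name:        alice
    Account Domain:      WORKSTATION

Process Information:
    Process ID:          0x2d8
    Process Name:        C:\Windows\System32\lsass.exe

Enabled Privileges:
            SeDebugPrivilege

Disabled Privileges:
            -""",
    r"""A token right was adjusted.

Subject:
    Account Name:        alice
    Account Domain:      WORKSTATION

Process Information:
    Process ID:          0x1a2c
    Process Name:        C:\Sandbox\alice\DefaultBox\user\current\Desktop\sample.exe

Enabled Privileges:
            SeDebugPrivilege
            SeLoadDriverPrivilege

Disabled Privileges:
            -""",
    r"""A token right was adjusted.

Subject:
    Account Name:        alice
    Account Domain:      WORKSTATION

Process Information:
    Process ID:          0x4f0
    Process Name:        C:\Windows\explorer.exe

Enabled Privileges:
            SeShutdownPrivilege

Disabled Privileges:
            -""",
]

# Placeholder allow-list of processes expected to enable SeDebugPrivilege;
# tune to what is normal on your own hosts (assumption, not from the thread).
KNOWN_DEBUG_USERS = {
    r"c:\windows\system32\lsass.exe",
}


def parse_4703(message: str) -> Dict[str, object]:
    """Extract the process name and enabled privilege list from a 4703 body."""
    proc = re.search(r"Process Name:\s*(\S.*)", message)
    enabled = re.search(
        r"Enabled Privileges:\s*(.*?)\s*Disabled Privileges:", message, re.S
    )
    privs: List[str] = []
    if enabled:
        # One privilege per line; a lone "-" means none were enabled.
        privs = [
            line.strip()
            for line in enabled.group(1).splitlines()
            if line.strip() and line.strip() != "-"
        ]
    return {"process": proc.group(1).strip() if proc else "", "enabled": privs}


def flag_debug_privilege(messages: List[str]) -> List[str]:
    """Return process paths that enabled SeDebugPrivilege and are not allow-listed."""
    hits = []
    for message in messages:
        rec = parse_4703(message)
        process = str(rec["process"])
        if "SeDebugPrivilege" in rec["enabled"] and process.lower() not in KNOWN_DEBUG_USERS:
            hits.append(process)
    return hits


if __name__ == "__main__":
    for hit in flag_debug_privilege(SAMPLE_EVENTS):
        print("SeDebugPrivilege enabled by unexpected process:", hit)
```

With the constructed records, lsass.exe is allow-listed and explorer.exe enabled only SeShutdownPrivilege, so the only hit is the sandboxed sample. In practice the allow-list has to be built from a baseline of the host, since legitimate debuggers, backup agents and some system services enable this privilege routinely.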
Smart app… umm, I mean: “gee, what an evil program.”
Because I remember having seen CPF asking me if I’d like to allow a program obtaining such privileges waaaaaay back, sort of. But I can’t recall it ever happened under CIS. So I’m still wondering, when you allow debug superpowers, what features (process access rights) in Defense+ do you really allow?
It sounds like there’s more to it than just letting blahablaha.exe inject some code into gibberish.exe.
Hmm, that came out wrong. What I mean is… The “Interprocess Memory Access” setting can be allowed (or blocked), for a given program, to access a whole group of applications - yes. But I thought it was something the user had to define (example: C:\windows\system32*) either through the “predefined access rules” window, or by defining them right in “Process Access Control”.
But when an application is asking, “please, can I inject some code into that specific application’s memory, because it’s been so long since I ever injected anyone with anything, please… pleasepleaseplease…”, it doesn’t sound like “debug privileges” to me (because it can only concern one application at a time). It would seem like one application isn’t going to be enough to debug anything.
I don’t know anything about programming, even though I pretend (haxxors 1337 i pwn j00r n00b), but I imagine bugs often are results of several applications’ inability to get along (be compatible). On the other hand, maybe it has something to do with a main application not being able to get what it expected out of another application? So it injects “hallelujah” into “whatnot?” and it can go about its business? Just like people do sometimes? (no! I am NOT referring to sex)
no? - yes? never mind - it isn’t that important actually, it’s just that… I’ll die outta curiosity if nobody ever tells me what I wanna know.
Thanks for all the testing. I hope it wasn’t too much trouble. I uninstalled CPF v3.5 in preparation for installing v3.8. The darn thing escaped SBIE with no Comodo products installed, so apparently it has nothing to do with Comodo.
The only way it won’t escape SBIE on my system is to run it from a LUA. I guess the mods can mark this one SOLVED. v3.8 runs great - kudos to the Comodo team!