Comodo Sandbox behaving differently towards malware at different instances...

Hi,

I’m testing the Comodo Sandbox functionality in Sandboxie, and I guess I found a bug.

  1. Open the web browser through Sandboxie.
  2. Download a malware sample that is not detected by your AV.

  Scenario 1:
  i) Open load.exe from the Download option; I get a red alert as shown in the figure below.

  Scenario 2:
  i) Open load.exe from Sandboxie Control; I get an alert saying "sandboxed" as shown in the figure below.

Why is Comodo behaving differently even though load.exe was opened from Sandboxie in both instances?

Thanks,
Harsha

[attachment deleted by admin]

[attachment deleted by admin]

One more question…
Please find the attached screenshot. I see an entry as Listening:xxxx. Is it because of the malware testing shown in the post above?

[attachment deleted by admin]

Just bumping so that the Comodo devs don’t miss this thread.

Mods, please take a look at this. Please pass it on to the developers if this is a bug (post #1).

Pretty simple: the first alert is that Firefox was trying to run the program, which heuristics determined to be bad. The second alert is different because the exe was already on your computer and you are trying to run it from there (the alerts depend on what is trying to run the program). The listening port is open because, even though the app is sandboxed, all software on the computer can get out (firewall setting). Try this test again with the configuration set to Proactive and you will see that it cannot communicate anymore without getting a warning from the firewall.

Hi Languy,

Thanks for answering, but I have a few clarifications.

first alert is that Firefox was trying to run the program, which heuristics determined to be bad. Second alert is different because the exe was already on your computer and you are trying to run it from there.
- Even though Firefox is trying to run the malware sample, it was downloaded onto my HDD.

My security config at the time of testing:
Configuration - Proactive Internet Security
D+ - Safe Mode
Firewall - Safe mode
Firewall Behavior Settings → Advanced → Selected all options
Image Execution Control Settings → imported executables group

Regarding the load.exe test:
– So, by the above settings, I shouldn’t be getting any listening port according to you. Shall I try it one more time to see if it behaves the same way?
– I saw those listening ports for 2 days continuously, even after deleting everything from the sandbox, so I’m wondering what might have happened. Today I don’t see any open ports.

My system info:
Win 7 Premium 64 bit
NOD 32 AV

Thanks,
Harsha.
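A check for that Listening:xxxx entry, added here as an example (it is not from this thread, Comodo or Sandboxie): it parses constructed `netstat -ano` and `tasklist /fo csv /nh` output in the layout those Windows tools print and names the image behind each listening socket. The sample rows, PIDs, image names and the EXPECTED_LISTENERS set are assumptions; on a real host you would feed the tools' actual output to the same functions.

```python
"""Added example (not from the thread): list Windows listening sockets and
name the process behind each, as a check for an unexplained Listening:xxxx."""
import csv
import io
import re
# Constructed sample in the layout printed by `netstat -ano` on Windows.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.10:52011     203.0.113.7:443        ESTABLISHED     2312
  UDP    0.0.0.0:5355           *:*                                    1088
"""
# Constructed sample in the layout printed by `tasklist /fo csv /nh`.
TASKLIST_SAMPLE = """\
"svchost.exe","884","Services","0","9,512 K"
"load.exe","5120","Console","1","3,104 K"
"firefox.exe","2312","Console","1","210,440 K"
"svchost.exe","1088","Services","0","4,900 K"
"""
# Columns: proto, local, foreign, optional state (UDP rows print none), pid.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Assumed set of images that normally own listening ports on Windows; anything else is flagged.
EXPECTED_LISTENERS = {"svchost.exe", "System", "lsass.exe", "services.exe", "wininit.exe"}

def parse_netstat(text):
    """Return one dict per socket row; the header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, _foreign, state, pid = m.groups()
            host, _, port = local.rpartition(":")  # rpartition keeps [::] intact for IPv6
            sockets.append({"proto": proto, "host": host, "port": int(port),
                            "state": state or "BOUND", "pid": int(pid)})
    return sockets

def parse_tasklist(text):  # map PID -> image name from tasklist CSV rows
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}

def audit_listeners(netstat_text, tasklist_text):
    """Join listening/bound sockets with their owning image and flag unexpected owners."""
    procs = parse_tasklist(tasklist_text)
    report = []
    for s in parse_netstat(netstat_text):
        if s["state"] in ("LISTENING", "BOUND"):
            image = procs.get(s["pid"], "<unknown>")
            report.append(dict(s, image=image,
                               exposed=s["host"] in ("0.0.0.0", "[::]"),  # bound on all interfaces
                               unexpected=image not in EXPECTED_LISTENERS))
    return report
```

In the constructed sample the only unexpected owner is load.exe on TCP 49153, which is the kind of entry worth chasing down after a sandbox test; a socket that survives emptying the sandbox points at a process that is still running outside it.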

The alerts depend on what is trying to run the file. In the first instance Firefox was trying to run the file; in the second it was Explorer. Because Firefox was trying to run it, the file got analyzed more thoroughly and D+ popped up (at least I think this is what happened). To make sure you are not getting a listening port, you have to go to Firewall → Advanced → Network Security Settings → Application Rules and remove the rule that says allow all out.

Thank you very much for explaining it clearly.
But I’m not sure about the application rules. Is it the one marked “outgoing only” for Comodo Internet Security, as shown in the attached pic?
Any other settings to tweak the firewall? Any choice for blocking ads?

[attachment deleted by admin]

No, yours is different than mine. Remember, in the firewall picture it was run by Firefox, so it actually used Firefox to piggyback on and get out that way; that is why you didn’t get a firewall warning. I assume that when you got the first warning about the executable with high heuristics trying to run, you let it, right? No other settings need tweaking.

No, I did not allow it to run when the D+ alert prompted; I hit the Block option (I think I remember correctly).

Any chance you could explain how to block all outgoing requests, which you were talking about in an earlier post?

You are already doing that; if you were not, it would look like the picture.

[attachment deleted by admin]

One other thing you could try: if you have a listening port again, go to GRC | ShieldsUP! — Internet Vulnerability Profiling, hit Proceed, pick “Look Up Specific Port Information”, put in the port you want to scan, then click “Probe this port”.

Excellent, thanks for explaining it clearly. :)
Bye bye…

Hi Languy. I did a port scan at GRC and got the following result:

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since “Ping” is among the oldest and most common methods used to locate systems prior to further exploitation.

Please let me know how to stop responding to ICMP echo requests.

I have looked over the net, and probably it’s happening because I’m behind a router (which is responding to ICMP ping requests).

Will there be any kind of problem if my router responds to ping requests?

Please find the screenshot below, taken from the logs. Is it normal?

Thanks,
venkat N.

[attachment deleted by admin]

No, you should be fine, but if you could, I would turn on the firewall in the router if you have it; that will make it invisible to the net. The log looks OK, it’s just communicating with the router (198…) and the localhost (127…).

Thanks Languy!