Comodo Sandbox modifies and permanently cripples LastPass "Installation".

Please explain what is meant by “Modify File” in the Comodo Logs.
I know that it SILENTLY cripples software installation without any indication of a problem and no way to fix the problem.

Two months ago I had a new installation of Windows 7 Ultimate 64 bit.
Comodo 5.9.??? was a fresh install which by default had the Sandbox active.

To my secondary drive I extracted a Portable-Palemoon (source code similar to Firefox)
Palemoon is NOT recognised but it still browses the Internet O.K.
Many Firefox Add-ons were added to Palemoon with no problem

The Sandbox modified and permanently crippled Lastpass and FoxMarks.
Crippling was permanent in that with the Sandbox disabled I could still not install either.
Additionally the crippled remnant could not be removed because the Addon required a Browser Restart to complete “installation” before the “Remove” button was active.
I had to trawl through the browser profile and hack away removing files and folders that COULD have been the crippled remnants before I could complete a fresh install.

Portable Palemoon is contained within one parent folder and makes no use of the registry.
Had I used a conventional installation of Firefox then what the Sandbox crippled would have been scattered throughout Windows and the Registry,
and I would have needed to use my Boot Rescue CD to restore partition C:\ from an image backup.

If sandbox trashes any future applications as they are installed and incorporated into the operating system the only recovery option for me is the Boot Rescue CD,
AND this implies that I have created an image backup immediately before attempting to install.
That is NOT AN OPTION,
I am much happier dealing with Defense+ alerts as required without the Sandbox silently letting me fail due to unknown Partial Limitation.

I have no doubt that when I extracted Palemoon there might have been a solitary once only pop-up which said it was Partially Limited.
There MAY have been a pop-up when I installed the first Addon.
I do not think there were any pop-ups for the next dozen Addons.
All the above Addons installed successfully.
I do not think LastPass or Foxmarks caused any pop-ups,
and they certainly did not pop-up when I made many repeated attempts after the first failure.

I could be wrong but to me the fact that the logs do not show “Sandboxed As Partially Limited” against Lastpass or Foxmarks is evidence that no pop-up occurred.

LastPass items in “COMODO Internet Security Premium - Log Viewer Logs”


2012-03-12 10:50:32  	E:\Portable\x64\Bin\Palemoon\Palemoon.exe  	Sandboxed As  	Partially Limited 
2012-03-12 10:50:36  	E:\Portable\x64\Bin\Palemoon\palemoon.exe  	Modify File  	E:\Portable\x64\User\Palemoon\Profiles\Default\extensions\staged\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll 
.... other events
2012-03-12 10:59:17  	E:\Portable\x64\Bin\Palemoon\Palemoon.exe  	Sandboxed As  	Partially Limited 
2012-03-12 10:59:17  	E:\Portable\x64\Bin\Palemoon\palemoon.exe  	Modify File  	E:\Portable\x64\User\Palemoon\Profiles\Default\extensions\support@lastpass.com 
.... other events
2012-03-12 10:59:39  	E:\Portable\x64\Bin\Palemoon\palemoon.exe  	Access COM Interface  	C:\Windows\System32\svchost.exe 
2012-03-12 10:59:39  	E:\Portable\x64\Bin\Palemoon\palemoon.exe  	Modify File  	E:\Portable\x64\User\Palemoon\Profiles\Default\extensions\trash\support@lastpass.com 

Foxmarks items in “COMODO Internet Security Premium - Log Viewer Logs”


2012-03-12 17:25:30  	E:\Portable\x32\Bin\Palemoon\palemoon.exe  	Modify File  	E:\Portable\x32\User\Palemoon\Profiles\Default\extensions\staged\foxmarks@kei.com 
2012-03-12 17:25:30  	E:\Portable\x32\Bin\Palemoon\palemoon.exe  	Modify File  	E:\Portable\x32\User\Palemoon\Profiles\Default\extensions\foxmarks@kei.com 
.... other events
2012-03-12 17:25:44  	E:\Portable\x32\Bin\Palemoon\palemoon.exe  	Access COM Interface  	C:\Windows\System32\svchost.exe 
2012-03-12 17:25:52  	E:\Portable\x32\Bin\Palemoon\palemoon.exe  	Modify File  	E:\Portable\x32\User\Palemoon\Profiles\Default\extensions\foxmarks@kei.com 

Regards
Alan

Defense + logs only will tell if a program was looked up, sandboxed and that it blocked modifications that were not allowed.

Is Palemoon manually sandboxed by you or is it automatically sandboxed?

You are worried that what happened with the installation of Extensions will extend to similar errors with the Windows system. That will not happen as Windows files are whitelisted because they are signed and the Microsoft signatures are in the Trusted Software Vendor list. Therefore they will not get sandboxed and crippling will not happen.

I just tried PM portable x64 on my system. While the extractor was sandboxed, the actual program was not. He must be manually sandboxing it, and as we all know the Comodo sandbox does not really like browsers at this moment.

I took no Manual Sandbox actions upon ANYTHING, including Pale Moon.
I do not even know how to do so even after 2 minutes with Google.

I have right clicked an executable and the context menu includes SCAN with Comodo AntiVirus.
I do not see any Sandbox option in the context menu.
Does Manual Sandbox only appear after I right click the Notification tray Comodo icon and select “Sandbox Security Level” and switch that from Disabled to Enabled - and possibly reboot the PC for full effect?

Two months ago I always used the initial installation default which enabled the Sandbox at all times.

Please note that I launched Pale Moon by either a single click on the Quick Launch bar, or a double click on a desk top short-cut.
Regardless of what and how I clicked, the launch target was
E:\Portable\x64\Palemoon-Portable.exe
and this in turn configured and launched
E:\Portable\x64\Bin\Palemoon\Palemoon.exe

The event logs show that both Palemoon-Portable.exe and Palemoon.exe were sand-boxed.
@languy99
I was using Comodo 5.9.??? and perhaps you are now using 5.10 ???
More significantly Palemoon has now advanced from version 9.??? to 12.0,
Another possibility is that Palemoon has now been white-listed.

P.S…
Two months ago I complained to LastPass that their Addons were defective and unable to be added like all the other addons I was using.
They never responded to me.
BUT LastPass has since been updated and just possibly they included this issue in their update.

I understood that Microsoft signatures resulted in white listing.
Do all the Patch Tuesday and out-of-band emergency Updates also have trusted signatures ?

Regards
Alan

The updated system files of Microsoft are also signed.

I extracted the x64 archive and both Palemoon.exe and Palemoon-Portable.exe are safe files. I downloaded the latest version; v12. Both of them are unsigned.

Thanks Eric.

I assume that by “safe files” you mean that Comodo A.V. scanned and was content.

You say that neither *.exe is signed.
I understood the result would be no white-listing and they would therefore be sandboxed.
Languy reports the program was NOT sandboxed.

Is my understanding defective ?

Regards
Alan

I did a cloud look up with D+ and it returned that both files are safe. They are on the whitelist.

You say that neither *.exe is signed.
The .exe files are unsigned. That means that they are not whitelisted because the vendor is on the Trusted Software Vendors list; only the individual executables are in that case whitelisted.
I understood the result would be no white-listing and they would therefore be sandboxed. Languy reports the program was NOT sandboxed.

Is my understanding defective ?

Regards
Alan

You stated you are using v9. I downloaded the latest version, v12, and I assume Languy downloaded that version too. That means that the version you use is not whitelisted and therefore sandboxed. See if updating to v12 gives the same problem or if that solves it.

Thanks

I am glad that PaleMoon and LastPass etc are now acceptable to the Comodo Sandbox.

I am still puzzled by what the intended consequences are of “modify file”.

In view of what has gone wrong for me with Palemoon I anticipate future sandbox problems when using other portable non-white-listed applications,
so I will not be using the Sandbox again until it is greatly changed.

C.I.S. A.V. + FireWall + Defense+ has kept me safe for years without using Sandbox,
so I will stick with the protection I can depend upon and understand.

Regards
Alan

To interpret Comodo D+ logs you need to understand that most entries are notifications of a block or ask action. So ‘Modify file’ means that a program has been prevented from modifying a file. Now Palemoon has been removed from the sandbox, it will no longer be prevented from modifying files.

IMHO it would be clearer if there were a CIS action column, as there is in AV events, that contained the word ‘block’ or ‘ask’ or ‘FYI’.

Best wishes

Mouse
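
Following the reading given in the post above (a Defense+ row records an attempt that was blocked or asked about, not a change CIS made to the file), this added example, which is not part of the thread or of Comodo's tooling, summarises pasted log rows per application. It assumes the tab-separated layout of the excerpts quoted earlier; the sample rows are copied from those excerpts, and the function names are illustrative.

```python
from collections import Counter

# Sample rows copied from the log excerpts quoted in this thread (layout assumed).
ROWS = [
    ("2012-03-12 10:59:17", r"E:\Portable\x64\Bin\Palemoon\Palemoon.exe",
     "Sandboxed As", "Partially Limited"),
    ("2012-03-12 10:59:17", r"E:\Portable\x64\Bin\Palemoon\palemoon.exe", "Modify File",
     r"E:\Portable\x64\User\Palemoon\Profiles\Default\extensions\support@lastpass.com"),
    ("2012-03-12 10:59:39", r"E:\Portable\x64\Bin\Palemoon\palemoon.exe",
     "Access COM Interface", r"C:\Windows\System32\svchost.exe"),
    ("2012-03-12 17:25:30", r"E:\Portable\x32\Bin\Palemoon\palemoon.exe", "Modify File",
     r"E:\Portable\x32\User\Palemoon\Profiles\Default\extensions\foxmarks@kei.com"),
    ("2012-03-12 17:25:52", r"E:\Portable\x32\Bin\Palemoon\palemoon.exe", "Modify File",
     r"E:\Portable\x32\User\Palemoon\Profiles\Default\extensions\foxmarks@kei.com"),
]
SAMPLE = "\n".join("  \t".join(row) for row in ROWS) + "\n.... other events\n"

def parse(text):
    """Yield (timestamp, application, action, target) for each well-formed row."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) == 4 and fields[0][:4].isdigit():
            yield tuple(fields)

def summarize(text):
    """Map each application to its sandbox level and its intercepted attempts."""
    report = {}
    for _ts, app, action, target in parse(text):
        # The log mixes Palemoon.exe and palemoon.exe; Windows paths ignore case.
        entry = report.setdefault(app.lower(), {"level": None, "intercepted": Counter()})
        if action == "Sandboxed As":
            entry["level"] = target          # status row, not an attempt
        else:
            entry["intercepted"][(action, target)] += 1   # block/ask notification
    return report

def describe(report):
    """Render the summary using the thread's block-or-ask reading of each row."""
    lines = []
    for app, entry in sorted(report.items()):
        level = entry["level"] or "no 'Sandboxed As' row in this excerpt"
        lines.append(f"{app} [{level}]")
        for (action, target), n in entry["intercepted"].items():
            lines.append(f"  {action} attempt blocked or asked x{n}: {target}")
    return lines

if __name__ == "__main__":
    print("\n".join(describe(summarize(SAMPLE))))
```

Grouping by application also shows which processes have intercepted attempts without any "Sandboxed As" row in the pasted excerpt, as with the x32 Foxmarks rows.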

This is what I saw in the log (replacing long path names with “…” to avoid twisting my neck) :-

2012-03-12 10:59:17  	E:\...\Palemoon.exe  	Modify File  	E:\...\support[at]lastpass.com 

My interpretation was that Comodo had modified a COM executable which a sandboxed Palemoon was about to use, and this modification prevented the computer from being damaged,
and I viewed this as meaning irreversible damage to the lastpass executable hence the need to purge it and download a new functional undamaged COM executable.
Upon inspection this *.COM is a folder which holds files such as

E:\Portable\x64\User\Palemoon\Profiles\Default\extensions\support@lastpass.com\chrome\lastpass.jar

Palemoon was NOT trying to modify any file, it was trying to launch an installation which involves Java and other stuff.
On other occasions perhaps an Add-on will be packed in an *.XPI file

Thanks for the explanation. I assume that extracting code from an XPI or a JAR is classified as MODIFY

I can now understand that Comodo did no harm.
I agree that BLOCK would be a much better word.
I suggest replacing “Modify File” with “Block Execution” or “Block Installation”

If I had spent a lot of money and time to download a big application,
I would recognize “Block Installation” as meaning I could try again after cancelling the Sandbox,
but being told that Comodo has Modified my precious and expensive download is a whole new world of pain.

Regards
Alan

Thanks yes something like this needs to be done. Glad all is clear now.

Best wishes

Mouse