Containment Escape!

V12.2.2.8012 (Firewall only) Windows 7 Ultimate 64-bit (clean install with all MS-updates)

C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe

Serious Issue - Containment escape!

First observation, the application (Tablet PC Input Panel) does not start in containment at all (no window shows up).
Second observation, the application (Tablet PC Input Panel) does start in containment but ESCAPES FROM RUNNING IN CONTAINMENT and runs normally.

Steps to reproduce:

  1. Reboot the system (important).
  2. Run the application in containment. The application does not start in containment at all (no window shows up). This step can be repeated, result will be the same.
  3. Run the application normally and exit the application (Menu → Tools → Exit).
  4. Run the application in containment. This time the application starts in containment but IT RUNS OUTSIDE CONTAINMENT! This step can be repeated, result will be the same.
  5. A system reboot resets the above described behavior and steps 1 to 4 can be reproduced.

That’s what happens when some users ask to “weaken” the sandbox by adding something so that it is able to run :wink:

Anyway, first check whether your CIS settings have something excluded in “auto-containment” or “do not virtualize access to specific folders”!
Also check whether the program in question is signed with a trusted valid certificate, because if it is, it might have “special auto rules” from the CIS trusted programs category!

I see no users asking to weaken the sandbox, they’re asking to improve the sandbox. That’s a different point of view. :slight_smile:

All applications should be able to run in a sandbox as if they were running normally. The Sandboxed application should not know or not detect that it runs Sandboxed and of course it should not be allowed to make any permanent changes to the underlying file system or any other system resource.

That's what happens when some users ask to "weaken" the sandbox by adding something so that it is able to run ;)
Ding ding, winner winner chicken dinner! You noticed this too, huh?

But this isn’t an escape, because it really isn’t running in containment: if it doesn’t have a green border or is not listed under active processes (show contained only), then it is not running within the container.

Sorry? You say this isn’t an escape???

Look again at step 2, where the application is correctly trapped in containment. Even if it doesn’t run in containment, containment blocks it from doing things. Same effect as the Solitaire issue before.
Next, look at step 4, where the application all of a sudden runs OUTSIDE containment. Why isn’t it trapped inside containment again like it was in step 2?

This leak can easily be reverse engineered to use this method to build malware that is able to escape from running in containment.

I’m not asking to weaken containment at all, allow me to repeat myself:

Furthermore, so you consider this not a bug then? Hence this report got removed from the Bug section and moved here to the Help section???

You are asking too much!
Run an app in the Comodo sandbox and from within the sandbox use the shutdown PC function… observe what happens next!

Use Power Shadow: you can run everything in the sandbox, even restart your PC in the sandbox, and still everything is running in the sandbox!
There is no better sandbox, and probably there will never be one as good as Power Shadow.

CISfan, please don’t scare people; Comodo Internet Security is mostly used for its SandBox and its Firewall!

Comodo should acquire Power Shadow and combine that with their excellent Firewall and HIPS features. That would make CIS the best protection product on earth, and I wouldn’t have to spend so much precious time testing things in trying to make CIS a better product, for which I seemingly do not get any credit, or even worse, get no answers to some questions.

And no, I’m not scaring people nor trying to do that; that’s not my nature. However, sometimes you have to wake people up so that they open their eyes to things they don’t notice, don’t see, or are not willing to see.

If you or anyone else would like me to cease reporting the things I discover while using CIS, then let me know; I would be delighted to stop all this.

PowerShadow is the BEST available (on the internet/public) virtualization.
So far there is NONE, I repeat NONE, available (on the internet/public) that can match PowerShadow in strength and functionality.
PowerShadow is made by RPC. COMODO will never match that, since it operates differently!

Besides, if COMODO manages something at least similar, then CIS wouldn’t be free anymore, and so far CIS is in a bug hunter
zone… Probably after a while, when the bugs are fewer and the majority fixed, CIS will cut the CIS Free edition for good!
As you should notice, CIS is not offered or written anywhere as “free forever”!
Even the modders from here wouldn’t know COMODO’s true policy!

CISfan, don’t take me wrong, but this isn’t about credits, and usually something like that “SandBox Evasive” should be
addressed in private with COMODO. Who knows, some might exploit it.

And again, since some “USERS” keep asking to make THE SANDBOX run this and that, it might raise some questions!
As the SandBox itself is running normal applications (or via scripts), and if you have ever made a portable app via, for example,
ThinApp or Enigma, you would notice that the sandbox itself limits interaction with the real environment.
Now Sandboxie, for example, can be bypassed, since it allows too much; even VirtualBox can be bypassed via memory, and with these days’ Intel CPU security holes, imagine how it will be to run everything in the sandbox!
The COMODO SandBox isn’t bulletproof, and the more things COMODO allows, the weaker the sandbox we will have!

I strongly believe that COMODO’s original sandbox solution was to quickly intercept and isolate the unknown 0-day, and that the sandbox was not created to be able to run apps properly in it!
And that is the best thinking and the most efficient protection for all of us!

Now I can’t say the same about the sandbox from the latest versions, since it is not like the older versions anymore and it is weakened!
I was very surprised to see that from within the sandbox I can reboot and shut down my PC, and the scariest thing is that I did manage something else…

CISfan, every opinion matters and I respect yours!
Looking forward to your report(s), CISfan!
Cheers!

Note: we should also hear from futuretech or eric; they are very wise and know their stuff very well, and their CIS settings and knowledge are way above our skills since they eat COMODO for breakfast, so sometimes we tend to slip some holes into our settings and it might seem that we are right, but sometimes we aren’t, we are wrong!
I made mistakes myself too, and I was shown here that I was not right!

And again, this is not about being right or wrong but about learning!

What I am trying to say is that the COMODO SandBox should focus on prevention and containment,
like the main original idea, and not on being able to run everything, as running everything will pose the greatest threat for us all!

Just as running everything in the sandbox will require more functions enabled and kicking,
this therefore translates into way less security and protection for you!

Besides, it could happen that your RAM does not support CRC or has some errors from factory assembly,
and who knows, maybe CIS itself did not load the driver properly (due to the above, or Windows, or something else) and voilà…

!ot! here is something about containment ;D
Could CIS run on an RTX 4090 and RTX 4090i?

Testing the Nvidia RTX 4090 - YouTube

It never runs in containment to begin with; it starts, then exits immediately, as the tablet input service is not started or is not accessible to contained applications. Once the service is started, it runs as part of that service and is started by svchost, which hosts the service functionality.

When starting the application in containment and:

  1. the service is not started, then cmdvirth.exe launches/creates two child svchost.exe processes in order to hook/attach to and run the application. As we know, this attempt fails, as the application cannot connect to or start the service it needs for proper operation (more or less the same kind of issue as with Solitaire before).

  2. the service is started, then cmdvirth.exe again launches/creates two child svchost.exe processes in order to hook/attach to and run the application. However, the application escapes from being hooked/attached to the two svchost.exe processes launched by cmdvirth.exe. Instead, the application hooks/attaches itself to an already running svchost.exe process that runs on the real system (meaning not contained).

In my honest opinion, still an escape.

No, it never really runs in containment, because it doesn’t have the resources to do so; it therefore runs as part of the Windows service, which actually becomes the child process of the svchost instance that is running the respective service. Use Procmon or Process Explorer to confirm this: it runs with a different process ID, which is different from the initial PID that you try to run manually in containment.
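The process-tree check suggested above (and the "contained vs. real system" question behind steps 2 and 4 of the report) can be done from a script instead of reading Procmon or Process Explorer by hand. The following PowerShell is an added example written for this thread; it is not Comodo's code and not from any poster. It assumes that a process launched in containment descends from cmdvirth.exe (the host process named in the thread) and that a process whose ancestry goes straight to a system svchost.exe with no cmdvirth.exe above it is running on the real system. Both of those are assumptions taken from the description here, not documented CIS behaviour, so treat the result as a hint to be confirmed against CIS's own green border and "show contained only" list. The target name and the container host name are parameters; Get-WmiObject is used so the script also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original thread or from Comodo): for every running
# copy of $TargetName, walk the parent chain and report whether $ContainerHost
# (assumed: cmdvirth.exe) is an ancestor. Run from an elevated prompt so WMI can
# see every process; PIDs are reused, so a parent that was created after its
# child is treated as stale and the walk stops there.
param(
    [string]$TargetName    = 'TabTip.exe',    # assumption: the app from the report
    [string]$ContainerHost = 'cmdvirth.exe'   # assumption: CIS containment host named above
)

# One snapshot of the process table so parent/child lookups stay consistent.
$procs = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-StartTime([object]$Proc) {
    if (-not $Proc.CreationDate) { return [DateTime]::MinValue }
    return [System.Management.ManagementDateTimeConverter]::ToDateTime($Proc.CreationDate)
}

function Get-AncestorChain([int]$ProcessId) {
    # Returns the process itself followed by each ancestor, nearest first.
    $chain = @()
    $seen  = @{}
    $cur   = $byPid[$ProcessId]
    while ($cur -ne $null -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain += $cur
        $parent = $byPid[[int]$cur.ParentProcessId]
        # A "parent" younger than its child means the real parent exited and its
        # PID was recycled; stop rather than report a bogus ancestor.
        if ($parent -ne $null -and (Get-StartTime $parent) -gt (Get-StartTime $cur)) { break }
        $cur = $parent
    }
    return $chain
}

function Test-DescendsFromContainer([int]$ProcessId) {
    foreach ($a in (Get-AncestorChain $ProcessId)) {
        if ($a.Name -ieq $ContainerHost) { return $true }
    }
    return $false
}

$targets = @($procs | Where-Object { $_.Name -ieq $TargetName })
if ($targets.Count -eq 0) {
    # Matches step 2 of the report: launched in containment, exited at once.
    Write-Host "No $TargetName process is running."
    exit 1
}

foreach ($t in $targets) {
    $chain = Get-AncestorChain $t.ProcessId
    $path  = ($chain | ForEach-Object { "$($_.Name)[$($_.ProcessId)]" }) -join ' <- '
    Write-Host ("PID {0}: {1}" -f $t.ProcessId, $path)
    if (Test-DescendsFromContainer $t.ProcessId) {
        Write-Host "  -> $ContainerHost is an ancestor: launched under containment"
    } else {
        # Matches step 4 of the report: no containment host anywhere above it.
        Write-Host "  -> no $ContainerHost ancestor: running on the real system"
    }
}
```

Run it once right after step 2 and once right after step 4 of the report: the first run should print nothing but the "no process" line, and the second should show the full parent path so the PID and the missing cmdvirth.exe ancestor can be compared with what CIS's own active-process view reports.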

I would rather not see an untrusted application able to run (three!) exe processes on the real system when CIS runs that untrusted application in containment and the service had already been started (running) by whichever trusted application was run prior that needed that same service.

Any thoughts of mods or Staff regarding severity level and a possible fix?