[CTM 2.8 tested] Light virtualization software / Partial sandbox test

Still waiting on tzuk/Buster to get back to me, but it appears to be a simple malware dropper to me. I think “bequick” got confused that the malware file “deletes” itself and then drops files into the Application data folder. This is true, but it all happens inside the sandbox as far as I can tell.

tzuk confirms there is no bypass. bequick, next time, it might be worthwhile to at least query whether there is a bypass rather than blatantly state/imply that there definitely is one haha. To my knowledge, out of all third party security software out there, Sandboxie (particularly on 32-bit) has had the fewest bypasses in the last few years.

Thanks for update.

Yes, I notice bequick hasn’t commented on this. Therefore, it’s possible/likely that he was simply trolling. His PM’s about this were full of “smiley” faces too as he claimed a bypass. Well bequick, you were wrong. Sorry.

Yes, it’s possible, but it’s not true. I have this issue confirmed by other people, that’s why I do not comment here. I don’t want confrontation. As simple as that. And I will never comment on SB again, here.

p.s. Sorry for my “trolling”!

In fairness we all make mistakes and I don’t believe that Bequick was trolling, just a bit (be)quick to jump to conclusions. ;D

Seems you weren’t trolling… I was merely suggesting it, since you failed to reply (after making a very bold matter-of-fact claim). As stated, I have confirmed with tzuk that Sandboxie is NOT bypassed by this malware (in fact, there’s absolutely nothing special about this piece of malware; there are thousands out there that are very similar). I can understand why “other people” think it is bypassed (and why you did/do too), because it appears that the original file disappears after it is executed sandboxed. However, the original file remains as it is, and what you see disappear is all taking place in the sandbox.

If one doesn’t have a good understanding of Sandboxie, one can make mistakes when interpreting how it performs. I suppose the hard part can be admitting that one did make a mistake.

Your comments here induce a feeling that the “issue” is still unclear. However, it is very clear. There is no bypass at all. The fact that you “will never comment on SB again” is beyond my understanding. Let’s think about why I accused you of trolling with this example:

  1. I make the following statement on the Comodo forums: “CIS 5 RC is bypassed by this malware file :slight_smile: :wink: :smiley: ;D”
  2. You send the malware file to egeman and he informs you that there is NO bypass whatsoever etc.
  3. You post a reply saying that there is no bypass.
  4. I fail to make any reply. Then when prompted, I write the following: “I have this issue confirmed by other people, that’s why I do not comment here. I don’t want confrontation. As simple as that. And I will never comment on CIS again, here.”

As with the overwhelming majority of SBIE ‘bypasses’, this turns out to be a misunderstanding. I honestly believe that, given the vast number of easier-to-exploit products and services, making it uneconomical to try to bypass, running a browser in a correctly configured SBIE is as close to 100% protection as it gets.

CTM also fails against TDSS 0.02 on x64.
After restoring a snapshot dated before the malware was launched, the rootkit is still active.

So don’t think there’d be no rootkit danger with CTM on Windows x64…

Thanks for sharing.
Hope that after CTM gets stable and rock solid, the developers dig deeper into protection against rootkits/MBR infectors.

I’m in touch with some of the lead developers via MSN and the lead co-ordinator seems to be more focused on CIS for now. The lead programmer doesn’t sound like he’s been doing much lately haha.

On other threads, they promise that each product has its own team and that one does not interfere with the other, so that they could develop a lot of products at the same time… Is this a hoax? Is it a myth of Comodo development?

It does seem to have gone very quiet, particularly since one of the devs stated that it was straightforward to harden CTM against such threats.

“that’s why I do not comment here. I don’t want confrontation. As simple as that. And I will never comment on CIS again, here.”
I personally viewed all the posts as a “conversation”, NOT confrontation (:WAV)