Exe not being sandboxed [~] [v6]

Hi

I upgraded to Comodo 6.0.264710.2708 and am using Windows XP SP3. I found something that may be a security flaw.

Some unknown exes (or at least I think so) have run without being sandboxed.

I have installed MASM32 (assembler) on my computer and tried to run an example (C:\masm32\examples\exampl03\animate).
The exe is already compiled. To my surprise, it was not sandboxed. Nor does it appear in the trusted files or unknown files.

Maybe it was scanned with the cloud service or its signature is present, but in this case, it should appear in trusted files, right?

Now the scary thing: if I right-click on it and run it in the sandbox, Generic Host Processes for Win32 crashes… Why? Is this a serious bug?

Because if this unknown exe can bypass the sandbox, so can malware!

Several other examples in MASM do the same thing. OK, they may not be harmful because they do nothing… But no: the QikEdit sample is a text editor and can replace files without being a trusted file.

Another thing: I found mistakes in the French translation file. In the unknown files there are two “Supprimer” (delete) entries, but one really does delete the file, and this entry is confusing. Maybe I could help you with corrections.

Very sorry you are having this problem.

There are potentially two issues here, the crash and the non-sandboxing. The non-sandboxing needs further examination before determining it as a bug; the crash is pretty much certainly a bug if it only happens when run sandboxed.

So would you be kind enough to create a separate topic for the crash, with a bug report in Standard Format as the first post?

We will discuss the other issue in this thread, if that’s, maybe by moving to a help Board first to check it out. There is some help for users of development tools, albeit mostly for version 5 (but anyone who can use a development tool should be able to adapt it) here.

Many thanks in anticipation

Mouse

Hi,

I posted a formatted post; this happened also with MediaPlayer Classic, not only development examples from MASM.

Yes, there are a lot of development tools on this machine; when I know what I’m doing, I simply turn off the behavior blocker. So maybe it’s a bug; it could also be that this computer has a lot of software that may potentially be incompatible with Comodo. Anyway, this system is fully patched and all software is updated to the latest version every time.

What do you mean by unknown exes?

If I am not wrong, there is an internal whitelist that is not visible to users, and programs whitelisted in the internal whitelist don’t appear in trusted lists.

That’s a good bug report

Forwarded

Now to the other issue

Could you please post screenshots of your Killswitch processes list when example.exe is running unsandboxed, showing example.exe if possible without crashing?

Best to show all your processes and all columns as the problem is not necessarily proximal.

Also your D+ logs from the point of last reboot up to and including the point of running the file. Please specify times for each. (Easiest to reboot for this purpose, then run the file when the system has stabilized and CIS is open after boot.)

Just to clarify, this file is not running on boot?

Best wishes

Some files, especially those not digitally signed, that are recognized as safe in the cloud will not be placed in secure or unknown files; the application is simply allowed access as reliable, since it has been recognized as such in the cloud check.
Could you do a test with these settings unchecked?

PM sent

Sorry for late reply, I was a little busy these days.

So, I tried to uncheck all the options in File Rating Settings, and it seems that the “unknown” exe is being sandboxed automatically, but the crash still happens if I run it manually.

The example exe is not running on boot.

Tomorrow I will post a complete test with logs from boot to a crash.

Thanks for support.

No problems, thanks for the other excellent bug report

Thanks very much for your issue report, which is much appreciated.

We have moved it to the non-format bugs board for the moment, because it is not in the standard format or too much of the information we normally need to replicate a problem and fix it is still missing.

We realize some people may not have the time to do an issue report in standard format, and therefore offer the option of a non-format report instead. But the problem is much more likely to be fixed promptly if you edit your first post to create an issue report which reflects the guidance in the Standard Format topic. (You can copy and paste the format from this topic). The reasons we ask for the information we do are given in this post.

You can get your report moved to the format verified issues board simply by ensuring that it reflects the guidance in the standard format topic, and PM’ing a mod who is active on the bug board.

Best wishes

Mouse

Can you please check and see if this is fixed with the newest version (version 6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Also, note that all bug reports in the Non-Format section of the forum, which is where this report currently is, are not looked at by the devs. Thus, if the bug you were experiencing is still not fixed, please edit your first post so that it is in the correct format (found here), with all required attachments, so I can forward this to the devs and get this problem fixed.

Thank you. PM sent.

Actually, upon further thought, this may have been allowed because the program which created the file was trusted. Thus, I’m not entirely convinced that this is a bug.

I will move this to the HELP section of the forum for further discussion.

Your topic got recently transferred to the Help board.

First question is whether the problem reproduces in v6.2?

To add to that, please make sure there are no leftovers of security programs you had installed in the past. A possible leftover can cause all sorts of “strange effects”. Please run clean-up tools for all security programs you had in the past. A list can be found here at the Eset website: ESET Knowledgebase.

Looks like Windows XP has its issues. I always see some vulnerability with CIS on this OS.