Fake AV - Starts successfully without a single pop-up

Hi,

As the title suggests, I ran a fake AV in Sandboxie, and it successfully started w/o a single pop-up from Comodo.

My system info:
CIS v4 w/o AV
NOD32 v4.2
Win 7 64 bit

Thanks,
Harsha

[attachment deleted by admin]

can you send me the Fake AV in a zip file through PM?

languy,

I have sent you the link via PM. Please post the findings…

And what happens if you restart the system? Last time I was testing, fake AVs did indeed run, but after a system restart there was no trace of a fake AV left in the tray. Then I just cleaned the remaining files by hand or with other scanners.

I think that is normal behavior.

If you ran the program inside Sandboxie, any action by that program would be made inside Sandboxie.
Since it doesn’t touch the real system, it can’t trigger any pop-up from Comodo.

That’s correct.
No modifications are being made outside of Sandboxie’s own program, therefore
no D+ pop-ups are quite normal.

Well, I just tested on my VM. First off, the AV recognizes it, so I shut down the AV and ran it again. The second you double-click it, it automatically gets sandboxed. Then you get a D+ alert saying it is trying to access a protected COM interface, so I blocked it. Now the program is running in memory. I did a restart. The program is gone from memory. Did a quick scan using Comodo AV, found nothing. Also did a scan with Hitman Pro, and it also found nothing. System is protected. ;D

The good thing is, when unknown malware is sandboxed, yes, it can still run in memory and can drop files, but it can not do any harm to the system in any way (it can’t modify/infect protected files/registry keys that Defense+ has protected). So even if a Rogue AV starts, you see a pretty GUI, or you see it in memory, reboot and it’s gone from the system… Sometimes you may find dropped files. But they are harmless. This goes for all malware.

So hopefully in future CIS versions, such as 4.1, virtualization for auto-sandboxed apps is enabled so the DROPPED files are also temporary. :slight_smile:

http://www.virustotal.com/analisis/9c11ea7f9f7ce70128e98efa308ba4fb65f2c07da130b00d1ddbf8673e0ecb1d-1271425168

Feel sorry for those people just running the other 29 various AVs as their only protection. :slight_smile:

How do we know that the dropped files are harmless? Are they restricted such that nothing can run them from outside of the sandbox? I am confused about this part of the sandbox protection.

Can someone please explain?

Let’s say it drops an exe. Well, even if it tries to run the exe, that file will get sandboxed again. Anything it spawns gets sandboxed the second it tries to run it. The same thing applies to any dropped DLLs or anything along those lines, and it can’t drop them in the protected folders.

Thank you.

And if I’m not wrong if that exe tried to run itself on restart of the computer it would be sandboxed anyway, so it’s not a threat.

Still, if I’m not wrong, can’t a sandboxed file modify folders or files if they are not in the areas of the computer that CIS protects? Is this a problem that I should worry about, or am I misunderstanding how this works?

No, because when it gets sandboxed the sandbox automatically virtualizes the running files and registry, so it can’t touch the real computer; all it can do is drop files on the real computer.

Thanks again for explaining that.

The one last thing I’m concerned with is whether a file running in the sandbox can access the internet without causing an alert. I have my configuration set to Proactive.

I don’t have CIS V4 yet, but from what I’ve read so far, I have a question:

What’s to stop a piece of malware from running in the sandbox, promptly reading a bunch of my private, personal files (which are obviously NOT in “protected” Windows system folders), sending them all out over the internet to the malware’s author, then deleting them all from my hard drive?

From all I’ve read so far, it sounds like nothing in the sandbox prevents any of that. Please correct me if I’m wrong?

If so, the first thing I’ll do when I get CIS V4 is disable the sandbox and configure CIS to run like V3.14 does, with alerts BEFORE evil things get to run, and BEFORE they get to connect to the internet. I don’t mind multiple alerts. Heck, I LOVE them if they keep evil stuff from running and gaining connectivity!

The V4 sandbox may indeed reduce alerts for newbies, but unfortunately, alerts are the price you pay for a secure Windows system in this day and age.

Comodo, at a minimum, please KEEP the ability to turn the sandbox OFF, so the savvy among us can make V4 continue to run in the superior V3.14 style of operation. Thanks.

One more thing - users might get scared that a fake AV managed to “install” itself, even if it can’t do any damage. They might think that CIS doesn’t protect them and uninstall it before figuring out to reboot the PC. Or they might even panic and install other AVs and antimalware products besides CIS and ■■■■■ up their system for good.

Just sayin’ 88)

I fully agree with puddingpants and I didn’t even have to ask myself the question:
I am still, deliberately, running CIS v3 (and was indeed being asked for a lot of things, at least the first days when I ran it; one is not regularly bothered anymore with these alerts after the settings period).

I know that the fake AV is a problem, so lately I have been searching for as many rogues as I can find and submitting them for the AV signatures.

I am not sure that the first line of defense against rogues can ever rely on whatever AV software instead of the user’s behavior, even if protected against scripting: not clicking here and elsewhere before he actually asks himself if he should.