Invalid Security Zone

Seems every time I test CIS with numerous malware links, it always does very well, except for one thing. It seems every time it has an issue with the registry. I was pretty sure the registry was always part of the sandbox was it not? Does CIS not create a virtual registry?

How is it then when all malware is either stopped or sandboxed, that every single time it seems that there is an invalid security zone found when scanning with Hitman Pro or Malwarebytes?

CIS does amazing except for this…I don’t get it. It would be perfect otherwise. Is the registry not virtual when items are sandboxed?

http://i52.tinypic.com/23vhmjq.png

http://i52.tinypic.com/8yb5p4.png

Hmmm…No one? ???

I’m not really an expert on the sandbox (I don’t use it) but it could be that the sandbox lets programs write to some parts of the registry (e.g. the parts not listed in the protected registry keys list).

I’m just saying this to give you an idea, and maybe to attract more knowledgeable users here too.

Thanks for your response. Would be cool if someone in the know would post their knowledge in here as well. Seems to me that with the testing I do, CIS does great except for this. If I could figure out why this sort of thing gets through, CIS would be 100% in most of my tests.

LaserWraith is spot on :-TU

The default sandbox behavior is to restrict access to certain file/folder locations and registry keys.
They are not virtualized but just denied access.

What you can do is add the registry key (or part of it ending with *) to protected registry keys and then the malware should not be able to change the security zones.

Devs should add these keys in the next release by default.

What you can do is add the registry key (or part of it ending with *) to protected registry keys and then the malware should not be able to change the security zones.

:o

Um, why should that be up to the user? As mentioned in the post above me, these should be added by default and the reason why I was reporting this.

I suggest CIS to normal, every day users. They have no idea how to do this sort of thing, nor should they have to. Maybe the developers can take a look at this and ensure important registry keys are protected as they should be if something is running in the sandbox. After all, isn’t that what the sandbox is for and what we’ve been told should happen all along?

Oh don’t get me wrong, I agree completely that malware should not be able to change IE Zone settings.

Well, let’s hope the developers see this and perhaps add this because it would make, as I’ve mentioned, CIS 100% strong in tests against malware…at least the ones I’ve done with zero day malware.

Can you do me a favor and post the exact keys we’re talking about?

I did not make a note of the exact key, but next round of testing I do, I will ensure that if this key gets changed, I will try to get the exact key. I’m not sure if MBAM or HMP actually provide the exact key though. I will check and if I have more info, I will post here. I just figured if it was a “security zone” key, then you guys would know which key or keys may be affected and which ones need to be protected.

That would become *\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones*

I wish I could, I’m just a volunteer not Comodo Staff.
But I’ll try to see if they can enhance in this area :wink:

Excellent. Thanks for your help Ronny.

I wish I had a particular zone for you, but the last round of tests, well, CIS was perfect. Quite amazing actually.

Nice video :-TU

Thanks Ronny… :wink:
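
To pin down exactly which zone key or value changed during a test run, as asked for in the thread, one option is to snapshot the Zones keys before the run and compare afterwards. This is an added example, not part of the original posts and not Comodo's code; the script name `Watch-Zones.ps1`, the baseline path, the choice of the HKCU and HKLM hives, and treating subkeys other than 0 to 4 as non-standard are assumptions.

```powershell
# Added example, not Comodo's or the posters' code. Script name and baseline path are hypothetical.
# Usage:  .\Watch-Zones.ps1 -Mode Baseline   (before the test)
#         .\Watch-Zones.ps1 -Mode Compare    (after the test)
param(
    [Parameter(Mandatory)][ValidateSet('Baseline', 'Compare')][string]$Mode,
    [string]$Path = "$env:TEMP\zone-baseline.xml"
)

# Assumption: the leading wildcard in the thread's pattern is covered by these two hives.
$ZoneRoots = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
# Standard zones: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
$StandardZones = '0', '1', '2', '3', '4'

function Get-ZoneSnapshot {
    # One record per zone subkey and one per value under it.
    foreach ($root in $ZoneRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $std = $StandardZones -contains $key.PSChildName
            [pscustomobject]@{ Kind = 'key'; Id = $key.Name; Data = ''; Standard = $std }
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Kind     = 'value'
                    Id       = "$($key.Name)\$name"
                    Data     = [string]($key.GetValue($name))   # byte arrays become space-separated numbers
                    Standard = $std
                }
            }
        }
    }
}

$now = @(Get-ZoneSnapshot)
if ($Mode -eq 'Baseline') {
    $now | Export-Clixml -Path $Path
    Write-Host "Saved $($now.Count) entries to $Path"
    return
}

$before = @(Import-Clixml -Path $Path)
# Report zone subkeys outside 0-4, whether or not they changed during the test.
$now | Where-Object { $_.Kind -eq 'key' -and -not $_.Standard } |
    ForEach-Object { Write-Warning "Non-standard zone subkey: $($_.Id)" }
# List every key or value that was added, removed or modified between the snapshots.
Compare-Object $before $now -Property Kind, Id, Data |
    Sort-Object Id |
    Select-Object @{ n = 'Seen'; e = { if ($_.SideIndicator -eq '=>') { 'after' } else { 'before' } } }, Kind, Id, Data
```

A modified value appears twice in the output, once with its `before` data and once with its `after` data; the `Id` column is the full key path to add to the protected registry keys list.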