Keylogger run in FV Sandbox can log keystrokes from real computer [M361] [v6]

A. THE BUG/ISSUE (Varies from issue to issue)
[ol]- Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    Yes, every time.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    Download SpyShelter Anti-Test from near the bottom of this page. Then, after unzipping it, right-click on AntiTest.exe and choose the option to “Run in COMODO Sandbox”.

Once it’s open click on the KeyLogging portion and click the button to “Start test”. Then, open your browser (on the real computer) and maximize the window so that it is definitely what has the attention. Then, click on the address bar and start typing something. After you have typed a few words go back to the SpyShelter leaktest and you will see that it has been logging every keystroke.

What this indicates is that it’s possible for a keylogger to be running in the FV Sandbox and yet be logging every keystroke you make while using your real computer for sensitive acts such as banking. When coupled this with the FV Sandbox vulnerability documented here, which details a method by which applications running in the FV Sandbox can bypass the Firewall and transmit information to the internet, this is a very critical vulnerability.

  • If not obvious, what U expected to happen:
    A keylogger running in the FV Sandbox should not be able to log keys from the real computer.
  • If a software compatibility problem have U tried the conflict FAQ?:
  • Any software except CIS/OS involved? If so - name, & exact version:
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    Not sure.
  • Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not m’ware)
    I have attached the diagnostics report and the KillSwitch process dump (both which were done while the keylogger was running in the FV Sandbox). Please let me know if it would be helpful to provide other attachments.

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
[ol]- Exact CIS version & configuration:
CIS version 6.1.275152.2801
Default Configuration

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    Default Configuration
    However, I had to disable the AV and the Cloud lookup so it wouldn’t automatically flag the file as dangerous and remove it.
  • Have U made any other changes to the default config? (egs here.):
    Default Configuration
    However, I had to disable the AV and the Cloud lookup so it wouldn’t automatically flag the file as dangerous and remove it.
  • Have U updated (without uninstall) from a CIS 5?:
    No, this was a clean install.
    [li]if so, have U tried a a clean reinstall - if not please do?:
    [/li]- Have U imported a config from a previous version of CIS:
    [li]if so, have U tried a standard config - if not please do:
    [/li]- OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 7 x64 (fully updated), UAC disabled, Real System, run as administrator.
  • Other security/s’box software a) currently installed b) installed since OS: a)
    None b) none

[attachment deleted by admin]

I did some testing and yup, can confirm this. However it does fail when Zemana AntiLogger is active but this program can’t block programs within the sandbox from being logged.

Personally I’d like optional HIPS inside the Sandbox with the same kind of settings as the normal hips, so you can set it to perhaps only alert for keyboard access etc.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again


This is still not fixed with CIS version 6.1.276867.2813.

Tracker updated, thanks

This is still not fixed with CIS version 6.2.282872.2847.

I have received feedback from the devs that apparently this is by design. They say that foreground keylogging is allowed.

Thus, I will move this to Resolved.

Actually, after additional discussions, this has been re-opened. I’ll now move this back to format verified.

Thank you.

Upon further review, Comodo has classified this as a possible enhancement.

Hopefully it will eventually be improved upon, but for now I will move this to Resolved.