limited account should be more secure, but...

dax123 · February 15, 2010, 10:27am

I’m using XP sp3 and CIS v4.0 beta
i’m using sudo implementation 2.2, which switches user down to an limited account (like UAC for XP)

and here is the link : http://sudown.sourceforge.net/
I think limited account mode should be more secure than admimistrative mode…

but i get a strange result when i ran a comodo leaktest.
this is the result when i test it in administrative mode.

330/340, except the “coat” test.

but when i run it again with limited mode, i get a worse result:

260/340, strange, isn’t it?

does leaktest have a bug?
Can someone explain why this happens?
I attach the leaktest log file.

Thanks
-sandboxfag

[attachment deleted by admin]

dax123 · February 15, 2010, 11:01am

I got an answer, but the problem still remains.

I unchecked this part and i got an “obtaining privilege” alert and got a less poor result.
but one problem still exists - why “ExplorerAsParent” test still fails?

and at last here is the description

23. Impersonation: ExplorerAsParent
What does it do ? Tries use explorer.exe to connect to the Internet.
What is the risk ? Firewalls may miss the real applications behind the internet connection requests.

Thanks
-sandboxfag

[attachment deleted by admin]

Citizen_K · February 15, 2010, 8:13pm

Endymion post:46:

Many tests are fooled by the sandbox and reported with “vulnerable” result whereas they should have been reported as “Protected”.

[b]Leaktests fooled by File virtualization[/b]
5. Invasion: Runner Vulnerable
Tries to replace default browser executable with a different one to exploit an existing firewall policy.
Actual Result: it drops the actual/true browser executable into sandbox subfolder
8. Invasion: FileDrop Vulnerable
Tries to drop test.exe into %windir%\system and %windir%\system32.
Actual result: It drop test executables into sandbox subfolder

[b]Leaktests fooled by Registry virtualization[/b]
27. Hijacking: WinlogonNotify Vulnerable
Actual result: Redirected to registry sandbox. Fail to write real HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain\DllName

28. Hijacking: Userinit Vulnerable
Actual result: Redirected to registry sandbox. Fail to write real HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

29. Hijacking: UIHost Vulnerable
Actual result: Redirected to registry sandbox. Fail to write real HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

30. Hijacking: SupersedeServiceDll Vulnerable
Actual result: Redirected to registry sandbox. Fail to write real HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sens\parameters\servicedll

31. Hijacking: StartupPrograms Vulnerable
Actual result: Redirected to registry sandbox. Fail to write real HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms

32. Hijacking: ChangeDebuggerPath Vulnerable
Actual result: Redirected to registry sandbox. Fail to write real HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug

ssj100 · February 20, 2010, 7:31am

A bit off topic, but you should probably consider switching to SuRun. It might cause complications though, given you are already using SuDown.

Here’s some information about SuRun:

If you do go down the SuRun pathway (it works perfectly for me by the way), there is only one change I would make of how to implement it. Most web-sites and information on the web recommend to create an administrator account and then strip it down to a limited account with SuRun.

However, it’s best to create a fresh/new limited account and then use SuRun with it to elevate processes to administrator level as required.

dax123 · February 21, 2010, 1:33pm

whopps :o :o :o :o
so SuDown has some vulnerabilities.
thank you for your advice and i should switch to suRun.

actually i use tweaked SuDown (with source, i love open source 8) )

[attachment deleted by admin]

goodbrazer · February 21, 2010, 7:24pm

:-TU got interested

dax123 · February 26, 2010, 11:47pm

I switched to surun and got a 100% protected result

[attachment deleted by admin]

dax123 · February 27, 2010, 8:00am

It seems that we don’t need any UAC like software if we install CIS v4.

CIS v4 automatically reduces programs’ rights to limited mode, and asks user if the program requests privilege.

what we need to do is install CIS and logon to limited account, that’s all.

:comodo110: :comodo110: :comodo110:

(what a poor english ???)