Limited and Restricted block screen capture but Untrusted does not [M399]

Should be fixed.

I will move this one to “Resolved” section.
Thank you.

This bug was resolved, but now I have checked it again with the latest release 8.2.0.4978 and the bug is still there… actually, it’s even worse, since all the screenshot tests fail with sandbox in “run limited → untrusted”
https://forums.comodo.com/format-verified-issue-reports-cis/limited-and-restricted-block-screen-capture-but-untrusted-does-not-m399-t95001.30.html

EDIT: also “clipboard monitoring test” fails…

Maybe I found the problem.
As you can see in the attached screenshots, I set a sandbox rule to run unknown apps as virtualized and untrusted, but once CIS sandboxes the SpyShelter app, it says it’s sandboxed as partially limited.
If the same happens for run restricted, it means that the app runs as partially limited even if I set the rule to untrusted.

[attachment deleted by admin]

Hi Jon79,

  1. What operating system are you using?
  2. Please try the following: add a rule (explicitly) for the mentioned application in Auto-Sandbox with desired restriction level.

Thanks.

Hi qmarius,

I’m using Windows 10 Core (10.0.10586.164).

I’ll try your suggestion once I arrive home.

Thanks

Hi qmarius,

I have tried to set a rule as you suggested, but the result is the same.
No matter which restriction level I set, the app runs into the sandbox as “partially limited”. That’s why every screenshot test fails.

I don’t know if this is a bug for the latest release only, but for sure it is a bug that has to be fixed as soon as possible.

[attachment deleted by admin]

From my understanding, it is specific to Windows 10 & Windows 8.1. {awaiting confirmation}

What’s not intended: creating a rule and having it ignored.
What’s intended (by design, currently): applications that require UAC will get “Partially Limited” restriction, regardless of imposed restriction.

I don’t know, anyway, I have disabled the UAC alerts, so I never get one

Windows 7, explicit restriction : limited. (see attachment; not affected)

[attachment deleted by admin]

I have found this topic https://forums.comodo.com/install-setup-configuration-help-cis/comodo-8204792-sandbox-vs-a-worm-gruel-possible-bug-or-misconfiguration-t113915.0.html;msg825051#msg825051

The problem is that, on Windows 10, if you disable UAC from the registry, all the Metro apps won’t work (including Microsoft Store, Calculator and such)… it seems even the Start button can’t work… :o

https://www.reddit.com/r/windows/comments/3asino/win_10_disabling_uac_through_the_registry_removes/

Yes, in Windows 10 UAC doesn’t fully get disabled like it did in Windows 7 when UAC is set to “never notify”, and “EnableLUA” is still set to 1, which means that, even as an administrator-type account, you do not have full administrative rights. And yes, setting EnableLUA to 0 will break Windows 10 functionality such as Edge, and Windows Store-like applications will not launch. So the issue here is that, for some reason, if an application that requires elevated permission does not get elevated, the sandbox will limit the application to partially-limited despite whatever sandbox rule is in place. Therefore you have two options: leave UAC prompts at never notify and use the context menu to run as an administrator, or enable UAC prompts and allow elevation, to make sure the sandbox rule that you set does take effect.

It is my understanding that if you (though I haven’t fully tested this yet, or I did but don’t remember) were to answer the UAC prompt to allow, then CIS will sandbox based on the rule; if you deny, then CIS will override any rule and sandbox the application as partially-limited. This happens when UAC is enabled on Windows 7, but because no prompt appears while still having UAC enabled on Windows 10 when UAC is set to never notify, the application will run as if you had denied elevation, so CIS will sandbox it as partially-limited.
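
The two UAC states distinguished in the post above ("never notify" with EnableLUA still 1, versus EnableLUA set to 0) can be told apart on a given machine with a read-only check. This is an added example, not part of any post in this thread; the function name `Get-UacState` is made up for illustration, and `ConsentPromptBehaviorAdmin` is the documented Windows policy value behind the prompt setting, which the thread does not name.

```powershell
# Added example: read-only report of the UAC settings discussed in this thread.
# It changes nothing; it only reads the policy key and the current token.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    param([string]$Path = $PolicyKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Fall back to the Windows defaults when a value is absent.
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) {
        [int]$p.ConsentPromptBehaviorAdmin
    } else { 5 }

    $mode = if ($enableLua -eq 0) {
        'UAC off (EnableLUA=0)'
    } elseif ($consent -eq 0) {
        'UAC on, admin prompts suppressed ("never notify", EnableLUA=1)'
    } else {
        'UAC on, admin prompts enabled'
    }

    # Is this process running with an elevated administrator token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        Mode                       = $mode
        ProcessElevated            = $elevated
    }
}

Get-UacState | Format-List
```

Recording this output next to the restriction level CIS reports for a test application makes it possible to tell which UAC state a given observation was made under.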

I have just tried to re-enable UAC alerts, but nothing changes: CIS always sandboxes the app as fully virtually → partially limited even if the restriction level in the sandbox rule is limited (or else)…

I have also tried to set cmdvirth.exe to run as administrator, but it’s the same…

The problem is not so big if you keep the rule to run sandboxed app as fully virtually, because the virtual environment is isolated from the real computer… but if you make a rule to run an app as restricted, the correct restriction level is a must to have a good protection (this issue happens not only with run virtually, but also with run restricted).

My advice (at least, this is what I’m doing now) is to keep the default sandbox rules (run virtually, no restriction level), disable “Show privilege elevation alerts for unknown programs” under “sandbox settings” and keep HIPS enabled.
Like this, when you first run the app, it will be automatically sandboxed as fully virtually and you can see what happens.
Then, if you have any doubts, you can check “Don’t sandbox again” on the sandbox popup. Like this, when you run the app again, the HIPS will pop up, telling you what the app is trying to do to the real system.
Then, if you choose to block the action, HIPS will protect the real system (if you enable “Show privilege elevation alerts for unknown programs” and then on the sandbox popup you select “Run unlimited”, the HIPS will be bypassed).

Anyway, I hope CIS developers can find a way to implement the correct restriction level on Windows 10 too.

Do you think the issue can be solved by changing the SmartScreen option to warn about unrecognized app, but don’t ask for admin approval? (see attached picture)

[attachment deleted by admin]

Maybe, it is worth trying to see if that makes a difference.

Just tried twice, once with SmartScreen set to warn, then with SmartScreen off, but nothing changes.

Nevermind, I’ve completely changed my security settings so that I no longer need to rely on comodo virtualization (which on Windows 10 doesn’t work as expected).

First, since I don’t like to download hundreds of Mb of signature database update every day, I’ve installed a third party cloud AV, quite lightweight, but very effective and with some nice extra-features, such as a sandbox with the option to disallow internet access for sandboxed apps and automatically purge the sandbox upon reboot.

Then, I’m using CFW with HIPS, auto-sandbox and Viruscope enabled (the latter for every app, not only for sandboxed ones).
In the auto-sandbox, I have modified the default “virtualize” rules to “block” all the unknown applications (this is the safest rule in case of auto-running malware) and with both “Detect programs which require elevated privileges” and “Show privilege elevation alerts for unknown programs” unchecked.

If I have any doubts, I can run the unknown app in the third party AV sandbox without internet access.
If I know that an app is safe, once the auto-sandbox blocks it and shows the pop-up, I’ll check “don’t sandbox again” and re-launch the app, so that it will be the HIPS to tell me what the app is trying to do (second layer of protection) and I can choose whether to allow or deny it.

I’ve been using it for a while and I’m quite happy, the PC is very responsive and I feel quite safe :-TU

Can anyone please confirm if this bug has been fixed with the new release 8.4.0.5068 ? Or at least if it’s planned to be fixed in CIS 10 ?
Thanks

They have decided not to fix it. It is considered not worth the costs as it would deliver a small amount of value to users.

Hope it helps.

So, basically, there is an incompatibility with Windows 10 (which in the next few years will probably be the most used OS) and a bug that can strongly affect protection “It is considered not worth the costs as it would deliver small amount of value to users” ? ???

Well, at least add a remark in the online help guide https://help.comodo.com/topic-72-1-623-7763-Configuring-Rules-for-Auto-Sandbox.html (Step 5 – Select the Options → Set Restriction Level), something like this:
Important Note: Windows 10 users should be aware that every app will be sandboxed as “Partially limited” even if the user sets a different restriction level.

EDIT: this is a good reason to keep the sandbox rule to “block” any unknown file rather than “run virtually”. And Comodo containment, good bye and R.I.P.

  1. This is actually caused by UAC.
  2. Most likely, applications that require administrator privileges will not work with “Untrusted” restriction level for example.