I found an malware (fake antivirus), which could able to modify the hosts file successfully despite the following entry in “my protected files/folders list” -
%windir%*|
Please find the attached screenshots.
Comodo successfully blocked the malware in writing the entries to hosts file only after adding hosts file to my protected list explicitly. Isn’t it should prevent by default?
One more thing, when i ran the malware for the second time, it did not modify hosts file as expected, but it did created some ini files in my app data folder, look at the attached 3rd screenshot.
Test Environment -
Comodo Firewall v5.8 (Proactive Profile, Sandbox set to untrusted)
So you'd possibly need to protect %Sandboxpath%\%windir%\*|
Thanks for the above suggestion.
I have removed hosts file explicit entry and added above virtual path to my protected files/folder list. But malware sample still able to modify the hosts file entry. Ofcourse virtual path only as its run inside the sandboxie.
Whether this is a security risk maybe depends on what copy of the hosts file the OS uses, original or modified virtual.
It did not bypass sandboxie, the hosts on physical path remains intact.
Interesting. I wonder if the | applies only to the current directory, not its subdirectories. The * should make the protection apply to subdirectories, but maybe not the |. (The consequence of an alteration of a physical file is the deposit of a virtual file of course, so the virtual path would need the | I guess).
Also possible that Eset is involved.
What happens if you protect the physical and virtual path at once I wonder?
I tried with *. But it does not work. I even tried protecting only physical path and both virtual and physical path together but of no use.
And also i think, D+ does not have any problem in seeing virtual path. Because, as i earlier said, it blocks succesfully if i add the host file complete path explicitly.
Hmm, so you are suggesting its the use off the environment variable, maybe inconbination with the sandbox? Well I wonder what %windir% expands to on your machine?
Type set at a command window, what’s the exact sequence of characters?
Thanks. Please note you have to close and open cfp.exe for a new environment variable to take effect.
OK what I think is happening here is:
The asterisk means that the hosts file on the physical path is protected from modification
But you are using a sandbox, so the first attempt to modify the physical file turns into a create of a virtual file on a different physical path
This is not impeded, for a number of possible reasons
maybe CIS works at the physical level, and needs the restriction to be on the physical path of the virtual file. Maybe you did not restart cfp before testing this
maybe the * does not extend the scope of the | to subdirectories. If this is the case CIS would not impede itthe fisrt time, but would the second and subsequent times, as the virtualfile creation (no inhibited) would be followed by virtual file modifications (inhibited)
else possible sandboxie is really getting in the way of CIS!
If you want to know maybe test the above - testing scenarios will need to be very careful and carefully documented to find out what is happening
Subtle stuff, but not an immediate security risk I think?
Best wishes & good luck
Mouse
Either the asterisk does not extend the scope of the | to sub-directories of the
Ok yesterday when i created the env. variable, i did not restarted cfp.exe. But today when i tested again, malware could successfully adds entries to hosts file and creates an exe to syswow64 folder.
I would be rather happy to give the sample if you have some time to test it in your VM. (as i don’t have a VM to test it and probably i’m doing sth wrong here).
Attaching the screenshots for protected list and sandboxie window…
Note: I did remove the “important files/folder” group in order to test “*” entry for windir…
OK then, subject to confirmation by careful testing scenarios, then it’s either a specific Sandboxie interaction or the environment variables are not being correctly interpreted. The latter work OK on XP, as I tested them recently.
However I don’t think there’s really a security risk here, unless you know differently. Indeed you could say CIS is co-operating with Sandboxie as if it was CIS’s internal sandbox. So it could be by design.
Further investigation would take some time - sorry but, although interested, I don’t have the time to do this - we mods are volunteers :). Please do post the results if you decide to do it yourself.
i’ve been busy over the week. So, could not test at the time.
Today, i’ve tested in two scenarios and found comodo blocks it successfully by blocking any attempt to modify/create files into my sandbox folder by the mawlare
Scenario 1
Created following entries to my protected files/folders group…