Malware Bypasses Auto-Sandbox Rules if Not Downloaded from Internet

1. The full product and its version:
COMODO Internet Security Premium BETA v(8.0.332922.4281)

2. Your Operating System (32 or 64 bit) and Service Pack revision, and if using a virtual machine, which one:
Windows 7 Professional Service Pack 1 (x64) 6.1.7601
Virtual Machine = Yes, VMware Workstation 10.0.3 build-1895310

3. List all the configuration changes you did. Are you using the default configuration? If not, what's the difference?:
No COMODO Dragon, No Geek Buddy, Didn’t use Secure DNS, Didn’t change homepage. All other settings were left at their default state.

4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
No

5. Other Security, Sandboxing or Utility Software Installed:
VMware Tools v9.6.2, Build-1688356 (No Print Driver)

6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:
1: Disable AV if installed (This is an auto-sandboxing issue NOT an AV issue)
2: Run malware sample by double clicking.
3: You will notice the malware is not virtualized or restricted at all.

7. What actually happened when you carried out these steps:
The malware was not automatically sandboxed as it should be and infected the VM with no restriction at all.

8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
The malware should have been sandboxed and run virtually instead of having unlimited system access.

9. Any other information:
I have figured out the issue; it is a simple rule issue. Where the threat originates from is the main issue here. In the Auto-Sandbox settings, the first Run Virtually rule in the edit window under the “Origin” category is currently set to “Internet”; this allows any malware from, let’s say, a zipped folder or flash drive to execute with no restrictions. In my opinion this should be set to “Any”. Please watch the video for more details. If you want the malware sample I’m using, I can upload an encrypted, password-protected copy.

[attachment deleted by admin]

There is already a bug report created here for the problem related to zip files.

Please specify how that particular file got on your computer in the first place so I can best figure out how to categorize this.

Thanks.

PM reminder sent.

I looked over the bug report you linked in your response and that seems to be the same issue I was having. To answer your question, the malware was transferred from my host machine and unzipped on the VM. Essentially, that is like plugging in a flash drive with malware on it and executing that malware. Basically, if the threat doesn’t come from the Internet, it will not be sandboxed.

I believe that files coming directly from a removable media should also be sandboxed (assuming they are not in a zip file). Are you saying that if you have an executable on a flash drive, and you plug it into your computer, that if you try to start the executable after transferring it to the computer it is not restricted?

Thanks.

It depends on the format. For example, if it’s FAT32 then alternate data streams are “stripped”. :)
Streams are specific to NTFS only, from my understanding.

PS: Another example of Bug 1209.
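The post above points at the mechanism behind the "Origin" check: Windows records that a file came from the Internet in an NTFS alternate data stream named Zone.Identifier (the Mark of the Web), which FAT32 media and zip containers cannot hold. The following PowerShell script is an added example, not code from the thread or from Comodo, that shows the stream being set the way a browser sets it, surviving a plain NTFS copy, and disappearing after a zip round-trip. It assumes PowerShell 5 or later on an NTFS volume, that the origin check in question relies on this stream (the thread suggests it but does not state it), and uses a constructed placeholder file under %TEMP% rather than a real executable.

```powershell
# Added example (not from the original thread or from Comodo): inspect the
# NTFS "Zone.Identifier" alternate data stream that marks a file as downloaded
# from the Internet, and show how a zip round-trip loses it. Assumes
# PowerShell 5+ on an NTFS volume; paths and the placeholder file are constructed.

function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)
    # The stream only exists on NTFS: FAT32/exFAT media and zip archives cannot hold it.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return 'none' }
    $line = Get-Content -LiteralPath $Path -Stream Zone.Identifier |
            Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if (-not ($line -match '^ZoneId=(\d+)$')) { return 'stream present, no ZoneId' }
    switch ($Matches[1]) {
        '0'     { 'My Computer' }
        '1'     { 'Local intranet' }
        '2'     { 'Trusted sites' }
        '3'     { 'Internet' }
        '4'     { 'Restricted sites' }
        default { "unknown zone $($Matches[1])" }
    }
}

$work = Join-Path $env:TEMP 'motw-demo'      # assumed scratch directory on an NTFS volume
New-Item -ItemType Directory -Path $work -Force | Out-Null
$downloaded = Join-Path $work 'sample.exe'
Set-Content -LiteralPath $downloaded -Value 'placeholder content, not a real executable'

# 1. Simulate what a browser does on download: tag the file as zone 3 (Internet).
Set-Content -LiteralPath $downloaded -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
"downloaded file   : $(Get-FileZone $downloaded)"

# 2. A plain copy on the same NTFS volume carries the stream along with the file.
$copy = Join-Path $work 'copy.exe'
Copy-Item -LiteralPath $downloaded -Destination $copy
"NTFS copy         : $(Get-FileZone $copy)"

# 3. Zip it and extract it again. The zip container has no place for the stream,
#    so the extracted file comes out with no origin mark at all, which is the
#    situation the bug report describes (a FAT32 flash drive gives the same result).
$zip = Join-Path $work 'sample.zip'
$out = Join-Path $work 'extracted'
Compress-Archive -LiteralPath $downloaded -DestinationPath $zip -Force
Expand-Archive -LiteralPath $zip -DestinationPath $out -Force
"extracted from zip: $(Get-FileZone (Join-Path $out 'sample.exe'))"

# 4. Unblock-File is the supported way to remove the mark deliberately.
Unblock-File -LiteralPath $copy
"after Unblock-File: $(Get-FileZone $copy)"
```

Run it in a normal (non-elevated) PowerShell session and compare the four lines it prints; any product whose "Origin = Internet" rule keys off this stream will see the extracted and unblocked copies exactly as it sees a file that was never downloaded, which is why an "Any" origin is the safer default for an auto-sandbox rule.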

CIS-1, please provide more details about what you are seeing about the flash drive, and details of the flash drive, so that we can properly characterize this issue.

Thank you.

PM reminder sent.

As there has been no reply I will move this bug report to Resolved. CIS-1, if in the future you want to submit a bug report for the issue you noticed with the flash drive please reply to this topic. I can then move this back to the bug reporting board and continue processing it.

Thank you.