Malware can create file on real filesystem when run in virtual environment M1421

morituruz · January 24, 2015, 5:18pm

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
I don’t tried to reproduce it.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1:Opened Google Chrome in SandBox from widget.
2:Opened in Chrome this link (VIRUS)

www.electro-lagune.de/images/product_images/popup_images/278_0.jpg

3:Comodo shows me a popup about launch new untrusted application tbmessaginghost.exe. I can’t remember what module of CIS showed that warning.
4:I was able to find this application files in my real file system and check it hash on a virustotal. Then i deleted all files in malware directory and perform system scan by third party anti-virus tool.
One or two sentences explaining what actually happened:
Application bypassed virtual mode.
One or two sentences explaining what you expected to happen:
Application should stay running in Sandbox.
Any software except CIS/OS involved? If so - name, & exact version:
I guess that link used an exploit for Google Chrome to download and run tbmessaginghost.exe
Any other information, eg your guess at the cause, how you tried to fix it etc:
VirusTotal results:

All this happened yesterday.
I’m newbie in CIS.
I’m sorry for my English (I’m Russian).

B. YOUR SETUP
Exact CIS version & configuration:
8.0.0.4344; Internet Security
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Antivirus: cumulative scanning
Auto-Sandbox: on
HIPS: safe mode
Firewall: safe mode
Have you made any other changes to the default config? (egs here.):
Yes, but I don’t remember all.
Have you updated (without uninstall) from CIS 5, 6 or 7?:
No
Have you imported a config from a previous version of CIS:
No
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Microsoft Windows 7 Ultimate x64 SP1, UAC disabled, Administrator, No.
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=no b=Agnitum Outpost Firewall.

I cannot make diagnostic file. Diagnostic window freezes at 100%, when I closed it, I cannot open it again.

[attachment deleted by admin]

wasgij6 · January 26, 2015, 5:03am

Where was the file located on the real system

morituruz · January 26, 2015, 7:01am

C:\User%username%\AppData\Local\NativeMessaging\CT3306926\1_0_0_6\TBMessagingHost.exe
I’m not shure about last two folders. I cleaned comodo journals.

wasgij6 · January 26, 2015, 7:30am

Thanks for the info. Can you just let me know which configuration you are using (proactive, internet security, firewall) then i will forward this to the devs.

morituruz · January 26, 2015, 7:37am

Internet Security

wasgij6 · January 26, 2015, 7:40am

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

qmarius · February 27, 2015, 2:11pm

morituruz, devs would like you to provide more data on this issue. Please attach a video.

Thanks.

qmarius · March 4, 2015, 7:10pm

In the meantime, I will move this one to “Incomplete Issue Reports” section.

Thanks.