Malware Can Hide Entire Desktop Even When Sandboxed Through BB [M1040]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.
  • Can U reproduce the problem & if so how reliably?:
    Every time
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    1: Run malware under BB restrictions.
    2: If run under Windows 7 x32, the desktop and CIS GUI were hidden only if sandboxed with BB set to Partially Limited.
    3: If run under Windows 7 x64, the desktop and CIS GUI were hidden if sandboxed with BB set to Partially Limited, Limited, Restricted, or Untrusted.
  • If not obvious, what U expected to happen:
    Prohibition of processes that hide the Comodo GUI and the entire desktop.
  • If a software compatibility problem have U tried the conflict FAQ?:
    NA
  • Any software except CIS/OS involved? If so - name, & exact version:
    None
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    Videos which show the behavior on Windows 7 x32 and Windows 7 x64 are attached to this post.

B. YOUR SETUP
  • Exact CIS version & configuration:
    CIS 7.0.317799.4142
  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    Default configuration. Other than that, I am testing with the sandbox in Partially Limited, Limited, Restricted, and Untrusted.
  • Have U made any other changes to the default config? (egs here.):
    No
  • Have U updated (without uninstall) from CIS 5 or CIS6?:
    No
      • If so, have U tried a clean reinstall - if not please do?:
        No
  • Have U imported a config from a previous version of CIS:
    No
      • If so, have U tried a standard config - if not please do:
        No
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 7 x32, Service Pack 1 on real system, UAC default
    Windows 7 x64, Service Pack 1 on real system, UAC default
  • Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
    a=none b=none

[attachment deleted by admin]

Are you saying that in default mode it is possible for a malware to hide the CIS GUI so that it cannot be accessed?
If so, what about the other levels of the BB?

Thanks.

Yes, and in sandbox (Partially, Limited, Restricted and Untrusted).

Malware hides the CIS and desktop.

I’m going to make a video to clarify it.

Thank you for the clarification. I do not believe I have heard of a malware which can hide the GUI when sandboxed as Untrusted. Thus, please do make a video showing this under Untrusted.

Thanks.

I tested in Windows 7 x32.

But the results changed between x32 and x64.

I hope to have time to PM me to give it a sample link.

The sample is harmless and has no impact on the computer system; the sample was made only to test protection.

[attachment deleted by admin]

Thank you. Please specify what happened on the 32 bit system. Then specify what happened on the 64 bit system.

That information will be very helpful.

Thanks.

In Windows 7 x32: bypass in sandbox Partially only.
In Windows 7 x64: bypass in sandbox (Partially, Limited, Restricted and Untrusted).

Those are very strange results. I have updated the first post. Please let me know if everything in it is correct.

Also, as soon as you provide the videos showing what happens for Windows 7 x64 under Untrusted I will forward this to the devs. I’m just waiting for that as I believe it may be very helpful for them in understanding what happens.

Thanks.

Test in Win x64.

[attachment deleted by admin]

Thank you. I have attached that video to the first post. Please send me a PM with a link to the sample in question and I can forward this to the devs.

Thanks.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time, availability, and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

Nice catch, sd ahmad.

Waiting for a fix from the Comodo team.

Applications sandboxed as “Partially Limited” can also move the CIS GUI.
For example, outside the screen - that should be annoying if used improperly. :wink:

I’ve attached a test sample that will move your CIS GUI outside the screen with [+200]x[+200].

  1. Start GUI (screenshot).
  2. Run test file under “Partially Limited”.

[attachment deleted by admin]

Actually, please submit this as a separate bug. Because of the way issues are tracked, I think it would be more effective that way. The pathway by which it happens may be quite different.

Thanks.

The issue is not resolved.

What is the most recent version with which you have seen that this bug still exists?

beta 8

Thank you for testing this. I have updated the tracker.

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.0.0.4337) and let me know if this is fixed on your computer with that version.

Thank you.