1. The full product and its version:
COMODO Internet Security 8.0.332922.4281 BETA 2. Your Operating System (32 or 64 bit) and ServicePack revision. and if using a virtual machine, which one:
virtual machine : virtualbox 4.3.6 r91406
windows7 x32 3. List all the configuration changes you did. Are you using Default configuration? If no, whats the difference?:
Default configuration 4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
Clean install 5. Other Security, Sandboxing or Utility Software Installed:
No 6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step: 1: I started the virtual desktop, then I ran a tool which tries to kill processes. 2: There are two options in the tool to use. The first is the user mode and the second Kernel mode. 3: The kernel mode approach is not able to kill any of the processes. However, the user mode approach is able to kill any Fully Virtualized process, although it fails to kill any running on the real system. 4: Even Virtkiosk.exe is able to be killed by this method, instantly shutting down the Virtual Desktop. 7. What actually happened when you carried out these steps:
An application run inside the Virtual Desktop is able to kill other fully virtualized processes, and even kill Virtkiosk.exe, therefore shutting down the Virtual Desktop. 8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
Unknown applications run in the Virtual Desktop should not be able to kill other fully virtualized processes, especially including Virtkiosk.exe. 9. Any other information:
The tool used for testing can be downloaded from here (Note that it is not harmful by itself, but represents a vulnerability): http://dc259.gulfup.com/AOgjv9.rar?gu=lnmOmAocCTmmVGGm7-xKRQ&e=1412621060&n=66696c656e616d652a3d5554462d3827272544392538322544382541372544382541412544392538342532302544382541372544392538342544382542392544392538352544392538342544392538412544382541372544382541412e726172
A video showing this behavior is attached to this post.
Thank you. I see that this tool, if run inside the Virtual Desktop, is able to kill the virtkiosk.exe process which is running on the real computer, thus closing the Virtual Desktop. However, using the kernel mode fails to work while using the user mode succeeds.
I have two questions.
Is this app able to kill other processes as well when run inside the Virtual Kiosk?
Does this same behavior happen if this is run on a real system as well, instead of in VirtualBox?
That is very interesting. So the only process which can be killed, which is running on the real computer, is VirtualKiosk.exe.
Could you please post a screenshot of what KillSwitch shows of the processes, including virtualkiosk.exe, both before and after the app is run? I want to see how the virtualization is handled of the multiple processes.
Thank you. So Virtkiosk.exe and the malicious app are both correctly run as Fully Virtualized. I wonder whether it’s only able to kill it because it’s running as Fully Virtualized as well.
To test if this is part of a larger issue please try this. Run another app as Fully Virtualized, such as a browser, or etc… Then try to kill it using this app. Let me know if it is able to kill that other app which is also running as Fully Virtualized.
Thank you for checking this. In that case the bug seems to be that malware operating in the Virtual Desktop is able to kill processes also running as Fully Virtualized. However, only the user-mode approach used by that program is able to work.
Please modify your first post so that it is now focused on this underlying issue.
Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.
Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.