Malware sample causes svchost to run files non-sandboxed [276 - Resolved]

hello everyone,

I was testing CIS v5 (proactive profile, sandbox - untrusted) and came across a sample (exe.exe) which, when executed, opens svchost.exe and winword.exe, but neither is sandboxed.

The bug/issue
1. What you did: Ran a malware sample (exe.exe) in Sandboxie (W7 64 bit)
2. What actually happened or you actually saw:
It opened the below trusted processes un-sandboxed:
a) svchost.exe - it downloaded some temp files (.tmp) and tried to execute them
b) winword.exe - it was active for 2-3 seconds and then got terminated
Then exe.exe got automatically terminated. (Zero sandboxed processes at this moment, even though svchost.exe is running.)
3. What you expected to happen or see:
When malware tries to open svchost.exe (a trusted file), it should be sandboxed. Instead it is running un-sandboxed.
4. How you tried to fix it & what happened: N/A
5. Details (exact version) of any software involved with download link: Not sure if a malware link can be posted.
6. Any other information you think may help us: NA

Files appended

  1. Screenshots illustrating the bug: Word doc attached.
  2. Screenshots of related event logs or the active processes list: Word doc attached
  3. A CIS configuration report: None.
  4. Crash or freeze dump file: None.

My set-up

  1. CIS version & configuration used: 5.0.162636.1135, Proactive config
  2. Whether you imported a configuration, if so from what version: No
  3. Defense+ and Sandbox OR Firewall security level: Defenseplus=Safe, Sandbox=enabled (level:untrusted)
    all firewall options selected (firewall behavior settings - advanced)
    Sandbox settings - Filesystem and registry virtualization disabled
  4. OS version, service pack, bits, UAC setting, & account type: Windows 7, 64 bit, Enabled, Admin account.
  5. Other security and utility software running: NOD32 AV, Prevx SOL, Sandboxie
  6. CIS AV database version: Not applicable

Note: Found another bug (might be). Now that exe.exe is getting detected by the cloud, when I allowed it to run, exe.exe itself is not getting sandboxed. Please see the attached file.

Thanks,
Harsha

[attachment deleted by admin]

Thanks, it's worth considering this further, so I would very much appreciate it if you would edit your first post and its title to put your bug report in the standard format. See here. Please see below for why.

When you have done that I will try to clarify your problem with you and then, if appropriate, forward it to the verified issues board.

Many thanks in anticipation for your co-operation

Mouse

WHY YOU SHOULD FOLLOW THE FORMAT AND GUIDELINES
Bugs/issues can be impossible or very time consuming to fix if not well described. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Formatted as per the bug report standard.

Thanks,
Harsha.

Thanks for a very well documented issue. The APL makes things pretty clear.

This is a complex issue, particularly bearing in mind the involvement of Sandboxie (see APL), and I'm not sure what the design goals of CIS are in this context.

However, I can see your point - if malware can cause another program to be invoked, and potentially can make use of it, arguably the invoked program should be sandboxed - even if it is not in the direct calling tree.

Against this CIS is giving you quite a lot of warnings.

I'll forward it to verified, as I think only the devs can judge this one.

Best wishes

Mike

Hello. Can you please send me your “exe.exe” file for investigation.

ALisnic, I sent a PM with the link to download the malware sample.
The password is "infected".

Thanks,
Harsha.

If a file is sandboxed as Untrusted in the Comodo Sandbox it can't execute any other process. And if it has been sandboxed as Limited or as Restricted, it executes other processes at the same sandbox level. I tried to reproduce your issue using your configuration and exe.exe file, but it all works fine for me.
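The two posts above describe what a correct process snapshot should look like: a sandboxed parent's children should inherit its sandbox level (or, for Untrusted, not exist at all), and svchost.exe should not be executing .tmp files out of a Temp folder. The script below is an added example, not code from the thread or from Comodo; it audits a constructed process list (the records mirror the report's description, they are not the real APL) for exactly those symptoms so the check can be repeated against an exported process list.

```python
"""Audit a process snapshot for the sandbox-inheritance symptoms described above.

Three checks:
  1. unsandboxed_descendants: a non-sandboxed process whose ancestor chain
     contains a sandboxed process (the original report's complaint).
  2. policy_violations: children compared against the rules stated in the last
     reply (Untrusted spawns nothing; Limited/Restricted children share level).
  3. svchost_temp_executions: svchost.exe launching a .tmp from a Temp folder.
All process records are constructed for this example (assumption), with the
user name and PIDs chosen arbitrarily.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str              # lower-case executable file name
    cmdline: str            # full path / command line as the APL would show it
    sandbox: Optional[str]  # None = not sandboxed, else "untrusted"/"restricted"/"limited"


# Constructed sample mirroring the thread: exe.exe runs Untrusted, spawns
# svchost.exe and winword.exe outside the sandbox, and svchost runs a .tmp.
SAMPLE: List[Proc] = [
    Proc(4, 0, "system", "", None),
    Proc(500, 4, "services.exe", r"C:\Windows\System32\services.exe", None),
    Proc(1200, 1000, "explorer.exe", r"C:\Windows\explorer.exe", None),
    Proc(3000, 1200, "exe.exe", r"C:\Users\harsha\Desktop\exe.exe", "untrusted"),
    Proc(3100, 3000, "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs", None),
    Proc(3200, 3000, "winword.exe", r"C:\Program Files\Microsoft Office\winword.exe", None),
    Proc(3300, 3100, "abc123.tmp", r"C:\Users\harsha\AppData\Local\Temp\abc123.tmp", None),
    Proc(3400, 500, "svchost.exe", r"C:\Windows\System32\svchost.exe -k LocalService", None),
]


def build_index(procs: List[Proc]) -> dict:
    return {p.pid: p for p in procs}


def ancestors(proc: Proc, index: dict):
    """Walk up the parent chain; the seen-set guards against PID reuse loops."""
    seen = set()
    cur = index.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        yield cur
        seen.add(cur.pid)
        cur = index.get(cur.ppid)


def unsandboxed_descendants(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(child pid, sandboxed ancestor pid) for every non-sandboxed process
    that has a sandboxed process anywhere above it in the tree."""
    index = build_index(procs)
    hits = []
    for p in procs:
        if p.sandbox is not None:
            continue
        for a in ancestors(p, index):
            if a.sandbox is not None:
                hits.append((p.pid, a.pid))
                break
    return hits


def policy_violations(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Direct parent/child check against the inheritance rules in the last reply."""
    index = build_index(procs)
    out = []
    for p in procs:
        parent = index.get(p.ppid)
        if parent is None or parent.sandbox is None:
            continue
        if parent.sandbox == "untrusted":
            out.append((p.pid, "child of Untrusted process"))
        elif p.sandbox != parent.sandbox:
            out.append((p.pid, f"level {p.sandbox} != parent {parent.sandbox}"))
    return out


def svchost_temp_executions(procs: List[Proc]) -> List[int]:
    """PIDs of .tmp images under a Temp directory whose parent is svchost.exe."""
    index = build_index(procs)
    hits = []
    for p in procs:
        parent = index.get(p.ppid)
        if parent is None or parent.image != "svchost.exe":
            continue
        path = p.cmdline.lower()
        if path.endswith(".tmp") and ("\\temp\\" in path or "\\tmp\\" in path):
            hits.append(p.pid)
    return hits


if __name__ == "__main__":
    print("unsandboxed descendants:", unsandboxed_descendants(SAMPLE))
    print("policy violations:", policy_violations(SAMPLE))
    print("svchost .tmp executions:", svchost_temp_executions(SAMPLE))
```

On the constructed snapshot the first check flags svchost.exe, winword.exe and the .tmp child (all descend from the Untrusted exe.exe), the second flags the two direct children of the Untrusted process, and the third flags the .tmp run by svchost.exe. The second, Restricted-level svchost.exe under services.exe is left alone by all three checks, which is the point of walking the parent chain rather than matching on image name.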