hello everyone,
I was testing CIS v5 (proactive profile, sandbox - untrusted) and came across a sample (exe.exe); when executed, it opens svchost.exe and winword.exe, but neither is sandboxed.
The bug/issue
1. What you did: Ran a malware sample (exe.exe) in Sandboxie (W7 64 bit)
2. What actually happened or you actually saw:
It opened the trusted processes below un-sandboxed:
a) svchost.exe - it downloaded some temp files (.tmp) and tried to execute them
b) winword.exe - it was active for 2-3 seconds and then got terminated
Then exe.exe got automatically terminated (zero sandboxed processes at this moment, even though svchost.exe is running).
3. What you expected to happen or see:
When the malware tries to open svchost.exe (a trusted file), it should be sandboxed. Instead it is running un-sandboxed.
4. How you tried to fix it & what happened: N/A
5. Details (exact version) of any software involved with download link: Not sure if a malware link can be posted.
6. Any other information you think may help us: NA
Files appended
- Screenshots illustrating the bug: Word doc attached.
- Screenshots of related event logs or the active processes list: Word doc attached.
- A CIS configuration report: None.
- Crash or freeze dump file: None.
My set-up
- CIS version & configuration used: 5.0.162636.1135, Proactive config
- Whether you imported a configuration, if so from what version: No
- Defense+ and Sandbox OR Firewall security level: Defense+=Safe, Sandbox=enabled (level: untrusted); all firewall options selected (firewall behavior settings - advanced)
- Sandbox settings: Filesystem and registry virtualization disabled
- OS version, service pack, bits, UAC setting, & account type: Windows 7, 64 bit, Enabled, Admin account.
- Other security and utility software running: NOD32 AV, Prevx SOL, Sandboxie
- CIS AV database version: Not applicable
Note: Found another bug (might be). Now that exe.exe is getting detected by the cloud, when I allowed it to run, exe.exe itself is not getting sandboxed. Please see the attached file.
Thanks,
Harsha