New policy-based auto-sandbox FAQ

A few questions from me. Without answers yet, unfortunately :slight_smile:

  1. Malware block rule. It blocks malware from execution. But this is supposed to be done by the AV component of CIS, isn’t it? It’s unclear how this rule actually cooperates with the AV. I mean, what if the user clicks “skip” in the AV alert. Will the executable also be skipped by the Autosandbox as well? (And what if he adds it to the AV exceptions list?)
    And vice versa. If the user modifies or deletes this auto-sandbox rule, will this affect the AV behavior?

  2. Ignore rule. Obviously, if the user creates an ignore rule for example.exe and executes it, then it will start unsandboxed (the parent process is the unsandboxed explorer.exe). But what if some sandboxed application tries to execute example.exe? Will it run unsandboxed as well? Does the rule order matter in that case?

  3. How does CIS trace the source of files? Does it use its own mechanism or rely on NTFS alternate data streams?

Thanks

  1. I think this rule was created mainly for blocking malware detected by the cloud when the AV is not installed. The AV is what does the blocking, but if it’s not installed there isn’t a component to block the malware. This rule prevents the malware from running before giving the users a chance to quarantine the file.

If the user clicks to ignore the file they will have to add it to the trusted files and rerun the file. This is an annoyance; hopefully it can be addressed in future builds.

If the user adds the file to the trusted files list it will bypass the autosandbox and the AV. If the user adds the file to the AV exclusions, the AV will ignore the file but the file may still be autosandboxed.

  2. I haven’t tested this but I think it will ignore the file since it does have an ignore rule.

  3. CIS uses alternate data streams. We are still trying to fully understand this feature in CIS since we haven’t received any documentation on this feature.
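For readers who have not looked at how a file’s origin is carried in an NTFS alternate data stream: the example below is added here and is not CIS code, and the page does not say which stream CIS itself writes or reads. It uses the standard Windows `Zone.Identifier` stream (the “mark of the web” that browsers attach to downloads), parses its `[ZoneTransfer]` section, maps `ZoneId` to the zone name, and, on Windows, reads or removes the stream on a real file. The sample stream contents and URLs are constructed for the example.

```python
import sys

# URL security zone numbers as Windows assigns them in Zone.Identifier.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample: roughly what a browser writes into <file>:Zone.Identifier
# for a download. The URLs are made up for this example.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/downloads/\r\n"
    "HostUrl=https://example.com/downloads/example.exe\r\n"
)


def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Returns a dict of the keys found; ZoneId is converted to int and a
    ZoneName entry is added. Keys outside [ZoneTransfer] are ignored.
    """
    result = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    zone = result.get("ZoneId")
    if zone is not None and zone.isdigit():
        result["ZoneId"] = int(zone)
        result["ZoneName"] = ZONE_NAMES.get(int(zone), "Unknown")
    return result


def came_from_untrusted_zone(text):
    """True when the stream marks the file as Internet (3) or Restricted (4).

    A missing or unparsable ZoneId counts as not marked, which is also why
    copying a file to FAT/exFAT or into a zip silently drops this evidence.
    """
    zone = parse_zone_identifier(text).get("ZoneId")
    return isinstance(zone, int) and zone >= 3


def read_zone_identifier(path):
    """Read <path>:Zone.Identifier on Windows/NTFS.

    Returns the stream text, or None if the stream is absent or this is not
    Windows (the "file:stream" syntax only works on NTFS under Windows).
    """
    if sys.platform != "win32":
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def remove_zone_identifier(path):
    """Delete the stream (what Explorer's "Unblock" checkbox does). Windows only."""
    if sys.platform != "win32":
        return False
    try:
        import os
        os.remove(f"{path}:Zone.Identifier")
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # With a path argument on Windows, inspect a real file; otherwise show the sample.
    text = read_zone_identifier(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ZONE_IDENTIFIER
    if text is None:
        print("no Zone.Identifier stream found (or not running on Windows)")
    else:
        info = parse_zone_identifier(text)
        print(info)
        print("untrusted origin:", came_from_untrusted_zone(text))
```

The point for the discussion above is the last comment in `came_from_untrusted_zone`: any ADS-based origin marking lives in the file system metadata, not the file, so it survives a move within an NTFS volume but not a copy to a non-NTFS volume or an archive, and a user with write access can delete it.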

  2. Just tested: set up application “Example.exe” to be ignored, sandboxed “Explorer++.exe”, used “Explorer++.exe” to launch “Example.exe” and it got sandboxed. So it seems the ignore rule is ignored if the application launching the application to be ignored is already sandboxed, which in my opinion is the right way to do things.

Thanks for testing it.
Hmm, was the Explorer++.exe sandboxed manually or by one of the auto-sandbox rules? And if it was auto-sandboxed, then what rule had higher priority (the ignore rule for “example.exe” or the one that autosandboxed its parent process)?

I used manual sandboxing, I’ll try autosandbox.

Sorry, I can’t test this anymore. I’m using Windows 10 TP and CIS 8 Beta; this has led to sandboxing not always functioning, and at the moment it isn’t working again, so I can’t test it.

Well, in that case the file may “lose” (locally) its malware rating and get autosandboxed as “unrecognized”, which means “run virtualized”. Or it will preserve its rating and get autosandboxed as “malware”, which means “blocked” by the default rules. ???

Just tested this: the file keeps the malware rating and is sandboxed as blocked.

I also tested this by creating an autosandbox rule for Explorer++ to run fully virtualized, then I executed a portable batch file changer and the file was also sandboxed. I tested this with an ignore rule for the batch file changer. I tried the ignore rule before and after the fully virtualized rule, which made no difference.

Clear. Thank you for figuring it out.