Numerous Sandbox (Defense +) Alerts after M$ Updates for 8/09/2011

Running XP Home SP3 2GB RAM 2.8 P4, Avast 6.0.1203 Free, COMODO Internet Security 5.5195786.1383.

Luckily I imaged my system before I updated eight Microsoft vulnerabilities for August 8, 2011.

Defense + set to ‘Safe’, Firewall set to ‘Safe’.

Several trusted programs flagged by Defense + as either unknown, untrusted, running a child program under a known good executable, needing permission to run, access internet, etc.

No other changes were made to this system.

Listing of programs flagged by Defense +:

  • Avast! Home Edition Free
  • Secunia PSI 2.0.0.3003
  • Windows Defender 1.1.1593.0
  • Disk Checkup V3.0 Build 1004
  • TrendMicro RUBotted Beta
  • Firefox 5.0
  • Sandboxie v. 3.56
  • NVIDIA

This list is not complete as is, but you should get the idea.

All of the above programs were regarded as safe by COMODO just before the M$ update was made.

I understand that HIPS is essential to CIS, therefore I have not disabled Defense +.

My question is: What update from M$ could trigger this behavior?

All above programs are currently running normally after I allowed permissions and removed these programs from sandbox as partially limited.

As I said, I did image before, so I can redo and see if this happens again.

If requested, I will provide Defense+ logs or other to clarify the above issue.

Thank you for any help provided.

mchain

The problem you are describing can have two basic causes: CIS white list got corrupted or something corrupted files on your hard drive (malware or failing hd). Whether the Microsoft update cycle plays a role remains to be seen.

To be on the safe side of things I would first let CIS check its integrity by running Diagnostics then vigorously check for malware, run chkdsk on the affected partition(s) and check your HD with a test tool of its maker.

Out of technical curiosity I would be interested to see if the same thing happens when you would go back to the image you made.

EricJH,

Thank you for your kind and quick reply.

Briefly stated, I left out some relevant information.

Power surge occurred as .NET 2.0 was installing. Subsequent to that, alerts from Avast! were thrown, all having to do with the services protected file folder as more than twenty .TMP files in consecutive numerical order attempted to run. I have Avast set to alert me when a process or installer attempts to run and is regarded by Avast! as untrusted. Default is no alert is thrown, and ‘Allow’ is automatically granted. I chose ‘Allow’ in each instance.

All other seven M$ updates installed normally.

DSL modem is on protected UPS battery circuit.

File properties for above programs changed; dates were changed from install date to then current date of 8/10/2011.

As I am now running Ubuntu 10.04.4 LTS as a Live CD, I will have to boot Windows to retrieve the following files to attach to my next post:

  • COMODO Defense + for the time period relevant to the install process affected and after.
  • A copy of AutoRuns created after I successfully booted my machine into Windows.

I will use the following strategy to narrow down and hopefully find the cause of system behavior, as this could be helpful to others who may have the same problem in the future:

  • Use the most recent System Restore file created before M$ Updates was run.
  • Run ERUNT backup to a date earlier than 8/10/2011.
  • Uninstall and re-install .NET 2.0 update to see if behavior re-occurs.

I run Disk Checkup, which can be found here: PassMark DiskCheckup - SMART hard drive monitoring utility. No problems listed for system HDD either before or after M$ update install process.

Will post as soon as this is done.

Thank you.

mchain

(Hate it when the post you are working on vanishes into the ether, as happened just now.)

EricJH,

Attached find .JPG files (screenshots) of desktop.

Included is a file AUTORUNS from SysInternals which should have extension .arn, but was renamed .txt to be able to send it off.

Interestingly, no System restore files are found or available in the following programs:

  • CCleaner
  • Auslogics Registry Cleaner

System Restore does list six available restore points, but as I took the time to uninstall KB2539631, System Restore will probably not work.

As I uninstalled via Add/Remove, Avast! once again flagged MSI as it was running.

MS updates icon is showing, so I will reboot and see what happens.

Sorry, .JPGs are not in order, difficult to see file names when attaching. If I have double-posted, that is the reason.

COMODO is still flagging programs as I run them.

Thanks.

mchain



Unfortunately your Autoruns list cannot be viewed here. I am using version 10.07.

I see you have three on access scanners running. Please disable Defender and RUBotted from running in the background. In general it is not recommended to have more than one on access scanner running at the same time.

I don’t think having multiple scanners will cause your problem though. Please let various scanners check if you are infected just to be on the safe side: Hitman Pro, Malwarebytes Antimalware and Super Antispyware.

EricJH,

If you mean real-time protection, then yes, RUBotted and Windows Defender fit the bill.

Does COMODO Defense + also have a real-time scanner? If so, unaware of that. I thought it was HIPS, so thought no conflict could arise. RUBotted does notify me when I hit a dodgy site, but then I always use Sandboxie 3.5.6 to protect the browser and temporary files, so no infection is ever found after I close the browser I use. Note that Defense+ never throws an alert at the same time when this happens.

Have scanned the system with Avast! (boot scan also), Windows Defender, Malwarebytes, SUPER Antispyware 5.0, Hitman Pro 3.5. System is clean. Also have M$ Standalone System Sweeper. Run that after this post. Otherwise, looks good after uninstall and re-install of KB2539631.

System almost running normally.

Do you need to activate trial period of Hitman to receive benefits of scan?

The option to stop, say, MSI installing, when file may be suspicious, can be found in Avast! under ‘Behavioral Shield’. There is a drop-down where the default can be changed to ‘Ask’. That is the reason for Avast! throwing as it was during install of KB2539631.

Some time ago, when COMODO CIS version 5 was first brought out, I set COMODO to ‘trust’ Avast! and Avast! to ‘trust’ COMODO to resolve compatibility issues between the two. Should I do the same with RUBotted and Windows Defender?

While in that section of ‘Behavioral Shield’ I saw six entries for MSI***.TMP files that were set to be ‘trusted’ in the same section I set COMODO not to be scanned by Avast!. Should I remove these entries, since I know I did not put them there? Avast! is set as password protected, so the only way I see these got there is if I allowed it at some time in the past. Other than that, I fail to see how they got there.

Re-installing the .NET 2.0 SP2 update did resolve the issue in both CCleaner and Auslogics Registry Cleaner where System Restore files were missing. Files now are showing in both.

I think the install of KB2539631 may somehow have gotten corrupted due to the power surge at the time. Lights in the house flickered rapidly for a second or so and then normal power resumed. As M$ Updates already had the original download on hand in the .TMP folder, the re-install of this update went normally the second time around, but Avast! flagged the install as before.

Again, a brief explanation of what .NET does would be appreciated.

When I get around to restoring the image made just before M$ updates, I will turn off the option in ‘Behavioral Shield’ and set it to ‘allow’, and then run M$ updates again. Or should I leave as is? It did not seem to make a difference in install, but this time no problems.

How do I get the AUTORUNS file to you so you can view it? Do I need a newer version?

Thanks for taking the time on this.

mchain

A HIPS is a real-time monitoring system. It could conflict with behavior blocker type applications. (Such as the Avast behavioral shield)

I’m assuming you have the AV disabled in CIS?

Can you please post a screenshot of your Defense+ Computer Security Policy?
It seems like everything is running sandboxed, possibly because of corruption on your Security policy.

You can also try to switch policy to see if that helps: if you’re running ‘Internet Security’ try ‘Proactive Security’ or the other way around.

EricJH,

Which AV?

I do not have AV installed in CIS, only Avast! real-time. No CIS AV is installed. Settings changes made at the introduction of version 5.0 CIS (see post above) allowed Avast! and CIS to run in a more compatible mode than without.

Ran M$SSS, system found clean.

Only issue left, really, is that CIS is continuing to flag known clean programs. One such example is plug-in container.exe, which runs when FF 5.0 is run, and I attempt to connect to, say, Yahoo.mail. I allow plug-in.exe to run, and also submit that file to COMODO for analysis, in this case, two separate times. Regular as clockwork, this is. While I am still on the https:// page and signing on to my account, I get another, different alert stating that plug-in exe is trying to access FF in memory, which of course I block, albeit w/o ticking off ‘Remember my answer’. I do not know why plug-in.exe is trying to run FF as a parent and control it in memory, so that makes me suspicious.

This never happened before the .NET update went through. In a way, CIS is built exceedingly well, and has options, defense, and features in it that an average user cannot conceive of.

I am beginning to think that, for lack of a more definitive answer, .NET update became corrupted on install, and somehow affected the CIS white-list, ergo, the different behavior I am seeing now from CIS.

I am not saying it is anyone’s fault, but rather, it is one of those random things. In any case, this was worth pursuing for me because my line of work is IT, and I need to gain experience in this area.

I have ruled out malware with current definitions as of today, as the cause of CIS’s behavior. System is known clean with what tools I have and can run on it.

Without CIS, I would never know, what, if anything, was remiss here.

The ultimate question is, do you agree? I am sorry that the AUTORUNS file cannot be viewed by you, as it would be helpful for you to see what has start-up privileges on my system. Do you wish to be able to view this file? If so, point the way.

Thanks.

mchain

@Ronny and EricJH,

Now running in limited user in XP ATM.

Attached find screenshot of Defense + Security Policy and a .jpg of another flag thrown by CIS Defense + when connecting to the Internet.

Not sure which of the eight tabs you are interested in. Could you let me know? Also, if you mean ‘I am running Internet Security’, I am to try to change policy to say, ‘COMODO - Proactive Security’, to see if there is a difference? I am currently running COMODO - Firewall Security if that makes a difference.

Await your answer.

Thanks.

mchain


Can you post a screenshot of the Defense+ “view active process list” fullscreen, please?
It seems like even services and screensaver executables are no longer trusted and forced to sandbox.

Note to EricJH: System image restore worked w/o a hitch. I did, however, choose a different way to run M$ Update via doing a system shutdown. This caused the system to install all eight updates with the notification of ‘Do not turn off system’. Avast! Behavioral Shield did not flag any of the updates when done this way.

Ronny,

See above.

Sorry, but I no longer have the system files on this machine that were causing the problems described above. I did as you suggested, changed the CIS configuration to ‘Proactive Security’ and the system became almost unusable. I saw more alerts re sandboxing and untrusted, along with things like, MsMpEng.exe was trying to connect to the Internet, did I want to allow? and things of a similar nature with other normally trusted executables (several in this case), and CIS was literally bringing the system to a crawl while it was trying to decide what to do in each case. It would take minutes for an alert about this to be displayed, one followed another, etc.

Before the M$ Updates, I never saw anything having to do with Windows Defender after the initial validation process was completed by CIS.

I wish I could provide the page you requested, active process list, but in the end, it got too dodgy to continue.

I do, however, think you are correct or at least headed in the right direction as far as the effect and impact on the system that CIS had on it.

The system is now back to normal, and is not displaying Defense + alerts or intrusions anymore. Nada.

Best guess is that the corrupted .NET update install somehow affected the CIS whitelist by changing the hashes (???) of all known good executables. File paths were not changed as far as I know. I say this even though a program such as Avast! never complained. Maybe it was something else.

Sorry it did not work out. Thanks for the help you have given.

As I know, many users do not have access to an image backup, hence this sort of troubleshooting is needed and necessary. I just wish we could have gotten to a definitive root of the problem because of this.

Thanks.

mchain
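The closing guess above (that the corrupted update changed the hashes or timestamps of known-good executables, so the HIPS whitelist no longer matched) is the kind of thing a file-integrity baseline makes checkable. The script below is an added example, not code from this thread or from COMODO: it records size, mtime and SHA-256 for executables under a directory before an update and reports which files changed content, which changed only metadata, and which appeared or disappeared. The directory and sample files are constructed for the demo.

```python
"""Added example: file-integrity baseline to localise what an update touched.

Not code from the forum thread or any product; directory and files are
constructed. Take snapshot() before the update, save it (json.dumps works
on the dict), take another afterwards and run diff_snapshots().
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str, exts=(".exe", ".dll", ".sys")) -> dict:
    """Map relative path -> {size, mtime_ns, sha256} for matching files."""
    out = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            st = p.stat()
            out[str(p.relative_to(root))] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            }
    return out


def diff_snapshots(before: dict, after: dict) -> dict:
    """Separate real content changes from timestamp-only changes."""
    report = {"content_changed": [], "metadata_only": [], "added": [], "missing": []}
    for path, old in sorted(before.items()):
        new = after.get(path)
        if new is None:
            report["missing"].append(path)
        elif new["sha256"] != old["sha256"]:
            report["content_changed"].append(path)   # hash changed: whitelist entry is stale
        elif new["mtime_ns"] != old["mtime_ns"] or new["size"] != old["size"]:
            report["metadata_only"].append(path)     # same bytes, only the date was touched
    report["added"] = sorted(set(after) - set(before))
    return report


def demo() -> dict:
    """Constructed scenario: baseline, then a 'bad update' rewrites one binary,
    re-touches another, drops in a new driver and leaves a .txt untracked."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "good.exe").write_bytes(b"MZ original")
        (Path(root) / "helper.dll").write_bytes(b"MZ helper")
        (Path(root) / "notes.txt").write_text("not an executable, ignored")
        before = snapshot(root)
        (Path(root) / "good.exe").write_bytes(b"MZ replaced")
        os.utime(Path(root) / "helper.dll", ns=(1, 1))
        (Path(root) / "new.sys").write_bytes(b"driver")
        return diff_snapshots(before, snapshot(root))
```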

Thanks for the feedback :-TU

Ronny and EricJH,

You are welcome. :-TU :-TU

If there is an out-of-cycle update from M$ today, as you say, I will back up my system again.

I did change Avast! Behavioral setting to default. Will see what happens.

As for best practices, I always try to make the fewest changes I can (run default settings as much as possible) in any security program, as I do not yet have enough knowledge to be able to foresee any impact of said mods on my system.

You may close this thread if you wish.

mchain

XP Home Edition SP3 2 GB RAM P4 2.8

As an addition to this I made it a habit to document my ‘changes’ into a file.
So if I ‘tweak’ or install/update software I make a note of the changes, which also helps when rebuilding a system from scratch.