Portable applications can bypass all CIS protection layers

A. THE BUG/ISSUE (Varies from issue to issue)
Some portable applications can run outside of the Sandbox and with no HIPS nor Firewall alerts, because those applications use a type of execution that is not monitored by CIS Auto-Sandbox and other modules.
Can U reproduce the problem & if so how reliably?:
Can reproduce reliably every time.
If U can, exact steps to reproduce. If not, exactly what U did & what happened:
1:Download CPUID HWMonitor here or in the attached file list.
2:Extract the file.
3:Double click on HWMonitor_x32.exe or HWMonitor_x64.exe. Both files will run without restrictions and no alerts.
One or two sentences explaining what actually happened:
Both files can run with no actions or alerts from CIS, even when the whitelisting is completely disabled. Even if it was an unknown file, I believe that the result would be the same.
One or two sentences explaining what you expected to happen:
I expected CIS to Auto-sandbox the portable applications, and the Firewall to alert about the attempts of the applications to connect to the internet, and the HIPS to alert about the actions.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
NO
Any software except CIS/OS involved? If so - name, & exact version:
CPUID HWMonitor 1.25 Portable edition. But the same problem also applies to other portable (and Malicious) applications that use the same type of execution.
Any other information, eg your guess at the cause, how U tried to fix it etc:
I believe that the cause is that some portable applications (even Malicious ones) use a “type of execution” that is not monitored by CIS Auto-Sandbox, and can run without being Sandboxed. The problem needs to be fixed not only for CPUID HWMonitor, but for all applications that use the same “type of execution”.
B. YOUR SETUP
Exact CIS version & configuration:
COMODO Internet Security Premium 7.0.317799.4142 - Proactive Security
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
AV= Stateful / HIPS = Safe Mode / Auto-sandbox - Untrusted / Firewall = Safe Mode / File Rating completely disabled
Have U made any other changes to the default config? (egs here.):
All File Rating options are unchecked, to disable whitelisting.
Have U updated (without uninstall) from CIS 5 or CIS6?:
NO
if so, have U tried a clean reinstall - if not please do?:
This is already a CLEAN installation.
Have U imported a config from a previous version of CIS:
NO
if so, have U tried a standard config - if not please do:
NO
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7 Professional x64 - UAC disabled - Admin account - Real System (NO Virtual Machine)
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=NO b=NO

[attachment deleted by admin]

Thank you for reporting this. However, I believe that unless you are running in Paranoid Mode, with all cloud-based protection disabled, there will always be some whitelisting. There is a local whitelist, and a cloud whitelist. I’m not sure what is stored in each, but I do know that there is still a local, even if all access to the cloud is disabled.

Please check this in Paranoid Mode, with all cloud access disabled, and let me know what you find.

Thanks.

Hi Chiron. I tried in Paranoid mode and in Custom Ruleset mode, and both HIPS and the Firewall alert, telling me that the portable applications in question are safe applications. I believe that they are in some CIS internal whitelist.

I only reported this because I remembered that some user of the forum said some time ago that some portable applications (even Unknown ones) can run outside of CIS Auto-Sandbox.

I don’t really have much knowledge regarding this matter because I had never met this kind of bypass. I will try to bring this topic to the attention of the user in question and tell him to share his knowledge about this in this topic.

CPUID is a Trusted Vendor. Did you remove CPUID from the Trusted Vendor list?

devilbat66, please respond to EricJH’s question. I also believe that this is likely intended behavior. However, I would like to be sure.

Thanks.

Sorry to intrude!

I may be wrong, but most portable applications use or require direct access to other files. There are cases of some portable applications, such as CPUID and Resource Hacker (when uncompressed), where on running them the same happens: no sign of the sandbox. I decided to test and verify both programs, and both use the same “type of execution”; perhaps this is the reason the sandbox fails.
The sandbox does not seem to be able to identify actions other than attempts to access, modify or directly use other applications, in the specific case of some portable or even other types of applications. I tested Process Hacker, which works only with its main executable and which, unlike the other two, does a “scan” of memory in addition to trying to read the files (CIS auto-protecting); it will alert you if applications try to access other files directly.

Yes, they are on the list of safe applications. I deleted the references to the programs in the list of trusted applications, the trusted applications according to the cloud check, and finally I disconnected from the internet. Still the sandbox fails.

[attachment deleted by admin]

I have not tried to remove the vendor CPUID from the Trusted Vendors List because I thought that just disabling all File Rating settings would be enough. I did it now while also disabling all File Rating options, and the result was the same.

Liosant, do you think that the portable version of CPUID HWMonitor is a valid example of the problem described by you?

We need to make sure what this “type of execution” is and if an Unknown/Malware file could use this type of execution to bypass CIS, and then proceed with this bug report. But first we need to make sure that we have a valid example of this problem in the Bug Report.

Yes. Malware uses valid signatures and passes without sandbox action. (see attached)
The user SD Ahmad has reported the same problem at some time.

[attachment deleted by admin]

Thank you liosant for clarifying this. I have modified the first post to include information about the “type of execution”.

Chiron, do you think that this Bug Report can be forwarded to the developers?

I also think that modifying the title of the Bug Report to something like “Some portable applications use a type of execution that is not monitored by Auto-Sandbox” would be better.

When it is mentioned that malware use a valid digital signature, do you mean that they are signed with a signature which is in the TVL? If so, then this sort of issue should only apply to the rare whitelisted malware, which is allowed regardless.

Therefore, I believe I am misunderstanding what you mean by malware which uses a valid digital signature. Can you please extrapolate on what you mean by this?

Also, liosant, can you please link to the report made by SD Ahmad which you reference?

Thanks.

The whitelisted malware problem is not a bug in itself. I believe that what we are seeing here is another issue. We need to know if this portable version of CPUID HWMonitor is in some CIS internal whitelist or if it use some kind of type of execution that is not monitored/intercepted by CIS Auto-Sandbox, if so then this is a bug.
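The two explanations being weighed in this thread (the file is whitelisted because it carries a trusted vendor's signature, versus the file uses an execution path CIS does not intercept) can be told apart partly from outside CIS: an executable that is Authenticode-signed by a publisher on the Trusted Vendor List is expected to run unsandboxed, while an unsigned one should not. The script below is an added example, not code from the thread or from Comodo; it reports the signature status, publisher and SHA-256 of the two HWMonitor binaries named in the report (the directory they sit in is an assumption), then runs the same check over every running process image, which is the "process list with HWMonitor running" that was later requested, enriched with signer information.

```powershell
# Added example (not from the thread, not CIS code): signer report for
# executables on disk and for running process images.
function Get-SignerReport {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found: $p"
            continue
        }
        # Get-AuthenticodeSignature validates the embedded signature and chain.
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File       = Split-Path -Path $p -Leaf
            SHA256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Status     = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
            Publisher  = if ($cert) { $cert.Subject }    else { '(unsigned)' }
            Issuer     = if ($cert) { $cert.Issuer }     else { '' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            NotAfter   = if ($cert) { $cert.NotAfter }   else { '' }
        }
    }
}

# 1. The two binaries from the report, assumed to be extracted into the
#    current directory.
Get-SignerReport -Path '.\HWMonitor_x32.exe', '.\HWMonitor_x64.exe' | Format-List

# 2. Every running process with a readable image path (run elevated to see
#    system processes too); sorted so unsigned images come out together.
$images = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique
Get-SignerReport -Path $images |
    Sort-Object Status, Publisher |
    Format-Table File, Status, Publisher -AutoSize
```

If the HWMonitor files come back as Status `Valid` with a CPUID publisher, the unsandboxed run is consistent with vendor whitelisting, and the thread's later question about the Trusted Vendor List is the right one to pursue; if they come back `NotSigned` or `HashMismatch` and still run outside the sandbox, the "unmonitored type of execution" explanation is the one that needs a developer to look under the hood.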

I did not find the said post, but there is one more example, from yigido, showing in the previous version the SpyShelter antitest bypassing the sandbox.

COMODO Internet Security BETA 8.0.332922.4281

https://forums.comodo.com/format-verified-issue-reports-beta-corner-cis/the-spyshelter-test-tool-is-not-virtualized-when-run-on-computer-m1251-t107043.0.html

Sorry!

If it is the same underlying issue as that reported here then it has already been reported, and forwarded to the devs. Do you believe this is the same issue?

Thanks.

At this time I will assume that it is the same issue, and will therefore move this bug report to Resolved. If you believe it is a different issue please respond to this topic and we can discuss how best to continue processing this.

Thank you.

I believe that this may not be the same issue, because the mentioned report is from CIS V8 beta, which has a completely new policy based auto-sandboxing. Like I said before (and probably was not even read by anyone), I believe that this problem can either be caused by the fact that the portable version of CPUID HWMonitor is in some CIS internal whitelist or that it uses some kind of type of execution that is not intercepted/caught by CIS.

I believe that the best way to solve this would be to ask a developer to look into this case and tell us what is happening under the hood in this situation. There is a 50% chance that this can either be in some CIS internal whitelist or that it uses a type of execution that is not intercepted by CIS.

Hi Devilbat. I have been asked to take a look at this.

Could you please post your active process list with HWmonitor running. The KS list you posted does not have HWmonitor listed, unless I have missed something.

Do you know what sort of ‘mode of execution’ it is using?

Hi mouse1. I will do as you asked and include it in the first post. When I do this, I will edit this post telling that it is done.

Unfortunately I do not have the technical knowledge to know what kind of “mode of execution” this file is using. It is just an educated guess. I believe also that this application can be in some CIS internal whitelist, but the best way to know this would be with a developer looking into this issue to see what is happening under the hood with CIS and the system.

Thank you.

Hi mouse1. I created the KillSwitch process list with HWMonitor running in the memory, but seems that I am unable to modify my first post, and also unable to include the KillSwitch process list in this post. Can some moderator help? Thanks.

Thanks. You should be able to append a zip file to a new post now…

I attached the new Killswitch Process List to the first post. Thank you.