Resetting Sandbox does Not Kill Processes Running in the Sandbox [M1362]

A. THE BUG/ISSUE (Varies from issue to issue)
Resetting the sandbox does not kill process(es) running in the sandbox.
Experienced this issue twice on my system: (1X) running CIS 8 Beta and (1X) running CIS 7

*** NOTE: The issue is NOT specific to certain processes nor is it dependent upon how the process came to run in the sandbox (i.e. auto-sandboxed or manually sandboxed with or without the Virtual Kiosk).

For CIS 8 Beta Bug Report select this link:
https://forums.comodo.com/bug-reports-beta-corner-cis/resetting-sandbox-did-not-erase-processes-running-in-sandbox-report-attached-t107793.0.html

PRE- SANDBOX RESET KillSwitch Full Dump Files here:

http://www.myupload.dk/showfile/c4bnkt.7z

POST- SANDBOX RESET KillSwitch Full Dump files here:

http://www.myupload.dk/showfile/c4ih0p.7z

Can U reproduce the problem & if so how reliably?:
Occasionally. I cannot reproduce this at will.

If U can, exact steps to reproduce. If not, exactly what U did & what happened:
1: Allow Behavior Blocker to auto-sandbox application
2: Select “Reset Sandbox” under Sandbox Tasks
3: Sandbox is not reset; sandboxed process continues to run

One or two sentences explaining what actually happened:
1: Due to unrelated (non-Comodo IS) issue reverted system to restore point. This restore point included CIS 7.0.317799.4142 without the Widget set to autorun and without an updated Rating Scan (to account for a Trusted software install).
2: Installed start-up registry hack for CIS 7 Widget to autorun as provided by
3: Before I could update Trusted Files via a Rating Scan, Behavior Blocker alerted that an Unrecognized application was attempting to run. I allowed the alert to resolve itself and Behavior Blocker to auto-sandbox the Unrecognized executable - in this case - AMD’s Catalyst Control Center (ccc.exe).
4: I then went to Sandbox Tasks → Reset the Sandbox
5: This action did not Reset the Sandbox and the process continued to run in the sandbox

One or two sentences explaining what you expected to happen:
Resetting the sandbox would reliably kill process running in the sandbox

If a software compatibility problem have you tried the advice to make programs work with CIS?:
Not Applicable

Any software except CIS/OS involved? If so - name, & exact version:
No

Any other information, eg your guess at the cause, how U tried to fix it etc:
This issue occurred multiple times with multiple applications run in the sandbox. Once I ran FireFox as virtual. AMD Catalyst Control Center, HydraVision, HydraDesk Manager and HydraGrid were Unrecognized by CIS and auto-sandboxed by the Behavior Blocker.

In one instance, HydraDesk Manager continued to run for about 10 minutes in the sandbox after resetting the sandbox. In other cases, the various AMD software ran indefinitely in the sandbox after resetting.

I do not think the issue is limited specifically to Firefox and AMD Catalyst Control Center and its various components; this reported issue may, or may not, occur with other applications. However, I have not attempted to replicate the issue with any other applications and/or sandbox scenarios.

B. YOUR SETUP
Exact CIS version & configuration:
Comodo Internet Security 7.0.317799.4142 with Configuration File attached

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Complete - D+/HIPS, Autosandbox/BBlocker, Firewall, AV, KillSwitch, and CCE

Have U made any other changes to the default config? (egs here.):
Heuristics - High

Have U updated (without uninstall) from CIS 5 or CIS6?:
Restore point which included a clean install of CIS 7.0.317799.4142 as part of the Restore Point

if so, have U tried a clean reinstall - if not please do?:
No - not necessary

Have U imported a config from a previous version of CIS:
No
if so, have U tried a standard config - if not please do:
Yes

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 8.1, AMD (x86)-64, Notify me only when apps try to make changes to my computer (default), Administrator, None

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a= HitmanPro.Alert 2.6 b= Windows Defender - disabled, HitmanPro.Alert 2.6, Comodo Internet Security 7.0.317799.4142

C. ATTACH REQUIRED FILES

KillSwitch Report - NOTE: CCC.exe NOT listed on KillSwitch Report
Diagnostic Tool Report (CISReport)
Images (jpegs) showing inability to Reset Sandbox - NOTE: CCC.exe NOT indicated as virtualized (gray shading) in attached image of KillSwitch, but clearly shown as Untrusted. This image was taken AFTER the sandbox was reset.

PRE- SANDBOX RESET KillSwitch Full Dump files here:

http://www.myupload.dk/showfile/c4bnkt.7z

POST- SANDBOX RESET KillSwitch Full Dump files here:

http://www.myupload.dk/showfile/c4ih0p.7z

Set autosandbox as Fully virtualized.

No…that does not fix the issue

Please make sure that you have attached a KillSwitch Process List from both before the process was attempted to be killed, and right after. If it’s not possible to get one for both that’s okay.

Also, if you still have the process running, please right-click on CCC.exe through KillSwitch and make a Full Dump of it.
Also, is CCC the only process which you have seen this happen with?

Thanks.

Due to a completely unrelated Windows 8.1 (non-Comodo IS) issue my system crashed and was unbootable. Even a restore point did not work. The only option available was to Refresh my PC.

Despite my best efforts, Windows “stuff” occurred and now I’m back to square one…

The issue has happened with CCC.exe in CIS 7 and firefox/dwm.exe in CIS 8 Beta

That is unfortunate. For the moment I think it’s best to wait and see if it happens again. If it does, please be sure to at least get the Full Dump of the process which was not correctly killed by the reset. This is likely very important information.

I’m willing to wait a few days to see if you are able to get that information. After that I’ll forward this with what we have, but I worry that without a Full Dump file it may not be enough for the devs to replicate, and fix, this issue. Please let me know if you find anything more.

Thanks.

hjlbx, has this happened again?

Thanks.

I could not make it repeat the Sandbox Reset issue…

However, I do document other quirky behaviors in the first Bug Report I submitted. You moved to [Resolved] CIS 8 Beta Bug Report thread here: https://forums.comodo.com/resolvedoutdated-issues-beta-corner-cis/resetting-sandbox-did-not-erase-processes-running-in-sandbox-report-attached-t107793.0.html;msg783637#msg783637

At this point, I have CIS 7 installed, and functioning, on my system and I am not inclined to re-install CIS 8.0.0.4314 Beta. Each time I installed it I experienced multiple issues.

Various new Bug Reports to follow within next few days.

In that case would you mind if I moved this bug report to Resolved, seeing as it is specific to the Resetting issue?

Thanks.

***** Update - the issue of “Resetting the Sandbox does NOT Erase Contents of the Sandbox” has occurred again on my system. *****

I have a bunch of PRE-RESET KillSwitch process full dump files from last week, and I have a single POST-FAILED-RESET full dump.

What else do you need to effectively report this instance to the developers???

In that case please attach that information to the first post. You can use a file uploading service, such as this one, for this if you like. Then let me know and I will forward this to the devs.

Thanks.

Done.

Please forward to developers.

11/17 12:08 pm - ADDED Post- Sandbox Reset AMD Catalyst Control Center (CCC.exe) KillSwitch Full Dump file to thread

***** NOTE: Specific portions of AMD’s HydraVision interfere with the proper function of CIS’ graphical user interface (GUI). It does not, however, negatively affect CIS’ ability to protect my system - as far as I can determine at this point in time. I will post a specific Bug Report in the coming weeks.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

Here is AMD Catalyst Control Center (ccc.exe) KillSwitch full dump file:

http://www.myupload.dk/showfile/c4xx7e.7z

I tried to modify my original post but for whatever reason the Modify function is not present/disabled.

I think it very important that the developers get the following information:

The issue of processes continuing to run in the sandbox after reset has occurred on several occasions. Most of the time it happened with AMD’s Catalyst Control Center (ccc.exe) and/or certain modules of AMD’s HydraVision software (specifically Hydra Desktop Manager (HydraMD.exe) and HydraGrid (HydraGrid64.exe)).

In all instances the HIPS module of CIS alerted that the application was Unrecognized and then the Behavior Blocker auto-sandboxed the application. At the point that CIS produced a HIPS alert, and then subsequent Behavior Blocker alert, I had not rated the application as Trusted after completing a Rating Scan. So, in other words, CIS’ alerts and actions were correct and as designed/intended.

Once a bug report has been moved to this section it is only possible for a Mod to edit it. That is intentional.

However, I have passed on all of your information into the tracker. Thank you.

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.0.0.4337) and let me know if this is fixed on your computer with that version.

Thank you.

hjlbx, when applications such as ccc.exe are run in the sandbox, do you mean that it is run as Fully Virtualized or is it run restricted, but on the real computer?

Thanks.

Chiron,

I have the sandbox set at Untrusted for Unrecognized files.

Over the past week I had a real problem with ATI/AMD’s Catalyst Control Center and CIS. CIS placed CCC.exe and ATI.exe into the Unrecognized Files list, did not generate an alert, and did not allow them to run in the sandbox. This caused my system to become unbootable (Black Screen).

hjlbx

For whatever reason(s) Comodo’s Cloud has, as of yet, assigned a Trusted designation to AMD’s Catalyst Control Center. Its release date is ancient and, I also believe, that it is digitally signed by ATI/AMD - which I would think both would be classified as Trusted Vendors. It has been an unending source of problems on my system…especially since ccc.exe supplies display, desktop and power setting Drivers.

In any case, this type of problem should be able to be averted with CIS 8 since we will be able to assign sandbox rules on a file-by-file basis. Is this not correct?

Please do test this with the new version, which can be downloaded from here:
https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-8004337-is-released-t108001.0.html
and let me know what you find.

Thanks.