Windows 7, 32bit.
CIS Configuration: All Defaults. No other Security Software.
First of all, congratulations on the new CIS 4 release. The only issue I have at the moment is the Comodo Sandbox.
I have experienced 3 different rogue applications, not detected by the AV, nor checked by Defense+ Malware Heuristic, and they do not even get an “elevation alert” - COMODO sandboxes these rogue applications but they run anyway. Last night, I had a nasty rogue, to the point that I had to reinstall Windows - CIS 4 was CONSTANTLY sandboxing a rogue process, over and over again… I could not get rid of it! The CIS GUI didn’t even start. I was forced to reinstall Windows. Of course this was for testing purposes.
I hope rogue applications are handled much better in the future, because obviously applications/executables do need to pass security checks (Antivirus, Buffer overflow and Defense+ malware heuristic) to be sandboxed, but in this case, even if rogues are sandboxed, they run anyway.
Whether the rogues run with File System/Registry Virtualization or not, they still run, and one of the rogues forces you to reinstall Windows. CIS 4 won’t even open up when one of the rogues is run.
See the screen shot attached for one of the rogues. The process sandboxed here is the rogue (see the sandbox alert), but it freely runs… I could not get a screen shot for the other rogue; it prevents programs from running, including screen capturing, etc.
Anyway, it’s not to say ALL rogues bypass CIS 4. If not detected by the AV, Defense+ Heuristic will alert you, or you will get an elevation privilege alert… But still, tricky ones like these need to be addressed, especially when they bypass the security checks (AV, D+ Heuristic, Buffer overflow…) and the sandbox can’t handle them properly.
An application/executable goes through the security checks (Antivirus, Defense+ Malware Heuristic, Buffer overflow) before being auto sandboxed. If an executable passes these security checks, then it’s sandboxed. Of course, if an executable is on Comodo’s Safe list then auto sandboxing does not occur (or if you add it to “My Own Safe Files” or “My Trusted Software Vendors”).
In this case with these particular rogues, the rogue passed the security checks, and even if the rogue was sandboxed, it runs anyway.
Okay, this time I right clicked the Rogues and clicked “Run in COMODO Sandbox” and this prevented the Rogues from running.
And also these Rogues I have are now detected by the AV, so I disabled the AV, and after sandboxing the Rogues on-demand, I enabled the AV again and it was detecting a few of the Rogues’ executables in the C:\Sandbox folder, and could not remove them (the AV was constantly detecting them… removed or not).
At least now these are caught by the AV. But there are MANY Rogues out there and no AV can detect them all. While in the meantime the Comodo AV can’t detect them, the Sandbox then can’t handle them properly when auto-sandboxed; at least the on-demand sandbox can. I hope the developers look into this. I understand Comodo are new to the Sandboxing world, just like Avast! and Kaspersky… So I hope in a month or so, these flaws, along with many other reported flaws here in the Sandbox, will be fixed.
Thanks for your response. But please understand: I was FORCED to reinstall Windows when one of the Rogues was on my machine. You mention “In your case, its files are there but that’s it” - This is a Rogue that is not simply dropping files and that’s it. It’s not just throwing a GUI in your face. I could NOT open up the CIS 4 GUI to try and terminate and block the rogue. It even ran in Safe Mode… let alone normal mode on startup. The Comodo Dragon browser did not even connect to the internet properly; I was forced to use IE instead. Some antimalware scanners such as Malwarebytes Anti-Malware did not install. You mention automatically sandboxed apps can’t modify protected keys/files and do admin stuff…
Why did I need to reinstall Windows?
Why couldn’t I use the CIS 4 GUI properly? MisterMooth also reported the same issues as I have!
Is there a misconfiguration bug somewhere? Dunno… I will let you figure that one out.
Do you call this not harming the system? This is malicious behavior where SYSTEM malfunction has occurred with the symptoms I have mentioned. This is a MASSIVE inconvenience. Obviously CIS 4 is designed for mothers, but how will mothers deal with such Rogues causing such behavior? Because in the meantime, the AV will NOT detect them, they will bypass other security checks such as Defense+ Heuristic and Buffer overflow, and the Sandbox lets them run and cause the symptoms (or similar) mentioned above…