Sandbox bypassed

When this file is executed, it is not automatically sandboxed (the notification does not appear) and it is able to drop files on the system and automatically activate malware later.
http://www.virustotal.com/file-scan/report.html?id=ba0f57b6c93ae1f99703bfade953d342f12eb520bef7758b1ee5dd349cc04347-1285671464

One of the dropped files is this one:
http://www.virustotal.com/file-scan/report.html?id=586e69f1a88ecb53ee0f289632969c3c23b302ada011bccdebbdb0b7e2c788ba-1285670902
http://info.prevx.com/aboutprogramtext.asp?PX5=74CE09D90004146CD0E2008220BA77001C36858A

This file was active later on the system without any notification from the sandbox, but it seems that it gave a .NET error.

If somebody wants the file to check it, send me a PM. Probably I did something wrong ;D

Did the file happen to be in a safe list somewhere?
What does Comodo event tell you?

Sorry, am I reading correctly?
The file was NOT sandboxed and your computer got infected and it’s a sandbox bypass?
Probably I’m reading something wrong ;D

The question is why the file wasn’t sandboxed…

So weird. I didn’t change anything, I went to have lunch, and now I have tried again and the file is being sandboxed. Even if I open it again, I can read in the log that the file was sandboxed every single time.

Before, I didn’t have anything in the log, everything was active, the file was not in trusted files…

So the bypass of the sandbox seems to be a false alarm

I uploaded the file to CAMAS
http://camas.comodo.com/cgi-bin/submit?file=ba0f57b6c93ae1f99703bfade953d342f12eb520bef7758b1ee5dd349cc04347

CAMAS says that the file is “Unexecutable” but in fact the file is a *.exe

Why? Is it a bug in CAMAS? Or is the file “special”?

I think you see the popup only the first time you run the file. After that, it’s automatically sandboxed without popup (you can see it if you open CIS from the systray).

Probably, but I also checked the log and the files only appeared 1 time, even after executing the file again and again.

[quote]So the bypass of the sandbox seems to be a false alarm

I uploaded the file to CAMAS
http://camas.comodo.com/cgi-bin/submit?file=ba0f57b6c93ae1f99703bfade953d342f12eb520bef7758b1ee5dd349cc04347

CAMAS says that the file is “Unexecutable” but in fact the file is a *.exe

Why? Is it a bug in CAMAS? Or is the file “special”?
[/quote]
CAMAS doesn’t have .NET; the file is coded in C++, but requires Framework 4.

Version 4 had the nasty habit of alerting that it sandboxed a file rather late. Maybe that is what’s going on here. The way to find out would be to check the D+ logs and see if it got sandboxed the first time or not.