Sandbox Delayed Response

I update the beta versions of Firefox and Thunderbird weekly. I always disable the Auto Sandbox through the System Tray Menu while updating. After the update, I re-enable the Sandbox and launch FX and TB. The Sandbox would immediately catch the new .exe files and ask me to put them on the Trusted Files List.

Lately, after I update FX and TB in my usual manner, the Sandbox gives me no alert. The alert comes about 5 minutes later while I’m using the browser or email client.

Wouldn’t having this big delay leave my system vulnerable? Not to my FX and TB updates, but if the same delay happens to an infected file, my system could get infected before the Sandbox catches the infected file.

Anyone else noticing this behavior?

What does Killswitch say about the status of the updated version of FF and TB? Does it state it is running sandboxed before the alert pops up?

Well, I just tried the Firefox update and wouldn’t you know, everything went fine. This curious action doesn’t happen all the time. I can’t reproduce it at will, I just notice that it happens frequently. I’ll keep an eye on Killswitch when updating Firefox and see what it says if the anomaly happens again. I’ll post back if I reach any conclusion.

Keep us posted.

Well, it happened again today. I disabled the Sandbox for 60 minutes. I updated Firefox and Thunderbird. I re-enabled Auto-Sandbox and it was about a half hour till I got the alert from the CIS Sandbox that the .exe files had changed. In the meantime, Killswitch said that both programs were Safe. There seems to be a lag of detection when the Sandbox is re-enabled. I’m wondering if the rest of my system is compromised during this lag time (or is it just Firefox and Thunderbird). This symptom is not directly reproducible. It happens sporadically.

Edit-- Hmmm…I wonder if this just happens after updating CIS??? I recently updated to the latest version 6.3.302093.2976. This may be a hard one to track down!

Would the bold part describe the core of the problem?

> I'm wondering if the rest of my system is compromised during this lag time (or is it just Firefox and Thunderbird). This symptom is not directly reproducible. It happens sporadically.

Can you check that the installers of FF and TB are digitally signed and on the TVL? In that case, when using the default setting to trust files installed by trusted installers, the new executables are trusted, KS speaks the truth, and CIS is having a nasty hiccup.

> Edit-- Hmmm...I wonder if this just happens after updating CIS??? I recently updated to the latest version 6.3.302093.2976. This may be a hard one to track down!

Is the problem consistent over versions?

Yes.

I have the Sandbox set as Untrusted. I’m not using the installers. I’m using the internal FX and TB updaters. Mozilla Corporation is on the TVL. I’m not using the TVL. Both of the executables are digitally signed. Killswitch seems to be telling the truth. It shows both as Safe and has them signed as Mozilla Corporation. I think CIS is having a hiccup.

Yes.

Here’s what I expect to happen:

  1. I’m using FX and TB and the Sandbox recognizes the current .exe files as safe because I have manually added them to my Trusted Files List.

  2. I disable the Auto-Sandbox through the CIS systray icon.

  3. I use the FX and TB internal updaters to update to the current releases.

  4. I re-enable the Sandbox.

  5. I open Firefox and I should get an immediate Sandbox alert because the new .exe is unrecognized (because I have the Sandbox set to Untrusted and I’m not using the TVL).

  6. I choose to add the new .exe to my TFL through the alert box.

When everything is working properly, this is what happens.

Here’s what happens when CIS hiccups:

  1. I’m using FX and TB and the Sandbox recognizes the current .exe files as safe because I have manually added them to my Trusted Files List.

  2. I disable the Auto-Sandbox through the CIS systray icon.

  3. I use the FX and TB internal updaters to update to the current releases.

  4. I re-enable the Sandbox.

  5. I open FX and/or TB and the program runs as an allowed application.

  6. After an undetermined amount of time, while I’m using either program, I start getting alerts from HIPS and the Firewall asking for permissions.

  7. I close FX and TB and re-open them, this time getting the previously missing alert from the Sandbox.

  8. I add the .exe file to my TFL through the alert box and everything’s OK.

That’s a very clear description which can be seen as a solid foundation for a bug report. :)

Bug Report Filed:

https://forums.comodo.com/bug-reports-cis/sandbox-delayed-response-t99879.0.html