Installed CIS on a clean test machine. Default settings. Ran a virus. It was sandboxed as partially limited. Still, it managed to take control of the system. A further restart of the PC was useless: the system is not usable.
The virus displays a scary message (police blocked your PC for something, you have to pay money) and you simply cannot escape that window. Nothing else works (you don’t see the desktop, no icons, no taskbar, ctrl + alt + del doesn’t work, etc.). Restarting the PC in safe mode also has no effect (the PC restarts itself).
Attached here is the virus. The password for the archive is “virus”. After you run it, you need to wait a little bit until it activates.
Mod Edit: I’ve removed the rared malware and placed a copy in the malware research group. Please don’t post live malware on the public boards. PM a mod or someone in the malware research group and possibly send them the file or post a virustotal link to it HERE
Ok, sorry for that. However, I wanted not just to post a sample to be blacklisted but to get an answer as to why the sandboxed malware is able to take over the PC.
Because you are running in partially limited, the key word being “partially”. This setting is the least secure but the one most programs work in. If you have time, you could try running the same virus as limited or above and see which setting blocks the virus; my bet is that limited will do this.
Why is it partially limited by default? I don’t know, probably since most programs work with that setting and because Fully Virtualized hasn’t officially made its way into the auto-sandbox settings yet and must be activated through the registry.
On this forum it feels like reports come in every week about new malware that can bypass partially limited. I’d recommend you change the setting from partially limited to at least limited or above.
Myself, I’m using Fully Virtualized, which I had to activate through regedit. This offers great security and most programs run in it; at the moment I’d recommend it since I myself don’t know any malware that bypasses it.
No, that is a .txt file that’s been AxCrypted.
I use AxCrypt for encrypting small files/folders; it uses AES-256, is open source, and is really easy to use from the context menu.
We believe this problem to be resolved, because you told us so, it’s on a fix list, or we have checked and found it resolved. So I am moving it to resolved issues.
If you feel it is not resolved, now or at any time in the future, please PM an active mod who will move it back to the main board for consideration. When it is moved please add to the topic your reasons for believing it not resolved.
Earlier I was feeling brave so I threw a rootkit at the virtualized browser and the browser crashed... as if something was trying to break out.
I guess this was a block. ??? >:-D