Sandboxed Items Question

CIS 10.0.0.6092 has sandboxed these items & titled them as unrecognized.

C_cmd.exe_05EC7D9DD053150573962419F40B89D8529B0BF4.bat
C_cmd.exe_4BD807D9DF9B1407C3B137749CCA401B5C58F595.bat
C_cmd.exe_EE2A559FFF16DCA3E9A198FFD98E33A4E7A2EAB7.bat

The file path is:

programdata/comodo/cis/tempscrpt

Anyone have a clue what they are? It looks like they belong to Comodo…

Kinda neat how the new CIS makes its own viruses!

Check here, reply #171 from egemen:

https://forums.comodo.com/news-announcements-feedback-cis/brand-new-comodo-internet-security-10-with-secure-shopping-is-released-t117514.0.html;msg847406#msg847406

Interesting

"Fileless malware uses script interpreters such as powershell.exe to execute code through commandline. There are various ways. What CIS 10 does is it catches embedded commandlines and sandboxes them.

But while sandboxing them, we create a file out of them i.e. convert file-less scripts into files in C:\ProgramData\Comodo\Cis\tempscrpt. If is the command-line interpreter."

Hmm, I have no idea what to do with them since I don't know what the real source is. I downloaded some file recovery software from CNET and CIS may have sandboxed remnants of that software? Yeah, no clue what to do.

From what I understood, they are temporary files created by CIS when CIS catches an embedded commandline.
Once the original app is closed, these temp files can be deleted (I did so), so I guess you can safely ignore the sandbox popup and then delete every file in C:\ProgramData\Comodo\Cis\tempscrpt

The thing is, CIS shouldn’t be sandboxing files it creates. Maybe that folder should be on an exclusion list.

If you place it in the exclusion list and the bat file is created by malware, then how can you get it?

From what I understand, CIS creates the bat file, so it should be safe. No need for sandboxing if it’s safe and put in a special folder. Maybe I’m not understanding the principle correctly?

CIS creates a .bat file from an unknown app that created a script.

To see embedded code detection in action, open up a command prompt and run this:

cmd /C echo hello

or from a command prompt run:

powershell -Command Get-Date

You could then go to the tempscrpt directory to view the scripts and see that they contain the above commands, echo hello and Get-Date.
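A way to review what CIS captured before emptying the folder, as an added example that is not from this thread or from Comodo: this PowerShell snippet lists each file in tempscrpt, splits the name into the interpreter and hex parts seen in the question's three filenames, and returns the embedded command line CIS wrote out. The filename pattern (C_<interpreter>_<40 hex chars>.bat) is an assumption inferred from those names; the page does not document it.

```powershell
# Added example: triage the scripts CIS writes to tempscrpt before deleting them.
# Assumed naming pattern, inferred from the thread: C_<interpreter>_<40-hex>.bat
# (the meaning of the leading "C_" and of the hex value is not documented on the page).
$TempScriptDir = 'C:\ProgramData\Comodo\Cis\tempscrpt'

function Get-CisTempScript {
    param([string]$Path = $TempScriptDir)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return
    }

    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        $interpreter = $null
        $hash        = $null
        # Pull the interpreter (e.g. cmd.exe) and the hex tag out of the file name.
        if ($_.Name -match '^C_(?<interp>.+?)_(?<hash>[0-9A-Fa-f]{40})\.bat$') {
            $interpreter = $Matches['interp']
            $hash        = $Matches['hash']
        }
        [pscustomobject]@{
            File          = $_.Name
            Interpreter   = $interpreter
            Hash          = $hash
            LastWriteTime = $_.LastWriteTime
            # The file body is the embedded command line CIS extracted (e.g. "echo hello").
            Script        = (Get-Content -LiteralPath $_.FullName -Raw)
        }
    }
}

# Newest captures first, so the "echo hello" / "Get-Date" test runs show at the top.
Get-CisTempScript |
    Sort-Object LastWriteTime -Descending |
    Format-List File, Interpreter, LastWriteTime, Script

# Only after reviewing the bodies and closing the app that produced them (as the thread
# advises), remove the files:
# Get-ChildItem -LiteralPath $TempScriptDir -File | Remove-Item -WhatIf
```

Run it from an elevated PowerShell prompt right after the cmd /C and powershell -Command tests above to see both captured command lines; drop the -WhatIf on the last line once you are satisfied the contents are yours.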