Sandboxed Malware Run From Downloads Can Delete Files In Same Folder [M1299]

1. The full product and its version:
COMODO Internet Security 8.0.0.4314 Beta 2

2. Your Operating System (32 or 64 bit) and Service Pack revision, and if using a virtual machine, which one:
Windows 7 32bit

3. List all the configuration changes you did. Are you using Default configuration? If not, what's the difference?:
Sandbox Enabled, otherwise at default.

4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
New installation

5. Other Security, Sandboxing or Utility Software Installed:
None

6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:
1). A malware file was placed in the Downloads directory
2). Other files were also added to the Downloads directory
3). The malware file was run, and confirmed to be sandboxed
4). The parent malware file spawned a payload, au.exe, that appeared to be an installer. This file was also sandboxed (confirmed).
5). The spawned payload ran and took a listing of all files in the directory where the original parent malware resides (in this case, the Downloads folder).
6). All files in the Downloads directory were deleted.

7. What actually happened when you carried out these steps:
Although sandboxed, the malware was still able to delete the real files placed in the same folder as it.

8. What you expected to see or happen when you carried out these steps, and why (if not obvious):

Although obvious, a sandboxed executable should not be able to make these changes to the parent system. Note that in Comodo version 7 (sandbox at Fully Virtualized level) no files were deleted; the parent and spawn were isolated.

9. Any other information:
Configuration and diagnostics files are attached.

[attachment deleted by admin]
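
As an added illustration, not part of the original report and not Comodo's code: a small canary harness that reproduces the file-level behaviour of steps 5 and 6 without touching anything except files it created itself. The script name sandbox_canary.py, the canary prefix and the drop/probe/check subcommands are assumptions. Run `drop` and `check` from a normal (unsandboxed) shell against the Downloads folder, and run `probe` from that same folder inside the sandbox (or have a parent launcher spawn it, to mirror step 4). The probe enumerates its directory and unlinks only the canaries; `check` then reports whether those deletions reached the real folder or stayed in the sandbox's virtual store.

```python
"""Canary check for sandbox file-system isolation (hypothetical harness).

Workflow on the machine under test:
  1. python sandbox_canary.py drop  <dir>   from a normal shell (e.g. Downloads)
  2. python sandbox_canary.py probe <dir>   launched INSIDE the sandbox
  3. python sandbox_canary.py check <dir>   from a normal shell again
If <dir> is virtualised, the probe's unlinks land in the virtual store and
`check` reports every canary still present. If <dir> is excluded from
virtualisation, the real canaries are gone and `check` exits non-zero.
"""
import os
import sys
import tempfile

CANARY_PREFIX = "sandbox_canary_"   # assumed name; only files with this prefix are ever deleted
CANARY_COUNT = 5


def canary_names(count=CANARY_COUNT):
    """Deterministic canary file names so `check` needs no state from `drop`."""
    return [f"{CANARY_PREFIX}{i:02d}.txt" for i in range(count)]


def drop_canaries(directory, count=CANARY_COUNT):
    """Create `count` small canary files in `directory`; return their names."""
    os.makedirs(directory, exist_ok=True)
    names = canary_names(count)
    for i, name in enumerate(names):
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(f"canary {i}\n")
    return names


def list_siblings(directory):
    """Step 5 of the report: enumerate every regular file in `directory`."""
    with os.scandir(directory) as entries:
        return sorted(e.name for e in entries if e.is_file())


def probe_delete(directory):
    """Step 6, restricted to our own canaries: unlink each canary the probe can
    see and return the names it believes it deleted. Under a virtualising
    sandbox the unlink succeeds from the probe's point of view but only the
    virtual copy is affected; a deny-style sandbox raises PermissionError."""
    deleted = []
    for name in list_siblings(directory):
        if not name.startswith(CANARY_PREFIX):
            continue   # never touch the user's real files
        try:
            os.remove(os.path.join(directory, name))
            deleted.append(name)
        except OSError:
            pass
    return deleted


def check_isolation(directory, expected):
    """Compare the real directory with the canaries that were dropped.
    Returns (surviving, missing) as sorted name lists."""
    present = set(list_siblings(directory))
    surviving = sorted(n for n in expected if n in present)
    missing = sorted(n for n in expected if n not in present)
    return surviving, missing


def demo(run_probe=True):
    """Control run in a temp dir with no sandbox in between.
    run_probe=True  -> probe runs unsandboxed: every canary ends up missing.
    run_probe=False -> no probe at all: what a passing check looks like.
    Returns (deleted, surviving, missing) counts."""
    with tempfile.TemporaryDirectory() as tmp:
        expected = drop_canaries(tmp)
        deleted = probe_delete(tmp) if run_probe else []
        surviving, missing = check_isolation(tmp, expected)
    return len(deleted), len(surviving), len(missing)


def main(argv):
    if len(argv) != 3 or argv[1] not in ("drop", "probe", "check"):
        print("usage: sandbox_canary.py drop|probe|check <directory>")
        return 2
    action, directory = argv[1], argv[2]
    if action == "drop":
        print("\n".join(drop_canaries(directory)))
    elif action == "probe":
        print("\n".join(probe_delete(directory)) or "(nothing deleted)")
    else:
        surviving, missing = check_isolation(directory, canary_names())
        verdict = "ISOLATED" if not missing else "NOT ISOLATED"
        print(f"{verdict}: {len(surviving)} canaries survive, {len(missing)} missing")
        return 0 if not missing else 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The probe deletes only its own canaries so the test is safe to run in a real Downloads folder, but it enumerates everything there, which is the same visibility a malicious payload would have. For the scenario in this report, a `check` that prints NOT ISOLATED after a sandboxed `probe` is the file-level confirmation that writes to that folder are reaching the host.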

Thank you for submitting this bug report. I made some changes to the first post. Please let me know if everything looks correct.

Also, please attach your diagnostics report to your first post. In addition, please export your configuration and attach it to the first post.
Once that is done please upload the malware sample you used to a file sharing site and send me a PM with the download link. Also, in your PM please link to this bug report topic so I don’t accidentally confuse it with any other samples I receive.

Thanks again.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.0.0.4337) and let me know if this is fixed on your computer with that version.

Thank you.

Hello,

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.1.0.4426) and let me know if this is fixed on your computer with that version.

Thank you.

Because of the default setting to not virtualize access to the Shared Spaces file group, which contains the user's Downloads folder, fully virtualized applications can modify the contents of the Downloads folder. Therefore moving to Resolved.