What you did: I executed veximm.exe in the automatic sandbox
What actually happened or you actually saw: two shortcuts created on desktop. One shortcut leads to a Chinese web page in Internet Explorer.
What you expected to happen or see: no D+ alert
How you tried to fix it & what happened: I switched the restriction level to limited, then to untrusted. Same results. The veximm.exe is submitted to Comodo.
Details (exact version) of any software involved with download link: I don’t know the original source, only this one: http://####/#### (moderator edit: Malware link removed. Posting links to malware is a violation of forum policy. Please DO NOT attach malware or post links to malware in this forum.)
Any other information you think may help us: no
Files appended
Screenshots illustrating the bug: Attached
Screenshots of related event logs or the active processes list: Attached
A CIS config report or file: Attached
Crash or freeze dump file: no
Your set-up
CIS version & configuration used: 5.0 build 1135, Full suite
Whether you imported a configuration, if so from what version: no
Defense+ and Sandbox OR Firewall security level: AV:On access, D+: Safe, FW: Custom Policy, SB: Active, Restriction level: Partially limited
OS version, service pack, no of bits, UAC setting, & account type: XP SP 3, 32 bit, Admin account
Excellent bug report - pretty much exemplary - and I can understand why this concerns you, but I just need to check what CIS aims to do about this.
CIS’s other facilities should in principle catch any threat from the website if visited. Secure DNS may very well block access to the site in the first place.
Hello. This is not a bug; the sandbox doesn’t protect the desktop from file creation, because it’s not in “Protected Files and Folders”. If you want CIS to protect your desktop folder, add it to Protected Files and Folders.
I think that people do not like having malware drop any files (harmful or not) on their computer. So, if there is a way to modify the behavior of the sandbox (to either prevent the files from being dropped or to eliminate all the dropped files on reboot) then please let us know.
Thanks for looking at this Alsinic. Just to make you aware, this Board covers ‘issue’ reports, not just bug reports. So it covers all things that users see as problems with CIS, not just things that do not comply with the design spec.
In this case, I agree that users could extend the protections of the sandbox if they were sufficiently technically aware. That’s great for such users and I applaud you for providing the tailorability. We probably should have told this user this (apologies, I forgot!).
However, less technically competent users (‘Mom and Pop’) are probably going to expect that the autosandbox provides protections against this kind of thing without tailoring.
Up to you of course whether you agree and whether this can be done without creating problems.
You can just run the application in the Sandbox via the right-click menu, and all files and registry keys created, dropped or changed by the application will be in a virtual file system, without any risk to your data.
Hello blattida, in the “Protected Files and Folders” CIS window, a “|” symbol added to the end of the file and folder path strings protects these files and folders from the Sandboxed and unrecognized applications, but files and folders that do not have the “|” symbol are protected only from unrecognized applications. For example,
C:\users\username\desktop*|
Writing to the desktop probably should not be prevented by default or people would have too many problems with software that gets automatically sandboxed. Would it be better to have *.lnk in protected files so only the creation of links is protected for sandboxed programs? The problem here is that links are created to dubious web sites, not that the desktop was written to.