Sandboxed malware (Veximm.exe) deposits shortcuts on desktop [277]

The bug/issue

  1. What you did: I executed veximm.exe in automatic sandbox
  2. What actually happened or you actually saw: two shortcuts created on desktop. One shortcut leads to a Chinese web page in Internet Explorer.
  3. What you expected to happen or see: no D+ alert
  4. How you tried to fix it & what happened: I switched the restriction level to limited, then to untrusted. Same results. The veximm.exe is submitted to Comodo.
  5. Details (exact version) of any software involved with download link: I don’t know the original source, only this one: http://####/#### (moderator edit: Malware link removed. Posting links to malware is a violation of forum policy. Please DO NOT attach malware or post links to malware in this forum.)
  6. Any other information you think may help us: no

Files appended

  1. Screenshots illustrating the bug: Attached
  2. Screenshots of related event logs or the active processes list: Attached
  3. A CIS config report or file: Attached
  4. Crash or freeze dump file: no

Your set-up

  1. CIS version & configuration used: 5.0 build 1135, Full suite
  2. Whether you imported a configuration, if so from what version: no
  3. Defense+ and Sandbox OR Firewall security level: AV:On access, D+: Safe, FW: Custom Policy, SB: Active, Restriction level: Partially limited
  4. OS version, service pack, no of bits, UAC setting, & account type: XP SP 3, 32 bit, Admin account
  5. Other security and utility software running: no
  6. CIS AV database version: 6130

[attachment deleted by admin]

Excellent bug report - pretty much exemplary - and I can understand why this concerns you, but I just need to check what CIS aims to do about this.

CIS’s other facilities should in principle catch any threat from the website if visited. Secure DNS may very well block access to the site in the first place.

Am consulting the mods…

Many thanks again


Forwarding now. Many thanks for your help


Hello. This is not a bug; the sandbox doesn’t protect the desktop from file creation, because it’s not in “Protected Files and Folders”. If you want CIS to protect your desktop folder, add it to Protected Files and Folders.

I think that people do not like having malware drop any files (harmful or not) on their computer. So, if there is a way to modify the behavior of the sandbox (to either prevent the files from being dropped or to eliminate all the dropped files on reboot) then please let us know.

Thanks for looking at this Alsinic. Just to make you aware, this Board covers ‘issue’ reports, not just bug reports. So it covers all things that users see as problems with CIS, not just things that do not comply with the design spec.

In this case, I agree that users could extend the protections of the sandbox if they were sufficiently technically aware. That’s great for such users and I applaud you for providing the tailorability. We probably should have told this user this (apologies, I forgot!).

However, less technically competent users (‘Mom and Pop’) are probably going to expect that the autosandbox provides protections against this kind of thing without tailoring.

Up to you of course whether you agree and whether this can be done without creating problems 🙂

Best wishes


You can just run the application in the Sandbox via the right-click menu, and all files and registry keys created, dropped or changed by the application will be in the virtual file system, without any risk to your data.

Yes that’s a great facility, which this user might well find very helpful.

But the issue in this case is with an unrecognised file getting automatically sandboxed, of course.

Best wishes


This solution does not work. Just see the two shortcuts.

Hello blattida, in the “Protected Files and Folders” CIS window, a “|” symbol added to the end of the file and folder path strings protects these files and folders from the sandboxed and unrecognized applications, but files and folders that do not have the “|” symbol are protected only from unrecognized applications. For example,

Writing to the desktop probably should not be prevented by default or people would have too many problems with software that gets automatically sandboxed. Would it be better to have *.lnk in protected files so only the creation of links is protected for sandboxed programs? The problem here is that links are created to dubious web sites, not that the desktop was written to.

Thanks tcarribon - seems like a possible solution!

Hello Alexei!

Thank you! It’s working!
The man is always learning… 😉

Thanks very much Alsinic, I will add the idea of extending protection to the FAQ

Think tcarribon’s suggestion might be worth considering?