Shouldn't VTRoot folder be restricted?

Honestly I don’t see the problem of being able to change the stuff within VTRoot, as long as the items inside that folder can’t change anything outside of that folder.

A malicious program that is allowed to run outside of the sandbox could do much more damage than just changing stuff in the VTRoot folder, these items would still be reset at a restart of the computer.

So the real issue would be a malicious program within the sandbox that somehow got out, but even then it’s not the biggest of deals since we still have HIPS and Auto-sandbox to protect us, that is if the malware isn’t detected by the Anti-virus component.

So in my opinion a program changing files in the sandbox folder is okay, but a program within the sandbox changing the files outside of the sandbox folder… that is a huge security threat.

I opened a virtual firefox window and I have downloaded a malicious file from net just to test how it can affect the system. Now when I ran it, no harm was done to the system and I was satisfied.

But, later when I was searching for some files in Windows via “search”, it came up with this “downloaded malware” in its results, which I think is extremely dangerous. I thought the “virtualised browsing” was completely isolated, but still the downloads are saved to this “VTRoot” folder which is normally accessible to all users and all applications in Windows.

PLEASE…either encrypt the folder or restrict access to the folder in some way…It is extremely dangerous to keep it available to all apps and users normally…

When a sandboxed program executes another program the other program gets sandboxed too.

The root of the system disk has never been protected by CIS. CIS allows you to add it to the protected files and folders list. After adding c:\ to the protected files and folders list try again.

Well, if we move our bat file to, let’s say, the C:\2 folder and add cd … at the top, then the same thing happens.

Also I don’t think the sandbox resets on restart. When you use the reset sandbox button, the vtroot folder is completely deleted with any contents there, but when I restart, the folder is still there.

Well, I’m not really convinced.

  • It’s not normally accessible, it’s hidden and in a secure location. Could be made system via an attribute change maybe, then you get a warning. You could probably set this yourself without adverse results, not sure.
  • In sandboxes privacy is normally protected by deletion, which will be made secure deletion soon I suspect - they have it in CSC. Maybe you could encrypt VTRoot using a separate utility - or even OS facilities. Not sure if that would work with CIS, but it might. Encryption is a nice idea.
  • If you start the malware it starts virtualised, shouldn’t do any thing to the rest of the computer.
  • So the only risk I can see is copying to the non-virtualised environment. Then it would be unknown if run, and the BB would nuke it.
  • You can put your own restrictions on the folder I expect, using standard OS facilities, but you have to make sure this would not inhibit CIS.
  • My FAQ deals with the program comms issues that have been raised, and how to control them.
  • Malware in the real environment getting data from the virtual one and sending it somewhere. Well it should be unknown so behavior blocked, so that should not be possible.
  • Malware in the virtual environment getting data from the real one and sending it somewhere. That’s the only one I can see posing any risk at the moment. Needs more thought. Not sure if unknown virtualised apps can read from non-virtual - that would be a possible restriction. Some of the advanced ways you can use CIS could control this maybe.

And please note quite a lot of the advanced ways in which you can exert greater control over sandboxed processes depend on VTRoot being optionally accessible (see my FAQ Leaks? section). Also even checking that virtualisation actually works and does not leak may depend on this too. So lots of disadvantages. Try making it ‘system’ if you want more control and see if that causes problems.

Best wishes

Mike
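Mike’s point about putting your own restrictions on the folder with standard OS facilities can be checked before anything is changed. The script below is an added example, not code from the thread or from Comodo: it audits the ACL of the VTRoot folder, reports every principal that holds some form of write access, and, if a broad group such as BUILTIN\Users or Everyone can write there, prints the icacls commands that would remove that access. The path C:\VTRoot, the group names and the chosen rights mask are assumptions; nothing is modified by the script itself.

```powershell
# Added example (not from the thread): audit who can write to the VTRoot folder.
# Assumes VTRoot is at C:\VTRoot; pass -VTRoot to override. Read-only: it only
# prints the icacls commands it would suggest, it does not run them.
param(
    [string]$VTRoot = 'C:\VTRoot'
)

# Rights that allow adding, changing or deleting items inside the folder.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

if (-not (Test-Path -LiteralPath $VTRoot)) {
    Write-Warning "$VTRoot does not exist; nothing to audit."
    return
}

# -Force is needed because the folder is normally Hidden.
$item = Get-Item -LiteralPath $VTRoot -Force
Write-Host "Attributes: $($item.Attributes)"    # shows whether Hidden / System are set

$acl = Get-Acl -LiteralPath $VTRoot
Write-Host "Owner: $($acl.Owner)"

# Every Allow entry that grants some kind of write access.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeMask) -ne 0) } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    } | Format-Table -AutoSize

# Broad principals: if any of these can write, every local user and program can.
$broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$exposed = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($broad -contains $_.IdentityReference.Value) -and
    (($_.FileSystemRights -band $writeMask) -ne 0)
}

if ($exposed) {
    Write-Host "Write access is granted to a broad group. Commands that would restrict it"
    Write-Host "(review first; keep SYSTEM and Administrators so CIS itself can still use the folder):"
    Write-Host "  icacls `"$VTRoot`" /inheritance:d"
    foreach ($ace in $exposed) {
        Write-Host "  icacls `"$VTRoot`" /remove:g `"$($ace.IdentityReference.Value)`""
    }
} else {
    Write-Host "No broad group has write access to $VTRoot."
}
```

Run it from an elevated PowerShell prompt so the ACL can be read in full. If you follow Mike’s suggestion of marking the folder as system, `attrib +S +H C:\VTRoot` does that with a standard OS tool; re-run the audit afterwards and check that CIS still starts sandboxed programs normally before keeping either change.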

c:\2 is not a standard protected folder. Please try making c:\ a protected folder and try again. If during testing you made the batch file a trusted file then make sure to remove it from the Trusted Files list.

Also I don't think the sandbox resets on restart. When you use the reset sandbox button, the vtroot folder is completely deleted with any contents there, but when I restart, the folder is still there.
Do you mean the folder is still there after resetting the sandbox yet it is empty?

I mean that after a restart the folder is still there with all of its contents intact. “Reset sandbox” works as it should though.

I don’t understand why I need to add anything to protected files. The bat file was detected as unrecognized, yet it was able to do stuff in the vtroot folder until I set the BB level to Restricted. I never made it trusted.

I bet any of you can repeat this experiment. Just create a bat file, place it anywhere, point it to c:\vtroot and tell it to do stuff there. The file will be unrecognized but will do whatever you typed there.

No it doesn’t reset on restart. Currently this must be done manually.

If the bat file is sandboxed then of course it can change the files in VTRoot; these are the files that sandboxed applications are supposed to be able to change. If the applications can’t change any files on any hard drive then they simply can’t run or work; they need a central point to save to on the hard drive, and with CIS they have a common folder for all sandboxed applications.

Also, try making the bat file delete another file on your system that is not in the VTRoot folder; if the bat file is sandboxed it should fail.
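The deletion test suggested above can be made repeatable with a canary file. The script below is an added example, not code from the thread or from Comodo: run it once from the real system to create a canary outside VTRoot, run it with -Probe from inside the sandbox (or Kiosk) to attempt the deletion, then run it with -Verify from the real system to confirm the real file survived and to list whatever the sandbox recorded under VTRoot for it. The canary directory C:\IsolationCanary and the VTRoot path are assumptions; the layout inside VTRoot is not assumed, which is why the verify step searches by name.

```powershell
# Added example (not from the thread): canary test for sandbox file isolation.
#   .\canary.ps1            create the canary (run from the real system first)
#   .\canary.ps1 -Probe     try to delete it (run from inside the sandbox)
#   .\canary.ps1 -Verify    check the real file and look for copies under VTRoot
param(
    [switch]$Probe,
    [switch]$Verify,
    [string]$CanaryDir = 'C:\IsolationCanary',   # assumed real, non-virtualised location
    [string]$VTRoot    = 'C:\VTRoot'             # assumed sandbox root
)

$canary = Join-Path $CanaryDir 'canary.txt'

function Initialize-Canary {
    # Put a known file on the real disk so later runs have something to test against.
    if (-not (Test-Path -LiteralPath $CanaryDir)) {
        New-Item -ItemType Directory -Path $CanaryDir | Out-Null
    }
    Set-Content -LiteralPath $canary -Value 'pristine'
    Write-Host "Canary created at $canary"
}

function Invoke-Probe {
    # Inside a working sandbox the delete should appear to succeed, because the
    # change is redirected into the sandbox's own view instead of the real file.
    try {
        Remove-Item -LiteralPath $canary -Force -ErrorAction Stop
        Write-Host "Delete reported success from PID $PID"
    } catch {
        Write-Host "Delete was blocked: $($_.Exception.Message)"
    }
    Write-Host "Canary still visible from this context: $(Test-Path -LiteralPath $canary)"
}

function Invoke-Verify {
    # From the real system the canary must still exist with its original content.
    $intact = (Test-Path -LiteralPath $canary) -and
              ((Get-Content -LiteralPath $canary -Raw).Trim() -eq 'pristine')
    if ($intact) { Write-Host "PASS: real canary untouched, the delete stayed inside the sandbox." }
    else         { Write-Host "FAIL: real canary was changed or deleted; the change leaked out." }

    # Show what, if anything, the sandbox recorded for the canary under VTRoot.
    if (Test-Path -LiteralPath $VTRoot) {
        $leaf = Split-Path -Path $CanaryDir -Leaf
        Get-ChildItem -LiteralPath $VTRoot -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -like "*$leaf*" } |
            Select-Object FullName, Length, LastWriteTime
    } else {
        Write-Host "$VTRoot not found; the sandbox may not have created it yet."
    }
}

if ($Probe)      { Invoke-Probe }
elseif ($Verify) { Invoke-Verify }
else             { Initialize-Canary }
```

A PASS on the verify run is the behaviour the post above expects from a sandboxed process; a FAIL means the process that ran the probe was not actually contained, which is the case worth reporting.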

When I add Comodo Dragon to the auto-sandbox (Fully Virtualized) it also runs with all the extensions and saves the bookmarks; however, when I restart my computer and start Comodo Dragon it starts as if it was just installed: no bookmarks, default homepage, no extensions. Is this expected behavior?

I don’t believe he was talking about the auto-sandbox.

Oh that was an off-topic question to you, I’m not sure losing all bookmarks etc is expected behavior.

Oh, OK. I don’t know. I haven’t tested the fully-virtualized auto-sandbox.

I do suspect, however, based on the previous auto-sandbox behavior (harmful processes are gone upon restart), that if this is not intended behavior, it is at the very least a side-effect of the intended behavior.

I would suggest that it’s a better idea to run your browser in the manual sandbox, rather than the automatic sandbox.

Just so that I understand the testing scenario correctly. This test is done when running the batch file not in Kiosk?

Yes, the batch file is run from the real system. The file is isolated by the Behaviour Blocker (previously known as auto-sandbox), but it is still able to perform actions in the vtroot folder (a program from “outside” being able to mess with files inside the vtroot folder, which is basically the sandbox and should be isolated from the real system), unless BB is set to Restricted or higher. As far as I understand, BB does not virtualize (sandbox) unknown files (unless set to fully virtualize), but just takes some rights from them.

So the question is, should an unrecognized file be able to perform actions within the vtroot folder when the default BB setting (Partially Limited) is used?

Let me answer that with a question. What malware would try to voluntarily get into the sandbox? I have never heard of one. Usually a malware would like to get out of it.

umm… what if malware from the outside tries to start malware from inside the vtroot folder? “Outside” malware will be isolated as partially unknown, but will that prevent it from starting something from the vtroot folder (or its subfolders)? It’s a pretty unlikely scenario, I understand, but someone might try it… I guess?

Now we are into more general vulnerability questions, specifically that relating to inter-program comms. Chiron’s thread addresses that.

To answer Eric’s question - which I think is exactly the right one - I think your exploit is only likely to be a problem where the sandbox is being used to permanently store important information. (Then if malware gets in it could cause damage). This is not a traditional sandbox application - traditionally sandboxes are viewed as disposable.

But Comodo is maybe stretching that with the notion of a banking Kiosk. You might store passwords in it I suppose using something like KeePass. You might set up your browser in a very specific way. You might find it convenient to install your personal finance app there too to make transfers easy.

But equally maybe that’s not what Comodo intends you to do?

Anyway just some thoughts

Mike

This would be a very targeted and new sort of malware which does not exist as we speak.

As far as I have learned, egemen’s stance on what threats to protect from is always based on analysis of how malware is known to operate.

That being said, the great thing about CIS is that it empowers its users to make custom fortifications.

HIPS is active, I think - see new Introduction to 6.0 sandbox. So you could use that with a VTRoot path to protect. You’d get pop-ups though.

You guys may be interested in looking systematically at the extent of virtualisation.

If so please see this new sticky: here and post some results.

Procmon is quite a fun tool :)

Best wishes

Mouse