Some Executables Bypass the Restriction Level set in the Sandbox. [M1415]

A. Some Executables Bypass the Restriction Level set in the sandbox.

Can you reproduce the problem & if so how reliably?:

Yes. I have the following rule in my rule sets for the sandbox:
Action: Run virtually
Target: All applications
Reputation: Unrecognized
Location: any ; Origin: any
Options: I enabled restriction level and I set to Limited.

I got malware samples that Comodo did not detect and I ran them by double-clicking. Comodo virtualized them; however, some samples were virtualized and partially limited, not virtualized and limited.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

Explained above.

One or two sentences explaining what actually happened:

Some malware can bypass the restriction level set in the sandbox.

One or two sentences explaining what you expected to happen:

All malware should run as limited in the sandbox.

If a software compatibility problem, have you tried the advice to make programs work with CIS?:

NA

Any software except CIS/OS involved? If so - name, & exact version:

No

Any other information, eg your guess at the cause, how you tried to fix it etc:

NA

B. MY SETUP

Exact CIS version & configuration:

CIS 8.0.0.4344

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:

Antivirus - stateful, Autosandbox - enabled, Firewall - enabled

Have you made any other changes to the default config? (egs here.):

No, except for the modified sandbox rule.

Have you updated (without uninstall) from CIS 5, 6 or 7?:

No
If so, have you tried a clean reinstall? If not, please do:
NA

Have you imported a config from a previous version of CIS:

NO
If so, have you tried a standard config? If not, please do:
NA

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:

Windows 7 Home Premium, SP1, 64 Bit, UAC enabled, Administrator, V.Machine is used.

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:

a=none b=none

How are you determining that the files are run as partially limited?

I used KillSwitch.

I have seen a report where KillSwitch reports the wrong restriction level when the process is also running as fully virtualized. Can you try looking in the log files?

Can you tell me how?

  1. Click Tasks → View Logs
  2. From the drop-down menu select Defense+ Events

This should show what gets autosandboxed and what level of restriction it's running at.

For all .exe files that I ran, it gives me info about date, application and flags. Under flags, it says “Run Virtually”.

OK, thanks for checking that.

Can you send me a link to an application/malware that was run partially limited so I can give it to the devs?

I will upload five .exe files that I tested and I believe they are malware.

By the way, I changed the restriction level to Untrusted and there was no difference.

[attachment deleted by admin]

What OS are you on? Also, what level do you have each module set to (antivirus, firewall, sandbox, HIPS)?

Which VM software are you using?

Windows 7 Home Premium, SP1, 64 Bit. I have them on default settings, but I modified the sandbox rule for unrecognized files so that it runs all unrecognized files as virtualized and limited.

For the last question, I am not sure what VM stands for. However, I am using the latest version of Comodo Internet Security.

Sorry, I shouldn't have used the abbreviation. VM stands for virtual machine.

VirtualBox, latest version.

Have you tried testing this on a real system (not a virtual machine)? Last I heard, CIS is not compatible with VirtualBox. This info came from the head developer of CIS. I will send him a PM to make sure this is still the case.

In the meantime, if you can, test this on a real system and let me know if you can still reproduce it.

Thanks

Yes, I have, and there is no difference. Can you please tell me which virtual machines CIS is compatible with?

Last thing: what does PM stand for?

I know it's compatible with VMware, but I'm not sure what others there are. Since this does reproduce on a real machine, I will forward it. Also, can you please attach your diagnostics file (instructions on how to do this provided here) and the KillSwitch Process List (instructions on how to do that provided here), put the resulting files in a zip file and attach it here?

Sorry again, I get stuck using abbreviations from habit. PM (personal message).

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

We have been informed that this behavior is by design. Applications that require UAC are launched with “Partially Limited” restriction, regardless of the selected restriction level.

In the meantime, I will move this report to “Resolved” section.

Thank you.