Some Executables Bypass the Restriction Level set in the Sandbox. [M1415]

A. Some Executables Bypass the Restriction Level set in the sandbox.

Can you reproduce the problem & if so how reliably?:

Yes. I have the following rule in my rule sets for the sandbox:
Action: Run virtually
Target: All applications
Reputation: Unrecognized
Location: any ; Origin: any
Options: I enabled restriction level and I set to Limited.

I got malware samples that comodo did not detected and i ran them by double clicking, comodo virtualized them, however some samples were virtualized and partially limited not virtualized and limited.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

Explained above.

One or two sentences explaining what actually happened:

Some malware can bypass the restriction level set in the sandbox.

One or two sentences explaining what you expected to happen:

All malware should run as limited in the sandbox

If a software compatibility problem have you tried the advice to make programs work with CIS?:


Any software except CIS/OS involved? If so - name, & exact version:


Any other information, eg your guess at the cause, how you tried to fix it etc:



Exact CIS version & configuration:


Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:

Antivirus - stateful, Autosandbox - enabled, Firewall - enabled

Have you made any other changes to the default config? (egs here.):

No. Except the Sand box rule modified

Have you updated (without uninstall) from CIS 5, 6 or 7?:

if so, have you tried a a a clean reinstall - if not please do?:

Have you imported a config from a previous version of CIS:

if so, have you tried a standard config - if not please do:

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:

Windows 7 Home Premium, SP1, 64 Bit, UAC enabled, Administrator, V.Machine is used.

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:

a=none b=none

how are you determining that the files are run as partially limited?

I used killswitch.

I have seen a report where killswitch is reporting the wrong restriction level when the process is also running as fully virtualized. Can you try looking in the log files.

Can you tell me how ?

  1. click tasks → View logs
  2. From the drop down menu select Defense + Events

This should show what gets autosandboxed and what level of restriction its running at.

For all .exe files that i ran it gives me info about date, application and flags. Under flags, it is written “run Virtually”

ok thanks for checking that.

Can you send me a link to an application/malware that was run partially limited so i can give it to the devs

I will upload five .exe files that I tested and I believe they are malware.

by the way I changed the restriction level to untrusted and there was no difference.

[attachment deleted by admin]

what OS are you on? Also what level do you have each module set to? (antivirus, firewall, sandbox, HIPS)

Which VM software are you using?

Windows 7 Home Premium, SP 1, 64 Bit. I have them on defult setting. But i modified the sandbox rules for the unrecognized file so that i it run all unrecognized files as virtuallized and limited.

For the last question I am not sure what VM stand for. However I am using the latest version of comodo internet security.

Sorry i shouldnt have used the abbreviation. VM stands for virtual machine.

VirtualBox latest version

Have you tried testing this on a real system? (Not virtual machine). Last i have heard CIS is not compatible with virtualbox. This info came from the head developer of CIS. I will send him a PM to make sure this is still the case.

In the mean time, if you can, test this on a real system and let me know if you still can reproduce.


Yes I have and there is no difference. Can you please tell which virtual machines that CIS is compatible with ?

last thing what does PM stands for ?

i know its compatible with vmware but not sure what others there are. Since this does reproduce on a real machine i will forward it. Also can you please attach your diagnostics file (instructions on how to do this provided here) and the KillSwitch Process List (instructions on how to do that provided here) and put the resulting file in a zip file and attach it here

Sorry again, i get stuck using abbreviations from habbit. PM (Personal message)

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

We have been informed that this behavior is by design. Applications that require UAC are launched with “Partially Limited” restriction, regardless of the selected restriction level.

In the meantime, I will move this report to “Resolved” section.

Thank you.