Some programs can start unrecognized programs w/o a prompt with sandboxing off

Issue: some programs can start unrecognized programs without a prompt in Safe Mode when Sandboxing Security Level is Disabled.

CIS version: 5.8.213334.2131
OS: Windows 7 x64
Program used to launch unrecognized program: What’s Running v3.0 Beta 9 (http://www.whatsrunning.net/)
Unrecognized program: CloneVDI v2.05 (VirtualBox forum topic: CloneVDI tool - Discussion & Support)
Configuration: Proactive Security
Defense+ Security Level: Safe Mode
Sandboxing Security Level: Disabled

To launch a program via What’s Running: menu File->Take Snapshot->Compare with snapshot on file. Navigate to folder containing unrecognized program. Right-click unrecognized program and select Open. In my tests, the unrecognized program runs without a prompt. I’m sure the unrecognized program is truly unrecognized by CIS because I get a prompt when starting it via Windows Explorer.

I also noticed that the What’s Running executable doesn’t appear in the list of Trusted Files. Yet, if you try to add it, CIS tells you that it’s already a safe file.

Are these bugs?

Did another test: deleted all Defense+ policies, rebooted, tested launch again. Still get same results.

I neglected to mention before that these tests are being done in a VirtualBox v4.0.12 virtual machine.

I’ve repeated the cycle from my last post about 6 or 7 times. Most of the time I now do get a prompt when launching the unrecognized program from What’s Running, but not always. These tests were conducted with Prevx v3.0.5.220 x64 installed in the virtual machine. I will now uninstall Prevx and do some more testing.

Update: I’ve reproduced the issue without Prevx installed in the virtual machine. I might get a prompt the first 9 times (as an example) when launching an unrecognized program, but then on the 10th time there is no prompt.

I’ve noticed that whenever I can launch an unrecognized program from What’s Running without a prompt, I can also launch any other unrecognized program from What’s Running without a prompt.

As I’m doing these tests in a virtual machine, I don’t know if this issue also occurs in a real machine. There is no other security software installed in the virtual machine. The virtual machine is also fairly pristine, with few installed programs or deviations from Microsoft defaults.

Another round of testing: checked that there are no Defense+ policies. Rebooted. Launched What’s Running, then launched an unrecognized program from What’s Running. Got a prompt. Exited unrecognized program. Launched same unrecognized program from What’s Running. Got a prompt. Exited unrecognized program. I repeated this over and over and counted that I got a prompt the first 12 times, but on the 13th time and thereafter, no prompt.

Just to point out (I know, MrBrian, that you are aware) that the devs say ‘please don’t use CIS with VirtualBox, it may give unreliable results’.

So in a way MrBrian is either:
a) performing a valuable service by confirming this :)
b) discovering a bug which needs confirmation outside the VirtualBox environment

Best wishes

Mouse

Thanks Mouse :). Actually I wasn’t aware of that when I created the topic, but I found it out later when reading the VirtualBox thread. I plan to test this issue on a real machine the next time that I do a full backup. As you noted, either way it’s an interesting issue.

I’ve now tested this issue on a real machine (i.e. not in a virtual machine), with the same results as I got above.

Thanks very much MrBrian.

I think this calls for an issue report. A guess at what may be happening is that ‘What’s Running’ is vendor trusted and is being granted elevated privileges (installer/updater rights). I think if a file is regarded as trusted it is granted elevated privs if it asks for them.

Still, if this is happening, it would be a vulnerability. A separate policy for progs needing enhanced rights which can run arbitrary other progs may be needed.

A quick look at the active process list in CIS should tell you. Meanwhile probably best to use process explorer or some such.

Best wishes

Mouse
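The check Mouse suggests (look at which process spawned the unrecognized program and what trust each image carries) can be scripted without CIS or Process Explorer. The following is an added example, not code from the thread or from Comodo: it maps every running process to its parent via WMI and reports the Authenticode signature status of both images. It reads nothing from CIS's own trust database, so it shows only whether a file is signed, not whether CIS has classified it as Trusted/Installer. The parent name WhatsRunning.exe is taken from the thread; the function name and parameter are my own.

```powershell
# Added example (not from the thread or from Comodo): list child processes of a
# given parent and show whether parent and child images are Authenticode-signed.
# Get-WmiObject is used rather than Get-CimInstance so the script also runs on
# the PowerShell 2.0 that ships with Windows 7. Run from an elevated prompt so
# ExecutablePath is readable for processes of other users.

function Get-ProcessLineage {
    param(
        # Image name of the parent to filter on (WhatsRunning.exe is from the thread;
        # any other name, e.g. explorer.exe, works the same way).
        [string]$ParentName = 'WhatsRunning.exe'
    )

    # Win32_Process exposes ParentProcessId and ExecutablePath, which Get-Process alone does not.
    $all = Get-WmiObject -Class Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($proc in $all) {
        $parent = $byPid[[int]$proc.ParentProcessId]
        if (-not $parent) { continue }                 # parent already exited or PID reused
        if ($parent.Name -ne $ParentName) { continue } # -ne is case-insensitive in PowerShell

        # Get-AuthenticodeSignature returns Status values such as Valid, NotSigned,
        # HashMismatch or UnknownError; an unsigned, unknown file shows as NotSigned.
        $childSig = 'n/a'
        if ($proc.ExecutablePath) {
            $childSig = (Get-AuthenticodeSignature -FilePath $proc.ExecutablePath).Status
        }
        $parentSig = 'n/a'
        if ($parent.ExecutablePath) {
            $parentSig = (Get-AuthenticodeSignature -FilePath $parent.ExecutablePath).Status
        }

        New-Object PSObject -Property @{
            ParentName      = $parent.Name
            ParentPid       = $parent.ProcessId
            ParentSignature = $parentSig
            ChildName       = $proc.Name
            ChildPid        = $proc.ProcessId
            ChildPath       = $proc.ExecutablePath
            ChildSignature  = $childSig
        }
    }
}

# Usage: children of What's Running, then children of Explorer for comparison.
# If CloneVDI shows up under WhatsRunning.exe as NotSigned while the same file
# launched from explorer.exe triggered a Defense+ prompt, the difference is the
# launching parent, which is the point of the thread.
Get-ProcessLineage | Format-Table ParentName, ParentSignature, ChildName, ChildSignature, ChildPath -AutoSize
Get-ProcessLineage -ParentName 'explorer.exe' | Format-Table ParentName, ParentSignature, ChildName, ChildSignature, ChildPath -AutoSize
```

A signed parent with unsigned children is exactly the shape of the concern raised above: whatever grants the parent installer-level rights also lets it start images that would prompt if launched directly. Pair this output with the CIS Active Process List, which is the only place the Trusted/Installer classification itself is visible.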

Thank you very much Mouse for your feedback.

I checked the Active Process List, and indeed WhatsRunning.exe is listed as “Trusted/Installer”. I don’t have anything in Trusted Software Vendors, because I deleted everything there to rule that out as a possible cause. So WhatsRunning.exe must be getting this status from the cloud?

The inconsistent behavior mentioned in post #4 also happens in the real machine, so there is still an issue present.

Further testing seems to reveal that WhatsRunning.exe gets Trusted/Installer status from the CIS local database.

Thanks, please make a bug report in standard format and document your experiments.

I think the installer privs are granted locally (trusted files ask, they get it), but I cannot see why the trusted status should be.

Devs could claim this is expected behavior, but in getting round explorer.exe restrictions, it creates a vulnerability IMHO. May not be easy to address though.

Best wishes

Mouse