Spyshelter test

Hi, I have written something about this problem here https://forums.comodo.com/format-verified-issue-reports-cis/limited-and-restricted-block-screen-capture-but-untrusted-does-not-m399-t95001.30.html

It’s a well-known bug that CIS 6 and CIS 7 had with keyloggers. Now that I have CIS 8 installed, I have tried to download the Spyshelter tests (AntiTest.exe, downloadable from here https://www.spyshelter.com/download/AntiTest.zip).
This is the summary of my results

CONFIGURATION
Windows Vista Home Premium 32bit with SP2
CIS 8.1.0.4426 in Proactive Security mode
Antivirus: stateful
Firewall: safe
HIPS: safe
Auto-Sandbox: enabled

Let’s focus on the Auto-Sandbox rule for unrecognized files

  1. RUN VIRTUALIZED (default setting)
    CIS can pass the screenshot tests 1b, 2b, 3b, 4b, 5b and 6, but all the other tests fail. The result doesn’t change if you modify the restriction level from “Options”.
    Then, I don’t know if the virtual environment could prevent a real keylogger from sending information out of my PC, but the fact is that CIS fails most of the Spyshelter tests.

  2. RUN LIMITED
    AntiTest.exe can’t even start. You get a Windows error message just after CIS sandbox pop-up. If you click “don’t sandbox again”, then AntiTest.exe can run and CIS fails every test, no matter what restriction level you set.
    This is strange, because with CIS 6 and 7 the result was (for the screenshot test):
    Fully Virtualized - Total Failure
    Partially Limited - Total Failure
    Limited - 100% Blocked
    Restricted - 100% Blocked
    Untrusted - Failed 3 out of 11 (because of the bug mentioned above)

  3. BLOCK
    AntiTest.exe can’t even start. You get a Windows error message just after CIS sandbox pop-up. If you click “don’t sandbox again”, then AntiTest.exe can run and CIS fails every test
    This is quite bad, in my opinion. If you click “don’t sandbox again”, CIS 8 will add the file to the trust list and it won’t warn you about anything

  4. REMOVE THE RULE FOR UNRECOGNIZED FILES
    In this way, the HIPS will react instead of the auto-sandbox.
    When you click on AntiTest.exe you get a HIPS pop-up to alert you. Even if you allow it, you’ll get a pop-up when the app tries to access a protected key or location and you’ll get a pop-up when you try to perform a test (you’ll get a pop-up for every test).
    Of course, if you allow this last pop-up, CIS will fail the test… but at least you’ll get several warnings that let you understand what the file is trying to do and help you in choosing whether it is better to block it or let it go.

CONCLUSIONS
I’m not a fan of virtualization, especially considering the several bugs, workarounds and strange behaviors, like the one I wrote above.
But it seems that CIS developers have pushed a lot on virtualization, while not improving (I’d say worsening) the “run limited” choice.
What I have personally done is to choose option No. 4 and remove the rules for unrecognized files.
Maybe I’ll get more HIPS pop-ups, but at least I can see what happens and decide how CIS should react.
If I have a doubt about a file, I can block it first, then run it as fully virtualized by right-clicking on the exe and choosing the option.

Does anyone have any other ideas or explanations?

Thanks

Any comment is welcome

Fully virtualized is only designed to protect the actual file system and registry from modification by creating a virtualized environment that provides a virtual file system and registry that is transparent to the application. As for the ‘keylogger sending information out’, that is what the firewall component of CIS is for: if it attempts to access the network you will get a firewall alert in which you can block such action, thereby preventing the keylogger from sending information.

Quote: 2) RUN LIMITED AntiTest.exe can't even start. You get a Windows error message just after CIS sandbox pop-up. If you click "don't sandbox again", then AntiTest.exe can run and CIS fails every test, no matter what restriction level you set.
You do realize that by clicking don't sandbox/isolate/virtualize you are instructing CIS to ignore it and add it to trusted files, in which case it will be allowed to do what it wants. This is by design and has been the intended behavior since the sandbox was introduced to CIS; even the help section specifically mentions this. This is a user fail and not a CIS fail.
Quote: This is strange, because with CIS 6 and 7 the result was (for the screenshot test): Fully Virtualized - Total Failure Partially Limited - Total Failure Limited - 100% Blocked Restricted - 100% Blocked Untrusted - Failed 3 out of 11 (because of the bug mentioned above)
Nothing strange about a program which has been added to the trusted files being able to do what it wants. However, you are correct about the bug in which applications being sandboxed/isolated as untrusted were able to capture the screen directly, but this has been fixed in v8 so it is no longer an issue here.
Quote: 3) BLOCK AntiTest.exe can't even start. You get a Windows error message just after CIS sandbox pop-up. If you click "don't sandbox again", then AntiTest.exe can run and CIS fails every test. This is quite bad, in my opinion. If you click "don't sandbox again", CIS 8 will add the file to the trust list and it won't warn you about anything
I have two major issues with this statement. First, Blocked action is just that... blocked. What did you expect to happen? Again, by design any application that is treated as blocked will not be allowed to execute in the first place; this is explained in the help section as well. Second, now you admit that by clicking don't sandbox again the application gets added to trusted files, and you're still somehow surprised that CIS "fails" and won't alert you to anything? What? Why would CIS ever alert you to actions made by trusted applications? Especially if you have HIPS set to safe mode. If you want to get alerts about safe/trusted applications, set HIPS to paranoid mode. Again, by design CIS will not interfere with or alert you about safe/trusted applications.
Quote: 4) REMOVE THE RULE FOR UNRECOGNIZED FILES In this way, the HIPS will react instead of the auto-sandbox.
Or you know... you could just disable the auto-sandbox, no need to modify sandbox rules.
Quote: When you click on AntiTest.exe you get a HIPS pop-up to alert you. Even if you allow it, you'll get a pop-up when the app tries to access a protected key or location and you'll get a pop-up when you try to perform a test (you'll get a pop-up for every test). Of course, if you allow this last pop-up, CIS will fail the test... but at least you'll get several warnings that let you understand what the file is trying to do and help you in choosing whether it is better to block it or let it go.
Again not a CIS fail, only a user fail, BIG difference. But yes, I agree on the warnings; again, that's what Defense+ is for.
Quote: CONCLUSIONS I'm not a fan of virtualization, especially considering the several bugs, workarounds and strange behaviors, like the one I wrote above. But it seems that CIS developers have pushed a lot on virtualization, while not improving (I'd say worsening) the "run limited" choice. What I have personally done is to choose option No. 4 and remove the rules for unrecognized files. Maybe I'll get more HIPS pop-ups, but at least I can see what happens and decide how CIS should react. If I have a doubt about a file, I can block it first, then run it as fully virtualized by right-clicking on the exe and choosing the option.

Quote: Does anyone have any other ideas or explanations?


I, like others, am not into the whole virtualization thing and choose to stick to using the firewall and HIPS/Defense+ components of CIS; however, it is ignorant to say that the developers are pushing virtualization. If that were true, Defense+ would be removed from CIS and you wouldn’t be able to disable the sandbox. All in all, the current version of CIS as it is now is amazing and really is the best one yet. Sure, there are some issues that need to be worked out, ones that I’m not really comfortable disclosing publicly due to not wanting to cause a big uproar, but that’s another issue. In conclusion, if you want to use the sandbox, great; if you don’t, then don’t. Either way, that’s what makes Comodo great: you can configure CIS any way you please. The protection provided by CIS is unmatched by any other security software, and it takes a good understanding of what CIS is and how it works to really make it an effective solution to protect end users.

Thanks for the answer, I agree on almost all your statements, especially about CIS offering unmatched protection and for free!!!
The only one where I don’t agree is about the “run restricted → untrusted”.
What I don’t understand is why on CIS 7 “run restricted → untrusted” let the exe start, but didn’t allow it to do anything dangerous, while on CIS 8 “run restricted → untrusted” prevents the exe from executing.
The difference is huge. In CIS 7 you were able to see what the application was trying to do, on CIS 8 you can’t because the application is blocked.
But this should be the behaviour of “block”, not of “run restricted”.
Or am I missing something?

Quote from CIS 7 help Behaviour Blocker, Network Access, Internet Protection | Internet Security v7.0
The Behavior Blocker will auto-sandbox an unknown executable and restrict its execution privileges according to an access restriction level set by you. Access restriction levels determine what level of rights a sandboxed application has to access other software and hardware resources on your computer:
Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.(Default)
Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.
Blocked - The application is not allowed to run at all.

Fully Virtualized - The application will be run in a virtual environment completely isolated from your operating system and files on the rest of your computer.

Quote from CIS 8 help Configure Rules for Auto-Sandbox, Sandbox Security Software | internet Security
Set Restriction Level – When Run Restricted is selected in Action, then this option is automatically selected and cannot be unchecked while for Run Virtually action the option can be checked or unchecked. The options for Restriction levels are:
Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.(Default)
Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.

If an application is not executing because of being run untrusted, then it’s probably because of the bug fix that applied more access restrictions to the untrusted sandbox mode. This is intended behavior, and the help documentation specifically mentions that some applications may not operate properly under this setting. When this happens you should lower the sandbox restriction to either ‘restricted’ or ‘limited’. This is a common side effect for applications that are sandboxed as untrusted, because they run with such limited access rights that they don’t function correctly, to the point where they don’t run/execute at all or just crash unexpectedly. Hope this clears that up for you.

I did that, but even if I use “run restricted → limited” the exe doesn’t start at all.

It must be an issue with your settings; I have no problem launching AntiTest under any restriction level on both Windows XP and Windows 7.

[attachment deleted by admin]

Hi,

Quote: Thanks for the answer, I agree on almost all your statements, especially about CIS offering unmatched protection and for free!!!

I agree… Comodo is a solid program even with the HIPS only: the SpyShelter test is passed successfully:

I’m sorry, what did you choose under “Action” (see attached pictures from CIS online help), “Run Virtually” or “Run Restricted” ?
I was referring to Action → Run Restricted, then Options → Set Restriction Level → Untrusted

Set Restriction Level – When Run Restricted is selected in Action, then this option is automatically selected and cannot be unchecked while for Run Virtually action the option can be checked or unchecked.
The options for Restriction levels are:
Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.(Default)
Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.
Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.

[attachment deleted by admin]

In my previous post I have a screenshot attached showing the spyshelter test being auto sandboxed with the untrusted restriction level. So yes I have set action to run restricted with restriction level set to untrusted.

Well, I tried the same configuration, but I got an error message (please check the pictures in attachment).
Sorry, it’s in Italian, but the meaning is: “Impossible to start the application correctly (0xc0000022). Click OK to close the application”.
This is what you should get if you set “block”, not “run restricted”

[attachment deleted by admin]

I found what the problem was.
I had added c:\users to the HIPS protected objects, so the app was not able to access the resources it needed to start.
I removed that entry and redid the test. CIS 8 correctly sandboxed the app and every test was passed successfully.
Moderators, if you like, you can close this post.
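For anyone who wants to repeat this kind of check without relying on AntiTest, the script below is an added example written for this thread; it is not SpyShelter's test program and not Comodo's code. It contains two small probes that do what a screen-grabber or key-state-polling test does (a GDI copy of the screen, and polling GetAsyncKeyState), so you can launch it under the auto-sandbox rule you are evaluating (Run Virtualized, or Run Restricted at each level) and read from the return values what the sandbox allowed. It assumes Windows PowerShell 3.0 or later with the .NET Framework, an interactive desktop session, and that the sandbox either throws or hands back a blank bitmap when it blocks capture; the function names, the 16x16 pixel sampling grid and the output path are choices made for this example. One side note on the thread's own diagnosis: the 0xc0000022 in the Italian error message is the NTSTATUS code STATUS_ACCESS_DENIED, which fits the final finding that a HIPS protected-object entry for c:\users was denying the loader files it needed.

```powershell
# Added example for this thread; not SpyShelter's AntiTest and not Comodo's code.
# Run it normally once, then under the sandbox rule you are testing, and compare.
# Assumptions: Windows PowerShell 3.0+, .NET Framework, interactive desktop session.

Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName System.Windows.Forms

# P/Invoke declaration for a polling-style key-state read (the technique a
# keylogger test probes; this script only counts keys, it stores no keystrokes).
Add-Type -Namespace 'SandboxProbe' -Name 'User32' -MemberDefinition @'
[DllImport("user32.dll")] public static extern short GetAsyncKeyState(int vKey);
'@ | Out-Null

function Test-ScreenCapture {
    # Tries a GDI copy of the primary screen. A sandbox that blocks capture either
    # throws (reported as Captured = $false) or returns a blank/black bitmap, so the
    # function also samples a 16x16 grid of pixels and reports the black fraction.
    param([string]$OutFile = (Join-Path $env:TEMP 'sandbox-capture-probe.png'))
    try {
        $bounds = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
        $bmp = New-Object System.Drawing.Bitmap $bounds.Width, $bounds.Height
        $g = [System.Drawing.Graphics]::FromImage($bmp)
        $g.CopyFromScreen($bounds.Location, [System.Drawing.Point]::Empty, $bounds.Size)
        $g.Dispose()

        $black = 0; $total = 0
        $stepX = [math]::Max(1, [int]($bounds.Width / 16))
        $stepY = [math]::Max(1, [int]($bounds.Height / 16))
        for ($x = 0; $x -lt $bounds.Width; $x += $stepX) {
            for ($y = 0; $y -lt $bounds.Height; $y += $stepY) {
                $total++
                $p = $bmp.GetPixel($x, $y)
                if ($p.R -eq 0 -and $p.G -eq 0 -and $p.B -eq 0) { $black++ }
            }
        }
        # Under a sandbox that virtualizes the file system this save lands in the
        # sandbox's copy of %TEMP%, not the real one; look in both when checking.
        $bmp.Save($OutFile, [System.Drawing.Imaging.ImageFormat]::Png)
        $bmp.Dispose()
        [pscustomobject]@{
            Captured      = $true
            BlackFraction = [math]::Round($black / $total, 2)
            File          = $OutFile
        }
    } catch {
        [pscustomobject]@{ Captured = $false; BlackFraction = $null; Error = $_.Exception.Message }
    }
}

function Test-KeyStatePoll {
    # Polls GetAsyncKeyState over the virtual-key range for $Seconds and counts
    # distinct keys seen in the "down" state. Type a few keys while it runs: a
    # sandbox that blocks this technique reports 0 no matter what you type.
    param([int]$Seconds = 5)
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($vk in 8..254) {
            # High bit set means the key is currently down.
            if (([SandboxProbe.User32]::GetAsyncKeyState($vk) -band 0x8000) -ne 0) {
                $seen[$vk] = $true
            }
        }
        Start-Sleep -Milliseconds 20
    }
    [pscustomobject]@{ KeysObserved = $seen.Count; Seconds = $Seconds }
}

Test-ScreenCapture
Write-Host 'Type a few keys during the next 5 seconds...'
Test-KeyStatePoll -Seconds 5
```

Read the two objects side by side with an unsandboxed run: Captured = $false or a BlackFraction near 1 means the capture was blocked or blanked, and KeysObserved = 0 while you were typing means the key-state read was blocked. A run that succeeds inside Run Virtualized while the PNG is absent from the real %TEMP% is the file-system virtualization described earlier in the thread, not a block.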