Standard software treated as installer by Sandbox (4.0.135239.724 x32)

Problem description: The appended software generated an ‘Elevated Privs Alert’, and when accepted was run unsandboxed. But it is not an installer. I have had this happen 2-3 times with different software.

  • CIS version: 4.0.135239.724 x32
  • Your Operating System (32 or 64 bit, Service Pack revision, and account privs: XP SP3 32 Bit, admin account (on Pentium 4 CPU 3Ghz, 4Gb RAM)
  • Other Security and Utility Software Installed: See appended config report for details. Usually: Comodo - CIS, CVE, CIV, CLP, CSE, CAS, IVault; Other- Filezilla, Wallwatcher, Sony Ericsson PC software, Actual Window Manager, Routerstats, Revo, Process Explorer, Google Desktop, Process Tamer, Process Explorer, Kiwi Syslog, Idrive, Clipmate, Hotspotshield, Stuffit
  • Step by step description to reproduce the issue: Just run the software.
  • How you tried to resolve the problem: N/A
  • Upload Memory Dumps on crash if you encounter any: N/A
  • Attach screenshots to your posts to clarify the issue further: Appended
  • Virus database version: Please see appended config report
  • Any other information you think that might be useful. CIS settings: See appended config report for details.

[attachment deleted by admin]

[attachment deleted by admin]

How can CIS know if it is an installer or not?

I assume it gives the alert for any program that asks for elevated privileges. Windows uses the dumb rule of elevating any program with setup in the name.

It looks like CIS elevated prompts are usually triggered:

[ol]- When an unrecognized application got an embedded elevation (requireAdministrator) manifest (eg CLT)

  • When an unrecognized application filename includes specific words (like setup or installer)[/ol]

The latter can be used as workaround in case some unrecognized installer/application cannot trigger D+ elevation prompt (append setup or installer to the name)

I get the elevated privileges alert for SkypePortable.exe and MyDefrag.exe.

[attachment deleted by admin]

Application triggering D+ elevation alerts out of a corresponding elevation manifest can be verified using sigcheck -m and confirming requestedExecutionLevel level=“requireAdministrator” in the console output.

Adding those applications to “My Safe Files” will suppress D+ elevation alert as welll.

My observations suggest that its asking for admin privs that triggers these alerts, at least under XP.

There are alternatives. It would be reasonably feasible to make a list of all widely used installation file creation software, and look for specific signs in the generated installation files.

Seems to me this would be more secure.

Though maybe all that is needed is a change to the elevated privs alert, needs to say “If you did not just ask an installer to run, or run a file that you know requires admin privs you should probably deny this alert!” Plus maybe the ability to choose to allow elevated privs but monitor the software using D+ alerts


Stripping CLT.exe of its elevation manifest (eg using Resource Hacker to remove the 24\1\1049 branch) won’t trigger D+ elevation alerts on XP.

Probably all the application insofar listed in this topic will behave in the same way.

Yep, don’t think this is very sophisticated installer detection :slight_smile:

I guess something more sophisticated won’t be needed as long Vista works in a similar fashion :wink:

Perhaps the corresponding sandbox setting could be rephrased but probably nothing would look easy to understand and synthetic at the same time.

Yeah :slight_smile:

The essential problem remains though:
a) CIS is supposed to be designed for Mop and Pop
b) Mop and Pop are not going to know which Elevated Privs alerts to allow.
c) Software masquerading as installers can easily trick them
d) Allow the elevated privs alert and the software has pretty much free access

Ergo : Installer detection needs to be better for Mop and Pop, or some other solution is needed - QED?

Automatic detection of installers could only be done by a white list and allowing signed executables (does it do this already?). Anything else could be mimicked by malware. If the application is unknown it is up to the user to decide.

I would have plenty to say in that regard and I will probably do when a related topic will focus on these aspect for non bugreporting purposes.

To make it short I’ll link one of the article easily available on the net that outline what real (non-masquerading non-fake) installers can be used for:

Fake Codecs; How to get ■■■■■■■ the easy way …

Ergo: Mom and Pop would not need to get a Software “masquerading as installer” to get infected…

Yes I agree, some other solution would be better, and I agree lets leave it there.

The Mop and Pop problem remains unfortunately

Best wishes