A. THE BUG/ISSUE (Varies from issue to issue)
[ol]- Summary - Give a clear summary in the topic subject, NOT here.
- Can U reproduce the problem & if so how reliably?:
yes
- If U can, exact steps to reproduce. If not, exactly what U did & what happened:
(1) I checked the protected objects.
It means "the sandboxed applications can not create any file under C:\WINDOWS "
(2) I ran the malware.
(3) It was sandboxed as partially limited.
(4) logs:
2013-05-17 20:25:37 C:\Documents and Settings\All Users\Application Data\Shared Space\test.exe\geloyun.exe Sandboxed As Partially Limited2013-05-17 20:25:39 C:\WINDOWS\SysService.exe Sandboxed As Partially Limited
2013-05-17 20:25:46 C:\Documents and Settings\All Users\Application Data\Shared Space\test.exe\geloyun.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysService
2013-05-17 20:25:46 C:\Documents and Settings\All Users\Application Data\Shared Space\test.exe\geloyun.exe Modify File C:\WINDOWS\SysService.exe
(5) I checked the file.
The size of it is 0KB.
- If not obvious, what U expected to happen:
Behavior Blocker should block the malware for creating the file.
- If a software compatibility problem have U tried the conflict FAQ?:
- Any software except CIS/OS involved? If so - name, & exact version:
- Any other information, eg your guess at the cause, how U tried to fix it etc:
-
Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not m’ware)
[/ol]
B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
[ol]- Exact CIS version & configuration:
version = 6.1 build 2813
configuration = internet security
- Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
HIPS=off, BBlocker=partially-limited, Firewall=Safe, AV=cloud is off
- Have U made any other changes to the default config? (egs here.):
none
- Have U updated (without uninstall) from a CIS 5?:
no
[li]if so, have U tried a a clean reinstall - if not please do?:
[/li]- Have U imported a config from a previous version of CIS:
no
[li]if so, have U tried a standard config - if not please do:
[/li]- OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows XP Pro, SP3, 32bit, UAC=off, admin, Real
- Other security/s’box software a) currently installed b) installed since OS: a= b=
none
[/ol]
[attachment deleted by admin]