If I run TeamViewer or any remote desktop utility with standard user rights and inside COMODO sandbox
and let someone remotely connect to my machine through the virtualized program, will they be able to
modify/alter/delete files on my machine?
Hi cocalaur, if you're running TeamViewer virtualized on your end and someone connects to you, all changes made should be committed to the sandbox only. So no, that is not normal.
Where was the text file saved to and then deleted from? If the modification happened in any location that is specified in the “Do not virtualize access to the specified files/folders”, then it is working as intended. Also, how did you specifically run TeamViewer in the sandbox? Was any executable running outside the sandbox, for example a service executable that starts at Windows logon?
The controller was able to modify files on the real system through the sandboxed TeamViewer. “Do not virtualize access to […]” was disabled. The controller was also able to accept CIS alerts like HIPS and Firewall alerts!
Likely it’s because TeamViewer moves the cursor and simulates key presses; I’m guessing the sandbox doesn’t virtualize nor block these and instead just lets them happen. Maybe bug, maybe expected behaviour, an issue either way. Why an issue? Well, imagine it’s not TeamViewer but rather an unknown malware that gets launched in the Sandbox: the attacker could then modify the real system, and quite some damage could be done that way. Best solution would probably be to not allow sandboxed applications to modify the cursor or simulate key presses.
The text file was edited and deleted from the desktop. The desktop was not in the sandbox exception list, shared workspace was not used.
The latest TeamViewer was downloaded from the official site and was explicitly run sandboxed as fully virtualized. Then I selected to run, not install.
I think by design the sandbox doesn’t prevent direct keyboard or direct screen/monitor access, which allows applications like video games and other applications that need/use direct keyboard or monitor access to function properly. When setting TeamViewer to unrecognized and using HIPS, does a request for direct keyboard and/or direct monitor access get alerted for TeamViewer?
I also tested before my first post. I have a custom rule to block all applications from direct keyboard and monitor access. I add exclusions for required applications as I need to and place them in the hierarchy. I went in and disabled the rule(s) and retested. Sure enough, then I was able to edit and delete a .txt file. This could be used as a vulnerability and is, I think, a serious issue.
Adding a custom rule to block all applications will prevent this, but it also means taking the extra steps of adding rules per application as needed, such as games and applications you want/need to have these accesses.
Edit: Thanks for pointing this out OP. Good to know about this behavior.
COMODO has been and still is a great security companion throughout my using Windows.
It has been … 5 years since I started using it?
Best protection I’ve had. So I try to give something back to the community.
I’m sure the developers are looking to provide the best possible protection and to patch
security flaws. So if I could help here at least with this small bit, then I am happy