TeamViewer/Remote Desktop utilities and COMODO sandbox

Hello all. I have a question.

If I run TeamViewer or any remote desktop utility with standard user rights and inside COMODO sandbox
and let someone remotely connect to my machine through the virtualized program, will they be able to
modify/alter/delete files on my machine?

Thank you.

UPDATE:

I’ve tested this with a friend.

He connected to me via a COMODO-sandboxed TeamViewer session (that was running under standard user rights).

He tried to edit a text file and delete it. The changes were committed on the real machine.

So… is this normal?

Hi cocalaur, if you're running TeamViewer virtualized on your end and someone connects to you, all changes made should be committed to the sandbox only. So no, that is not normal.

Should I fill in a bug report somewhere? I reckon this is pretty important…

Where was the text file saved to and then deleted from? If the modification happened in any location that is specified in the “Do not virtualize access to the specified files/folders” list, then it is working as intended. Also, how did you specifically run TeamViewer in the sandbox? Was any executable running outside the sandbox, for example a service executable that starts at Windows logon?

Confirmed here.

  1. Launched portable TeamViewer in the sandbox.
  2. Connected from second computer.
  3. The controller was able to modify files on the real system through the sandboxed TeamViewer. “Do not virtualize access to […]” was disabled. The controller was also able to accept CIS alerts like HIPS and Firewall alerts!

Likely it’s because TeamViewer moves the cursor and simulates key presses. I’m guessing the sandbox doesn’t virtualize nor block these and instead just lets them happen. Maybe bug, maybe expected behaviour, an issue either way. Why an issue? Well, imagine it’s not TeamViewer but rather an unknown malware that gets launched in the sandbox. The attacker could then modify the real system; quite some damage could be done that way. Best solution would probably be to not allow sandboxed applications to modify the cursor or simulate key presses.

Hello.

The text file was edited and deleted from the desktop. The desktop was not in the sandbox exception list, shared workspace was not used.

The latest TeamViewer was downloaded from the official site and was explicitly run sandboxed as fully virtualized. Then I selected to run, not install.

I think by design the sandbox doesn’t prevent direct keyboard or direct screen/monitor access, which allows applications like video games and other applications that need/use direct keyboard or monitor access to function properly. When setting TeamViewer to unrecognized and using HIPS, does a request for direct keyboard and/or direct monitor access get alerted for TeamViewer?

Yes, when setting it to unrecognized and using HIPS, CIS will alert for direct keyboard access and direct screen access.

I also tested before my first post. I have a custom rule to block all applications from direct keyboard and monitor access. I add exclusions for required applications as I need to and place them in the hierarchy. I went in and disabled the rule(s) and retested. Sure enough then I was able to edit and delete a .txt file. This could be used as a vulnerability and is I think a serious issue.

Adding a custom rule to block all applications will prevent this, but it also means taking the extra steps of adding rules per application as needed, such as games and applications you want/need to have these accesses.

Edit: Thanks for pointing this out OP. Good to know about this behavior.

Thank you for the feedback, sAyer.

COMODO has been and still is a great security companion throughout me using Windows.
It has been … 5 years since I started using it?

Best protection I’ve had. So I try to give something back to the community.
I’m sure the developers are looking to provide best possible protection and to patch
security flaws. So if I could help here at least with this small bit, then I am happy.