The automatic sandbox circumvented.

If veximm.exe will be run in automatic sandbox, then it will be two shortcut created on desktop: Internet Explorer and ÂÌÉ«µ¼º½.
In addition, the sandbox does not automatically protect the operating system is completely fair, because when it is modify the host file and Internet Explorer start page.

If veximm exe is run in manual sandbox, then nothing happens.

I know that the file system and registry virtualization is inactive in the automatic sandbox.
Might help if there would be active the registry and file system virtualization.

Automatic sandbox. partially limited, Defense+: safe, av: on access, firewall: custom policy.
But no matter what mode is running on the four security module can not affect the results… >:(

Vexim.exe is submitted.

Attached screen shots and veximm.exe

Please DO NOT attach Malware to forum posts anyone can see/download

[attachment deleted by admin]

The start page of IE is not changed at all… The malware creates 2 shortcuts on the desktop but if you go to tools/ internet settings in IE , the start page is not changed… And when you use another usual link to ie (ex : in the quick lauch bar) , you get your usual ie session… so the computer is not damaged… that’s jut annoying…

The host file doesn’t appear to be modified after reboot either; >:-D

this malware should have been caught by the av…anyway

Confirmed also.

Ok, but the principle is the point.
Why can’t I have received notification that the veximm.exe trying to access the desktop?

While getting off sandbox under Defense + notification that veximm.exe trying to access to explorer.exe but it was blocking it, even the two shortcut on the desktop.

This is not how it should happen…

I need a moderator to move this topic to bug reports! Thanks!

I read that the sandbox doesn’t block the creation of files and folders. It may be a normal behavior…
Did you try to launch the shortcut?

Unfortunately, this is a malware. Other users already infected. :-[

Sure, my question wasn’t about the detection.
Did it try to run something by itself?
Did it try to connect to a server?
Did it try to do something else than creating shorcut?
Because in that case, Comodo partially succeeded, you computer isn’t infected, you only have 2 shortcuts on your desktop…

Yes, i tried. One shortcut leads to a Chinese web page in Internet Explorer.
Not only I have reported this problem. Others, under the default settings, such as the modification of the host file.

I believe all that is going on is that the default level for the sandbox does allow malware, or legitimate files by the way, to create files and folders. This was done so that more files can run correctly in the sandbox.

It is a balance. You’re not happy that there are unwanted files on your computer, that can’t hurt you, but you’d also complain if every file you tried to run in the sandbox failed.
At least I know I would. :wink:

I don’t believe it’s a bug, just the way it works.

This seems to me to be more a useability issue than a bug,but if I’m wrong please let me know.

Or rather not fully understanding the working of automatic sandboxing.

Automatic sandboxing does not fully isolate a program from the OS. It allows programs to drop files in non critical areas. The malware cannot autostart. Even though it runs in the sandbox it won’t run after reboot. That’s the protection it brings.

The idea behind all of this is that the sandbox is being used to make the Default Deny principle user friendly. That means that every unknown file will get sandboxed. Therefor it will run legitimate programs as well and they need to function as well. That’s why you see files and folders being made in non critical areas.

That’s the ideas why it works like it does. The new automatic sandboxing brings strong protection.

The only problem left is the modification of the host file.

Who has a desire to test.
(So be careful!)


Moderator edit: Malware link removed

Posting links to malware is a violation of forum policy. Please DO NOT attach malware or post links to malware in this forum.

I didn’t test this software myself. But hosts file appears not to have been tampered with.

I just tested “veximm.exe” (presumably malware) with CIS 5, proactive security, sandbox enabled, and the rest of the settings at default. This is what I found during my tests:

[ol]- The host file was not altered.

  • Nothing was added to the trusted files list.
  • Four links are dropped: 2 links on the destop (IE icons, one named “ÂÌÉ«µ¼º½” and the other named “internet Explorer” that both link to a suspicious webpage), and 2 quick-launch links in the task bar (IE icons, each with a link to the same suspicious webpage). When I opened the suspicious webpage, nothing obvious attempted to download, so I am not sure if this application is just adware-like (helping to direct traffic to the website) or if it has some more malicious intent.
  • The IE home page was not changed [note: the IE links that are placed on the desktop and in the task bar are links to a specific web page that opens when IE is started from that link. This is not a change in the IE homepage.]
  • I cannot find any other files that are dropped.
  • The application terminates shortly after dropping the links.[/ol]

CIS 5.0…1135
XP SP3 32 bit running on VM player
Config = proactive
Firewall = safe mode
D+ = safe mode; image exec = enabled, sandbox = enabled
AV= stateful
All other settings were default


So this malware is at least a nuisance requiring me to clean up my desktop and task bar. Doesn’t this qualify as malware? Doesn’t this mean the AV has failed at some level? As all AV will fail for many new threats, perhaps this is par for the course? Will an updated AV sig file clean up the infection?

It’s good critical areas were protected, but I am a little puzzled why creation of links anywhere isn’t flagged some way unless allowed as action by an installer, or trusted source.

Links, especially to sites potentially allowing dangerous attacks and privacy leaks are a little different in my mind than other files. But even data files can contain dangers. The whole idea that files dropped might include scripts, perhaps embedded in images or data files, or other executable content is scary. Allowing these dangers as well as links is a pretty big tradeoff for “ease of use.”

Celebrating as victory the fact it is just a nuisance dodges a good question.

Sanbox runs applications in “partial limited” mode.
Try changing to restricted (Defense+ Settings) and see if it works better

I’ve done.
It does no matter…same results. >:(

I think COMODO is doing some kind of term-flaw.
when we say “sandbox”, we mean things like sandboxie, COMODO’s manual sandbox, etc.
actually it’s not a sandbox, as it doesn’t protect the system from filesystem and registry modification.
we should say this an “automatic (privilege) limiter”, not an “automatic sandbox”

A sandbox is not identical to Sandboxie: Sandbox (computer security) - Wikipedia .

It is sorta saying that Lexus defines what car is and then saying that is not a car as it has not similar functionality and luxury Lexus has… :wink: