the term 'automatic sandbox' confuses people (with PoC & video & poll)



the term ‘automatic sandbox’ may confuse some people

Discussion index

  • Argument
  • Conclusion
  • Appendix

ARGUMENT
First of all, I want you guys to look at this.
If you search Google for ‘comodo sandbox’ you can see this result.

  1. I think this comes from a misunderstanding of ‘automatic sandbox’,
    which comes from COMODO’s term ‘sandbox’.

  2. COMODO’s ‘automatic sandbox’ is not a sandbox; it’s just an ‘auto-deny’ capability,
    because it doesn’t protect the system from filesystem and registry modification.

If you read COMODO’s Introduction to the sandbox (links below), you can see this passage:

Automatic sandboxing does not virtualise software. Files and registry keys created by the software are NOT stored in a separate place on your hard disk. (Instead, to protect system integrity, the sandboxed program is prevented from writing to protected folders, pre-existing files, and registry keys - see link above for details).

This contains a logical contradiction.
A sandbox is a sort of virtualization, and if it doesn’t virtualise, what is the sandbox for?
It’s just a restriction. (I can feel some rhyme; it reminds me of Sum 41 - Still Waiting lol ;D ;D)

That’s because, according to Wikipedia, a sandbox typically provides “scratch space” on disk and in memory, which means temporary storage (in COMODO, “C:\VirtualRoot” corresponds to this).

In this regard, COMODO’s manual sandbox is a sandbox, just like any other sandbox, but the ‘auto-sandbox’ is not.
That can be the clue as to why some people misunderstand and say things like “COMODO sandbox sux, use another one”,
and it definitely damages the reputation of COMODO, whether it’s true or false.

  1. I suggest we should call this “auto (privilege) limiting” or something that appropriately expresses this feature.
    But some people say both the auto-sandbox and Sandboxie are sandboxes, so the definition can be controversial.

CONCLUSION

  1. If scratch space is not provided, can we still define it as a “sandbox”?
  2. If not, should the name be changed? To what term?

Currently I’m running a poll about this; if you are interested, come visit here:
http://www.99polls.com/poll_9662:1

And I saw a cool suggestion Chiron once made:

It can be a good alternative; then we don’t have to change the name or the current policy.
I’ve requested this feature here. Hope it gets reflected.

That’s all, and I want your opinion. Thanks in advance.

APPENDIX
PoC: I’ve just made a piece of malware that utilizes the weakness of the ‘auto-sandbox’.
Put it on your desktop and run it with CIS enabled. It won’t harm you. ;D
LINK
source code: here
(The source is quite awful; I’m currently learning C++ & asm at school :stuck_out_tongue: :stuck_out_tongue: :P)

Video, for those who want to see the PoC rather than execute it:

Reference: FYI, you can check these articles:

Introduction to the 5.x sandbox (written by mouse1)
Sandbox Technology (a sandbox survey)

PS: I’ve already posted this in another thread, but I thought I’d rather post it separately.


It’s the confusion where the general concept of a sandbox is identified with one successful manifestation of a sandbox.

It is like saying Hyundai is not a car because Lexus sets the exclusive standard for what defines a car. ??? 88)

People don’t make such mistakes when it comes to cars… so why not apply that same reasoning to sandboxes? :-X

Because that example isn’t even close. Hyundai would still follow the core function and construction of a car, as does Lexus; this auto sandbox of Comodo does NOT follow the core function of what a sandbox is or does. That’s why your example makes absolutely no sense and has no relevance, just so you know.

I’m not here to comment on the quality of this function in Comodo, just that it is misrepresented and I think it should get a name change.

People think Sandboxie = Comodo Sandbox…

Maybe we should call it Comodo Jail, Comodo Alcatraz, Comodo Program Penitentiary… :P0l

Yap, I think it’s the core of this controversy :wink:
Unfortunately COMODO is a latecomer in this area, so people can’t understand :frowning:

Actually, people think Sandboxie = sandbox because that is what a sandbox in computer terms is. That’s why, when Comodo names their auto sandbox a sandbox as well, it confuses people, since that’s not what it is.

To tell you the truth, with Comodo 5 I removed Sandboxie as I don’t need it anymore; Partially Limited allows even keygens and s*it to run without danger of damaging the system. Partially Limited just works! :-TU
Not that I recommend taking bread from developers who make great software, I just like to demo it a bit longer… >:-D

Beware, it can scatter some garbage on your system (even if it won’t harm you :D)

definitely ;D

So what, it will be sandboxed anyway, right? :smiley: >:-D

I think the Comodo sandbox protects the registry, and the app in the sandbox can’t communicate with other processes (that’s why they call it a sandbox…)

I’ve just made a PoC that utilizes the weakness of the auto sandbox.

Put that on the desktop and run it.

You forgot to attach the file to your post but let me guess…
A batch file which randomly creates lots of files?

@dax123,

Please check your ■■■. Request for POC source code sent.

Cheers,
Ewen :slight_smile:

Bingo ;D
It’s at the top of the thread, you can check it.

checked :wink:

The latest system call is a nice touch; is it the one that left a cmd in the sandbox? :slight_smile:

I dunno.

First attachment shows repeated “Access is denied” messages.
Second attachment shows your end message.

There was no other interaction with my system other than writing to the screen.

My CIS5 is a very, very vanilla config, with only one modification to allow interprocess comms between Logitech’s lwemon.exe and CIS.

CIS config is set to Proactive
Sandbox enabled
D+ set to SAFE
Firewall set to SAFE
AV set to STATEFUL.

What was it supposed to do?

Ewen :slight_smile:


Set your CIS settings to Internet instead of Proactive, and you’ll have a real vanilla install :slight_smile:
I tested it and his PoC works.

Oh, and check your sandbox to see if it didn’t leave a surprise in there :slight_smile:

Rebooted and changed CIS config to Internet. Reran the POC and got exactly the same results.

???

I’m using proactive security with no changes.

Using either config, I got a series of alerts each time I ran the POC, where it attempted to create a series of files in C:\WINDOWS\SYSTEM32 called DUNG_HAHAHA_XX (where XX = 0 - 49).

The DUNG files were not created, as shown by the “Access is denied” messages.

Still ???
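Added example, not code from the thread, the PoC or COMODO: a small model of the two behaviours the thread contrasts (the auto-sandbox's deny-writes policy versus a scratch-space sandbox that redirects under C:\VirtualRoot), replaying the write pattern ewen reports above (50 DUNG_HAHAHA files in C:\WINDOWS\SYSTEM32). The protected-folder list, the desktop paths and the pre-existing file are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumed protected locations; the real CIS list is longer and configurable.
PROTECTED_ROOTS = (PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files"))
# Scratch space the thread names for the manual (virtualising) sandbox.
VIRTUAL_ROOT = PureWindowsPath(r"C:\VirtualRoot")


def _key(path: str) -> str:
    """Case-insensitive comparison key, since Windows paths are case-insensitive."""
    return str(PureWindowsPath(path)).lower()


def _under(path: str, root: PureWindowsPath) -> bool:
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[: len(root_parts)] == root_parts


@dataclass
class Disk:
    """What remains on disk after the sandboxed program exits."""
    preexisting: frozenset[str]                      # files present before the run
    real: set[str] = field(default_factory=set)      # new files at their real paths
    scratch: set[str] = field(default_factory=set)   # files parked under VIRTUAL_ROOT


def auto_deny(disk: Disk, path: str) -> str:
    """Restriction model: writes to protected folders or pre-existing files are
    refused outright and nothing is redirected; other writes land for real."""
    if any(_under(path, r) for r in PROTECTED_ROOTS) or _key(path) in disk.preexisting:
        return "Access is denied"
    disk.real.add(_key(path))
    return "written"


def virtualise(disk: Disk, path: str) -> str:
    """Scratch-space model: every write looks successful to the program but is
    redirected under the virtual root, so the real filesystem is never touched."""
    p = PureWindowsPath(path)
    target = VIRTUAL_ROOT / p.drive.rstrip(":") / p.relative_to(p.anchor)
    disk.scratch.add(_key(str(target)))
    return f"redirected to {target}"


def run_poc(policy) -> tuple[Disk, dict[str, int]]:
    """Replay the reported attempts (50 files in SYSTEM32) plus two constructed
    desktop writes, one to a pre-existing file; return leftovers and an outcome tally."""
    disk = Disk(preexisting=frozenset({_key(r"C:\Users\me\Desktop\report.docx")}))
    attempts = [rf"C:\WINDOWS\SYSTEM32\DUNG_HAHAHA_{i}" for i in range(50)]
    attempts += [r"C:\Users\me\Desktop\report.docx", r"C:\Users\me\Desktop\new.txt"]
    tally: dict[str, int] = {}
    for a in attempts:
        outcome = policy(disk, a).split(" to ")[0]
        tally[outcome] = tally.get(outcome, 0) + 1
    return disk, tally
```

Under auto_deny the 50 SYSTEM32 writes and the overwrite of report.docx produce "Access is denied" and only new.txt is really created, which matches the screen output ewen describes; under virtualise all 52 writes "succeed" and sit under C:\VirtualRoot, the "surprise in the sandbox" Ronny mentions.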