Unknown file actions run outside the sandbox

liosant · December 14, 2016, 3:45pm

Can you reproduce the problem & if so how reliably?:
Yes, sometimes they occur with a clean install and running unknown files for example

If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1:Clean install and restart
2:I run the file
3:It runs out of the sandbox or can make unauthorized changes
4: In some cases it starts with the system outside the sandbox and makes unauthorized changes

One or two sentences explaining what actually happened:
Sandbox seems to fail or does not recognize access to system files

One or two sentences explaining what you expected to happen:
Let everything be run in the sandbox and system files will not be accessed

If a software compatibility problem have you tried the advice to make programs work with CIS?:
Perhaps because it is a virtual machine, errors are more constant than in the real machine

Any software except CIS/OS involved? If so - name, & exact version:
No
Any other information, eg your guess at the cause, how you tried to fix it etc:
Processes can extract files to %temp% folder and sometimes run outside the sandbox (most noticeable on reboots where the user can not access the interface);
Unknown file actions run outside the sandbox;
Apparently the problem seems to be linked to user elevation (admin, setup, owner …)
The files when changed folder, CIS has different behavior;

B. YOUR SETUP
Exact CIS version & configuration:
CIS 10.0.0.6071
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
internet security and proactive security
Have you made any other changes to the default config? (egs here.):
?
Have you updated (without uninstall) from CIS 5, 6 or 7?:
No
if so, have you tried a clean reinstall - if not please do?:

Have you imported a config from a previous version of CIS:
No
if so, have you tried a standard config - if not please do:

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
windows 7 sp1 (64bit), UAC desable, admin, virtualbox
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=? b=?

qmarius · December 14, 2016, 3:57pm

Please provide file.

liosant · December 15, 2016, 6:07pm

Do not run on the personal machine, unless you want to take risk

qmarius · December 15, 2016, 6:40pm

Another question : Did you right-click > Run in Sandbox?

Thanks.

liosant · December 16, 2016, 1:18am

Yes, the result is the same. Full or partial actions are running out

qmarius · December 16, 2016, 1:28pm

Hi liosant,

I checked it with default configuration. Created an application > Used drag & drop with virtual machine > Application is not virtualized. This happens because it assumes you had the application in your system. (better usability)
On the other hand, with proactive configuration looks like there is no problem. This happens because it does not rely on file tracking. (worse usability)

And now, checked it with your application & proactive configuration. There is no problem on my virtual machine (Windows 7, x86).

Additionally, (what might cause confusion among users is that) you should run the sample after UI is launched. This is because unknown applications cannot launch by themselves, add autoruns, etc. Note: There is no risk.

Hope it helps.