VIDEO: Trusted Files Generate Alerts When Run In Sandbox ** Feedback Please **

Hello,

VIDEO LINK: CIS Trusted File in Sandbox on Vimeo

*** VIDEO ATTACHED for download at end of post ***

The phenomenon shown in the video has been persistent since CIS v. 7. It is absolutely reproducible.

It is independent of:

  1. CIS configuration
  2. any software installed on system
  3. any software removed from system
  4. CIS uninstall\re-install
  5. clean install of OS
  6. physical system (e.g. AMD or Intel, A8\10 or i3\5)
  7. the application run inside the sandbox; all Trusted files generate alerts when run in the sandbox
  8. whether the Trusted file rating was assigned via FLS or user

I have tried for many months now to connect the issue to something specific - to no avail.

NOTE: The only thing I have not been able to test is the OS version - e.g. on W7 - since all my systems are W8.1.

In the video you will notice the alerts are limited to firewall alerts - as expected with Internet Explorer - the Trusted app used to illustrate the issue. However, rest assured I have also seen HIPS alerts, but I cannot remember the exact combination of events\files that generated the HIPS alerts.

For the sake of thoroughness I show that previous versions of IE (4\17) and updated versions (6\9) are all rated as Trusted in the CIS File List.

The attached video is in Microsoft Video 1 AVI format. It can be viewed using Windows Media Player, VLC Player or Classic Media Player. The video is zipped in 7z Ultra format and is about 4.5 MB in size.

Any thoughts would be greatly appreciated; is it, or is it not, a bug?

I’d really like to get a definitive answer on this matter once and for all.

Best Regards,

HJLBX

PS - I forgot to mention that sometimes CIS will forget that rules exist and create alerts for Trusted files run in sandbox. Issue is intermittent.

[attachment deleted by admin]

Video link added…

Best Regards,

HJLBX

I’m unclear what you perceive to be a problem.

First off, you should understand that Trusted File status only pertains to whether CIS recognizes the file. If it is recognized, then it is not considered malicious and will operate in accordance to the security configuration that has been implemented.

In general, a browser should have the following rules implemented:

Allow TCP out from in [local_0] to in [local_127] source port ANY dest port ANY
Allow TCP out from in [NIC] to ANY source port ANY dest port in [HTTP Ports]
Allow TCP out from in [NIC] to ANY source port ANY dest port in [Adobe RTMP]

[local_0] is a network zone = 0.0.0.0
[local_127] is a network zone = 127.0.0.1
You could use the loopback rule for this instead.

[NIC] is the host adapter; I have a fixed IP address and do not use DHCP. If you use DHCP, then replace [NIC] with Any.

[HTTP Ports] is a port set = 80, 81, 443, 8080
[Adobe RTMP] is a port set = 843, 1935

This will allow the browser to perform any TCP protocol to any IP address on common ports without any alerts.

The only exceptions would be unusual ports. For that reason I have another rule:

Allow TCP out from in [NIC] to in [webcs.yahoo] source port ANY to dest port in [5050 / 843]

That rule is necessary to view web-mail in the Yahoo Home page. It's needed because of port 5050 or 843.

Moreover, Amazon is unique with its request for port 6667.

So I have an additional rule:

Allow TCP out from in [NIC] to in [174_125_Amazonaws] source port ANY to in 6667

Where [174_125_Amazonaws] is a network zone specific to the IP address required by Amazon web-page.

The ONLY alerts I get from the browser will be for ANY protocol other than TCP or to any destination ports not explicitly allowed in the above rules. Those unusual ports will be unique for different web-sites and are usually particular to a specific CDN, e.g., banner ads, embedded videos, etc.

If it's a one-off thing, I just allow, but not ‘remember this’, except for sites I frequent, e.g. Amazon, and there I make an exception for the unusual port specific to a restricted range / set of IP addresses.

The only other thing that can alert is DNS. This is done via UDP on dest port 53. For that I have an app rule called DNS: It has ONE rule:

Allow UDP out from in [NIC] to in [DNS] source port ANY dest port 53.

[DNS] is a network zone of my DNS servers. And the APP NAME is a file-group of ALL applications that require DNS lookup.

That’s it; the browser hardly ever bothers me with alerts. Other applications are set up in similar fashion, except that they can only go to the IP address they NEED, and typically are restricted to dest port 80. If they need to go to dest port 443, then there’s a specific rule for that. If the same IP address sometimes goes to 80 and sometimes to 443, then I have one rule for that IP with dest port in [80 / 443].

Sometimes an app needs to go to weird ports, e.g., Comodo wants to hit 4443 / 4447 with both UDP and TCP. But only particular IP addresses are so; they are in their own network zone. ALL the other IP addresses are to either 80 or 443.

That notwithstanding, in the sandbox / virtual desktop, nothing gets saved to the real system. ALL configurations should be made in the physical system. They get read into the virtual desktop / sandbox, and any changes are saved into the sandbox and stay there. If the physical app is launched, it only reads the physical configuration. If the sandboxed / virtual desktop app is launched, the configuration is read out of the sandbox, which has the original physical settings + sandbox changes.

Do you not see that when IE11 - a Trusted app - is run in the sandbox, none of the following firewall rules are applied?

Allow TCP out from in [local_0] to in [local_127] source port ANY dest port ANY
Allow TCP out from in [NIC] to ANY source port ANY dest port in [HTTP Ports]
Allow TCP out from in [NIC] to ANY source port ANY dest port in [Adobe RTMP]

IE11 is rated by Comodo as a Trusted app since it is digitally signed by Microsoft. Consequently, IE11 should generate no alerts when run inside the sandbox.

The problem is this: When running any Trusted app inside the sandbox, CIS ignores their Trusted status\rating.

It’s a very simple concept.

Plus, the video clearly shows that firewall rules created in the sandbox are saved to the real system.

The browser rules I cited are components of the custom policy for my browser that I’ve defined on my system. My firewall security configuration has been set to custom policy, i.e., each app has its own set of allow rules per TCP/IP parameters: protocol, source IP address, destination IP address, source port, destination port, and in the case of a protocol other than UDP or TCP the specific type of protocol. You will not have those rules unless you explicitly make them.

Your Firewall security configuration will determine how applications are handled by the firewall. There are several, block, custom, safe, training mode or disabled. The latter needs no splaining. Training mode generates no alerts and creates ALLOW rules - per app - automatically in perpetuity, while SAFE will only generate alerts for those apps installed since setting the Firewall to SAFE security configuration. Any app that’s been on your system prior to then will continue to have ALLOW rules created for it automatically w/ out alert.

CUSTOM POLICY will alert each and every time an instance of internet connection activity occurs for which the specific parameters have not been defined for the app at issue.

A Trusted File in CIS is nothing more than something Comodo has deemed non-malicious, i.e., it won’t be relegated into the dungeon of the sandbox and subject to the auspices of the security restrictions imposed by such. The ‘trusted app’ firewall policy is a predefined firewall security policy that has only ONE rule, i.e., ALLOW ANY Protocol FROM ANYWHERE IN OR OUT. I shun that like the frakkin’ plague; NOTHING on my system has that kind of carte blanche.

The predefined firewall security policy WEB APPLICATION has the following rules:

ALLOW access to loopback zone
ALLOW all outgoing HTTP
ALLOW all outgoing FTP
ALLOW all outgoing FTP-PASV
ALLOW all outgoing DNS
BLOCK and log all unmatched requests

That’s good enough for those short on knowledge of networking principles and need the best security possible with that specific constraint and not be overwhelmed with - something so frequently used - mind boggling obtuse firewall alerts in both frequency and content.

If you’re observing that policy / configuration changes are effective on the physical installation from within sandboxed sessions, then your virtualization configuration is insufficiently robust to prevent a malicious process from borking your real system. What’s the point of a sandbox if such isolation can infect the physical platform?

And if it’s not that specifically, then it pertains to the protected files and folders configuration. There is a specific character that can enhance security immensely, and that is the pipe: |

The pipe symbol insists that not even apps in the sandbox can access / modify the resource. I questioned why that was even needed to be implemented - thinking of the poor coders required to create that functionality - until I realized sandboxing is constrained only by the level of virtualization any arbitrary app is constrained to. Setting the virtualization too high breaks the app; it can’t access physical system resources it needs to function.

The CIS sandbox / desktop is NOT a VM, but it is a pretty good emulation of a very close approximation of a VM. One of the issues I have with CIS is that a sandboxed browser that launches Adobe PDF Reader - which inherently runs in its own sandbox - has issues communicating with the “real world”. What is a sandbox inside a sandbox?

What I see with your video - thanks for hosting the one on Vimeo, as the attached one was all aspect-ratio wrapped and garbled - is that you’re on the cusp of having an epiphany about the greater whole of CIS; the question you’re asking demands such inference.
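The two rule sets discussed in the thread (the replier's custom browser policy plus the separate DNS application rule, and the predefined WEB APPLICATION policy) behave differently on unmatched traffic: a custom policy asks the user, while the predefined policy ends in an explicit block. The following is an added example, not code from the thread or from Comodo; it models that first-match evaluation in Python, with constructed zone addresses and an assumed port set for FTP (FTP-PASV is omitted for brevity).

```python
from dataclasses import dataclass
from typing import Optional
ANY = None  # wildcard for a zone or port set

# Network zones and port sets as the thread describes them; the addresses
# are constructed stand-ins (the thread does not give the real ones).
ZONES = {"local_0": {"0.0.0.0"}, "local_127": {"127.0.0.1"},
         "NIC": {"192.168.1.10"}, "DNS": {"192.168.1.1"}}
PORTS = {"HTTP Ports": {80, 81, 443, 8080}, "Adobe RTMP": {843, 1935},
         "dns": {53}, "ftp": {21}}  # "ftp" value assumed for this demo

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    proto: Optional[str]   # "tcp", "udp" or ANY
    src: Optional[str]     # zone name or ANY
    dst: Optional[str]
    sport: Optional[str]   # port-set name or ANY
    dport: Optional[str]

    def matches(self, proto, src, dst, sport, dport):
        return ((self.proto is ANY or self.proto == proto)
                and (self.src is ANY or src in ZONES[self.src])
                and (self.dst is ANY or dst in ZONES[self.dst])
                and (self.sport is ANY or sport in PORTS[self.sport])
                and (self.dport is ANY or dport in PORTS[self.dport]))

# The replier's custom browser policy: first match wins, no match -> alert.
BROWSER_RULES = [
    Rule("allow", "tcp", "local_0", "local_127", ANY, ANY),
    Rule("allow", "tcp", "NIC", ANY, ANY, "HTTP Ports"),
    Rule("allow", "tcp", "NIC", ANY, ANY, "Adobe RTMP"),
]
# The replier's separate DNS application rule (UDP to the resolver zone).
DNS_RULES = [Rule("allow", "udp", "NIC", "DNS", ANY, "dns")]
# The predefined WEB APPLICATION policy: it ends in an explicit block rule,
# so unmatched traffic is dropped silently rather than raising an alert.
WEB_APP_RULES = [
    Rule("allow", ANY, ANY, "local_127", ANY, ANY),
    Rule("allow", "tcp", ANY, ANY, ANY, "HTTP Ports"),
    Rule("allow", "tcp", ANY, ANY, ANY, "ftp"),
    Rule("allow", "udp", ANY, ANY, ANY, "dns"),
    Rule("block", ANY, ANY, ANY, ANY, ANY),
]

def decide(rules, proto, src, dst, sport, dport):
    """First matching rule decides; with no match a custom policy alerts."""
    for r in rules:
        if r.matches(proto, src, dst, sport, dport):
            return r.action
    return "alert"
```

Running the Amazon case from the thread (TCP to port 6667) through both policies shows the difference: the custom browser policy returns "alert", while WEB APPLICATION returns "block".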