Windows updates getting sandboxed

I installed latest (1709) Windows 10 Home, latest Comodo CIS (v10.0.2.6396 from offline link), connected to internet, and started doing Windows updates. Some updates got Auto-Sandboxed. I had seen this in the past too - when I try to use auto-sandboxing, all or part of update of Windows (or other programs for that matter) would get auto-sandboxed / auto-contained.

There is a pop up that offers to NOT sandbox NEXT TIME, i.e. in the future, but how come it does not ask me whether to sandbox the FIRST time around? Is there some setting I am missing?

I like the idea of auto sandboxing but my concern is that some updates to windows or allowed apps (and sometimes Windows 10 updates on background when I am not around) will get partially or not applied due to sandboxing.

Any suggestions?

Thanks!

Highly unlikely Windows updates are getting auto-contained. Can you export the containment logs and make sure filter by date and time is set to no filtering? To attach, either change the file extension to .txt or just add the log into a zip folder.

Thanks futuretech. Please see the attached file for details.

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\svchost.exe

are all untrusted files apparently. Virustotal.com does not show issues with any of them.

The log is empty, make sure you right click inside the containment log and select entire period. Do you have trust applications signed by trusted vendors enabled and have cloud lookup enabled as well? Are the listed apps still rated as unrecognized or did they finally get set to trusted? If they are still unrecognized, collect comodo file properties json info by enabling comodo properties page from this here, then navigate to and right-click on one of the windows applications that are rated as unrecognized and select json: dump information for the file and attach.

Sorry, not sure why attachment did not work first time. I think it’s worked now. Please see my previous post - it now has the attachment of 9k+ size.

I have trust applications signed by trusted vendors enabled but not cloud lookup (my computer is offline most times anyway so cloud lookup may not often work + I want to minimize cloud related traffic). The files are now set as trusted: I manually set schtasks.exe as trusted - the other two might have gotten set in another way I guess… ?

Two of the files are not signed: when I look at file properties in Windows Explorer, there is no digital signature tab for schtasks.exe and conhost.exe. I see that svchost.exe is signed by a certificate:

  • Signer Information Name: Microsoft Windows Publisher which is among the trusted vendors
  • date range: 1-year certificate from July 2017 to July 2018
  • issued by (directly) Microsoft Windows Production PCA 2011 (which is NOT on my trusted vendor list), so not sure why that one was not trusted earlier…
  • issued (at the root of chain) by Microsoft Root Certificate Authority 2010

FWIW, on another PC (with Win7 Pro), I see all 3 files as unsigned and I periodically get HIPS popups there with conhost.exe trying to do stuff in response to some of my actions (I think when I install something but don’t recall for sure). In fact, on this Win7 box, when I look at the file list, I see 2 entries for conhost.exe: one is trusted and signed by Microsoft. Another is unsigned, from a couple of days later, and marked as Unrecognized. Both are from the same path, so the current version is the unsigned one… Hmm…

But I don’t mean to confuse the issue… I guess even on clean Win10 conhost.exe seems to be unsigned… Can you check yours? Strange…

I don’t think I have ever seen the digital signature tab for any windows system applications, but you can use sigcheck from sysinternals to verify if they are signed which here on Windows 7 they are:

c:\windows\system32\conhost.exe:
Verified: Signed
Signing date: 1:33 AM 9/15/2017
Publisher: Microsoft Windows
Company: Microsoft Corporation
Description: Console Window Host
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7601.23915
File version: 6.1.7601.23915 (win7sp1_ldr.170913-0600)
MachineType: 64-bit

It is still strange that they are not being rated as trusted.

Can you provide the JSON info of any windows system application that is currently not rated as trusted?
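The reason Explorer shows no Digital Signatures tab for conhost.exe and friends is that most Windows system binaries are catalog-signed (the signature lives in a .cat file under System32\catroot, not inside the PE), which is exactly what sigcheck resolves. The following PowerShell snippet is an added example, not something posted in this thread, that checks the three files named above the same way; it assumes PowerShell 5.1 on Windows 10, where Get-AuthenticodeSignature validates catalog signatures. On Windows 7 the cmdlet may report NotSigned for catalog-signed files, in which case sigcheck remains the reliable check.

```powershell
# Added example (not from the thread): report signature status, signer chain,
# version and SHA256 for the system binaries the thread is discussing.
# Assumption: PowerShell 5.1 on Windows 10 (catalog validation supported).
function Get-SystemFileTrustInfo {
    param(
        [string[]]$Path = @(
            "$env:SystemRoot\System32\conhost.exe",
            "$env:SystemRoot\System32\svchost.exe",
            "$env:SystemRoot\SysWOW64\schtasks.exe"
        )
    )
    foreach ($f in $Path) {
        if (-not (Test-Path -LiteralPath $f)) {
            Write-Warning "Missing: $f"
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $f
        $item = Get-Item -LiteralPath $f
        [pscustomobject]@{
            File          = $f
            Status        = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            SignatureType = $sig.SignatureType     # Catalog for most OS files, Embedded otherwise
            Signer        = $sig.SignerCertificate.Subject
            Issuer        = $sig.SignerCertificate.Issuer
            FileVersion   = $item.VersionInfo.FileVersion
            LastWrite     = $item.LastWriteTime    # distinguishes two builds seen at one path
            SHA256        = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        }
    }
}

# Usage: list the results; a Status other than Valid on an OS file is worth a closer look.
Get-SystemFileTrustInfo | Format-List
```

The Issuer field will show the intermediate (for example the "Microsoft Windows Production PCA 2011" seen earlier in the thread), not the root; vendor allow-lists that match on the leaf publisher name work regardless of which intermediate issued the certificate. The SHA256 hash is what a VirusTotal lookup keys on, so it can be pasted there without uploading the file.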

Ok, so looking at my Win7 C:\Windows\System32\conhost.exe… Sigcheck results

c:\windows\system32\conhost.exe:
Verified: Signed
Signing date: 5:54 PM 9/14/2017
Publisher: Microsoft Windows
Company: Microsoft Corporation
Description: Console Window Host
Product: Microsoft® Windows® Operating System
Prod version: 6.1.7601.23915
File version: 6.1.7601.23915 (win7sp1_ldr.170913-0600)
MachineType: 64-bit
Binary Version: 6.1.7601.23915
Original Name: CONHOST.EXE
Internal Name: ConHost
Copyright: © Microsoft Corporation. All rights reserved.
Comments: n/a
Entropy: 6.233

Also attaching json (renamed as txt)

Thank you for looking into this!

For some reason CIS is not seeing the certificate. Can you try removing conhost from the file list, press OK to save changes, then launch cmd.exe, which will also execute conhost, then check the file list to see if conhost is set to trusted automatically?

Win 7 box:

Removed both conhost.exe entries from the list (old trusted and newer not-trusted). Started command prompt (and even executed cmd.exe from within it too for good measure). conhost.exe got added as unrecognized to the file list. I reconfirmed this in View Logs → “File List Changes”. The logs show both, my manual removal of 2 conhost files, and comodo then adding conhost.exe when I ran the cmd.exe. It shows Old Value and New Value as blank on that history screen. As I mentioned though, it got added as “Unrecognized” in the File List.

I pretty much expected this behavior from what we know so far. What I got surprised about is that I never got a pop-up asking me whether I want to allow cmd.exe to run… ?! If it does not think the file is recognized, why did HIPS not ask me this time if I want to run Command Prompt? I checked the HIPS events log, and it does not say anything about conhost or anything interesting about me running cmd.exe. HIPS is in Safe mode. Overall, Comodo is in the Proactive Security configuration.

Win 10 box:

This is where conhost.exe got to be trusted somehow. I tried same experiment and here Comodo recognized conhost and auto-added it as Trusted… but while looking at File List Changes logs, I see that there are a bunch of entries with path

“MemCompressionskVolume4/Wind” (yes, that’s the full Path) added by Comodo with Trusted rating

Some of these entries even have what looks like Chinese/Japanese/Korean symbol after “Wind”. I Googled but could not find anywhere what these things are. 6-7 of these entries appear to be logged every day, sometimes minutes apart. Sorry for piggybacking on the other question, but any idea on what these are?

Weird, sounds like a corrupt install, and the foreign characters issue sounds like the path is not being properly null-terminated so whatever is in memory is being displayed in the file path. I would uninstall and run this removal tool (make sure to use run as administrator right-click context-menu) then install using the offline installer. Just to check, do you have any other 3rd party security software installed that might be causing incompatibilities?

Hi futuretech,

Sorry, which one is the corrupt install? Win7 or Win10?

Win 10
I assume you mean the Win 10 one. I also run Avira Antivirus there.

fwiw, both were done using offline installers already.

One other thing I just noticed regarding Win 10 install is that under Settings → Windows Defender → Windows Defender Security Center → it says Windows Defender Firewall is not active because you’re using other providers

BUT under Control Panel → Security and Maintenance → Security section → it says Windows firewall and Comodo firewall are both turned on. Note that running more than one firewall at a time can cause conflicts.

So, which part of Windows is lying?

In my Services, I see both Windows Defender Firewall and Windows Defender Antivirus Service as Auto and Running, but not sure if that means much since, for example, Windows Defender Antivirus is reported to be off by both paths, via Settings and Control Panel, even though its corresponding service is running (maybe for periodic scans though, which I have on).

Win 7

Any ideas regarding Win7? Why is that file not trusted and HIPS does not check with me when I run cmd.exe on whether to run conhost.exe?
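The two firewall indications above come from different sources: the Settings page reads what third-party products have registered with Windows Security Center (WSC), while the Control Panel reads the built-in firewall engine's own per-profile state, and a running MpsSvc service tells you neither. The following PowerShell snippet is an added example, not from this thread, that queries all three directly; it assumes Windows 10 with PowerShell 5.1, and the productState decoding follows the commonly documented bit layout rather than an official Microsoft specification.

```powershell
# Added example (not from the thread): reconcile "Windows Firewall is off because
# you use another provider" with "Windows Firewall and Comodo Firewall are both on".
# Assumption: Windows 10, PowerShell 5.1; NetSecurity module available.

# 1. The built-in engine's view: enabled flag per profile (Domain/Private/Public).
function Get-BuiltinFirewallState {
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    } else {
        Write-Warning 'NetSecurity module not available (Windows 7): use netsh advfirewall show allprofiles'
    }
}

# 2. Security Center's view: every firewall product registered with WSC.
#    productState is a bit field; by the commonly documented layout (assumption),
#    the hex digit at bits 12-15 is 1 when the product reports itself enabled.
function Get-RegisteredFirewallProducts {
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.displayName
                StateHex = ('0x{0:X6}' -f $_.productState)
                Enabled  = ((($_.productState -shr 12) -band 0xF) -eq 1)
                Exe      = $_.pathToSignedProductExe
            }
        }
}

# 3. Service state only: running does not imply filtering is active.
function Get-SecurityServiceState {
    Get-Service -Name MpsSvc, WinDefend -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

Get-BuiltinFirewallState      | Format-Table -AutoSize
Get-RegisteredFirewallProducts | Format-Table -AutoSize
Get-SecurityServiceState       | Format-Table -AutoSize
```

If the built-in profiles show Enabled=True while a third-party product is also registered as enabled in WSC, both are filtering at once, which is the "more than one firewall" situation the Control Panel warning refers to; the usual fix is to disable the built-in profiles (or let the third-party installer do so) rather than stopping MpsSvc, which other Windows components depend on.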

Yes the Win10 install is probably corrupt or it is an Avira conflict. You can try latest version here that is set to go live tomorrow the 13th. As for the issue on Win7 I have no idea, do you happen to already have HIPS rules for cmd or conhost?