There are two ways to prevent the COMODO sandbox from being bypassed by the rootkit.
a256886572008
November 13th, 2010, 07:12 AM
There are two ways to prevent the COMODO sandbox from being bypassed by the TDSS rootkit.
1. Choose Limited
OR
2. Right-click on the virus and choose "Run in COMODO sandbox"
cheater87
November 13th, 2010, 09:23 AM
I have mine set to untrusted.
andyman35
November 13th, 2010, 09:32 AM
Does this mean that it's bypassed in the default 'partially limited' setting? I've not managed to do so with a TDSS sample yet.
blacknight
November 13th, 2010, 09:50 AM
Is it a useful trick even if the sandbox is disabled?
aigle
November 13th, 2010, 04:54 PM
-{ Quote: "Does this mean that it's bypassed in the default 'partially limited' setting? I've not managed to do so with a TDSS sample yet." }-
I want to know the same.
3x0gR13N
November 13th, 2010, 05:23 PM
I can confirm the OP's findings (although I've tested with the first v5 release a while back). With Partially Limited as the "sandbox" (hipsbox) setting, some TDL samples would get by. Usually there's an RPC/spoolsvc alert from HIPS on default settings, but sometimes (even when retesting with the same sample) there'd be no warning at all and TDL would install (clean image restored after each re-test).
andyman35
November 13th, 2010, 05:57 PM
-{ Quote: "I can confirm the OP's findings (although I've tested with the first v5 release a while back). With Partially Limited as the "sandbox" (hipsbox) setting, some TDL samples would get by. Usually there's an RPC/spoolsvc alert from HIPS on default settings, but sometimes (even when retesting with the same sample) there'd be no warning at all and TDL would install (clean image restored after each re-test)." }-
I'm sure that the issue you're referring to was addressed a while ago.
3x0gR13N
November 13th, 2010, 06:06 PM
-{ Quote: "I'm sure that the issue you're referring to was addressed a while ago." }-
I'm not sure (maybe you're referring to rogues bypassing CIS?). I've read the OP's thread on the Comodo forum and it's the same issue with the latest v5 as with earlier releases, by the looks of it.
andyman35
November 13th, 2010, 09:45 PM
-{ Quote: "I'm not sure (maybe you're referring to rogues bypassing CIS?). I've read the OP's thread on the Comodo forum and it's the same issue with the latest v5 as with earlier releases, by the looks of it." }-
You may well be right, I'll need to read up on it there. I do remember a similar bypass when running the default 'internet security' setting (not with proactive). An update modified the D+ rules to address that particular one.
a256886572008
November 13th, 2010, 10:50 PM
Treat unrecognized files as Partially Limited, by language of the OS:
1. Traditional Chinese: failed to block
2. Simplified Chinese: blocked successfully
:ouch: :ouch:
smage
November 14th, 2010, 05:12 AM
According to languy99, he and Egemen have tried it and the rootkit is easily blocked with the default configuration.
http://forums.comodo.com/news-announcements-feedback-cis/bypass-sandbox-partially-limited-t65062.0.html
So what is going on exactly?
LOL this is Comodo.
kjdemuth
November 14th, 2010, 11:54 AM
That's why I have D+ set to Untrusted. I had done some testing and realized that things were getting by Partially Limited. Block All works well too, but a lot of the time it's blocking... well... everything. I would be cursing when a program wouldn't start and then realise that Comodo was blocking it.
Noob
November 14th, 2010, 03:01 PM
Probably they tested another variant. ::)
Copyright ©2002 - 2012, Wilders Security Forums