A virus pass sandboxie

a256886572008 · #1 October 24th, 2009, 11:30 PM

There are two anti-malware programs in my computer.

COMODO Firewall 3.12.111745.560

Sandboxie 3.40

XP SP3,NTFS

1.I execute a virus with sandboxed.

2.COMODO displays an alert"virus access the memory of explorer.exe"

3.I click allow

4.The virus pass sandbpxie,because it creat a file
"C:\WINDOWS:svchost.com"
out of the sandbox

--------------
Then, I unistall COMODO Firewall.

The virus can not pass sanboxie.

jmonge · #2 October 24th, 2009, 11:38 PM

Quote:

Originally Posted by a256886572008

There are two anti-malware programs in my computer.

COMODO Firewall 3.12.111745.560

Sandboxie 3.40

1.I execute a virus with sandboxed.

2.COMODO displays an alert"virus access the memory of explorer.exe"

3.I click allow

4.The virus pass sandbpxie,because it creat a file
"C:\WINDOWS:svchost.com"
out of the sandbox

--------------
Then, I unistall COMODO Firewall.

The virus can not pass sanboxie.

did you delete the sandbox?

subset · #3 October 24th, 2009, 11:38 PM

Keep Sandboxie.

Cheers

jmonge · #4 October 24th, 2009, 11:40 PM

Quote:

Originally Posted by subset

Keep Sandboxie.

Cheers

i mean if he delete the sandbox the virus will be gone

Peter2150 · #5 October 24th, 2009, 11:57 PM

Check the sandboxie forum. I believe there was an issue between Comodo stuff and Sandboxie.

I agree that I'd keep Sandboxie myself.

Doodler · #6 October 25th, 2009, 12:12 AM

Quote:

Originally Posted by a256886572008

There are two anti-malware programs in my computer.
COMODO Firewall 3.12.111745.560
Sandboxie 3.40
1.I execute a virus with sandboxed.
2.COMODO displays an alert"virus access the memory of explorer.exe"
3.I click allow
4.The virus pass sandbpxie,because it creat a file
"C:\WINDOWS:svchost.com"
out of the sandbox
--------------
Then, I unistall COMODO Firewall.
The virus can not pass sanboxie.

Quote:

Originally Posted by Peter2150

Check the sandboxie forum. I believe there was an issue between Comodo stuff and Sandboxie.

Be sure to read the entire thread: http://www.sandboxie.com/phpbb/viewt...ghlight=comodo

nick s · #7 October 25th, 2009, 12:13 AM

There was a similar issue when testing some of Matousec's POCs sandboxed with Malware Defender present. The POCs would bypass Sandboxie when Malware Defender was installed. Uninstalling Malware Defender was the only workaround at the time. Tzuk fixed the issue with 3.40. I would post your findings at the Sandboxie forum along with a link to your sample.

cheater87 · #9 October 25th, 2009, 12:26 AM

What if you have only some programs be the only programs allowed to run in Sandboxie? I'm sure that will stop this problem.

reinwald · #11 October 25th, 2009, 12:49 AM

thats way sandboxie is the best

cheater87 · #12 October 25th, 2009, 01:02 AM

Heh take that malware.

ccomputertek · #13 October 25th, 2009, 01:26 AM

Quote:

Originally Posted by a256886572008

There are two anti-malware programs in my computer.

COMODO Firewall 3.12.111745.560

Sandboxie 3.40

1.I execute a virus with sandboxed.

2.COMODO displays an alert"virus access the memory of explorer.exe"

3.I click allow

4.The virus pass sandbpxie,because it creat a file
"C:\WINDOWS:svchost.com"
out of the sandbox

--------------
Then, I unistall COMODO Firewall.

The virus can not pass sanboxie.

Isn't this the same guy who allways posting links directly to viruses, trying to get members of this forum infected ? check his post history, I'm pretty sure it's the same guy.That being said, who really cares if he got a virus on his PC ? I for one could care less

reinwald · #14 October 25th, 2009, 01:32 AM

well looking again at his username.. looks kind a fishy already!

a256886572008 · #16 October 25th, 2009, 02:06 AM

Which one is your file system?

NTFS FAT32

SammyJack · #17 October 25th, 2009, 02:11 AM

That's it!! Dump a full clip of hollow points on the messenger!!

No,seriously,I have never understood why people post these "I have found a giant hole in,or this maleware owns, Sandboxie,Returnil,DefenceWall,etc!!"
Threads here,before they raise the issue at the website-forum of the application concerned.
If the issue is real,it will be from there, it is solved.

a256886572008 · #19 October 25th, 2009, 02:30 AM

Finally, I find that it can not pass sandboxie with COMODO installed.

Becase I use the anti-rookit program "Xue Tr",
the virus can pass sandboxie at this time.

http://i234.photobucket.com/albums/e...2008/vv1-1.png

nick s · #20 October 25th, 2009, 02:56 AM

Quote:

Originally Posted by a256886572008

Finally, I find that it can not pass sandboxie with COMODO installed.

Becase I use the anti-rookit program "Xue Tr",
the virus can pass sandboxie at this time.

http://i234.photobucket.com/albums/e...2008/vv1-1.png

Thanks for the sample. I already have vvv.exe and tested it a few months ago against Sandboxie + Malware Defender (Sandboxie and/vs. Malware Defender). I will make some time tomorrow to play with XueTr + other apps.

Cadillakin · #21 October 25th, 2009, 09:13 AM

Quote:

Originally Posted by a256886572008

There are two anti-malware programs in my computer.

COMODO Firewall 3.12.111745.560

Sandboxie 3.40

XP SP3,NTFS

1.I execute a virus with sandboxed.

2.COMODO displays an alert"virus access the memory of explorer.exe"

3.I click allow

4.The virus pass sandbpxie,because it creat a file
"C:\WINDOWS:svchost.com"
out of the sandbox

--------------
Then, I unistall COMODO Firewall.

The virus can not pass sanboxie.

When you click "allow", you are letting Comodo take control of that file and remove it from Sandboxie's protection. Comodo is doing what you wouldn't normally allow - it is taking an infected file out of the secure sandbox and moving it to your real hard drive. Sandboxie does not prevent a user from moving files out of the sandbox. This process is called "recovery" and is normally used when a downloaded file has been deemed safe to move on to the real hard drive.

Rule #1 for Sandboxie. We don't ourselves move programs out of the sandbox and execute them unless we are reasonably certain that they are safe.
Rule #2 for Sandboxie. We don't allow programs on our computer to move programs out of the sandbox and/or execute them unless we are reasonably certain they are safe.

Hugger · #22 October 25th, 2009, 10:16 AM

Clicking allow should not mean that the end user is letting any program dictate actions to SB.
That just does not make sense.

"Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. "

I don't understand why people are saying it's user error when SB has allowed another program, in this case Comodo, to recover a file.
Also, telling people to modify propgrams to stop this action would leave the novice or average user, those not involved in this forum, in the position of not being protected properly.

I use SB paid and enjoy the protection it affords. But the posts here and at the SB forum which was linked to in this thread do make me feel vulnerable.
Nothing should be able to get to my drive when I'm running SB.
However, I also know that Tzuk is fantastic about addressing problems.
Hugger

Cadillakin · #23 October 25th, 2009, 10:31 AM

Quote:

Originally Posted by Hugger

Clicking allow should not mean that the end user is letting any program dictate actions to SB.
That just does not make sense.

"Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. "

Doesn't make sense to you, perhaps..

Sandboxie only controls the sandbox and what is initiated from within. It doesn't make the user smart, nor does it prevent the user from doing things to harm their own computer. If you take something out of the sandbox or allow other programs to take something out of the sandbox, all bets are off. These actions referred to in this thread are not occuring remotely, by outside users or those interested in doing you harm..The actions of Comodo in this instance are essentially user-initiated or user-condoned actions - imo not much different than allowing a batch file to copy files out of your sandbox...

If you allowed a batch file to copy files out of the sandbox, I would say you were foolish to do so.. I wouldn't blame it on Sandboxie... And if you allow Comodo to do the same thing, I say the same thing.... It's your fault.

Hugger · #24 October 25th, 2009, 12:27 PM

Cadillakin,
I understand what you are saying.
But 'or allow other programs to take something out of the sandbox' is where I have a problem.
When I read the SB web site and then read your statement I think that they are conflicting statements.
Sandboxie has it's control over what goes to the hard drive.
Shouldn't that be the only way for SB to be manipulated?
Thanks.
Hugger

Scoobs72 · #25 October 25th, 2009, 12:28 PM

Quote:

Originally Posted by Cadillakin

Doesn't make sense to you, perhaps..

Doesn't make sense to me either. Clicking 'allow' on Comodo is surely allowing the action that would otherwise have occurred without Comodo installed. I don't see any "actions of Comodo". Clicking allow means "don't take any action" for Comodo. The virus was initiated from within the sandbox after all.

EDIT: or are you saying that by clicking "allow" then Comodo proactively performs the action that would otherwise have been allowed? i.e. it didn't just suspend the action.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search