A virus pass sandboxie

There are two anti-malware programs in my computer.

COMODO Firewall 3.12.111745.560

Sandboxie 3.40

XP SP3,NTFS

1.I execute a virus with sandboxed.

2.COMODO displays an alert"virus access the memory of explorer.exe"

3.I click allow

4.The virus pass sandbpxie,because it creat a file
"C:\WINDOWS:svchost.com"
out of the sandbox

--------------
Then, I unistall COMODO Firewall.

The virus can not pass sanboxie.

 

did you delete the sandbox?

 

Keep Sandboxie.

Cheers

 

i mean if he delete the sandbox the virus will be gone

 

Be sure to read the entire thread: http://www.sandboxie.com/phpbb/viewtopic.php?t=5253&highlight=comodo

 

There was a similar issue when testing some of Matousec's POCs sandboxed with Malware Defender present. The POCs would bypass Sandboxie when Malware Defender was installed. Uninstalling Malware Defender was the only workaround at the time. Tzuk fixed the issue with 3.40. I would post your findings at the Sandboxie forum along with a link to your sample.

 

What if you have only some programs be the only programs allowed to run in Sandboxie? I'm sure that will stop this problem.

 

thats way sandboxie is the best

 

Heh take that malware.

 

Isn't this the same guy who allways posting links directly to viruses, trying to get members of this forum infected ? check his post history, I'm pretty sure it's the same guy.That being said, who really cares if he got a virus on his PC ? I for one could care less

 

well looking again at his username.. looks kind a fishy already!

 

Which one is your file system?

NTFS FAT32

 

That's it!! Dump a full clip of hollow points on the messenger!!

No,seriously,I have never understood why people post these "I have found a giant hole in,or this maleware owns, Sandboxie,Returnil,DefenceWall,etc!!"
Threads here,before they raise the issue at the website-forum of the application concerned.
If the issue is real,it will be from there, it is solved.

 

Finally, I find that it can not pass sandboxie with COMODO installed.

Becase I use the anti-rookit program "Xue Tr",
the virus can pass sandboxie at this time.

http://i234.photobucket.com/albums/ee153/a256886572008/vv1-1.png

 

Thanks for the sample. I already have vvv.exe and tested it a few months ago against Sandboxie + Malware Defender (Sandboxie and/vs. Malware Defender). I will make some time tomorrow to play with XueTr + other apps.

 

When you click "allow", you are letting Comodo take control of that file and remove it from Sandboxie's protection. Comodo is doing what you wouldn't normally allow - it is taking an infected file out of the secure sandbox and moving it to your real hard drive. Sandboxie does not prevent a user from moving files out of the sandbox. This process is called "recovery" and is normally used when a downloaded file has been deemed safe to move on to the real hard drive.

Rule #1 for Sandboxie. We don't ourselves move programs out of the sandbox and execute them unless we are reasonably certain that they are safe.
Rule #2 for Sandboxie. We don't allow programs on our computer to move programs out of the sandbox and/or execute them unless we are reasonably certain they are safe.

 

Clicking allow should not mean that the end user is letting any program dictate actions to SB.
That just does not make sense.

"Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. "

I don't understand why people are saying it's user error when SB has allowed another program, in this case Comodo, to recover a file.
Also, telling people to modify propgrams to stop this action would leave the novice or average user, those not involved in this forum, in the position of not being protected properly.

I use SB paid and enjoy the protection it affords. But the posts here and at the SB forum which was linked to in this thread do make me feel vulnerable.
Nothing should be able to get to my drive when I'm running SB.
However, I also know that Tzuk is fantastic about addressing problems.
Hugger

 

Doesn't make sense to you, perhaps..

Sandboxie only controls the sandbox and what is initiated from within. It doesn't make the user smart, nor does it prevent the user from doing things to harm their own computer. If you take something out of the sandbox or allow other programs to take something out of the sandbox, all bets are off. These actions referred to in this thread are not occuring remotely, by outside users or those interested in doing you harm..The actions of Comodo in this instance are essentially user-initiated or user-condoned actions - imo not much different than allowing a batch file to copy files out of your sandbox...

If you allowed a batch file to copy files out of the sandbox, I would say you were foolish to do so.. I wouldn't blame it on Sandboxie... And if you allow Comodo to do the same thing, I say the same thing.... It's your fault.

 

Cadillakin,
I understand what you are saying.
But 'or allow other programs to take something out of the sandbox' is where I have a problem.
When I read the SB web site and then read your statement I think that they are conflicting statements.
Sandboxie has it's control over what goes to the hard drive.
Shouldn't that be the only way for SB to be manipulated?
Thanks.
Hugger

 

Doesn't make sense to me either. Clicking 'allow' on Comodo is surely allowing the action that would otherwise have occurred without Comodo installed. I don't see any "actions of Comodo". Clicking allow means "don't take any action" for Comodo. The virus was initiated from within the sandbox after all.

EDIT: or are you saying that by clicking "allow" then Comodo proactively performs the action that would otherwise have been allowed? i.e. it didn't just suspend the action.

 

Tried it out and Avast alerted me to a virus and had me disconnect.

 

Interesting follow-up post by TZUK http://www.sandboxie.com/phpbb/viewtopic.php?t=6516

 

Your understanding is definitely wrong. Comodo is neither taking any control nor it,s moving the file anywhere. Allow only means that it,s allowing the said application to access explorer.exe in memory. That,s all.

 

I can confirm what you see. If I execute XueTr before I run vvv.exe sandboxed (on a clean XP SP3), LADS and GMER will detect new alternate data streams. The real registry is written to as well...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5C866437-FC0B-FAE8-6D9C-920BD098F52B}]
"StubPath"="C:\\WINDOWS:svchosv.com"