A virus passes Sandboxie

Discussion in 'sandboxing & virtualization' started by a256886572008, Oct 24, 2009.

Thread Status:
Not open for further replies.
  1. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    Here is another thread highlighting Comodo and Sandboxie's interactions. According to the OP and a few of the posters who could replicate it, Comodo does copy files outside the sandbox. It's interesting reading and you'll probably notice some similarities with this thread.

    http://sandboxie.com/phpbb/viewtopi...t=comodo&sid=858d1844a8ae7057002b548221bbe7f6

    And then read this one too, added by Doodler, earlier in the thread. Same issues.

    http://www.sandboxie.com/phpbb/viewt...ghlight=comodo
     
    Last edited: Oct 26, 2009
  2. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    I agree. It's not just with Comodo. Although Comodo does seem to be the most frequent offender of this type, I've noted the posts from other users who have different security programs that are also assisting sandboxed files to move out of their secure space (Malware Defender, etc.). In moving the files for their own purposes, to scan, quarantine, or whatever, they are inadvertently controverting Sandboxie's strong user protections.

    As noted in the Sandboxie forum threads, some of these files will not drop or create other files while stored and executed in the sandbox, but once they break out and are executed, they can. That fact should probably be a concern to anybody running Sandboxie alongside some of these other apps - especially on family computers.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Actually, anti-rootkit programs do tell you which hooks, for instance, are 'trapped' by which programs. In general it is a good idea to have the least possible overlap, since not all programmers check whether they pass the info on correctly after their own program has executed.

    Regards Kees
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I was quoting, because I agree with you that 'too many cooks spoil the soup'.

    Some anti-rootkits also show what is owned by whom in the SSDT, but there are more which provide info like that: Process Hacker or the Sysinternals suite.

    SuRun also sets hooks. So it is also part of your real system.


    Cheers Kees
     
  5. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Thanks for running these tests, SSJ. I hope "Nothing created on Real system" applies to Malware Defender as well.
     
  6. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Has the conflict with Avira been fixed or does it still exist?
    Thanks.
    Hugger
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Malware Defender will successfully control vvv.exe, sandboxed or unsandboxed, with or without XueTr resident.
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    It's more efficient to put MD in Learning Mode and observe the logging.

    It is. The real system is untouched when running vvv.exe sandboxed (3.40) + MD 2.4.1 beta 3 without XueTr resident.
     
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Great! Thanks. I'm curious as to what it is with XueTr that causes this then. Guess we'll have to wait for TZUK to investigate.
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Quoting tzuk's latest post on the XueTr issue:

     