A post by @cruelsister today on malwaretips.com mentions data stealers and SBIE. Link here: https://malwaretips.com/threads/comodo-firewall-component-being-ignored.122497/post-1036735

This is an excerpt:

Question for @cruelsister or @DavidXanatos or others: If one has proper start/run restrictions in place in a sandbox, how can a data stealer (downloaded into that sandbox) spawn anything, since it cannot run (due to those restrictions) in the first place?
If it's able to run, then I suppose it can spawn other processes. But if you have configured start/run restrictions, it shouldn't even be able to run in the protected sandbox, no matter whether it's launched by the user or by an exploit.