There are two ways to prevent the COMODO sandbox from being bypassed by the rootkit.

There are two ways to prevent the COMODO sandbox from being bypassed by the TDSS rootkit.

1.choose Limited



OR

2.right click on the virus and choose "Run in COMODO sandbox"

 

I have mine set to untrusted.

 

Does this mean that it's bypassed in the default 'partially limited' setting .I've not managed to do so with a TDSS sample yet.

 

It's an useful trick even if the sandbox is disabled ?

 

I want to know the same.

 

Re: There are two ways to prevent the COMODO sandbox from being bypassed by the rootk

I want to know the same.

 

Re: There are two ways to prevent the COMODO sandbox from being bypassed by the rootk

I can confirm the OPs findings (although I've tested with first v5 release a while back). With Partially limited as the "sandbox" (hipsbox) setting some TDL samples would get by. Usually there's a RPC/spoolsvc alert from HIPS on default settings, but sometimes (even when retesting with the same sample) there'd be no warning at all and TDL would install (clean image restored after each re-test).

 

Re: There are two ways to prevent the COMODO sandbox from being bypassed by the rootk

I'm sure that the issue you're referring to was addressed a while ago.

 

Re: There are two ways to prevent the COMODO sandbox from being bypassed by the rootk

I'm not sure (maybe you're referring to rogues bypassing CIS?). I've read the OPs thread on the Comodo forum and it's the same issue with latest v5 as with earlier releases by the looks of it.

 

Re: There are two ways to prevent the COMODO sandbox from being bypassed by the rootk

You may well be right,I'll need to read up on it there.I do remember a similar bypass when running the default 'internet security' setting (not with proactive).An update modified the D+ rules to address that particular one.

 

Treat unrecognized files as partially limited

the language of the OS

1.Traditional Chinese

failed to block

2.Simplified Chinese

block successfully

 

According to languy99, he and Egemen have tried it and the rootkit is easily blocked with default configuration.
http://forums.comodo.com/news-annou...ypass-sandbox-partially-limited-t65062.0.html

So what is going on exactky?

LOL this is Comodo.

 

Thats why I have D+ set for untrusted. I had done some testing and realized that things were getting by partially limited. Block all works well too but alot of the time its blocking...well....everything. I would be cursing when a program wouldn't start and then realise that comodo was blocking it.

 

Probably they tested another variant