There are two ways to prevent the COMODO sandbox from being bypassed by the rootkit.

Discussion in 'other anti-malware software' started by a256886572008, Nov 13, 2010.

Thread Status:
Not open for further replies.
  1. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    There are two ways to prevent the COMODO sandbox from being bypassed by the TDSS rootkit.

    1.choose Limited

    tdss7.png

    OR

    2.right click on the virus and choose "Run in COMODO sandbox"

    tdss8.png
     
  2. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    I have mine set to untrusted.
     
    Last edited: Nov 13, 2010
  3. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Does this mean that it's bypassed in the default 'partially limited' settingo_O .I've not managed to do so with a TDSS sample yet.
     
  4. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    It's an useful trick even if the sandbox is disabled ?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I want to know the same.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: There are two ways to prevent the COMODO sandbox from being bypassed by the rootk

    I want to know the same.
     
  7. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Re: There are two ways to prevent the COMODO sandbox from being bypassed by the rootk

    I can confirm the OPs findings (although I've tested with first v5 release a while back). With Partially limited as the "sandbox" (hipsbox) setting some TDL samples would get by. Usually there's a RPC/spoolsvc alert from HIPS on default settings, but sometimes (even when retesting with the same sample) there'd be no warning at all and TDL would install (clean image restored after each re-test).
     
  8. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Re: There are two ways to prevent the COMODO sandbox from being bypassed by the rootk

    I'm sure that the issue you're referring to was addressed a while ago.
     
  9. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Re: There are two ways to prevent the COMODO sandbox from being bypassed by the rootk

    I'm not sure (maybe you're referring to rogues bypassing CIS?). I've read the OPs thread on the Comodo forum and it's the same issue with latest v5 as with earlier releases by the looks of it.
     
  10. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Re: There are two ways to prevent the COMODO sandbox from being bypassed by the rootk

    You may well be right,I'll need to read up on it there.I do remember a similar bypass when running the default 'internet security' setting (not with proactive).An update modified the D+ rules to address that particular one.
     
  11. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Treat unrecognized files as partially limited

    the language of the OS

    1.Traditional Chinese

    failed to block

    2.Simplified Chinese

    block successfully

    :ouch: :ouch:
     
  12. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    377
  13. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Thats why I have D+ set for untrusted. I had done some testing and realized that things were getting by partially limited. Block all works well too but alot of the time its blocking...well....everything. I would be cursing when a program wouldn't start and then realise that comodo was blocking it.
     
  14. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Probably they tested another variant :rolleyes:
     
Loading...
Thread Status:
Not open for further replies.