So the trusted sample now blacklisted 
Comodo FW bypass malware the sandbox (sandbox hips off + on) and voodooshield (autopilot)
- Thread starter Davidov
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Nov 19, 2014
- 2,350
I see. Their summary is flawed then. It should have shown last human expert analyst feedback date.Click on "Human Expert Analysis" tab.
Human Expert Analysis Results
Analysis Start Date: 2016-10-22 22:32:14 ( 8 days ago )
Analysis End Date: 2016-10-22 22:46:34 ( 8 days ago )
File Upload Date: 2016-10-22 20:25:13 ( 8 days ago )
Update Date: 2016-10-30 17:50:55 ( 26 minutes ago )
Human Expert Analyst Feedback: malware
Verdict: Malware
Comodo sandbox is much more sophisticated than Sandboxie. If someone can bypass Comodo Sandbox (which most likely evolves around real virtualisation via utilisation of Intel VM-x/AMD SVM - like a real virtual machine does) then they can bypass Sandboxie.Sandboxie is the answer
Believe it or not, Sandboxie mostly evolves around user-mode API hooks via DLL injection (like HIPS normally works) and redirects the functions from it's own callback, whilst running the program under a different user account - those sort of things. I doubt it utilises any real virtualisation for it's sandboxing.
I know how sandboxie works, that's why I said +Qihoo.
Title of this thread: "Comodo FW bypass the Sandbox...", first part of your post: "Sandboxie is the answer".
Maybe I just misunderstood what you really meant at first, but how I read your post is telling me that you said Sandboxie would be a better alternate to Comodo Sandbox in terms of security (since this is about a bypass).
Sorry if I misunderstood you.
- Sep 9, 2012
- 470
I tried a sample of Sandboxie and outside the video, everything was ok but if you delete trustworthy supplier in Comodo will take all OK. Comodo's whitelist leaky power suppliers and unfortunately had vetted.Title of this thread: "Comodo FW bypass the Sandbox...", first part of your post: "Sandboxie is the answer".
Maybe I just misunderstood what you really meant at first, but how I read your post is telling me that you said Sandboxie would be a better alternate to Comodo Sandbox in terms of security (since this is about a bypass).
Sorry if I misunderstood you.
@Wave should I reming you some of my PMs
Comodo let any file run if the file verdict is "safe". You can the file in Comodo sandbox manually, just like you did with Sandboxie.
- Sep 9, 2012
- 470
They had to react quickly to the public thing what if this technique nini exploits against corporations using Comodo .-)))
- Sep 9, 2012
- 470
But if you trust AutoSandbox so in this case you .....come off badly .-))@Wave should I reming you some of my PMs
Comodo let any file run if the file verdict is "safe". You can the file in Comodo sandbox manually, just like you did with Sandboxie.
- Nov 19, 2014
- 2,350
It should be automatic and showing the date of the last verdict. If it's not automatic then it should become automatic. Anw not really important. What i want to know is why the first guy marked it as safe but i am sure no Comodo guy will appear here and tell me.
This is why we have "layered" configurations > CIS
- Sep 9, 2012
- 470
Currently it too me wonder why voodooshield dissembled also lock down hath not such a big whitelist or that it had any same location for collecting data ?? Possible given it out for us men to send him a sample.
- Jul 3, 2015
- 8,153
what layer of CIS would have blocked it, if it had trusted status?
You can keep HIPS and Virsucope enabled.
Deselct the option on "Viruscope Settings" #Analyze only sandboxed process
So Virucope will checking its actions. and good new, Viruscope in CIS 10 is more powerful than CIS 8
- Jul 3, 2015
- 8,153
I can only hope that Viruscope would catch it, because if it has trusted status, then HIPS will stay pretty quiet
Title of this thread: "Comodo FW bypass the Sandbox...", first part of your post: "Sandboxie is the answer".
Maybe I just misunderstood what you really meant at first, but how I read your post is telling me that you said Sandboxie would be a better alternate to Comodo Sandbox in terms of security (since this is about a bypass).
Sorry if I misunderstood you.
It is, if you download and install Sandboxie and then download the sample and test it you will see mod edit. I also said Qihoo because it has amazing HIPS/BB so if anything will bypass Qihoo will get it.
I can't believe you just said this... You clearly don't understand how Sandboxie said like you said you did or you wouldn't have said this.
Hmm... I will explain a bit about how Sandboxie works for you:
When Sandboxie runs a program "isolated" it will be executed under a different user account (NT AUTHORITY\ANONYMOUS LOGON). There will be a DLL injected into the address space of this process called SbieDll.dll: Snaggy - easy screenshots
Snaggy - easy screenshots (program being isolated will be under this account also)
Within this DLL (SbieDll.dll) there is an exported function called SbieDll_Hook: Snaggy - easy screenshots - this function is used to hook many functions, even MessageboxA and MessageBoxW (to my surprise).
This SbieDll_Hook function takes in 3 parameters (char*, __int64 and __int64) - __int64 are real data types but I'd have to check the plugin definitions in IDA Pro for more information.
It hooks so many functions it would take me a long time to make you a list. It hooks not only NTAPI functions but many Win32 functions also.
As well as this, Sandboxie has a device driver which it talks to.
Snaggy - easy screenshots (program being isolated will be under this account also)
Within this DLL (SbieDll.dll) there is an exported function called SbieDll_Hook: Snaggy - easy screenshots - this function is used to hook many functions, even MessageboxA and MessageBoxW (to my surprise).
This SbieDll_Hook function takes in 3 parameters (char*, __int64 and __int64) - __int64 are real data types but I'd have to check the plugin definitions in IDA Pro for more information.
It hooks so many functions it would take me a long time to make you a list. It hooks not only NTAPI functions but many Win32 functions also.
As well as this, Sandboxie has a device driver which it talks to.
Have you read the information in the above spoiler? If not read it, then continue reading. Now you have read the spoiler, I will re-explain myself:
Let's go through this together say on case you didn't read the above properly:
1. Comodo Sandbox should work via real virtualisation methods (real virtualisation - utilisation of VT-X technology for example).
2. Sandboxie evolves around user-mode hooking like a BB/HIPS system
Therefore, if someone knows how to bypass the Comodo Sandbox, they will also know how to bypass Sandboxie. At NO point did I say the sample will also bypass Sandboxie (the one used in this video). I just stated that Comodo Sandbox is much more sophisticated than Sandboxie due to how the technology works, and that if someone is experienced enough to write code to bypass Comodo Sandbox, they'll know how to bypass Sandboxie also.
I neither even said that the sample in this video did bypass Comodo sandbox. I just replied to your post which implies you are claiming Sandboxie is better in terms of protection:
Sandboxie is the answer
Regardless of what you meant in your post:
Also, if you can bypass Sandboxie hooks you can bypass Qihoo the EXACT same way...
Are we on the same page now?
I hope we are, because if we aren't it's too bad, I'm done with this thread... If you don't want to believe me or think I am stupid then that's fine, but it's your loss.
If you think you are the expert and know how things work then please feel free to explain to me how both products work so you can help my knowledge instead, because if I am wrong, it'd be nice for you to correct me and explain why I am wrong instead of just saying I know nothing and assuming you are right.
- Jul 3, 2015
- 8,153
when I install new programs that are trusted, autosandbox and HIPS are both silent. This is in proactive mode.
I am really tired about explaining simple things again and again.
mod edit
This discussion was about Comodo, I quoted you about what you said to explain how Comodo was more advanced than Sandboxie based on how the internals work and how a cat fight has started up which isn't needed because you didn't believe me.
I've just tried to correct you and explain why Comodo is better in terms of how it works but you don't care. You are just interested in causing trouble and you've done this elsewhere in past few weeks... Little posts directed at me, your friends stalking me..
Let's end this now before the thread gets closed.
This discussion was about Comodo, I quoted you about what you said to explain how Comodo was more advanced than Sandboxie based on how the internals work and how a cat fight has started up which isn't needed because you didn't believe me.
I've just tried to correct you and explain why Comodo is better in terms of how it works but you don't care. You are just interested in causing trouble and you've done this elsewhere in past few weeks... Little posts directed at me, your friends stalking me..
Let's end this now before the thread gets closed.