Advice Request Comodo latest version vs Gruel


LuciferSam

Level 1
Thread author
Verified
Feb 19, 2014
27
Hello there,
I was testing the auto-sandbox against Gruel on a VM with Win 7 64 bit, but even though the only rule for the auto-sandbox was "fully virtualized" with the restriction "not safe", Comodo put the file in "partially limited". Is this a known bug?
No other rules were enabled.

LabZero

Waiting for an eminent opinion from our Comodo experts: could it be a bad implementation in the virtualized environment (VM)?

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,147
Am I correct that we are discussing the Gruel worm? I hope so because Gruel is super cute!

On the assumption that it is the worm, I'm doing up a video that will show you how to change the sandbox setting, as well as why I suggest setting it at Untrusted versus anything below that.

Sam- that is an excellent file to test with. My compliments!
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
As well as why I suggest setting it at Untrusted versus anything below that.

I don't understand why you suggest using untrusted in Comodo. Nothing really works at untrusted. You might just block unrecognized files, like malicious files are. I understand that untrusted is safer, but I also understand that you cannot call it virtualization when nothing works in that environment. Crashing applications is not virtualization, but everything less than untrusted is insecure. So in the end you either have a sandbox in which nothing works or that is not really secure. That is why the Comodo sandbox in my opinion is nothing but an automatic anti-executable, powered by a crappy cloud reputation database, and not a sandbox, not virtualization.

Though that's the problem on Windows. You cannot restrict something in a way that is really secure without breaking it, unless you design the application to work that way, like it was done with Chromium/Chrome, or unless you use microvirtualization as in Bromium vSentry, where the host OS actually can be compromised, because everything runs in a separate micro VM.
 

LuciferSam

Level 1
Thread author
Verified
Feb 19, 2014
27
Hello everybody,
I was testing a version of the (in)famous worm Gruel (MD5: b0feccddd78039aed7f1d68dae4d73d3) in a virtual environment with the following setup:
Windows 7 Professional 64 bit
8 GB Ram
CIS 8.2.0.4792 with no antivirus enabled, HIPS disabled and Proactive Security
Software running the VM: Virtualbox 5.0.10 under a Fedora x64 23

I was testing a fully virtualized sandbox with full restriction, but here are some interesting screenshots:
==CONFIGURATION==
(screenshots not preserved)

==HOW THE WORM IS SANDBOXED==
(screenshots not preserved)

If you keep executing the worm, it can terminate explorer.exe, but no registry key is touched. You have to restart Windows to get the operating system running normally again.

* Even removing "Enable file source tracking", nothing changes.
* Even removing the check for installers, nothing changes.
* If I keep the standard rules enabled, we have the same results.

I don't think it's a bug, because if I remove the restrictions the program goes "fully virtualized". Perhaps it is a wrong configuration? But why does Comodo keep putting it into "partially limited"? If I run the Windows calculator executable, the Comodo sandbox puts calc.exe into "untrusted" mode.

For the curious, I could upload Gruel to the malware hub, but if you search for the MD5 you can find it at malwr.com (you must be registered).
EDIT: Here is calc.exe in "untrusted" mode with the same rules as in the "configuration" section (screenshot not preserved).

EDIT: This post is the same as the one on the Comodo forums, sorry :D
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,147
Fleischmann- Actually legitimate applications can indeed run with the sandbox at Untrusted. I've read what you stated a few times here at MT and must tell you that it is quite untrue. It will prevent malware from doing anything, but a browser, for instance, can operate well when sandboxed as Untrusted (check your PM).

Sam- your issue is that you are not elevating the sandbox to run at anything other than Partially Limited (default). A new video should be showing up soon that highlights how to change the Sandbox options and how the sandbox will handle Gruel.
 

LuciferSam

Level 1
Thread author
Verified
Feb 19, 2014
27
CUT!

Sam- your issue is that you are not elevating the sandbox to run at anything other than Partially Limited (default). A new video should be showing up soon that highlights how to change the Sandbox options and how the sandbox will handle Gruel.
OK, that explains the problem. But why does the sandbox put calc.exe in untrusted mode? Because it's an application which does not require admin privileges?
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,147
I have no idea why calc.exe is being sandboxed at all for you at any level. Certainly doesn't happen on my systems.

Maybe you should send your calc.exe to VT?
 

LuciferSam

Level 1
Thread author
Verified
Feb 19, 2014
27
A guy on the Comodo forums says that it could be VirtualBox 5, which isn't very compatible with CIS. Somewhere I have a license for VMware Workstation: I'll try with that.
 

Deleted member 2913

cruelsister,
Is cruelsister1 on YouTube you?
Just watched the video on YouTube.

If it's your video -
Why did you mention Default Partial Limited? Isn't the default "Full Virtual"? And in the sandbox options (Partial Limited) test, why didn't you tick "Set Restriction Level"?
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Cruelsister, how do I go about running the web browser FV with the setting of untrusted? Google Chrome runs at limited, but anything above it crashes; am I doing anything wrong?

Hope all is well, I've subscribed to your youtube channel - it's very good, amazing talent!
 

LuciferSam

Level 1
Thread author
Verified
Feb 19, 2014
27
Finally, I've found the problem: it was UAC.

I have disabled it from the registry key (for 8 and 10) and now Comodo can put all the files into untrusted mode.

One strange thing: even when I tried with the "Administrator" user, the problem was present until I disabled UAC entirely.

Anyway: thank you, guys! :)
 

LuciferSam

Level 1
Thread author
Verified
Feb 19, 2014
27
Finally, I've found the problem: it was UAC.

I have disabled it from the registry key (for 8 and 10) and now Comodo can put all the files into untrusted mode.

PS: Could a mod put a tag like "SOLVED" on the thread title? Thank you!
 