Advice Request Incompatibility Issue or A Feature of Comodo AutoSandbox?

Status
Not open for further replies.

Online_Sword

Mar 23, 2015
I am testing the compatibility between Malwarebytes Antiexploit (MBAE) Free and the Auto-Sandbox of Comodo Firewall on a virtual machine running Win 7 32-bit.

We all know that if you want to use MBAE along with Sandboxie, you need to do some configuration manually, i.e., editing the config file of Sandboxie to add a template corresponding to MBAE. Sometimes this approach does not work at all...

By contrast, it seems that we do not need to do any configuration to use MBAE with Comodo (I still exclude MBAE from the detection of shellcode injection). When I launch Firefox.exe in the auto-sandbox of Comodo with the context menu item (or by creating a sandbox rule to force Firefox into the Sandbox), MBAE will always alert you that it is protecting the browser. It seems fine.

The problem happens when I try to run the test tool provided by Malwarebytes:
How to verify that MBAE is working correctly - Anti-Exploit Product Support - Malwarebytes Forum

When I run this test tool in the sandbox of Comodo and click "Exploit", in almost all cases the tool simply terminates. I have repeated this test several times and cleaned the sandbox of Comodo after each test. Only in two tests did MBAE show the pop-up saying that the exploit was prevented.

So, would this be an incompatibility issue, or just a feature of Comodo auto-sandbox, which also prevents the exploit?

Thanks.:)

hjlbx

COMODO sandbox denies direct raw disk, raw memory and services access. Access to registry and file system is only permitted to those registry and file system objects duplicated by COMODO in the virtual container.

One or more of the above could be reason(s) why Malwarebytes Exploit Test Utility does not function when run inside the sandbox.

You can ask Malwarebytes whether it is accessing any of the above. They should solve the riddle.

Did you try to run in Virtual Kiosk ?

Sandbox and Virtual Kiosk are not identical - that is as much as I know, since there is no technical info - so you might get a different result.
Online_Sword

@hjlbx

I have tried the virtual desktop and got the same result. The test tool just terminates.

I find that, when the protection of MBAE is stopped, the test tool can function properly inside the sandbox. This makes the problem look more like an incompatibility issue, but I am not sure.

Maybe I need to try to visit a malicious website with browsers inside the sandbox to see what would happen. But I do not know which site could trigger MBAE in the normal case.

By the way, I find the following statement in the forum of MBAE. Maybe it is related to my problem:

  • New Comodo Bug. We found a second new bug in Comodo which may cause conflict with MBAE and result in browsers not being able to open correctly. It seems when MBAE injects after Comodo there is no problem, but if Comodo injects after MBAE then Comodo doesn't handle the chained hooks correctly. A fresh re-install of MBAE might temporarily solve the problem (as it sometimes makes MBAE handle the API hooks after Comodo) but the definite bug fix must come from Comodo.

I installed MBAE after Comodo. But I am not sure whether MBAE actually injects after Comodo.

I can open my browser correctly and browse the websites correctly.
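The "chained hooks" problem mentioned in the MBAE forum statement quoted above, modelled as an added example in C. This is not code from Malwarebytes, COMODO or anyone in this thread. Two products hook the same API; a hook installed second must forward to whatever was in the slot before it (possibly the earlier hook), not to the original function. The function names, the function-pointer "slot" standing in for a patched API, the install_overwriting() installer and the string check are all assumptions made for the illustration; real products patch code in memory, and what exactly goes wrong inside COMODO is not known from this thread.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of API hook chaining (not MBAE or COMODO code).
 * A real product patches the prologue of an exported function; here the
 * "API" is a function pointer so the example runs anywhere. */

typedef int (*api_fn)(const char *arg);

/* The slot both "products" want to hook. */
static api_fn g_api_slot;

/* Stand-in for the original API: returns the argument length. */
static int real_api(const char *arg) {
    return (int)strlen(arg);
}

/* Each hook keeps the pointer it displaced so it can forward the call. */
static api_fn hook_a_next;   /* installed first  (think: the anti-exploit hook) */
static api_fn hook_b_next;   /* installed second (think: the sandbox hook)      */

/* Counters so a caller can see which hooks actually ran. */
static int hook_a_seen, hook_b_seen;

/* Hook A inspects the argument and blocks a (constructed) "exploit" marker. */
static int hook_a(const char *arg) {
    hook_a_seen++;
    if (strstr(arg, "exploit") != NULL)
        return -1;                 /* blocked */
    return hook_a_next(arg);
}

/* Hook B just forwards; it represents the second product's hook. */
static int hook_b(const char *arg) {
    hook_b_seen++;
    return hook_b_next(arg);
}

/* Correct: save whatever is in the slot now (original or an earlier hook). */
static void install_chained(api_fn hook, api_fn *next_out) {
    *next_out = g_api_slot;
    g_api_slot = hook;
}

/* Broken (assumed failure mode): assume the slot still holds the original
 * function, so the earlier hook is silently dropped from the chain. */
static void install_overwriting(api_fn hook, api_fn *next_out) {
    *next_out = real_api;
    g_api_slot = hook;
}

static void reset(void) {
    g_api_slot = real_api;
    hook_a_seen = hook_b_seen = 0;
}

/* Install A, then B (chained or overwriting), then make one call through
 * the slot. Returns the call's result; the counters record which hooks ran. */
int run_scenario(int second_installer_is_broken, const char *arg) {
    reset();
    install_chained(hook_a, &hook_a_next);
    if (second_installer_is_broken)
        install_overwriting(hook_b, &hook_b_next);
    else
        install_chained(hook_b, &hook_b_next);
    return g_api_slot(arg);
}

int main(void) {
    int r;
    r = run_scenario(0, "exploit payload");
    printf("chained:     result=%d hook_a_ran=%d hook_b_ran=%d\n",
           r, hook_a_seen, hook_b_seen);
    r = run_scenario(1, "exploit payload");
    printf("overwriting: result=%d hook_a_ran=%d hook_b_ran=%d\n",
           r, hook_a_seen, hook_b_seen);
    return 0;
}
```

With correct chaining, the call passes through both hooks and hook A blocks it; with the overwriting installer, hook A never runs, so whichever product installed first has effectively been disabled for that API, even though nothing crashes and the browser "works". That is why install order (who injects after whom) matters in the quoted statement.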

hjlbx

After attempting to run the utility, check the Defense+ log. COMODO should record and list what the utility is attempting to do and/or access: Create Process, Access Memory, Access COM Interface, etc.

Once you determine what the utility is attempting to access, you can create HIPS Allow rule(s) granting access to those resources.

HINT: If you use Training Mode, and it still doesn't work then it is some form of incompatibility - probably - but such things aren't always clear-cut. There's no telling if the issue is wholly COMODO, Malwarebytes, or something else. Figuring it out is a completely trial-and-error process.

Online_Sword

After attempting to run utility, check Defense+ log

There is no D+ event generated during the test.

If you use Training Mode, and it still doesn't work then it is some form of incompatibility - probably - but such things aren't always clear-cut.

This problem persists even if I turn off HIPS...

hjlbx

In that case, just write the experiment off. It's pointless to try and figure it out. Serves no purpose other than to drive you nuts...

If you feel so inclined you can submit infos to Malwarebytes and COMODO.

However, you already know that a submission to COMODO requires a lot of time and effort - and you will get no reply whatsoever except for, perhaps, a notice from a forum moderator that the report has been moved to the confirmed issue thread and submitted to the tracker.

I have learned to leave such things alone.

Pity... innit?