App Review Sandboxes against a simple API exploit

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
no, because every Sandboxie's user that is a little bit interested by Sandboxie will know to tick the "Drop my right" checkbox. This is the first tweak veterans Sbie's users give as advice.

And every time it causes issues, tweaker veterans recommend to untick it.

"Hey my program doesn't work in Sandboxie..."
"Well, you shouldn't have ticked DropMyRights, fool."

"Hey, this malware escapes Sandboxie..."
"Well, you should have ticked DropMyRights, fool."

Amazing software :confused:
 
H

hjlbx

And every time it causes issues, tweaker veterans recommend to untick it.

"Hey my program doesn't work in Sandboxie..."
"Well, you shouldn't have ticked DropMyRights, fool."

"Hey, this malware escapes Sandboxie..."
"Well, you should have ticked DropMyRights, fool."

Amazing software :confused:

That's how most softs work...

I cannot get SBIE to work properly on my specific systems - despite massive time and effort.

If a user wants almost perfect reliability, dependability and usability, then opt for Shadow Defender.
 
  • Like
Reactions: Overkill
H

hjlbx

Guess I should have specified that I was using my suggested settings- sandboxed processes as Untrusted.

Right there is a big issue. SBIE, at default settings, essentially allows unrestricted reads and writes within the virtual container - plus access permissions outside the sandbox - whereas Comodo sandbox with an Untrusted configuration does not.

There is no fair comparison between Comodo sandbox and SBIE unless both are at default settings... or both configured equivalently (or, at least as close as possible) at their respective maximum restriction settings.

As a Comodo user I'm all for demonstrating Comodo's protections, but test comparison methodology has to be fair...
 
Last edited by a moderator:

Moose

Level 22
Jun 14, 2011
2,271
Salutations, Friends!

My concern is simple,which one will give better protection and have less headaches!

Kind regards,
 
H

hjlbx

Salutations, Friends!

My concern is simple,which one will give better protection and have less headaches!

Kind regards,

Better protection = my experience leads me to Comodo. This is debatable if just looking at virtualization capabilities alone... Comodo sandbox - huge flexibility in terms of file policies - permissions, blocking file types, force run files sandboxed always, etc, etc.

Have less headaches = unknown... you have to try each one individually on your specific system.

SBIE might not work on your system, then again Comodo might not work either... at the very least you will have to contend with some bugs whichever you choose.

So, in the end, you might not use either - but instead opt for Shadow Defender.
 
D

Deleted member 2913

Most programs are added by Comodo to their Safe List by the on-going efforts of many users. If it weren't for them, CIS would detect most safe programs as Unrecognized. Lots of CIS users are unaware of this fact... the white-list\black-list file submission champion is MT's very own @Malware1...

It takes Comodo about a year to add most Windows files to the Safe List - believe it or not... and the process never ends because Microsoft must continually issue Windows updates. Comodo technicians must review each file manually before it is added to the Safe List... as Comodo File Ratings are not Virus Total based.

@yesnoo

After Windows Update - over the course of a week, run a Rating Scan... you will see exactly what I mean.

I will give an example, every time Flash (a Trusted file) is updated via automatic updates, CIS will sandbox it... because it has changed and CIS has changed the rating from Trusted to Unrecognized. This CIS behavior is independent of configuration.

Also, CIS only alerts and sandboxes to files loaded into active memory. So, if a file is updated - but is never loaded into active memory - then CIS will never generate any kind of alert nor sandbox it.
I am not an expert when it comes to technical details.

Microsoft Files & Windows Updates - These are core system files. There are whitelist & status given to product/services in CIS. I mean Whitelist - you know versions needs to be whitelisted...if any particular/new version is not whitelisted...it will be unknown & so autosandboxed or alerts will be there.
Status - By status I mean "Installers", etc... status given to product/services. And I thought status gives unlimited rights to the products/services & updates/upgrades are considered trusted & so doesn't reqire whitelisting every updates/upgrades/versions, etc..., m I wrong here?

Flash & Java - I have always updated these manually i.e either checked for updates manually or from official site. And previously 1-2 times I have got alert for upgrades. But from the CIS version AutoSandbox/Sandbox default "Internet" I didn't recieved any alert or autosandboxed for the updates/upgrades of flash/java...atleast yet.

And I do think Autosandbox/Sandbox new default "Internet" & options like "source tracking" in sandbox & etc... new hidden rules/policy for option "Internet" (I say hidden rules coz I/we dont know what criteria, etc.. "Internet" rules follows/works on) enhances the usability for installed/new programs/services, etc.. i.e I mean I think 'Internet", "source tracking", "hidden rules - critera for "Internet'" rules", etc.. will autosandbox or alert less compared to other autosandbox options & source tracking disabled, etc...

I may be wrong but the above is the reason of using defaults here...enhanced usability with strong/effective protection especially for average users.
 

Moose

Level 22
Jun 14, 2011
2,271
Last edited:
H

hjlbx

I am not an expert when it comes to technical details.

Microsoft Files & Windows Updates - These are core system files. There are whitelist & status given to product/services in CIS. I mean Whitelist - you know versions needs to be whitelisted...if any particular/new version is not whitelisted...it will be unknown & so autosandboxed or alerts will be there.
Status - By status I mean "Installers", etc... status given to product/services. And I thought status gives unlimited rights to the products/services & updates/upgrades are considered trusted & so doesn't reqire whitelisting every updates/upgrades/versions, etc..., m I wrong here?

Flash & Java - I have always updated these manually i.e either checked for updates manually or from official site. And previously 1-2 times I have got alert for upgrades. But from the CIS version AutoSandbox/Sandbox default "Internet" I didn't recieved any alert or autosandboxed for the updates/upgrades of flash/java...atleast yet.

And I do think Autosandbox/Sandbox new default "Internet" & options like "source tracking" in sandbox & etc... new hidden rules/policy for option "Internet" (I say hidden rules coz I/we dont know what criteria, etc.. "Internet" rules follows/works on) enhances the usability for installed/new programs/services, etc.. i.e I mean I think 'Internet", "source tracking", "hidden rules - critera for "Internet'" rules", etc.. will autosandbox or alert less compared to other autosandbox options & source tracking disabled, etc...

I may be wrong but the above is the reason of using defaults here...enhanced usability with strong/effective protection especially for average users.

A lot of CIS users think all Microsoft files are automatically white-listed when they update. That is not the case. Trusted Microsoft files, when they change via updates, are "re-rated" as Unrecognized by CIS. The user can then allow them to function by creating Allow rules until Comodo recognizes the file as Trusted - or - the user can manually add the file to the local Trusted File List.

Many Microsoft files are not digitally signed - so they never qualify as completely Trusted according to Comodo rules for white-listing.

This CIS behavior is independent of configuration... and how Comodo engineers designed CIS to work.

After Windows updates, run a Rating Scan... over time you will see that core, and various other, system files change from Trusted to Unrecognized.
 
H

hjlbx

Salutations, Friends!

Choices below:

> Toolwiz time freeze: http://www.toolwiz.com/en/products/toolwiz-time-freeze/
> Sandboxie: http://www.sandboxie.com/
> Shadow Defender: http://www.shadowdefender.com/
> Comodo Firewall: Comodo Firewall http://download.comodo.com/cis/download/installs/4020/standalone/cmd_fw_installer.exe

The questions is which of the above software work together ( teamwork) not separately.

Kind regards,

Shadow Defender works with almost everything. I say almost because it and Webroot did not work properly together on my specific system = W8.1.

Currently, I use Shadow Defender with Comodo with no problems on W8.1.

It works with Sandboxie as well, but I do not use Sandboxie... best to ask @Umbra about SD + SBIE combo...
 
  • Like
Reactions: Moose

Moose

Level 22
Jun 14, 2011
2,271
Salutations, Friends!

I would love see all the different combinations that you guys and gals could come up with? And include AV of your choice that work
the above! Post # 68. And/or other security software!


Kind regards,
 
Last edited:

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
a) Sandbox as a security layer

or

b) Sandbox as a maintenance component.

Both of them should work just a matter of tweaks in order not to fool out, however the thing makes it totally downfall is by human error where mistakes couldn't revert immediately.

In such reality a strong sample suppose can break for isolated environment but for sure not a typical user can do that.

Speaking in Comodo, well all I can see is its totally a maintenance software which you cannot leave the configuration for a long time; especially the autosandbox feature.
 

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
I don't use Sandboxie, but if you change Comodo Sandbox settings to make it more secure then the same should be done with Sandboxie settings to do a fair comparison.
 
  • Like
Reactions: Overkill
D

Deleted member 2913

A lot of CIS users think all Microsoft files are automatically white-listed when they update. That is not the case. Trusted Microsoft files, when they change via updates, are "re-rated" as Unrecognized by CIS. The user can then allow them to function by creating Allow rules until Comodo recognizes the file as Trusted - or - the user can manually add the file to the local Trusted File List.

Many Microsoft files are not digitally signed - so they never qualify as completely Trusted according to Comodo rules for white-listing.

This CIS behavior is independent of configuration... and how Comodo engineers designed CIS to work.

After Windows updates, run a Rating Scan... over time you will see that core, and various other, system files change from Trusted to Unrecognized.
I am little confused now as never saw Windows Updates or Core System Files in Unrecognized or Rating Scan. I think these are treated differently. Aren't there set rules for these in settings?
 
H

hjlbx

I am little confused now as never saw Windows Updates or Core System Files in Unrecognized or Rating Scan. I think these are treated differently. Aren't there set rules for these in settings?

CIS does not treat Microsoft/System files any differently than any other files...
 
D

Deleted member 2913

CIS does not treat Microsoft/System files any differently than any other files...
Windows Updater Applications - is treated as Installer/Updater in CIS HIPS Rules.
And as per CIS help files for Installer/Updater---
"Note on 'Installer or Updater' Rule :Applying the Predefined Ruleset 'Installer or Updater' for an application defines it as a trusted installer and all files created by the application will also be considered as trusted files. Some applications may have hidden code that could impair the security of your computer if allowed to create files of their own. Comodo advises you to use this Predefined Ruleset - 'Installer or Updater' with caution. On applying this ruleset to any application, an alert dialog will be displayed, describing the risks involved".

Windows System Applications - is treated as Windows System Applications in CIS HIPS Rules.
I couldn't find an explanation for Windows System Applications Rules in help files.
 
H

hjlbx

Windows Updater Applications - is treated as Installer/Updater in CIS HIPS Rules.
And as per CIS help files for Installer/Updater---
"Note on 'Installer or Updater' Rule :Applying the Predefined Ruleset 'Installer or Updater' for an application defines it as a trusted installer and all files created by the application will also be considered as trusted files. Some applications may have hidden code that could impair the security of your computer if allowed to create files of their own. Comodo advises you to use this Predefined Ruleset - 'Installer or Updater' with caution. On applying this ruleset to any application, an alert dialog will be displayed, describing the risks involved".

Windows System Applications - is treated as Windows System Applications in CIS HIPS Rules.
I couldn't find an explanation for Windows System Applications Rules in help files.

All I can tell you is that is not how CIS functions on my W8.1 system.

If you look further in the manual it also states when any file changes (is modified, updates), then CIS automatically changes the rating from Trusted to Unrecognized. There is no distinction between Microsoft and any other files; they are all treated the same by CIS.
 
D

Deleted member 2913

All I can tell you is that is not how CIS functions on my W8.1 system.

If you look further in the manual it also states when any file changes (is modified, updates), then CIS automatically changes the rating from Trusted to Unrecognized. There is no distinction between Microsoft and any other files; they are all treated the same by CIS.
"Installer/Updater" - Isn't installer/updater means/includes modified/updates, etc...? I think so...

Do you have any such apps that modifies/creates files often? I dont have such apps...
If you have such apps then the often modified/created files must be getting autosandboxed or alert, right?
You can try & see by treating those apps as installer/updater...

I guess this way we can find the explanation of installer/updater rule.

Can you give me the link of the help file page mentioning any files changes/modified...?
And I do think file changes/modified, etc...is correct... but doesn't apply to apps treated as installer/updater.
 
Last edited by a moderator:
H

hjlbx

"Installer/Updater" - Isn't installer/updater means/includes modified/updates, etc...? I think so...

Do you have any such apps that modifies/creates files often? I dont have such apps...
If you have such apps then the often modified/created files must be getting autosandboxed or alert, right?
You can try & see by treating those apps as installer/updater...

I guess this way we can find the explanation of installer/updater rule.

Oh man... Comodo is so crazy right now I'm seriously thinking about ditching it for something else ...

I have no confidence that a clean install will fix anything. Perhaps reverting to 4591 would be the solution for the time being.

Initially, I thought all files installed by msiexec.exe and wuauclt.exe (essentially Windows updates) were always rated as Trusted by CIS.

You can imagine my surprise when I ran Rating Scans immediately after Windows Updates - and found many Microsoft files in the list rated as Unrecognized. I have observed this behavior on my W8.1 system since CIS early version 7 and using all CIS configs.

You have one experience, and I have another. That doesn't surprise me because I have compared notes with other CIS users - and in some cases - CIS behaves quite differently on W8.1 versus W7 and earlier.

Based upon your feedback I don't know what to make of it... it needs further investigation\observation.

FYI... I have both "Trust Applications Signed by Trusted Vendors" and "Trust Files Installed by Trusted Installers."

Additionally, the manual states two different things... or seemingly two different things. It isn't exactly clear, but the explanation perfectly fit what I am seeing on my specific system. So it seemed logical that this is, indeed, how Comodo designed CIS to operate.

Also, if you lookup Microsoft and System files via Cloud (File Lookup Server) you will find that many of those files are Unrecognized by Comodo.

Maybe what I am seeing on my specific system has something to do with the FLS query... not sure.
 
D

Deleted member 2913

HJLBX,

You have tested all config - by this you mean all config with their defaults or all config with your customization?

If you haven't yet then once try the default internet security config with its default & no single modification to the default settings.
If you do try then uninstall CIS completely & do clean CIS install.

I dont have any experience of CIS on Win 8.
But currently for me on Win 10 64 CIS is behaving the same as Win 7 64 & working fine yet.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top