Author Topic: [12.3.2280-12.3.2281] CyberCapture exclusions not working? (Read 2107 times)

NON · « **on:** November 15, 2016, 02:43:13 PM »

Hello all,

I found a strange case that exclusions of CyberCapture is not working as expected, see attached picture.
Note that I use 12.3.2281 beta, while similar issue was reported in the Japanese forum whose OP uses 12.3.2280.

File "kinza.exe" is digitally signed, and DeepScreen did NOT interfere its execution. Executed then immediately captured by CC even if the path of the file is in the exclusion list.
When I add the path into File System Shield exclusion list, then CC stops capturing it.
Moreover, CC never stops capturing it how many times CC says "The file is clean".

The captured app "kinza.exe" is a web browser based on Chromium.
https://www.kinza.jp/en/

The file itself is not downloaded from the web, but installed by the installer downloaded from the web.
So, "Downloaded from the web" flag must be inherited.

I found these strings in avast log.
From Autosandbox.log

Code: [Select]

2016/11/15 21:35:51	Autosandbox candidate: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
	[Source: local://*C:\Windows\System32\services.exe		]
	[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
	[Reason: 0x00020000]
	 --> Result: Not sandboxing (because the file is trusted).

2016/11/15 21:59:58	Autosandbox candidate: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
	[Source: local://*C:\Windows\System32\services.exe		]
	[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
	[Reason: 0x00020000]
	 --> Result: Not sandboxing (because the file is in the exception list).

From custody.log

Code: [Select]

2016/11/15 21:36:34	Blocked: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
	[Source: local://*C:\Windows\System32\services.exe		]
	[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
	[Reason: 0]
2016/11/15 22:00:32	Blocked: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
	[Source: local://*C:\Windows\System32\services.exe		]
	[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
	[Reason: 0]

I'll provide more information if needed.
Thanks.

Be Secure · « **Reply #1 on:** November 15, 2016, 02:49:27 PM »

Can you post the Virustotal link of that file?

Must be a bug. $:-\$

Eddy · « **Reply #2 on:** November 15, 2016, 02:53:04 PM »

As the installer is downloaded from the web, I suspect the hash of it is changing and makes Cybercapture treating it as a new file.
This is just a guess ofcourse.

NON · « **Reply #3 on:** November 15, 2016, 02:57:54 PM »

Quote from: Be Secure on November 15, 2016, 02:49:27 PM

Can you post the Virustotal link of that file?
Must be a bug. $:-\$

Here you go:
https://www.virustotal.com/ja/file/83a9b4c6351c4f7e15e70ce046a49944a8590d7d979974b727148cdad90b455d/analysis/1479217904/

Quote from: Eddy on November 15, 2016, 02:53:04 PM

As the installer is downloaded from the web, I suspect the hash of it is changing and makes Cybercapture treating it as a new file.
This is just a guess ofcourse.

I don't think the hash is different everytime, because Virustotal has a record about the file as of 6 days ago. (I re-scanned the file so now it gone $:-\$ )

Author Topic: [12.3.2280-12.3.2281] CyberCapture exclusions not working? (Read 2107 times)

NON

[12.3.2280-12.3.2281] CyberCapture exclusions not working?

Be Secure

Re: [12.3.2280-12.3.2281] CyberCapture exclusions not working?

Eddy

Re: [12.3.2280-12.3.2281] CyberCapture exclusions not working?

NON

Re: [12.3.2280-12.3.2281] CyberCapture exclusions not working?