Author Topic: How to circumvent the sandbox easily  (Read 5802 times)


Julian_evil

  • Guest
How to circumvent the sandbox easily
« on: June 30, 2010, 09:25:35 PM »
Tested with 594 on XP SP3.

1.) Start the Comodo leaktest sandboxed. Then start the method "Explorer as parent". The sandboxed clt.exe creates the iexplore.exe process outside of the sandbox.
http://www.testmypcsecurity.com/securitytests/firewall_test_suite.html

2.) Go to system32 and start taskmgr.exe sandboxed. With it, start an MSI install package. It seems as if the Windows Installer were sandboxed, due to the red frame around its window. But in fact it creates files outside of the sandbox.
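The two checks the first post describes (does a child process of the sandboxed program report explorer.exe as its parent, and do files appear on the real file system) can be made repeatable with a before/after snapshot. The script below is an added example, not code from the thread or from Avast; it assumes a watch directory where a leaked MSI install would land ($WatchDir), the name of the sandboxed test program ($TestExe), and the child names worth flagging ($Interesting). Run it from an unsandboxed PowerShell, start the test inside the sandbox when prompted, then press Enter.

```powershell
# Added example, not code from the thread or from Avast. A before/after harness for the two
# checks in the first post: (1) which new processes appeared and which parent each reports,
# (2) which files appeared on the real file system under $WatchDir.
# Assumptions (not from the page): $WatchDir is where a leaked MSI install would land and
# $TestExe is the sandboxed test program (clt.exe for "Explorer as parent", msiexec.exe for MSI).
param(
    [string]   $WatchDir    = $env:ProgramFiles,
    [string]   $TestExe     = 'clt.exe',
    [string[]] $Interesting = @('iexplore.exe', 'msiexec.exe')
)

# Win32_Process via WMI is available on XP SP3; Get-CimInstance is the modern equivalent.
function Get-ProcSnapshot {
    Get-WmiObject -Class Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

# Plain list of full paths; files only, so an empty new directory is not reported.
function Get-FileSnapshot([string] $Dir) {
    @(Get-ChildItem -Path $Dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object -ExpandProperty FullName)
}

$procBefore  = Get-ProcSnapshot
$filesBefore = Get-FileSnapshot $WatchDir

Read-Host 'Start the test inside the sandbox, let it spawn its child, then press Enter' | Out-Null

$procAfter  = Get-ProcSnapshot
$filesAfter = Get-FileSnapshot $WatchDir

# ---- Check 1: new processes and the parent each one reports -------------------------------
$byPid = @{}; foreach ($p in $procAfter)  { $byPid[[int]$p.ProcessId] = $p }
$old   = @{}; foreach ($p in $procBefore) { $old[[int]$p.ProcessId]   = $true }

$newProcs    = @($procAfter | Where-Object { -not $old.ContainsKey([int]$_.ProcessId) })
$testRunning = [bool]($procAfter | Where-Object { $_.Name -ieq $TestExe })

"New processes since the snapshot: $($newProcs.Count)"
foreach ($p in $newProcs) {
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $flag = ''
    # Signature of the "Explorer as parent" trick: a process of interest that reports
    # explorer.exe (which is not sandboxed) as its parent while the sandboxed test is running.
    if (($Interesting -contains $p.Name) -and ($parentName -ieq 'explorer.exe') -and $testRunning) {
        $flag = "  <-- parent is explorer.exe while $TestExe is running"
    }
    '{0,6}  {1,-16} ppid={2,-6} ({3}){4}' -f $p.ProcessId, $p.Name, $p.ParentProcessId, $parentName, $flag
}

# ---- Check 2: files that reached the real file system under $WatchDir ----------------------
$seen   = @{}; foreach ($f in $filesBefore) { $seen[$f] = $true }
$leaked = @($filesAfter | Where-Object { -not $seen.ContainsKey($_) })

if ($leaked.Count -gt 0) {
    "$($leaked.Count) file(s) created OUTSIDE the sandbox under ${WatchDir}:"
    $leaked | ForEach-Object { "  $_" }
} else {
    "No new files under $WatchDir (the sandbox contained the writes, or the install went elsewhere)."
}
```

Two caveats. The script only sees the real system: it can confirm a file leak, and it can show that a new iexplore.exe reports explorer.exe rather than the test program as its parent, but it cannot tell whether a window carries the sandbox's red frame. For the MSI case, look at the ppid column of any new msiexec.exe: a per-machine install is performed by the Windows Installer service (an msiexec.exe whose parent is services.exe), not by the msiexec.exe the sandboxed Task Manager launched, so that is the process whose writes land outside the sandbox.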

GloobyGoob

  • Guest
Re: How to circumvent the sandbox easily
« Reply #1 on: July 01, 2010, 12:11:51 AM »
Did you uncheck the first option in Real-time shields > Process Virtualization > Expert Settings? It is enabled by default.

Lisandro

  • Avast team
Re: How to circumvent the sandbox easily
« Reply #2 on: July 01, 2010, 12:33:24 AM »
Thanks for checking. I'll be glad if the programmers take a look, especially Lukas or pk.
The best things in life are free.

Julian_evil

  • Guest
Re: How to circumvent the sandbox easily
« Reply #3 on: July 04, 2010, 04:03:02 PM »
Quote from: GloobyGoob
Did you uncheck the first option in Real-time shields > Process Virtualization > Expert Settings? It is enabled by default.
Unfortunately, that doesn't help.

Could a developer please comment on this?

Lisandro

  • Avast team
Re: How to circumvent the sandbox easily
« Reply #4 on: July 04, 2010, 08:04:08 PM »
Other tests that the sandbox is also failing:

GloobyGoob

  • Guest
Re: How to circumvent the sandbox easily
« Reply #5 on: July 04, 2010, 08:38:15 PM »
Quote from: Lisandro
Other tests that the sandbox is also failing:

Tech, that Leaktest doesn't test the sandbox, it tests the firewall and HIPS. (But Julian_evil was testing the sandbox; by trying to see if something would get created outside of it) The anti-virus component blocks some of them but the firewall doesn't respond to them. And here's the reason for this.

Quote from: Neil J. Rubenking, PCMAG
My ALWIL contacts explained that since there's no malicious payload in the leak test programs there's no reason for avast! to block their behavior. That makes sense. Norton Internet Security 2010 and Panda Internet Security 2010 work in just the same way.

Lisandro

  • Avast team
Re: How to circumvent the sandbox easily
« Reply #6 on: July 04, 2010, 08:45:53 PM »
Quote from: GloobyGoob
Tech, that Leaktest doesn't test the sandbox, it tests the firewall and HIPS.
Are you sure?
I'm not. I've tested Comodo Firewall and Defense+ and the results were ridiculous.
The very beginning they say I need to sandbox the process: https://forums.comodo.com/leak-testingattacksvulnerability-research/comparison-of-comodo-firewall-and-defense-with-avast-internet-security-t58804.0.html;msg411881#msg411881

GloobyGoob

  • Guest
Re: How to circumvent the sandbox easily
« Reply #7 on: July 04, 2010, 09:05:41 PM »
??? Ok I just tested it.

Outside of sandbox: 110/340
Inside sandbox: 170/340

@Julian_evil, when I ran clt.exe virtualized, it didn't create anything outside of the sandbox.

Sparxx

  • Guest
Re: How to circumvent the sandbox easily
« Reply #8 on: July 04, 2010, 10:02:31 PM »
Tested it too:

Outside of sandbox: 150/340
Inside of sandbox: 200/340 (using Sandboxie).

GloobyGoob

  • Guest
Re: How to circumvent the sandbox easily
« Reply #9 on: July 05, 2010, 04:00:54 AM »
Quote from: Lisandro
Are you sure?
I'm not. I've tested Comodo Firewall and Defense+ and the results were ridiculous.
The very beginning they say I need to sandbox the process: https://forums.comodo.com/leak-testingattacksvulnerability-research/comparison-of-comodo-firewall-and-defense-with-avast-internet-security-t58804.0.html;msg411881#msg411881

I think it has to do with permissions. Some sandboxed programs can't open because of no permission, even if you click run as administrator. So maybe that's why you get a better score when it's virtualized, because of the blocking. Anyway, the sandbox isn't tested by leaktests; they could help, but they mainly test firewalls and HIPS. After all, a sandbox's job is to make sure nothing reaches your real computer.

Julian_evil

  • Guest
Re: How to circumvent the sandbox easily
« Reply #10 on: July 05, 2010, 01:35:53 PM »
Quote from: GloobyGoob
@Julian_evil, when I ran clt.exe virtualized, it didn't create anything outside of the sandbox.
I tested both on XP SP3 and Seven x64. The result is an IEXPLORE.exe running outside of the sandbox:

GloobyGoob

  • Guest
Re: How to circumvent the sandbox easily
« Reply #11 on: July 05, 2010, 10:47:34 PM »
Every time I do it, iexplore.exe is sandboxed and no files are created outside of the sandbox. Am I doing something wrong? ??? http://www.screencast.com/t/NDRlY2EyZDMt

Rednose
Re: How to circumvent the sandbox easily
« Reply #12 on: July 05, 2010, 11:57:00 PM »
With the firewall on ask:

- Outside the sandbox: 150/340
- Inside the sandbox: 200/340

And I can confirm GloobyGoob's findings: Iexplorer is sandboxed, ExplorerAsParent impersonation is not vulnerable.

Greetz, Red.

Btw. If it is ok with you guys, I will ask Petr if he can shine a light on this.
« Last Edit: July 06, 2010, 01:09:31 AM by Rednose »