How to circumvent the sandbox easily

Tested with 594 on XP SP3.

1.) Start the Comodo leaktest sandboxed. Then start the method “Explorer as parent”. The sandboxed clt.exe creates the iexplore.exe process outside of the sandbox.
http://www.testmypcsecurity.com/securitytests/firewall_test_suite.html

2.) Go to system32 and start taskmgr.exe sandboxed. With it, start an MSI install package. It looks as if the Windows Installer is sandboxed, because of the red frame around its window, but in fact it creates files outside of the sandbox.
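A quick way to check the "Explorer as parent" claim on your own machine is to dump the process ancestry of every iexplore.exe right after running the test. This is an added diagnostic for this thread, not the leaktest's code and not part of the avast sandbox; it assumes Windows PowerShell (Get-WmiObject is used instead of Get-CimInstance so it also works on the 2.0 version available for XP SP3 and Windows 7) and should be run from a normal, non-sandboxed console so the sandbox cannot virtualize what it sees. If the sandboxed clt.exe launched the browser through the shell, the parent shows up as explorer.exe rather than clt.exe; if iexplore.exe is a direct child of clt.exe, the sandbox had the chance to inherit its restrictions.

```powershell
# Added diagnostic (not from the original post): list each process named
# $TargetName with its parent and full ancestry chain.
param([string]$TargetName = 'iexplore.exe')

# One snapshot of the process table; Win32_Process exposes ParentProcessId.
# Get-WmiObject exists in Windows PowerShell 2.0-5.1 (not in PowerShell 7).
$procs = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-AncestryString {
    param([int]$ProcId)
    $parts = @()
    $seen  = @{}
    # Walk ParentProcessId upwards. Stop when the parent has exited (PID not in
    # the snapshot) or when a PID repeats (PIDs are reused, so chains can loop).
    while ($byPid.ContainsKey($ProcId) -and -not $seen.ContainsKey($ProcId)) {
        $seen[$ProcId] = $true
        $p = $byPid[$ProcId]
        $parts += ('{0}[{1}]' -f $p.Name, $p.ProcessId)
        $ProcId = [int]$p.ParentProcessId
    }
    return ($parts -join ' <- ')
}

$targets = $procs | Where-Object { $_.Name -ieq $TargetName }
if (-not $targets) {
    Write-Warning "no process named $TargetName is running"
    return
}

foreach ($t in $targets) {
    $parent = $byPid[[int]$t.ParentProcessId]
    if ($parent) { $parentName = $parent.Name } else { $parentName = '<exited>' }
    New-Object PSObject -Property @{
        Pid         = $t.ProcessId
        ParentPid   = $t.ParentProcessId
        Parent      = $parentName
        Ancestry    = Get-AncestryString -ProcId $t.ProcessId
        CommandLine = $t.CommandLine
    }
}
```

Run it as `.\Show-Parent.ps1` (default target iexplore.exe) or `.\Show-Parent.ps1 -TargetName msiexec.exe` for the taskmgr/Windows Installer case; the Ancestry column is what to compare between a sandboxed and a non-sandboxed run. Whether the process is actually virtualized is a separate question the ancestry alone cannot answer, so also look for files it writes in the real file system rather than in the sandbox's storage.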

Did you uncheck the first option in Real-time shields > Process Virtualization > Expert Settings? It is enabled by default.

Thanks for checking. I’ll be glad if the programmers take a look, especially Lukas or pk.

Unfortunately, that doesn’t help.

Could a developer please comment on this?

Other tests that the sandbox is also failing:

Tech, that leaktest doesn’t test the sandbox; it tests the firewall and HIPS. (But Julian_evil was testing the sandbox, by trying to see if something would get created outside of it.) The anti-virus component blocks some of them but the firewall doesn’t respond to them. And here’s the reason for this.

Are you sure?
I’m not. I’ve tested Comodo Firewall and Defense+ and the results were ridiculous.
At the very beginning they say I need to sandbox the process: https://forums.comodo.com/leak-testingattacksvulnerability-research/comparison-of-comodo-firewall-and-defense-with-avast-internet-security-t58804.0.html;msg411881#msg411881

??? Ok I just tested it.

Outside of sandbox: 110/340
Inside sandbox: 170/340

@Julian_evil, when I ran clt.exe virtualized, it didn’t create anything outside of the sandbox.

Tested it too:

Outside of sandbox: 150/340
Inside of sandbox: 200/340 (using Sandboxie).

I think it has to do with permissions. Some sandboxed programs can’t open because they have no permission, even if you click “Run as administrator”. So maybe that’s why you get a better score when it’s virtualized, because of the blocking. Anyway, the sandbox isn’t tested by leaktests; they could help, but they mainly test firewalls and HIPS. After all, a sandbox’s job is to make sure nothing reaches your real computer.

I tested both on XP SP3 and Seven x64. The result is an IEXPLORE.exe running outside of the sandbox:

http://www.abload.de/thumb/result0220.png

Every time I do it, iexplore.exe is sandboxed and no files are created outside of the sandbox. Am I doing something wrong? ??? http://www.screencast.com/t/NDRlY2EyZDMt

With the firewall on ask:

  • Outside the sandbox: 150/340
  • Inside the sandbox: 200/340

And I can confirm GloobyGoob’s findings: iexplore.exe is sandboxed; the ExplorerAsParent impersonation is not vulnerable.

Greetz, Red.

Btw. If it is ok with you guys, I will ask Petr if he can shine a light on this.