Sandbox doesn't block direct disk access and global hooks

Hello,
For example, disk or MBR killers can do their work without getting interrupted by Avast.
Regarding global hooks: the CPILSuite leaktest of Comodo can break out of the sandbox.

Tested with the newest beta and latest final build on XP SP3.

Comodo’s not a valuable reference here :slight_smile:

edit: forgot to mention that I tested their CIS 4 sandbox, it’s a complete disaster, can break a whole system if left with default settings, i.e. sandboxing automatically “unrecognized programs”. + running purposely many software through this same sandbox either crashes the app or does nothing >>> no process started ???

But I am and anti Comodo trolling won’t change this. :wink:

So, here’s the proof:
Start CPILSuite.exe sandboxed.
Choose method 2 or 3.
Internet Explorer gets started outside of the sandbox (bypassed / breakout):

http://www.ld-host.de/uploads/thumbnails/eb8273b96414b455e637d5a0594ccdad.png

http://www.ld-host.de/uploads/thumbnails/a6e3584c9d82adbe6d8b586f6fcf392b.png

What happened? The leaktest injected its code into explorer.exe, which the sandbox didn’t prevent. Then explorer.exe started Internet Explorer.

Regarding the direct disk access issue: I could only show you an image in which the VM says that it can’t boot anymore.
But if you want I can send you the sample via PM so that you can convince yourself.

I won’t even bother looking at your Comodo trolling pics, ya see what happens when two trolls meet ;D

Any developer comment?

  • direct volume write access should be blocked in the upcoming beta version
  • global hooks virtualization is already done, but it won’t be included in this release, because it needs more time to test it (i.e. global hooks are emulated to be valid only within the given sandboxed process group; this depends on virtualized windows/classes, so we need to test it properly and define the most common exceptions).
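The developer's second bullet describes scoping a global hook to the sandboxed process group that installed it, so a hook set from inside the sandbox is never delivered into an unsandboxed process such as explorer.exe. The following toy model is an added illustration of that policy and is not Avast's code; the process names, group ids and hook-type labels are constructed, and the model assumes (as a simplification) that hooks installed by unsandboxed host processes keep their normal global scope.

```python
"""Toy model: global hooks scoped to a sandbox process group.

Added example, not Avast's implementation. It contrasts a conventional
hook table, where any process's hook callback is delivered into every
process, with a virtualized table, where a hook installed by a sandboxed
process is only delivered to members of the same sandbox group.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Process:
    name: str
    pid: int
    group: Optional[str]  # sandbox group id, or None for an unsandboxed host process


@dataclass
class Hook:
    owner: Process   # process that installed the hook
    hook_type: str   # constructed label, e.g. "WH_CBT"
    callback: str    # label of the callback/DLL that would be loaded into the target


@dataclass
class HookTable:
    virtualize: bool            # True = scope hooks to the owner's sandbox group
    hooks: List[Hook] = field(default_factory=list)

    def set_hook(self, owner: Process, hook_type: str, callback: str) -> None:
        self.hooks.append(Hook(owner, hook_type, callback))

    def deliver(self, target: Process, hook_type: str) -> List[str]:
        """Return the callbacks that would run inside `target` for this event."""
        fired = []
        for h in self.hooks:
            if h.hook_type != hook_type:
                continue
            sandboxed_owner = h.owner.group is not None
            if self.virtualize and sandboxed_owner and h.owner.group != target.group:
                # Hook belongs to a sandbox group the target is not part of:
                # do not load the callback into the target process.
                continue
            fired.append(h.callback)
        return fired


def simulate(virtualize: bool) -> dict:
    """Constructed scenario: a sandboxed leaktest installs a global hook,
    then a window event occurs in the host shell and in a sandboxed sibling."""
    leaktest = Process("cpilsuite.exe", 1001, group="sbx-1")
    sibling = Process("sandboxed-child.exe", 1002, group="sbx-1")
    shell = Process("explorer.exe", 500, group=None)

    table = HookTable(virtualize=virtualize)
    table.set_hook(leaktest, "WH_CBT", "leaktest-callback")

    return {
        "explorer.exe": table.deliver(shell, "WH_CBT"),
        "sandboxed-child.exe": table.deliver(sibling, "WH_CBT"),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("virtualized hooks:" if mode else "conventional hooks:", simulate(mode))
```

With `virtualize=False` the leaktest's callback is delivered into explorer.exe, which is the path the screenshots above show; with `virtualize=True` it only reaches the sandboxed sibling. The exceptions the developer mentions (hooks that legitimately must cross the boundary) would be an allow-list consulted before the group comparison, which this model leaves out.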

This sounds good - thank you. :slight_smile: