Comodo Sandbox: State of the Art Review

Roman Fekolkin
Client Security Architecture, A7005E
Luleå University of Technology, [email protected]

September 23, 2014

Abstract – In this work an analysis of the sandbox features offered by Comodo Internet Security was performed. Features such as the Virtual Desktop and running the browser in a sandboxed environment were reviewed and tested by means of deliberate interaction with malicious software.

Keywords - fingerprinting, sandbox, virtual desktop

INTRODUCTION

The purpose of a sandbox is to isolate potentially malicious content from the general working environment, preventing it from doing any damage to the system thanks to its limited access to the system's resources. Sandboxing is a significant addition to the security measures provided by anti-malware software, which usually detects malicious threats based on a list of pre-defined signatures [3], while the sandbox allows testing software that has not yet been identified as malicious. This is especially important because malware constantly evolves, making it difficult for anti-malware vendors to keep up and update their threat databases in time, before users are exposed to security risks.

COMODO SANDBOX FEATURE

I. Review of the sandbox features offered by Comodo Internet Security

The Comodo Internet Security Sandbox [4] isolates malicious content by means of partial virtualization of the file system and the registry: applications from the user's machine are placed inside the sandbox, or in other words a malware sample is executed in an environment dedicated to testing for possibly harmful behavior [1]. Any attempt to modify the user's data will therefore only change the copies of the actual data inside the sandbox, meaning that the integrity of the actual data is preserved. In other words, the sandbox allows evaluating the safety of using some particular software by observing the potential effect it might have on the system. In this work, the review of the sandbox feature was performed using the 7th version of Comodo Internet Security.

There are several ways to use the sandbox features. The "Virtual Desktop" feature provides an isolated, or in other words virtualized, environment where users can run suspicious applications and perform sensitive operations on the Internet such as online banking, because no cookies are stored and no browsing history is recorded except within the virtualized environment, while none of that data is stored on the real machine. Since the virtual desktop can be used to access malicious websites and install potentially harmful applications, the sandbox has to be reset manually (it is not reset automatically on reboot), removing all of the data from it, in order to protect the user's privacy from undesirable exposure. In general, applications run within the sandbox do not affect the integrity and confidentiality of the data stored on the actual machine, and their area of influence is limited because they exist only within the virtualized area. However, if the user wants to access from the host machine data that was downloaded by the browser in the virtualized space, a shared space can be used, where the data is accessible from the real machine. That data, in its turn, has access to data on the real machine, although in a read-only manner, which the user can adjust to lift the access level. Thus, when saving files to the shared space, the user should be certain of the non-malicious nature of the shared files. Furthermore, a properly structured password for the virtual desktop can be used to prevent certain users from exiting the virtualized environment and gaining access to the real machine.

A tool such as the virtual keyboard, which can be used in the virtual desktop, is an important security tool in terms of the increased confidentiality of the entered data. It is actually one of the important factors that makes the virtual desktop a secure environment for performing financial tasks, because it prevents unauthorized monitoring of the entered data by some sort of key-logging malware, which could otherwise simply record the entered passwords, credit card numbers and other types of sensitive information.

Applications can either be executed in the sandbox automatically or the user can explicitly choose when to run an application in the sandbox. Automatic sandboxing occurs (if it has been set up in the settings) when an application is detected to be of a suspicious nature, basing the conclusion either on signature-based whitelisting or on a heuristic approach that determines the capabilities of an application to execute presumably harmful operations. Manual sandboxing is performed only when the user wants it. There is also the possibility to run a browser in sandbox mode, allowing the usual browsing features to be used in a fully virtual environment and malicious websites to be accessed without exposing the real system to threats. When a browser is running in the sandbox, the user is informed graphically about the sandboxed status by a green frame drawn around the browser window.

II. Testing the sandbox

To confirm that the Comodo sandbox does its job, a test was performed in which malicious executable files were downloaded by intentionally entering the URL links to those files in the browser. After that, they were run in the Comodo sandbox. Then, in order to determine whether the malware had succeeded in making any changes to the real machine, a malware scan was run; it did not find any malware on the real system, confirming that the sandbox had isolated the malware from harming that system. Another test was performed in which Firefox was run in sandbox mode. The files downloaded in this mode, using the same links mentioned previously, remained in the virtual environment: even though the folder and the files in it might look exactly like the ones on the real machine, they were actually just virtual copies, and interacting with them does not change their state on the real machine. By using a sandboxed browser, surfing becomes secure no matter what kind of malicious threats you might run into, considering that browsers are practically used as the gateway through which most malicious software enters the system.

III. Limitations of sandbox offered by security software mentioned in the literature

As mentioned previously, it is important to take precautions and reset the sandbox to eliminate the chance that data stored in the virtualized environment is exposed. Furthermore, the sandbox provided by security software does not give a full guarantee of correct malware detection, since it is not immune to the fingerprinting methods used to identify the true nature of the environment the malware is being executed in, whether it is a sandbox or a virtual machine [2]. It has been noted that malware can overcome sandbox analysis by adjusting its behavior, temporarily postponing its malicious activities until the sandbox-limited application execution is stopped [1], [2]. This is done based on the results of an analysis of the Internet connectivity of the system it operates in, possibly discovering that it is really just a sandbox environment. This issue of sandbox fingerprinting has been noted to be a widespread weakness that can be exploited by malware to stay undetected during analysis [2].

CONCLUSIONS

In this work a review of the sandbox features offered by Comodo Internet Security was performed. The features included the possibility to use a sandboxed browser as well as an even more secure virtual desktop, both of which aim at isolating malicious software and preventing it from damaging the user's real system. By running an unknown application within the sandbox it is possible to prevent the harmful effects it might expose the user's system to. Regardless of the statements that sandboxing features are not 100% immune to malware attacks, there is really no way to be completely secure, due to the constant competition between malware and anti-malware, in which each side tries to overcome the other by evolving its attack and protection features respectively.

REFERENCES

[1] Kasama, T. (2014). A Study on Malware Analysis Leveraging Sandbox Evasive Behaviors. Doctoral dissertation, School of Environment and Information Sciences, Yokohama National University.
[2] Neuner, S., van der Veen, V., Lindorfer, M., Huber, M., Merzdovnik, G., Mulazzani, M., & Weippl, E. Enter Sandbox: Android Sandbox Comparison. Proceedings of the IEEE.
[3] https://www.comodo.com/home/internetsecurity/updates/vdp/database.php (last accessed: 22.09.2014)
[4] https://www.comodo.com/ (last accessed: 23.09.2014)
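Sections I and II rest on one claim: writes made by a sandboxed program land on virtual copies, so the real file system stays byte-for-byte unchanged. The test in Section II checked this with a malware scan, which only catches files a scanner already knows. The following added example, written for this review and not Comodo's code, is the stronger check a practitioner would add: snapshot the real tree before the sandboxed run, snapshot it again afterwards, and diff the hashes. Any added, removed or modified path means isolation failed. The directory layout and file contents in `demo()` are constructed for the demonstration.

```python
"""Integrity snapshot of a directory tree, used to check that writes made by
a sandboxed program never reached the real file system.

Added example for this review; not Comodo's code. The directory and file
names used in demo() are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return added, removed and modified relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def isolated(before, after):
    """True when the real tree is unchanged, i.e. the sandbox absorbed every write."""
    d = diff_snapshots(before, after)
    return not (d["added"] or d["removed"] or d["modified"])


def demo():
    """Two constructed runs: one where writes stayed in the sandbox, one where they leaked."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        real = Path(tmp) / "real_machine"
        (real / "Downloads").mkdir(parents=True)
        (real / "Downloads" / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (real / "notes.txt").write_text("benign user data\n")

        before = snapshot(real)

        # Run 1: the sample ran inside the sandbox; nothing on the real tree changed.
        results["sandboxed"] = diff_snapshots(before, snapshot(real))

        # Run 2 (constructed leak): a dropped file and a modified user file on the real tree.
        (real / "Downloads" / "unexpected.bin").write_bytes(b"constructed placeholder")
        (real / "notes.txt").write_text("benign user data\n# appended by sample\n")
        results["leaked"] = diff_snapshots(before, snapshot(real))
    return results


if __name__ == "__main__":
    for run, d in demo().items():
        print(run, "isolated" if not any(d.values()) else d)
```

On a real machine the same two calls bracket the sandboxed run: `before = snapshot(r"C:\Users\user")`, execute the sample in the sandbox, `after = snapshot(...)`, then `isolated(before, after)`. The shared space described in Section I is expected to change, so exclude it from the root or diff it separately; the point of the check is that everything outside it must not.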
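Section III describes the behaviour an analyst has to worry about: a sample that looks at its Internet connectivity, concludes it is being observed, and then does nothing until the sandbox's execution time limit is reached. The following added example, written for this review and not Comodo's code, shows the defender's side of that: a small triage routine over a sandbox behaviour log that flags a run whose only observable actions were a connectivity check and idling. The `t=<seconds> ev=<event> key=value` log format, the event names, the time budget and both sample logs are constructed for the demonstration and do not correspond to any real product's output.

```python
"""Heuristic triage of a sandbox behaviour log for the stalling pattern
described in Section III: the sample checks whether it is online, then idles
until the sandbox's execution time limit instead of doing anything observable.

Added example for this review; not Comodo's code. The log format, event
names and both sample logs are constructed for the demonstration.
"""
import re

LINE_RE = re.compile(r"^t=(?P<t>\d+(?:\.\d+)?)\s+ev=(?P<ev>\w+)(?:\s+(?P<rest>.*))?$")
# Events that show the sample actually doing something to the (virtual) system.
ACTIVE_EVENTS = {"file_write", "reg_write", "proc_create", "net_send"}


def parse_events(lines):
    """Turn 't=<seconds> ev=<name> key=value ...' lines into (t, ev, attrs) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than fail the whole triage
        rest = m.group("rest") or ""
        attrs = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append((float(m.group("t")), m.group("ev"), attrs))
    return events


def classify(events, timeout_s):
    """Flag a run as suspected stalling when the sample probes connectivity and
    then shows no active behaviour before the time limit."""
    reasons = []
    probes = [e for e in events if e[1] == "net_probe"]
    active = [e for e in events if e[1] in ACTIVE_EVENTS]
    sleep_total = sum(float(a.get("ms", 0)) / 1000 for _, ev, a in events if ev == "sleep")
    exited = any(ev == "exit" for _, ev, _ in events)

    if probes and not active:
        reasons.append("connectivity probe with no file, registry, process or network activity afterwards")
    if sleep_total >= 0.5 * timeout_s:
        reasons.append(f"sleeps cover {sleep_total:.0f}s of a {timeout_s}s budget")
    if not exited:
        reasons.append("no exit recorded: sample was still alive when the time limit was reached")

    verdict = "suspected-stalling" if reasons else "no-stalling-indicators"
    return {"verdict": verdict, "reasons": reasons, "active_events": len(active)}


def triage(lines, timeout_s=300):
    """Parse and classify one run; timeout_s is the sandbox's execution budget."""
    return classify(parse_events(lines), timeout_s)


# Constructed log 1: connectivity probe, then long sleeps, no activity, never exits.
STALLING_LOG = [
    "t=0.10 ev=proc_start image=sample.exe",
    "t=0.35 ev=net_probe host=example.invalid result=unreachable",
    "t=0.40 ev=sleep ms=120000",
    "t=120.41 ev=sleep ms=120000",
    "t=240.42 ev=sleep ms=120000",
]

# Constructed log 2: ordinary installer-like behaviour that finishes quickly.
BENIGN_LOG = [
    "t=0.10 ev=proc_start image=setup.exe",
    "t=0.50 ev=file_write path=C:\\Users\\user\\AppData\\Local\\Temp\\setup.log",
    "t=0.80 ev=reg_write key=HKCU\\Software\\ConstructedApp",
    "t=1.20 ev=proc_create image=helper.exe",
    "t=2.00 ev=exit code=0",
]


if __name__ == "__main__":
    for name, log in (("stalling", STALLING_LOG), ("benign", BENIGN_LOG)):
        print(name, triage(log))
```

A "suspected-stalling" verdict is a reason to re-run the sample with a longer budget or with the connectivity the sample was looking for, not a malware verdict on its own; a legitimate updater that waits for the network can trip the same heuristic, which is why the output carries the reasons rather than just a label.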