REMOVAL TECHNIQUES
A. If a file is causing an 'Application Isolation' notification or a 'Sandboxed As' log entry, or appears as Sandbox level=Partially limited, Verdict=Unknown in the Active Processes list:
i. Look in Defence plus ~ Unrecognised files, and choose 'Move' to move any files you trust to 'Trusted Files'. (You can also make a single file trusted using the link in the notification, but using Unrecognised files is surer and deals with all the files in one go.) Then reboot.
ii. If this does not work, or if this causes further files from the same directory to be sandboxed, go to Trusted Files and add the entire program directory and sub-directories to Trusted Files. Then reboot.
iii. If this does not work, this is likely because the program is being frequently updated. In this case, when making the file trusted, tick the box on the file selection dialog which says 'use file names not file hashes'.
iv. If all the above fail, make the file an installer/updater - this carries some security risks. To do this, remove it from Trusted Files, then go to Computer Security Policy ~ Defence plus rules ~ Add and apply the predefined 'Installer/Updater' Policy to it. You may need to use these techniques to ensure the policy is effective. Then reboot. For security reasons, do not do this for internet facing applications, or for applications you intend to use to run unknown files. Please do make sure that you don't use any file you make an installer/updater to run any files you don't know to be safe.
B. If a file is causing 'Unlimited Access' alerts or 'Open file, block process' log entries, or appears as verdict=Unknown/Installer in the Active Processes List:
i. Tell CIS to 'always trust this file/package' on the alert. Then reboot.
ii. If this does not work, this is likely because the program is being frequently updated. Please try the solution in A.iii above.
iii. If this fails, please try the solution in A.iv above.
C. If there are no sandbox alerts or log entries etc. but you think a file may be sandboxed anyway: look in Defense Plus ~ Unrecognised Files and choose 'Move' to move any files you trust to 'Trusted Files'. Then reboot.
D. If multiple files with similar names are causing any form of sandbox alert or log entry, or appear as sandboxed in the Active Processes List, it probably means that a program is creating and running new executables as part of its function. The make facility in development tools (e.g. IDEs) does this. To resolve this, determine the file that is creating or running the executables by observing the sequence in real time using the D+ active process list. Then go to Computer Security Policy ~ Defence plus rules ~ Add and apply the predefined 'Installer/Updater' Policy to it. You may need to use these techniques to ensure the policy is effective. Then reboot. If you cannot determine which file is involved, try making the root executable - the one at the top of the process 'tree' (e.g. the main IDE interface) - an installer/updater.
For security reasons, do not do this for internet facing applications, or for applications you will use to run unknown files. Please do make sure that you don't use any file you make an installer/updater to run any files you don't know to be safe.
If you cannot solve your problems using these techniques then you can try the workarounds here. Please PM me if any of these solve your version 5 problem, so I can update this FAQ and alert the developers.
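
Why the 'use file names not file hashes' option in section A helps with frequently updated programs, shown as an added example that is not part of the original FAQ and is not CIS's own code. It is a toy trusted-files list with hypothetical names (`TrustList`, `updater.exe`): a hash entry stops matching once the file is updated, while a name entry keeps matching whatever content sits at that path, which is the trade-off of ticking the box.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


class TrustList:
    """Toy trusted-files list (assumed model): keyed by hash or by path."""

    def __init__(self):
        self.hashes = set()
        self.paths = set()

    def trust_by_hash(self, path):
        self.hashes.add(sha256_of(path))

    def trust_by_name(self, path):
        self.paths.add(os.path.normcase(os.path.abspath(path)))

    def is_trusted(self, path):
        by_name = os.path.normcase(os.path.abspath(path)) in self.paths
        return by_name or sha256_of(path) in self.hashes


def demo():
    """Trust a constructed file both ways, then simulate a program update."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "updater.exe")  # constructed sample file
        with open(exe, "wb") as fh:
            fh.write(b"version 1")
        by_hash, by_name = TrustList(), TrustList()
        by_hash.trust_by_hash(exe)
        by_name.trust_by_name(exe)
        results["before"] = (by_hash.is_trusted(exe), by_name.is_trusted(exe))
        with open(exe, "wb") as fh:  # the program replaces its own binary
            fh.write(b"version 2")
        results["after"] = (by_hash.is_trusted(exe), by_name.is_trusted(exe))
    return results


if __name__ == "__main__":
    print(demo())
```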