What this guide is about and what words I will use
This guide covers just the virtualisation facilities of CIS, it does not cover the Behavior Blocker despite the fact that the Behavior Blocker used to be called, confusingly in my view, the ‘auto-sandbox’.
For consistency with the latest GUI, I will call the virtualisation facilities of CIS ‘the sandbox’ and what used to be called the autosandbox, the behavior blocker.
[i]Please help us improve this by posting suggestions here.
This introduction has been prepared by a volunteer moderator – with input from many other moderators and staff (Thanks everyone, especially: EricJH, Whoop, Chiron, Egemen - the latter via prior discussion, not review of this document). It has been produced on a best endeavors basis - it will be added to and corrected as we find out more about the sandbox. Please note that I am not a member of staff and therefore cannot speak on behalf of Comodo.[/i]
Updated: 28 Feb 2013, to reflect changes up to CIS version 6.0.xxx.2708
What is a sandbox?
A sandbox is a way of segregating information (whether programs or data) so it can be managed, controlled, used and deleted separately. The technology is most often used as a way of preventing harm to computers or their user’s interests by separating out or ‘walling off’ potentially unsafe programs or sensitive information.
Sandboxes are often implemented as a hidden directory an directories to hold segregated (‘virtualised’) files, and a set of segregated registry keys to hold segregated registry information. In Comodo’s case the hidden directory is C:\VTRoot, and the key is HKLM\SYSTEM\VritualRoot. (N.B. I would advise that you do not attempt to edit these folders and keys directly).
Sandbox software (eg the CIS sandboxing routines) set up and maintains the sandbox. It also allows the user to place information directly in the sandbox, and create rules that require or allow programs to write changes they make to the sandbox instead of the rest of the computer. This is what is referred to as ‘running a program in the sandbox’. The CIS sandbox software provides all this. In addition the CIS sandbox allows you say that all unrecognized (ie untrusted) executables, should automatically be run in the sandbox, albeit currently via a registry hack.
What is it for?
A sandbox (or virtual store) designed for harm prevention has the following main purposes:
[ol]- Protecting your systems and data from damage by
[li]isolating any detrimental effects that files may have.
isolating detrimental effects by unskilled users (eg children)
[/li]
Protecting your privacy by:
[li]Isolating detrimental files/processes so they cannot steal sensitive data from the rest of your computer
Helping you to delete sensitive data (eg banking passwords) quickly and easily. If you have chosen to segregate all your sensitive data in a sandbox, you can delete it all in one go by deleting the sandbox.
Making access to sensitive data stored in the sandbox difficult, and inadvertent access impossible.
[/li][/ol]
The Comodo sandbox currently focuses on protecting your computer from harm more than protecting your privacy. It can help with privacy issues, but it has limitations. For example, secure deletion of the sandbox is not yet supported. Currently, data erased from the sandbox could be retrieved using an undelete utility.
It tends to assume that what is to be protected is outside the sandbox, and what it’s to be protected from is inside. You’ll see why that is significant if you consider 2 b and c above. In these cases what is to be protected from access is inside the sandbox, and any dangers are to be kept outside or inhibited by deletion. We pick up on this apparent conflict below when we consider how secure the sandbox is.
…So what is the Kiosk for?
The Kiosk provides an alternative desktop in which you can work with the assurance of knowing that everything you do will be sandboxed unless you say otherwise. So you don’t need to worry about remembering to sandbox programs. (In contrast when you use your normal Windows Desktop files are only sandboxed if you ask them to be using the main CIS interface).
The relationship between Sandboxing via the main CIS interface and Kiosk is further explored here.
How do the sandbox and the behavior blocker differ?
A Behavior Blocker and a sandbox have similar purposes - both can help ensure that malware does not harm your system or your interests.
The difference is that the Behavior Blocker prevents harm by preventing unrecognised software doing dangerous things. This is like shackling a thief so he cannot steal, but letting him walk around the neighborhood.
The sandbox prevents harm mainly by allowing dangerous actions within a cordoned-off area, where these actions cannot do any damage - just like a real world sand pit. This is like not shackling the thief, but confining him to a prison cell so he still cannot steal. (In CIS’s case there are a few restrictions in place too, so maybe the thief has a curfew!).
The CIS sandbox is designed to sandbox programs, not whole operating systems. So it’s more like Sandboxie than Vmware.
When you run a program in the sandbox CIS:
[ol]- Redirects all changes that program makes to the sandbox. If it:
[li] Creates a file or registry key, that is stored in the sandbox
Updates a file or registry key, an updated copy of the file or registry key is created in the sandbox
Deletes a file or registry key, it deletes it from the sandbox if it exists in the sandbox, but does nothing if it does not. [/li]
Redirects all file and registry key reads the program does so it retrieves:
[li] the sandboxed version of a file or registry key if it exists
otherwise the non-sandboxed files or registry keys
[/li]
Redirects all file views from the program, eg Windows Explorer or application file open dialogs, so you view:
[li] the sandboxed version of a file if it exists
otherwise the non-sandboxed files
[/li][/ol]
When you install a program in the sandbox, CIS:
[ol]- Creates a complete program installation including all files and registry information in the sandbox
According to the logic of sandboxes, should redirect all requests to run the program sandboxed to the sandboxed installation, but does not appear to do this at present[/ol]
When you run a non-sandboxed program:
[ol]- Creation, updates and deletions by a non-sandboxed program have no effect on files or registry keys in the sandbox.
In file views you see just the non-sandboxed files unless you choose to unhide and view the sandbox directory itself.
In registry views you see just the non-sandboxed keys unless you choose to visit the sandbox root key, which is not hidden. [/ol]
How do you run programs in the sandbox?
Here are the options:
[ol]- You can sandbox (virtualize) a single web page by typing ‘safe://’ in address bar of your browser
You can run a single program in the sandbox using any of the following methods:
[li]Use the right-click context menu- right click on a file and chose ‘Run in Sandbox’
Use ‘Sandbox Tasks ~ Run Virtual ~ Choose and Run’
Use ‘Sandbox Tasks ~ Open Advanced Settings ~ Sandbox ~ Add’ to create a rule that always runs a specified application in the sandbox. You will be offered the option to create a shortcut to the sandboxed program on the desktop
[/li]
Run the program from the shortcut you may have created under (d) above.
You can enter a desktop environment (the Kiosk) where every program you launch is run inside the Sandbox by default. Programs are usually run from Kiosk desktop shortcuts, which, by default echo those on you normal desktop. You can invoke Kiosk by using either of the following methods:
[li]Use the ‘Virtual Kiosk’ shortcut in the main CIS GUI
Type ‘Kiosk://’ in the address bar of your browser - this will open the kiosk, run dragon inside the kiosk (so dragon is sandboxed), and then open the url in Dragon.[/li][/ol]
Hints and tips
How to get data files to and from programs running in the Sandbox is explained: here.
More information regarding how to create shortcuts (or even a full start menu) to help you run programs in the Kiosk is given here. Note that shortcuts for some common programs eg browsers, are already set up for you.
Installed and non-installed programs
Most programs which you run in the sandbox will probably be installed in the normal manner, ie installed non-virtulaised, outside the sandbox even though you may run them virtualised inside the sandbox. That’s why, in the Kiosk, you tend to run programs from Kiosk desktop shortcuts - they are shortcuts to the non-virtualised world, sort of like shortcuts to programs installed on another networked machine. But you also have the option of installing programs in the sandbox, so it’s files are stored there.
How do you install programs into the Sandbox
Installation will probably work for simple installations but not for complex ones and should be seen as a facility for the advanced user. There may be unpredictable results in some cases. For further information please see this FAQ here.
Safe use of the sandbox - avoiding conflicting purposes
The CIS 6.0 sandbox can be used for purposes which assume that what is to be protected lies within the sandbox (eg Secure Banking), AND for purposes which assume what is to be protected lies outside the sandbox (eg Protecting the OS when browsing sites that could have malware infections).
You could be exposed to risk if you use the sandbox for purposes which assume one, and then for purposes that assume the other without a reset in between. For example if you browse an unsafe site in Kiosk, get infected by a browser exploit that steals logons, then subsequently access a financial site using the same sandbox.
I would suggest that users either:
reset between such conflicting purposes using Sandbox Tasks ~ Reset or
use the browser and tool segregation techniques I suggest in the Guide to using the sandbox for different purposes. If you are using Kiosk, exiting from Kiosk instead of switching to Windows provides some protection, but would not guard against malware which starts with the browser.
Please note that there are limits to the level of protection the recommendations in my Guide can provide. For example using different browsers for different purposes makes cross-infection more difficult but not impossible. Also that it may be difficult to remember to reset the sandbox between conflicting uses. Accordingly the most cautious users may wish to await further developments from Comodo before using the sandbox for purposes that conflict in the way I describe.
We understand that Comodo is considering the introduction of support for multiple sandboxes, which would be one solution, at a relatively early point in the 6.x series.
In what environment can I see and retrieve what files?
A program, including Windows Explorer running in the sandbox (whether in Kiosk or otherwise) can see all files virtualised or non-virtualised, in the location to which you saved them. Your normal set of computer directories will be visible, and in each directory both the sandboxed and unsandboxed files will be visible. If there are two copies of the same file sandboxed and non-sandboxed, you see the sandboxed one. (If you are using Kiosk you will need to create a shortcut to a folder or to Windows explorer on your normal desktop if you are to use explorer - it is not available from the Kiosk menu).
A program including Windows Explorer, not running in the sandbox can only see non-virtualised files and files in the Sandbox’s ‘Shared Space’ folder at least when it looks at your normal set of directories. Explorer can look at the hidden sandbox directory (C:\VTRoot), and see the sandboxed files in their own (replicated) directory structure, but only if you choose to allow it to see hidden files & folders.
How can I get stuff in and out of the sandbox most simply?
You use the Shared Space, a shared folder accessed via a link on the Kiosk, the Normal desktop, and the CIS main interface (task bar) to do this.
You can make any other folder you like shared using Sandbox Settings ~ Exclude folder from virtualisation. But you would be wise to give any folder you designate a name that suggests it’s shared status eg ‘Docs - shared with virtual’
Anything you put in a shared space will not be deleted on reset.
Because shared space is shared between the sandbox and the unsandboxed world, and sandbox security works by segregation, files in shared space could be at greater than average risk, so it may be best to use this for transfer only, not permanent storage.
You can run programs stored in the shared space by double clicking on them as usual. Please see here for details of the policies used.
What about the green/red border on program windows?
The red/green border is designed to warn you that the program is running with an unusual Sandbox (virtualisation) status.
The boder shows:
green (for safe) when I file is running sandboxed in your normal desktop environment
red (for danger) when file is running non-sandboxed in the Kiosk
You can get the green border by running a file sandboxed using for example Sandbox Tasks ~ Run Virtual in the main CIS interface.
You can get the red border by running an program requiring elevated privs from the Shared Space folder when using the Kiosk, and saying ‘run out of the sandbox’ when asked on the elevated privs alert. (Programs running with normal privs from shared space are sandboxed).
Kiosk and sandboxing via the main CIS interface - how do these relate?
When in Kiosk all programs are run sandboxed (virtualised) except those you decide should not be by running them from a Shared Area. When in using the normal Windows Desktop and the main CIS interface all programs are run normally according to CIS rules except those you decide should be sandboxed.
Programs run sandboxed from Kiosk and the CIS interface put information in the same sandbox.
Programs run from Kiosk always run under the Fully Virtualised sandbox restrictions unless you use a hack to change this.
Programs run from the CIS interface ~ Sandbox Tasks ~ Run Virtual run with the same restrictions - the ‘Fully Virtualised’ restrictions - as programs run from the Kiosk.
Programs run using the CIS interface facility to always run programs in the sandbox may have whatever restriction level you please, including ‘Fully Virtualised’. (This facility is access via: ~ Advanced settings ~ Security settings ~ D+ ~ Sandbox ~ Add).
[ol]- System damage/disruption prevention. The CIS sandbox and related facilities on default settings provide good enough but not yet excellent protection against system damage/disruption by malware. Protection against malicious remote users (eg hackers) not using malware for access is strong. Protection against damage by inexpert or malicious local users - who you may have allowed to use say the Kiosk, not your main machine or vice-versa - is however weak. (This verdict discounts the effect of new release bugs, which hopefully will be resolved soon, and assumes you avoid using the sandbox for conflicting purposes). Details of strengths and weaknesses with some fixes here. Technical analysis and method here.
Privacy protection. The CIS sandbox, or virtual store, provides some privacy protection. But, if using default settings, protection of privacy from malware or local users is rather weak at present. Protection from remote users not using malware for access is however strong. Details of strengths and weaknesses with some fixes here. Technical analysis and method here.
Protection when changing purposes.This is important when you want use the sandbox for risky purposes which may result in malware installations and then want to use it to store things that need to be protected (or vice versa). There is no automatic protection against such risks, so you need to remember to reset the sandbox between such uses or use the other approaches described here.[/ol]