Feedback on Help, FAQs and Guides

Please post in this topic any suggestions you may have for improvements to the FAQs or any introductory topics, for example the “Introduction to the Sandbox” topic.

Please do not post requests for help here

Summary of things that may need to be dealt with either in the intro to the sandbox or in the FAQ.

(Short notes only)

Done

  • interaction with D+ (FAQ entry Done)
  • why sandbox is like it is & will work on 64 bit (DONE)
  • OS files being sandboxed (DONE)
  • how sandbox decides something is an installer (DONE)
  • what is virtualised (registry, files) (DONE)
  • What happens if a file is detected as malware after submission by sandbox (DONE)
  • What happens to sandbox on XP 64bit (DONE)

To do

Will the Comodo sandbox work on 64bit systems?

Yes it will (with the exception of 64bit Windows XP).

This is one of the main reasons why it is designed as it is. Most sandboxes will not work on 64 bit systems because they use undocumented calls (which are not supported in 64bit) to intercept program to program communications. The CIS sandbox avoids this by not sandboxing installed executables, which means it does not need to intercept these communications.


https://forums.comodo.com/defense-sandbox-help-cis/introduction-to-the-sandbox-t53268.0.html

I don’t understand the bold part… :-\

And the “undocumented calls” are not supported in Windows 32 bit.

"Patching the kernel" refers to unsupported modification of the central component or kernel of the Windows operating system. Such modification has never been supported by Microsoft because it can greatly reduce system security and reliability. However, though Microsoft does not recommend it, it is technically possible to patch the kernel on x86 editions of Windows. But with the x64 editions of Windows, Microsoft chose to implement technical barriers to kernel patching.
http://en.wikipedia.org/wiki/Kernel_Patch_Protection

Or does “use undocumented calls” not mean patching the kernel? ???

Thanks. :slight_smile:

First comment! Thanks Jowa

You are right about the word ‘supported’, a lazy/vague word. I’ll replace it by ‘Do not work’.

And I’ll replace ‘not sandboxing’ by ‘not making virtual copies’. Hope that will make things clear. I’ll be putting up a virtualisation FAQ entry today too - so any comments will be welcome.

As for kernel patching, I’m afraid I’m not competent to comment. Maybe Egemen will when he gets back from China!

Best wishes

Mouse

Thanks Mouse. :slight_smile:

Now I think I understand… When I sandbox e.g. IE, iexplore.exe is run from C:\Program\Internet Explorer, not copied to C:\Sandbox\iexplore.exe\… and run from there. That folder is only used for files created or modified when running IE. And HKEY_LOCAL_MACHINE\SYSTEM\Sandbox\iexplore.exe\ for registry keys created or modified when running IE.

That’s exactly it!

Glad the FAQ works. All suggestions for improvments welcome

Mouse

Maybe add information about what happens when CIS 4 is installed on XP x64? Is sandbox automatically disabled?

Thanks. :slight_smile:

Good point. I don’t know, but Egemen will. I’ll ask and add this.

Mouse

No response yet I am afraid Jowa. Hopefully will get one post the .828 release.

Intro now updated to reflect what happens in the case of 64bit XP

Mouse

Thanks. :slight_smile:

My pleasure

On the Sandbox Help - Feedback page it says:
"Please post any suggestions you may have for improvements to the “Introduction to the Sandbox” topic.’
AND on the Introduction to the Sandbox page it says:
“Please help us improve this introduction by posting suggestions to the ‘Sandbox help materials - Feedback topic’”

Get it straight, will you?

Here is what prompts me to write: No product that has the potential to lock down functionality of my machine should be rolled out so cavalierly to users with built-out systrems.

The implementation and roll-out of the SANDBOX feature in CIS is probably fantastic for machines with a fresh install – the kind of machines that coders and computer scientists use that have only two or three apps on top of the operating system, and virtually no accumulated data files. However, for an existing system which has an abundance of previously installed applications, and a superabundance of accumulated user files, it sucks!

The Sandbox has grabbed my machine by the you-know-what, and is squeezing it hard. It is interfering with things that constitute routine tasks for me, such as printing the screen to a .pdf-creating printer driver, and then really printing to a real printer Users should be introduced to the Sandbox with some explanation that printer drivers may become dysfunctional, and some examples of the kinds of problems that commonly exhibit themselves when sandboxed apps cannot communicate with non-sandboxed applications.

Tasks which have never given me any problems are suddenly failing to perform, and without any error message or anything to alert me to the failure. Programs which automatically are put into the Sandbox and are supposedly being checked by Comodo for safeness, just sit there in the line to be checked. And this is happening with programs on my machine which have been on the market for years. Clearly, Comodo’s whitlelist was developed by a kindergartner, and the company is using its customers as guinea pigs to build its whitelist for it. If they are actually checking applications to determine their “safeness,” I see no evidence of it.

There should be a knowledge base with KNOWN ISSUES on display. When CIS and Sandbox are installed onto a machine with applications in place, users should be shown a list of applications on their machine with explanatory details such as KNOWN SAFE, UNKNOWN, KNOWN HAZARD, etc., so that users can get some sense of how harshly their computer experience is going to be handled by COMODO’S SANDBOX, and some advisories about how to best manage the transition to having the Sandbox squeeze less harshly.
I could keep on with suggestions, but if this rollout had not been handled by persons who are clearly indifferent to existing customers with mature, fully built-out systems, it would be unnecessary for me to be forced to waste my time holding their hands.

Their management is clearly not up to the task of handling a rollout as complicated as what the Sandbox is.

The same is also true of the Comodo AntiVirus. Simple things – like self-extracting zip files which I have created and stored – are all, each and every one, being identified as potential problems when a scan is done by the Anti-virus checker. Absurd to identify a self-extracting zip file as a virus, without letting the user specify that such a class of files should be skipped and presumed to be desirable, at least when they are located in certain folders. Major things, like invisible system restore points, are being identified as infected with no clue as the crucial significance of those files being cleaned" or “quarantined.”

A user who is doing an upgrade of Comodo needs to be warned that CIS is going to take control of their machine and possible refuse to let it perform productively in ways that have become routine for the user, and safely so.

Thanks, I have added ‘in this topic’ to the feedback topic to clarify matters

Here is what prompts me to write: No product that has the potential to lock down functionality of my machine should be rolled out so cavalierly to users with built-out systrems.

The implementation and roll-out of the SANDBOX feature in CIS is probably fantastic for machines with a fresh install – the kind of machines that coders and computer scientists use that have only two or three apps on top of the operating system, and virtually no accumulated data files. However, for an existing system which has an abundance of previously installed applications, and a superabundance of accumulated user files, it sucks!

The Sandbox has grabbed my machine by the you-know-what, and is squeezing it hard. It is interfering with things that constitute routine tasks for me, such as printing the screen to a .pdf-creating printer driver, and then really printing to a real printer Users should be introduced to the Sandbox with some explanation that printer drivers may become dysfunctional, and some examples of the kinds of problems that commonly exhibit themselves when sandboxed apps cannot communicate with non-sandboxed applications.

Tasks which have never given me any problems are suddenly failing to perform, and without any error message or anything to alert me to the failure. Programs which automatically are put into the Sandbox and are supposedly being checked by Comodo for safeness, just sit there in the line to be checked. And this is happening with programs on my machine which have been on the market for years. Clearly, Comodo’s whitlelist was developed by a kindergartner, and the company is using its customers as guinea pigs to build its whitelist for it. If they are actually checking applications to determine their “safeness,” I see no evidence of it.

There should be a knowledge base with KNOWN ISSUES on display. When CIS and Sandbox are installed onto a machine with applications in place, users should be shown a list of applications on their machine with explanatory details such as KNOWN SAFE, UNKNOWN, KNOWN HAZARD, etc., so that users can get some sense of how harshly their computer experience is going to be handled by COMODO’S SANDBOX, and some advisories about how to best manage the transition to having the Sandbox squeeze less harshly.
I could keep on with suggestions, but if this rollout had not been handled by persons who are clearly indifferent to existing customers with mature, fully built-out systems, it would be unnecessary for me to be forced to waste my time holding their hands.

Their management is clearly not up to the task of handling a rollout as complicated as what the Sandbox is.

The same is also true of the Comodo AntiVirus. Simple things – like self-extracting zip files which I have created and stored – are all, each and every one, being identified as potential problems when a scan is done by the Anti-virus checker. Absurd to identify a self-extracting zip file as a virus, without letting the user specify that such a class of files should be skipped and presumed to be desirable, at least when they are located in certain folders. Major things, like invisible system restore points, are being identified as infected with no clue as the crucial significance of those files being cleaned" or “quarantined.”

A user who is doing an upgrade of Comodo needs to be warned that CIS is going to take control of their machine and possible refuse to let it perform productively in ways that have become routine for the user, and safely so.

Thanks for your suggestion regarding the knowledgebase. I believe there is one on the main Comodo site, but I suspect extra content may be needed. Meanwhile the best source of the information you request may be the application incompatibility topic here or the bug reports forum.

I am sorry you have had so many problems with CIS 4.x - your comments regarding quality control will probably be best addressed if mentioned under Feedback: here - the chief executive of Comodo monitors this forum regularly.

Best wishes

Mouse

What do you mean?
The sandbox seems to be disabled by the system tray icon ???

[attachment deleted by admin]

No, this talks about the Sliders under defense plus ~ settings.

It’s really about their interaction, which people find difficult.

I’ll rename this post to make all that clear.

Thanks for your feedback.

Mouse

Sorry to be a pain, but I did not understand.
Step 1: Sandbox is enabled and Defense+ sandbox setting is enabled. (screenshots 39 and 42).
Step 2: Disable Defense+ sandbox setting. (screenshot 43)
Step 3: All sandbox is disabled. (screenshot 44)

[attachment deleted by admin]

Thanks very much Tech. Not how it is supposed to work according to the latest documentation. I will experiment with a file to see what actually happens.

Mouse

Well program is better than the documentation. You are correct! GUI however does not reflect this - sandbox slider remains fixed!

Just installled CIS 5 for the first time today. I followed the Mouse1 guide to Installation and initial config. and have had a problem free install. It has been working perfectly for the last couple of hours. Thank you Mouse1.

John