Introduction to the 5.x sandbox

INTRODUCTION TO THE 5.x SANDBOX

[ol]- What is it for?

• How does it work?
• What is it not for?
• How does CIS judge the trustworthiness of a file?.
• Something wants ‘unlimited access’, what should I do?
• How do I know what has been sandboxed?
• How can I prevent software being sandboxed?
• So… is the sandbox really secure?
• Will the sandbox work on 64 bit systems?
• What if I want to know more? [/ol]

[i]Please help us improve this introduction by posting suggestions to the ‘Sandbox help materials - Feedback topic’ here.

This introduction has been prepared by a volunteer moderator – with input from many other moderators (Thanks everyone, especially: Ronny, Omletguy, Dennis2, Arkangyal, Egemen). It has been produced on a best endeavours basis - it will be added to and corrected as we find out more about the sandbox. Please note that I am not a member of staff and therefore cannot speak on behalf of Comodo.[/i]

Updated: 31 January 2012, to reflect changes up to CIS version 5.9.xxx

The CIS sandbox helps CIS provide ‘good enough security’ with minimum inconvenience.

It does this by buying the time needed to make a well-founded judgement on the safety of an unrecognised file instead of demanding an instant decision from users via alerts. The time ‘bought’ in this way can be used by Comodo to look up or analyse the files or by the user to research them.

The sandbox buys time for careful judgement on unrecognised software by placing temporary restrictions on unknown software. The vast majority of programs are still able to run while restricted in this manner and generate few alerts [1].

Software unrecognised by CIS has these restrictions automatically imposed. Such files are said to be automatically sandboxed. Software that the user regards as suspicious can be sandboxed by the user. Such software is said to be manually sandboxed. Manual sandboxng facilities are still at an early stage of development, and are not dealt with further in this Introduction. Please refer to the program help text, and the virtualisation FAQs here.

Both manual and automatic sandboxing are switched on by default and may be turned off together using the Sandbox Security Level slider.

Automatic sandboxing
Software unrecognised by CIS is, by default, automatically sandboxed using the ‘partially limited’ policy when run. So is all software run by such software. Software recognised by CIS as trusted is not sandboxed. If recognised as an installer it is run as a trusted installer with unlimited access to your computer. If not recognised as an installer it is run as a normal trusted file with a lower level of access. (Software immediately recognised by CIS as malicious is not run sandboxed - instead it is immediately alerted to the user via the AV system).

Most unrecognised software gets sandboxed immediately - the user is notified but retrospectively. Installers are held in limbo, giving users the opportunity to sandbox or not, but sandboxing occurs automatically if no answer is given.

Software cannot be removed from the sandbox until it is deemed trusted by Comodo or the user. Restrictions on unrecognised software which is subsequently deemed trusted are not removed until the software is next fully restarted. In some cases this may require the computer to be rebooted. Unfortunately the user is not told that this is required.

Sandboxed software may also be subsequently deemed suspicious or malicious by Comodo or the user. If recognised by Comodo as malicious it is added to Comodo’s blacklist and your computer is notified. When the software is next run the AV will give you the option of deleting or quarantining the software. If recognised by the user as malicious it can be transferred to my blocked files and/or AV quarantine, and/or deleted manually, and can thus be prevented from running. (Alternatively, if only suspicious, it can be manually sandboxed at a higher restriction level).

The restrictions placed on automatically sandboxed software are documented here.

Automatic sandboxing does not virtualise software Files and registry keys created by the software are NOT stored in a separate place on your hard disk. (Instead, to protect system integrity, the sandboxed program is prevented from writing to protected folders, pre-existing files, and registry keys - see link above for details).

Footnotes
[1] By default, CIS is now set to supress almost all alerts (see Alert reduction settings) . If these settings are set to ‘off’ Internet, Global hook, and certain COM interface alerts will still occur for some programs, though the frequency of these is being reduced.

Although you can choose to sandbox software yourself, the current version of the CIS sandbox is not intended to be an alternative to a traditional sandbox like Sandboxie.

The CIS sandbox does not intercept all actions by sandboxed software. So it cannot successfully sandbox installed program files and so cannot wipe all traces of installed software from your system if you decide to uninstall it. However it does provide good protection in other ways (see how the sandbox works) and these facilities are being constantly improved.

You get ‘unlimited access’ alerts when CIS is faced with unknown installation software or other software that requires unlimited access to your computer, and so cannot be run sandboxed. If the setting ‘Automatically recognise installer…’ is checked, CIS grants installation software almost total freedom and suppresses all alerts (though it still makes log entries). You should say yes if you fully trust the vendor of the software, no or ‘sandbox’ otherwise.

If you say ‘no’ you can uncheck '‘Automatically recognise’ and re-run the installer with all Defense+ alerts enabled. If you say ‘sandbox’ the installer software will be sandboxed, and thus unable to damage your system, but the files that it installs, and registry keys it creates will be created in their normal locations (ie virtual copies will not be created in the sandbox), unless these are protected directories (eg your OS directory). The installed files will not be able to harm your system unless you run the software from the installer - so it’s best not to do this.

CIS will normally alert you the first time, it automatically sandboxes software, using an ‘Application Isolated’ alert. It will normally make a log entry every time it automatically sandboxes software. If you miss the alert you’ll find the file in ‘Unrecognised Files’. If the file is still running you’ll also be able to see it’s sandboxed in the Active Processes List. However CIS will not generate an alert when files are automatically sandboxed just because they are run by other files which are sandboxed. Nor will such files appear in ‘Unrecognised Files’. Instead a log entry will be made.

Automatically sandboxed files do not show up in ‘Always sandbox’, which shows only manually sandboxed files added via ‘Always sandbox’.

You should never take software out of the sandbox unless you are sure you can trust it.

When CIS tells you it wants to sandbox software using a standard sandbox or ‘application isolation’ alert, you can decline this, but you will have to re-start the software concerned to take it out of the sandbox. Alternatively you can unsandbox software by adding it to Trusted Files, either by using ‘Move to’ in ‘Unrecognised Files’, by using ‘Add’ in ‘Trusted Files’, or by using the right click menu in the Active Processes List. Then, if the software is running, you must restart the software and perhaps reboot the computer.

If it asks using an ‘Unlimited Access Alert’, you can tell CIS to run the software outside the sandbox simply by saying ‘Allow’. No restart of the software is required. But if you want it to run outside the sandbox permanently, you need to tell CIS to always trust the file/package. You can now do this on the alert.

Sometimes it can be difficult to remove files from the sandbox – though this problem is now improved. Information on how to get over this is here.

Please note:
Defining a file as a trusted application in the Computer Security Policy does not remove it from the sandbox.

It is designed to provide very good security with a minimum of alerts, which should be sufficient for the majority of users. It’s not designed to provide the highest possible level of security.

Unrecognised software is automatically sandboxed using the partially limited policy by default is restricted as follows. It cannot:

[ol]- write to (ie infect) existing protected files or registry keys

• drop files in protected directories
• take some admin privileges (e.g. Debugging and driver loading)
• key log or screen grab by most known techniques
• set windows hooks without asking
• access protected COM interfaces without asking
• access non-sandboxed applications in memory
• access the internet without asking.[/ol]

You can increase these restrictions by changing the default restriction level using ‘Treat unrecognised files as’ on the Image Execution Settings tab in Defense plus settings. However unrecognised files will not always run successfully under higher settings. (Files which run OK under a standard user - i.e. non-admin - account should normally run OK up to the ‘limited’ level).

Yes it will. Except that registry virtualisation is disabled in 64bit Windows XP. The user is not currently informed about this - Comodo is considering adding an alert.

This is one of the main reasons why it is designed as it is. Most sandboxes will not work on 64 bit systems because they use undocumented OS facilities (which do not work in 64bit) to intercept program to program communications. The CIS sandbox avoids this by not creating virtual copies of installed programs, which means it does not need to intercept these communications.

As I find out more I’ll edit this topic. A detailed screen by screen guide to all the settings is available in CIS help text, under ‘Defense+ Tasks’ and ‘Introduction ~ Understanding alerts’. A faq is being developed here.

Software may be recognised as trusted by CIS by being:

[ol]- on the users trusted file list ie in ‘Trusted Files’ list

• on Comodo’s trusted file list (local or online) which is compiled from files subject to detailed manual analysis. (Automatically analysed files are never placed on this list).
• signed by a vendor on CIS’s Trusted Vendor list
• defined as a ‘trusted installer’ in the computer security policy
• dropped by a trusted installer.[/ol]

Note that any trusted file that requests installer privs from the OS is regarded as a trusted installer by CIS.

Software may be deemed suspicious or malicious by CIS by being:

[ol]- on the Comodo blacklist, which is compiled from files [li]automatically analysed online (which takes 15 minutes) and/or- subject to detailed manual analysis (which takes a long time)[/li]

• observed exhibiting suspicious behaviour on your machine [li]by Defence plus heuristics, and/or- by buffer overflow attack detection[/li][/ol]

Users may also in effect define files as suspicious or malicious by restricting them in certain ways. For example by making them blocked files, quarantining them, or subjecting them to higher levels of manual sandbox restriction.

All such lists & processes, or the checks made on them, are visible to the user in some way apart from CIS’s own local trusted files list, which is in part a cache from past online lookups, in part a list supplied at installation time.

You can request that file be checked online and added to the appropriate lists by submitting a file for detailed analysis. This partially manual process may take some time. Further info here.

BUMP