Am I better protected with the sandbox enabled or disabled?

Tested CIS 5.0 with sandbox on, and when I allowed COMODO leak test to run outside the sandbox I got a poor test result.

Before version 5 I always disabled the sandbox and always got a perfect score of 330/330.

When COMODO leak test was run in sandbox however I did get a perfect score of 330/330.

Now the confusion is: why does enabling the sandbox and allowing a program to run outside it result in degraded security provided by the same defense+?

Set to proactive with max security setting for defense +

If you are a highly technically competent user with a detailed understanding of CIS and lots of time, then you may wish to tailor all your settings yourself, allowing only the apps you want to allow to do only what you want them to do. In doing so you can achieve a higher level of security than the sandbox.

But for average users who can get ‘alert fatigue’ (i.e. a tendency to automatically allow alerts) if configuring CIS to their needs, the sandbox will probably work out more secure.

Best wishes

Mike

It really depends on what you want to use the sandbox for. If you want to try to use it as an actual sandbox then technically you are not as well protected from leaks, but the computer is completely protected from infection. Note that you still get the firewall alerts, so information can’t be sent from your computer without your ok.

If you wanted you can switch the sandbox to treat the files as blocked and it will essentially quarantine any unknown files in it until you examine them and decide they’re safe to allow access to your computer. It’s really up to you how you set it up.

Here’s my guide on how I Install & Configure Firewall (5.0 / 2011) for Max Protection & Min Alerts in case you’re interested.

If my main concern is hacker attack or exploit, am I better off disabling sandbox altogether, since with it on the defense+ is less potent than if it was off?

After some time using the sandbox I rather doubt its capability.

For one, a game which I purposely let run sandboxed is recorded to have made changes to system files.
When looking for the related system folders in C:\Sandbox I couldn’t find any system folder aside from firefox.exe and iexplore.exe.

Where’s the system virtualization and registry virtualization in the hidden folder C:\Sandbox?

If I’m right the game set to limited sandboxed still made changes to the real system files.

Am I missing something here because I thought sandboxing would prevent any changes to system files?

When sandboxing the browsers

I noticed that when opening them there are always 2 processes that are sandboxed instead of just the browser executable. I can’t terminate and block these nor can I submit them to COMODO. Are they part of the sandboxing thing or are they not?

> For one, a game which I purposely let run sandboxed is recorded to have made changes to system files. When looking for the related system folders in C:\Sandbox I couldn't find any system folder aside from firefox.exe and iexplore.exe.

Basically there are two ways of sandboxing: automatic sandboxing, which does not virtualise, and manual sandboxing, which does virtualise. You probably had the game run under the automatic sandboxing.

> Where's the system virtualization and registry virtualization in the hidden folder C:\Sandbox?

The virtualised folders and registry are in the VritualRoot folder (typo in the name is intentional).

> If I'm right the game set to limited sandboxed still made changes to the real system files.
>
> Am I missing something here because I thought sandboxing would prevent any changes to system files?

It depends on whether you ran the game manually or automatically sandboxed. Read The Sandbox - An Introduction and Unknown Files: The Sand-boxing and Scanning Processes for reference.

Thanks Eric.

But that raises some other questions: why is it like that?

Why doesn’t automatic sandboxing result in virtualization?

*Does it mean automatic sandboxing is less secure than manual sandboxing? What’s the benefit of automatic sandboxing over UAC in Vista or Windows 7?

The majority if not all of sandboxing is done by the automatic sandboxing. If the answer to the preceding question* is yes, then why not virtualize automatic sandboxing? If the answer is no, why virtualize at all?

The given help file failed to mention this, and according to it all unknown or unrecognized files that are submitted would only need 15 minutes for them to be analyzed and the result presented back to the user’s CIS installation. I have 2 files that remain unrecognized for about 2 days now; that is how long CIS 5 has been on my machine. :slight_smile:

I don’t mean to be cruel to COMODO, I just want to understand what my primary and favorite security app is actually doing instead of guessing what they are actually doing to protect me.

Thank you :wink:

https://forums.comodo.com/news-announcements-feedback-cis/thought-files-would-get-analysed-and-marked-safemalicious-within-15min-not-24h-t61892.0.html;msg436117#msg436117

In Comodo, sandbox is not about adding an extra layer of security that D+ cannot achieve, it is about reaching an acceptable compromise between security and usability.

I do not run sandbox, but I am willing to spend some serious time tailoring CIS for my use and also I am willing to get many alerts for anything that has not yet been configured.

If I were less savvy or if I could not be bothered with all the configuration, I would keep the sandbox enabled.

Cheers

Egemen told us mods during the alpha stages of CIS v5 that they tested the new default settings for automatic sandboxing and threw 15,000 malwares at it. None of them were able to do harm to the system; read: it did not survive a reboot. It would run but could not do harm.

This brings carefree and hassle-free security for the people who are not interested in every nut and bolt of security (read: most users of computers). That’s no mean achievement.

Manually sandboxing brings the possibility to sandbox safe files, like browsers, that operate in challenging situations.

Both automatically and manually sandboxed files can be run at several layers of protection. The default setting of automatic sandboxing is the least secure, partially limited, and even that brings a great level of protection; remember Egemen’s findings.

I don’t know whether manually sandboxing with virtualisation brings more security or more convenience.

@Thanks Eric for trying to explain it :-TU

Umm I never enabled sandbox in ver 4 too. Thank you for putting it bluntly according to your opinion and with the added explanation from Eric I think I know what sandbox is for though I no where understand it :smiley:

Using a Sandbox should be adding an extra layer of Security, so what are we saying, manually adding like Firefox to the sandbox, ‘Partially Limited’ is not adding extra security?

My education and understanding about using SandBox technology was to add an additional layer of security and not cause any degradation…

Even The Sandbox - An Introduction says this is to complement and strengthen the Firewall.

Even by the way Comodo wrote this and from what I think users are understanding here, they are all missing a very important point of sandboxing especially your browser, so when you are surfing, you can’t be infected by what might be getting loaded into the Temporary Internet Cache. This is a way in which infections come into the system, simply by surfing the internet.

You should always surf with a browser manually added into the sandbox…

THANKS

The idea of the sandbox is to make CIS easier to use, with fewer alerts, without compromising your security.

You can also use it to run programs for testing purposes.

As far as running Firefox in the sandbox you can, but as there are no usability features for now this can cause problems, this may change in the future.

Dennis

Sandboxing firefox or IE would result in no audio feedback though everything else seems to be working fine.

What do you mean ‘no usability features’?

Also what if a piece of malware is brought in through the Temporary Internet Cache is it going to be contained/quarantined in this sandbox as well as if you were to accidentally download malware too?

THANKS

The sandbox will only contain a running file. A malicious file that is sitting on your hd is just sitting and not running; it does not get sandboxed.

Usability features:
The main one is Quick recovery: download a file that you want to keep, and with one click it is moved from the sandbox to a folder on your computer.

There are numerous other settings to fine-tune what access each program is allowed.

If you sandbox your browser with CIS all temp files should be kept there, I cannot confirm as I have not tried it, but I should think this is the case.
