App cannot be unsandboxed - more examples & some interesting analysis

I was asked to repost this issue as I posted it in the wrong forums section earlier.

I have CIS installed. So far there are three dll’s that keep getting request to run… I approved them and checked the remember my answer, I get the same request fifteen minutes later. The programs that are requesting them are safe.

How do I stop these warnings from poping up for the same request?


I have had similar issues with the Sandbox, and not been able to resolve them. It does not seem as if the user’s choice is being saved/remembered for further use, and the file is constantly being run inside the virtual environment.

This also does not seem to relate to our personal “Safe” file list, so even if we define an app in D+ as Safe or Trusted, Sandbox will still trigger on it.

Wish I had an answer for you, but have not found one yet. At least you know you’re not the only one… :wink:


i tested the sandbox a while ago, so i dont know exact the words in the window.

but theres a trick that the sandbox remembers your answer:

DONT mark “use this for all products of this company” (something like that).

just mark “dont run again in sandbox, remember my answer”.
for me it worked then. but i switched off the sandbox because of security reasons anyway.

if you want a real sandbox without problems and with much more security, use the “sandboxie” for example. you can use it free, and you can buy it (with small plus funktion abillity). but be sure that you made the setting right!!!

Tnx for the tip, clockwork, I’ll check it out.


I had tried that before I even read this thread. It doesn’t work. I keep getting popups for several applications (all are signed and the vendors listed in ‘My Trusted Software Vendors’.
I even regularly get popups saying Explorer.exe has been sandboxed for trying to run an app I desired. All have been marked as Don’t sandbox again, remember my answer. They still continuously get sandboxed and issue a popup.
Very annoying. I disabled Sandbox this evening.

then there is something equivalent to the “for all products of this company”-setting still active in your case.

when i tested it, i disabled everything related to “trust something automatic, or trust digital signs ect”.

with paranoid mode, and all this settings OFF, it worked in the described way. this may be a hint for a structure problem with the comodo sandbox.
it doesnt give a real (i mean “wide and complete”) protection, and it annoys people so they disable it at last.

the user should be able to decide. with defense+, software cant start usually by itself anyway. so, when he wants to start an application which he doesnt know, he can run it in a REAL sandbox. thats the good way. but to take the action out of his hand, and make it automatic, just to reduce defense+ AND (most bad) to reduce firewall questions, then it MUST be perfect. what cis sandbox definitely isnt.

use defense+ and a real sandbox. thats what i can tell. then you have really added security.

Ah, so Sandbox is relying on separate settings from D+, and not just from within its own settings. My “for all products of this company” is grayed-out, so that must be tied in to “Trust Applications Digitally Signed” or “Create Rules for Safe Applications” somehow. That doesn’t make a lot of sense, though, because if the apps were signed or otherwise known safe, Sandbox shouldn’t be flagging it, as it wouldn’t be unknown.

Obviously has some issues…

I have found this repeated alert behaviour under the following conditions:

[ol]- File is continually modified, either file body or just date modified

  • File is OS file but is missing its signature, or the signature is corrupt
  • File with same name added in different versions as say AV program updates[/ol]

One can understand the reasons these generate repeated alerts, but the problem does need to be solved.

Note that files to which the ‘trusted’ predefined policy has been applied are not treated as safe by the sandbox. Also that to free files from sandboxing can need a reboot, as sandboxing is inherited from parent files.

You can find out if CIS thinks a file is signed by attempting to add the vendor from the file. You can use sigverif.exe to perform an independent check, but make sure the advanced tab is filled out correctly, including the extension.

There is a FAQ on unsandboxing individual files which may help you. But as you say this needs to be made less hassle.

Best wishes