Automatic Sandboxing not working as expected

Okay, reading recent posts, I come to the conclusion that the automatic sandbox is not working as expected. Rouges and trojans, if run with manual sandboxing, are kept in c:/Sandbox, and thus dont do any harm.
As for automatic sandboxing, rouges and trojans are allowed to write outside the C:/Sandbox, thus making it difficult to remove the infection. It also gives the impression they are run outside of the sandbox.
Shouldn´t automatic sandboxing keep every sandboxed app in c:/Sandbox? Or how to remove infections that are sandboxed but are permited to write to anywhere on the system?


Its explained here . I think there is a confusion as to how it should work, so far from what we can see it works as intended.


Hi Melih,
thank you for the link and thanks to Egemen for the explanation.

You’re right, there’s a big confusion about how the sandbox works and if this is intended or buggy.

But I think the problem is homemade for various reasons:

1st: The terminology: “Sandbox” means in first place virtualization of system resources, so that there’s no impact on the real system or other processes. Additionally you can add privilege control.

2nd: The development cycle of CIS4 viewed from the public: Sorry, but

  • we got a beta with the hint “virtualization doesn’t work” at the moment
  • we got an RC with no notification about sandboxing. So, you couldn’t be sure, if an application was sandboxed or not. It wasn’t possible to test it (but the confusion grew)
  • finally we got the final with a practically untested Sandbox (by the public)

3rd: If I have a look into the help file of CIS4, it states [Defense+ Tasks Overview → The Sandbox]:

Comodo Internet Security's new sandbox is an isolated operating environment for unknown and untrusted applications. [b]Running an application in the sandbox means that it cannot make permanent changes to other processes, programs or data on your 'real' system.[/b]

So, please understand the confusion and frustration, when users report about a non working sandbox.
The link you gave was the first clear explanation of a COMODO staff member, that virtualization is not intended for auto sandboxed processes. At least the first I found here at the forum.

By the way I know, the sandbox is aimed to reduce alerts. But I see this the other way round. I’m especially interested in the sandboxed applications and what they are trying to do on my system. I’d like to know if the new software I just downloaded from the Internet tries to harm my system or if it’s as good as it promised to be.
So please consider to make the alerts optional for sandboxed applications.

Thank you BigMike.


if it’s true that automatic sandboxed apps do not run virtualised i will be very dissapointed. very dissapointed.

Automatic Sandbox Virtualization is not enabled by default. Defense+ handles sandboxed applications specifically (As Egemen stated in the link Melih provided) D+ protects the protected files and registry keys and makes sure Sandbox apps don’t touch these, as well as preventing them doing admin stuff.

As always, even now the Sandbox does still need improvements - See the link provided by Melih above and how a Rogue passed CIS 4 and did cause System Malfunction (It wasn’t just a Rogue throwing a GUI in your face) - So hopefully these type of applications will be handled a little better. It’s not to say ALL Rogues bypass CIS and cause such malicious behaviour to the point where you have to reinstall the AV. Defense+ Heuristic Alert and Elevation Privilege Alert also Alert you when other Rogues install. However, certain Rogues are tricky, And when a Rogue bypasses security checks such as Antivirus, Buffer Overflow, Defense+ Heuristic and the Sandbox is left to handle the Rogue (It may be handling it, But obviously, in my case and MisterMooth’s case for example, were forced or almost forced to reinstall windows because things like, for example, CIS 4 GUI would not open up) and the Rogue would START it self every time on startup.

It does need to be looked into. On-demand sandbox works fine, But Automatic sandboxing needs to be improved in certain areas. If you go to the Sandbox GUI and change the level from “unrestricted” to “untrusted”, and try running ANY Rogue in the Sandbox on-demand “Programs in Sandbox”, The rogue will not run at all which is a good thing. However, I can again understand why Comodo would not want UNTRUSTED to be the default for automatic sandboxing. Legit files that are not on Comodo’s Safe list, Trusted Vendor List, etc are still sandboxed. Obviously if untrusted was the restriction, these good apps would not run at all. However, I just think Virtualization for automatic sandboxing might need to be enabled so some ROGUES are only temp there.

The Comodo Sandbox works great however with other threats, As well as CIS as a suite. Comodo are new born babies to Sandboxing (In terms of, this is the first release, obviously they have Sandbox developers who are experts), So the only thing from now to future releases is: Fixes and improvements in the Sandbox and COMODO are listening, based on Melih’s responses and they are utilizing the feedback we are giving them here, So I am excited to see the future releases of CIS (Let alone, not just Sandbox improvements, But CIMA based Heuristics, Behaviour Blocker, etc).