autosandbox is not doing the job

Hi, I have CF installed w/ autosandbox, w/o HIPS.
I see a whole bunch of unrecognized files in the file list,
but when I execute them, they are not sandboxed and I get no prompt, except sometimes a prompt from the firewall.

Because most likely you are using the internet configuration which only sandboxes applications that originate from the internet downloaded through web browsers.

Thanks.
Which config is recommended in my case?

Proactive configuration, it will change the auto-sandbox rules to virtualize all unrecognized applications regardless of origin.

btw, I also wonder if I disable hips, will auto-sandboxing of applications not work anymore?

Good Day,

HIPS and Auto-Sandboxing are two different components. If you disable HIPS, Auto-sandboxing will still continue to work as intended.

If you would like, you can go to CIS > Tasks > Advance Tasks > Advance Settings > Security Settings > Defense+ > Sandbox > Auto-Sandbox
to make sure that it is in fact still enabled.

Thanks.
If I may ask again, is HIPS so important to have enabled? I just don’t see its practical side as very useful. I mean that I almost always allow programs’ processes while installing, so how will HIPS protect me in such a case? I’ve of course read the Comodo FAQ but still have no clear vision about this.

I would suggest going the other way. Disable the sandbox and enable HIPS (if you don’t want to use both). I find the sandbox inferior to HIPS. Example: I disable SB to update Firefox. After updating, I re-enable SB. SB doesn’t recognize the new firefox.exe file for about an hour after re-enabled. Eventually, it sees it and alerts. HIPS recognizes it immediately.

But HIPS can’t protect from online threats. Am I wrong?

As a rather Paranoid User myself, I would have to say yes. It is rather important to have HIPS enabled. I’ll give two different summaries on the differences between HIPS and Sandboxing.

Sandboxing

Auto-sandboxing describes the process whereby applications and processes which are unknown to Comodo Internet Security will be automatically run in an isolated operating environment. Sandboxed applications are run under a set of access restrictions so they cannot cause damage to the underlying file structure or operating system. The access restriction level applied to sandboxed applications can be set by the user and includes 'Limited', 'Partially Limited', 'Restricted', 'Untrusted', 'Blocked' and 'Fully Virtualized'.

Conceptually, the auto-sandbox is designed to securely handle ‘unknown’ executables – those which are not present on Comodo’s black-list (definitely malicious) or white-list (definitely safe). If the unknown file turns out to be malicious then it cannot cause any harm because the sand-boxing process denied it access to critical system resources. On the other hand, programs that are unknown but perfectly harmless will run just as well in the sandbox. This allows safe applications the freedom to run as intended while denying malicious applications the ability to cause damage.

The auto-sandbox process is further enhanced if it is married to a system that can subsequently classify these unknown files as either ‘safe’ or ‘malicious’. In Comodo Internet Security, sandboxed files can be submitted to Comodo servers* for automated behavior analysis. If this analysis discovers the file is behaving in a malicious manner, then it is manually analyzed by Comodo technicians to confirm, and added to the black-list which is distributed to all CIS users.

The way sandboxing works is that a file is able to execute or do whatever it wants, basically, in a secured setting that mimics your files and system files, until you or Comodo deems it a safe file and allows it to be outside the sandbox. With CIS, you can choose which folders/files the sandboxed app can modify/create. While the file is sandboxed, VirusScope analyzes the behavior while the file is uploaded to Comodo (Valkyrie) for review.

HIPS (Host Intrusion Protection System)

A Host Intrusion Protection System (HIPS) is designed to identify and block zero-day malware by monitoring the behavior of all applications and processes. It is designed to prevent actions that could cause damage to your operating system, system memory, registry keys or personal data.

Security software using a HIPS system will generally enforce rules prescribing the permitted activities of processes and executables at the point of execution. Examples of such activities can include changes to files or directories, accessing protected COM interfaces, modifications to the registry, starting up another application or writing to the memory space of another application. The precise nature of these rules can be set by the user or pre-configured by the vendor.

If an executable or process attempts to perform an action that transgresses these rules then the HIPS system will block the attempt and generate an alert notifying the user of that action. Most HIPS alerts will also include security advice.

The way HIPS works is that if a file wants to pick its nose, it has to ask permission. If a file wants to modify anything on your computer, it needs permission.

  1. Paranoid Mode: this will prompt a ton of alert notifications from CIS.
  2. Safe Mode: if the file is not on the white-list, then it will prompt an alert.
  3. Training Mode: the file will be able to execute whatever it wants and CIS will learn from it, and write the actions down on an ‘OK to Do’ list.

The Difference?

If a man (file) came into your house (computer) and started to throw things on the ground in your living room (C: drive):

HIPS: Would stop the man before he even got into the room (memory/hard disk) until you or Comodo allow him to do so, and continuously make him ask permission to do the next thing he wanted to do (unless on the white-list + Safe Mode setting).

Sandbox: Would allow him to do whatever he wants because he would be virtualized, thus not being able to do any physical/actual harm. He would think that he is throwing things and making a big mess, but in fact he wouldn’t be at all.

Why use them together?
To sandbox a file and then force the file to ask you if it is OK to do something is the clear definition of prevention.

If you choose to allow a file to run outside the sandbox, HIPS will prevent any major catastrophes from happening by asking you if it is ok.

If you choose to allow a sandboxed file to do anything via HIPS, the Sandbox will prevent it from actually having any effect on the system or your files.

HIPS is part of the Local Security component (versus Web Security); it gives you the authority to allow or not allow an action to take place on your system.

I hope this helps.

Jake
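As an added illustration (not Comodo’s code and not part of this thread), the following Python models the rules described above: the Internet vs. Proactive sandbox scope from earlier in the thread, the three HIPS modes, and why the two layers complement each other. The class and function names, the rating values and the `ask_user` callback are assumptions of the example.

```python
# Toy model of the CIS behaviour described in the thread (added example, not
# Comodo code). File, autosandbox_applies, hips_decision, run_file and the
# rating/origin fields are assumed names for the illustration.
from dataclasses import dataclass

UNKNOWN, SAFE, MALICIOUS = "unknown", "safe", "malicious"  # file rating states


@dataclass
class File:
    name: str
    rating: str          # SAFE = white-list, MALICIOUS = black-list, else UNKNOWN
    from_browser: bool   # downloaded through a web browser?


def autosandbox_applies(f, config, enabled=True):
    """Internet config sandboxes only unknown files that came via a browser;
    Proactive config sandboxes every unknown file regardless of origin."""
    if not enabled or f.rating != UNKNOWN:
        return False
    return config == "proactive" or f.from_browser


def hips_decision(f, mode, learned, ask_user, enabled=True):
    """Paranoid: always ask. Safe: allow white-listed or already-learned files,
    ask about the rest. Training: allow and record the file on the 'OK to do'
    list. Returns 'allow' or 'block'."""
    if not enabled:
        return "allow"
    if mode == "training":
        learned.add(f.name)
        return "allow"
    if mode == "safe" and (f.rating == SAFE or f.name in learned):
        return "allow"
    return "allow" if ask_user(f) else "block"


def run_file(f, config, hips_mode, learned, ask_user, sandbox=True, hips=True):
    """Where a write by `f` ends up: 'blocked' (HIPS denied it), 'virtual'
    (sandboxed, so no real effect) or 'real' (it reached the system)."""
    if hips_decision(f, hips_mode, learned, ask_user, hips) == "block":
        return "blocked"
    return "virtual" if autosandbox_applies(f, config, sandbox) else "real"
```

The first two cases in the test reproduce the original poster’s situation: with the Internet configuration and HIPS off, an unknown local file runs unsandboxed, while the same file under Proactive configuration only touches the virtual copy.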

Thank you, Jacob.

If you choose to allow a file to run outside the sandbox, HIPS will prevent any major catastrophes from happening by asking you if it is ok.

This is what confuses me most: using HIPS without the sandbox. HIPS will prevent major catastrophes unless I allow a process from a particular program, BUT how could I decide for myself which process might be malicious? I mean, depending only on HIPS, say I have no antivirus, or the antivirus just couldn’t discover malware in the program, and I don’t have auto-sandbox enabled; in this case, how far can HIPS protect me if I’m just pressing Allow for all processes to make modifications?

Great point! If you have it set to ‘Safe Mode’ and you get an alert that a file is trying to do something, how can you know what it should or should not be doing?

Two Answers:

  1. Do you ‘TRUST’ the source of that file? If so, allow it.
  2. If not, deny it. Submit it to Comodo for review OR research that file yourself via an online search.

This is where sandboxing comes in handy. There was a time, a few years ago, when we didn’t have sandboxing technology in CIS; the way we did it was the above. There are nearly millions of files being submitted every week for review, and Comodo is continuously adding the safe ones to their white-list and/or safe vendor lists.

Ultimately, it comes down to the user. CIS by default uses sandboxing/VirusScope/behavior blocking/file rating/HIPS/antivirus to minimize user interaction.

Hope this helps

Jake

OK, clear. It should work at least with auto-sandboxing to be effective/automated.

Just when you say this:

VirusScope analyzes the behavior while the file is uploaded to Comodo(Valkyrie) for review.

You mean VirusScope uploads a file? And if yes, does file uploading need to be enabled in the settings? Or are these two things not dependent on each other?
Also, behavior blocker means antivirus heuristics, right?!

Provided it works correctly. Remember the point I made earlier about how it fails to detect a Firefox update in real time. If a file is a baddie, it may not recognize it straight away and let it run. Later, it may recognize it, but then it’s too late; it has already damaged your system. That’s why I run both SB and HIPS together (so I’m covered).

Virus Scope:

Viruscope monitors the activities of processes running on your computer and alerts you if they take actions that could potentially threaten your privacy and/or security. Apart from forming yet another layer of malware detection and prevention, the sub-system represents a valuable addition to the core process-monitoring functionality of the Defense+ by introducing the ability to reverse potentially undesirable actions of software without necessarily blocking the software entirely. This feature can provide you with more granular control over otherwise legitimate software which requires certain actions to be implemented in order to run correctly.

Antivirus Heuristics:

Heuristic techniques identify previously unknown viruses and Trojans. 'Heuristics' describes the method of analyzing the code of a file to ascertain whether it contains code typical of a virus. If it is found to do so then the application deletes the file or recommends it for quarantine. Heuristics is about detecting virus-like behavior or attributes rather than looking for a precise virus signature that matches a signature on the virus blacklist.

Antivirus heuristics analyzes the code structure of a file, and if it resembles a known virus, then it will throw up a warning.

VirusScope analyzes the actions of a file (what a file does), and if they resemble anything malicious, it will trigger a warning.

The File Rating component uploads the file for review.

Hope this helps.

Jake

Good Day LAR,

I am trying to reproduce this issue. What are the basic steps that you have taken to make this occur?

Firefox is typically signed and thus should not be sandboxed unless you have configured it to be sandboxed.
Could you provide the Defense+, Sandbox and VirusScope alert event logs? They would be helpful.

Jake

This has been happening since v6.0. I believe that I even filed a bug report on it a couple of years ago. This also happens when I update Thunderbird. It doesn’t happen when I update SeaMonkey.

I’m using Proactive configuration. SB set to Untrusted. I don’t use the Trusted Files List. HIPS is set on Safe Mode. Viruscope is active.

  1. I disable SB for 15 minutes.
  2. I let FX or TB update, answering the HIPS alerts to treat as updater.
  3. After the update is complete, I re-enable SB.
  4. I open FX or TB and no alert from SB occurs.

I can open and close the program(s) multiple times without a SB alert. After about an hour, if I close and reopen FX or TB, the SB picks it up and asks me what I want to do. I then tell it to trust firefox.exe (or thunderbird.exe). Then it’s happy.

I don’t have this happen with any other program update (Adobe Reader, Adobe Flash, uTorrent, mIRC, Malwarebytes, SuperAntiSpyware, etc.). The SB always picks them up right after re-enabling. I only have this problem with FX and TB.

I recently updated TB and had the “problem”. I’ve attached my log files.

–Edit–

Note that I’m using CIS 7.0. I remember the same problem when I was briefly using CIS 8.0, but switched back to v7.0 because of its incompatibility with my 32 bit machines.

Thank You LAR, I will review your files and try to reproduce the issue.

It may be ’til tomorrow, as it is almost bed time here in Idaho.

I will try my best to investigate this issue for you.

For now, could you export your configuration file and upload it?
(Advance Settings > Configuration > Right Click ‘Active’ > Export)

Thanks…Jake

I know that the problem probably can’t be rectified in v7.0, but maybe it will help with the upcoming v10. I’ve attached my config file.

How to protect from fileless exploits?