what is the best way to handle it when an app is trying to update, and the updater files get autosandboxed?
… a trusted one? Sorry. It’s not clear.
Version 10 solved this one quite well by tracking and storing info. You will see. 
my question is about a file with a trusted sig, and it wants to update, but in the process of updating, it creates an unknown file, before it actually downloads and installs the new file with the trusted sig.
With version 10, unknown file will not be virtualized by default as it knows how that file originated (created by a trusted process and so on).
thanks
for COMODO 8, what is recommended way to deal with this issue?
You can create an ignore sandbox rule which tells the auto-sandbox to ignore/don’t sandbox the application.