Autosandboxed, but screen/webcam capture seem to happen. [Renamed]

It isn’t; that’s why it’s found under Defense+ in configuration.
If the programs under comodo sandbox are making permanent changes to trusted files then yes it is a bug.

Is a very good example of what application sandbox is.

I would have linked a Comodo page, but when I made the suggestion to create a nice FAQ Melih brushed it aside in a PM.

OK, moving this now.

Mouse

Please add system details guys as suggested here.

Let’s see if we can get this investigated to see if it is a bug.

I have renamed it. Hope that is OK.

Best wishes

Mouse

It’s not a bug… Sandboxie doesn’t prevent keylogging or screen capture either. It’s meant for virtualization…

This is why I think it may be:

Help extract (with my emphasis):

Automatically sandboxed applications are run with ‘Limited’ restrictions. (More info - Sandboxed applications are allowed to run under a specific set of conditions or privileges. In CIS, these are known as ‘Restriction Levels’. There are four levels – Unrestricted, Limited, Restricted and Untrusted (‘Limited’ is the default level for applications that are automatically placed in the sandbox). In part, sandbox restriction levels are implemented by enforcing or relaxing the native access rights that Windows can grant to an application. For example, the ‘Limited’ setting applies some of the supported operating system restrictions and grants it access rights similar to if the application was run under a non-admin user account. These restriction levels are fortified with certain Defense+ restrictions that apply to all sandboxed applications (for example, they cannot key log or screen grab, set windows hooks, access protected COM interfaces or access non-sandboxed applications in memory. If the user disables virtualization, then sandboxed apps can’t modify registry keys or modify existing protected files either.)

Up to the developers I guess to indicate what the design intent is?

Best wishes

Mouse
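The help extract above says a ‘Limited’ sandboxed application gets access rights similar to a non-admin user account. One way a tester can check that claim directly, rather than inferring it from whether a test tool succeeds, is to launch a shell inside the sandbox and inspect its own token. The script below is an added example written for this thread; it is not Comodo code and not part of the CIS documentation. It assumes you can run `powershell.exe` as a sandboxed process (for instance by adding it to the sandbox the same way AntiTest.exe was run), and it uses only standard Windows tooling (`whoami` and the .NET `WindowsIdentity` class).

```powershell
# Added example (not from the thread or from Comodo): run once from a shell started inside
# the CIS sandbox and once from a normal shell, then compare the two outputs.
# Assumption: powershell.exe has been launched as a sandboxed process for the first run.

$id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$pr    = New-Object System.Security.Principal.WindowsPrincipal($id)
$admin = $pr.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# 'whoami /groups' lists the integrity label (Type = Label) and marks any group that the
# token can no longer use for access checks as "Group used for deny only". A token that
# has been cut down to non-admin rights shows Administrators as deny-only and usually a
# lower integrity label than the parent shell.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$label  = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'
$denied = ($groups | Where-Object { $_.Attributes -match 'deny only' }).'Group Name'

[pscustomobject]@{
    User           = $id.Name
    IsAdmin        = $admin
    IntegrityLabel = $label
    DenyOnlyGroups = ($denied -join '; ')
}
```

If the sandboxed run reports the same integrity label, `IsAdmin = True`, and no deny-only groups, then the ‘Limited’ token restrictions described in the help text are not being applied to that process, which is exactly the kind of evidence worth attaching to a bug report; note that the Defense+ restrictions (hooks, screen grab) are enforced separately, so a correctly restricted token on its own does not settle the screen-capture question.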

I would also like to have a formal reply from the developers.

I’m providing more information about the methodology I used for this test.

  1. I performed this test using Windows 7 x64

  2. UAC is disabled.

  3. According to the Task Manager the only security programs with running processes are a2service.exe, cfp.exe, cmdagent.exe, and ComodoSE.exe (Comodo Secure Email). I am using the Free version of a-squared, so there is no real-time scanner.

Steps To Reproduce Results

  1. I set CIS V4.0.141842.828 to ‘internet security’ and then back to ‘proactive security’ so any settings would be reset. I make sure there are no files in ‘My Blocked Files’, ‘My Pending Files’, ‘My Own Safe Files’, or under ‘Add Program to the Sandbox’. I also remove the old rules for AntiTest.exe from ‘Computer Security Policy’. I wanted to make sure there was nothing to interfere with the test.

  2. Make sure Sandbox is set to Enabled with ‘Automatically detect installers/updaters and run them outside the Sandbox’ unchecked.

  3. The system was never restarted during these configuration changes.

  4. Download ‘SpyShelter - Security TestTool 1.2’ and double click on the file.

  5. The Sandbox pops up saying it was sandboxed. (See pic below)

  6. I perform the tests individually.
    a) [Keylogging] Fails saying ‘Cannot set keyboard hook’. Comodo passes.
    b) [Webcam Capture] Cannot check this as I don’t have a webcam.
    c) [Screenshot]
      1) [Test1] Fails saying ‘Cannot draw desktop screenshot’. Comodo passes.
      2) [Test2] Fails saying same thing. Comodo passes.
      3) [Test3] Fails saying same thing. Comodo passes.
      4) [Test4] I receive no popup at all and it is able to display what is on my screen.
    d) [Clipboard monitoring] I type and it is not able to record anything. Comodo passes.
    e) [System protection] Here is the text that it displays. “Test has just started. Cannot change critical registry entry. It was blocked by the protection or you don’t have administrator rights.” Comodo passes.
    f) [Sound record] I do not have a microphone for my computer, thus I cannot test this.

I’m not sure why when I test it this time the keylogger is blocked and I receive no alert. Maybe it was a different version of the test or CIS has been updated. That is strange to me. I received no popups besides the original one saying it has been sandboxed.

After running this test I noted that AntiTest.exe is in ‘My Pending Files’ and has been submitted. There are still no files in ‘My Own Safe Files’, and AntiTest.exe has been added to ‘Computer Security Policy’ with a custom policy. Under this its access rights are all set to ‘ask’ and its protection settings are all set to no.

Well, these are the results I get. I can’t explain the fact that I got no firewall alert this time, but maybe it’s just that CIS is getting smarter. Maybe we should stop it before it evolves into Skynet >:-D and destroys the world.88) I’m just sayin’.

[attachment deleted by admin]

OK, thanks for all the careful and useful info Chiron.

I’ll wait a while to see if anyone else (or you) are able to replicate your ‘keylogging with no D+ alert while sandboxed’ experience, but for the moment I guess we should conclude that the confirmed problem is with screen grab.

Best wishes and many thanks

Mouse

Chiron’s post is quite detailed. Anyway, here’s my information per your request:
*E6300 (1.86G old version)
*Windows 7 Ultimate 32bit (UAC disabled)
*Avast 5, CIS version 4.0.141842.828 Firewall with D+ in pro-active security mode, D+ in Safe Mode, Firewall in Custom Mode.
*Tested with AntiTest.exe version 1.2 for keylogging and screenshot
http://www.spyshelter.com/download/AntiTest.exe
*Right click to run AntiTest in CIS sandbox, allow all alert(s) until I saw the AntiTest UI and then ran the tests.
(a)It failed keylogging test if the D+ (Hook) alert is allowed
(b)It passed screenshot test 1-3 but failed test 4 without any alert

Would like to know if (a) is the designed behaviour. It seems that it is conflicting with the descriptions in your sandbox introduction post.

If (a) is the designed behaviour, then the following wording must be changed to avoid confusion to CIS users.

“Technically, automatically sandboxed software can write to the disk but it cannot a) write to (ie infect) existing protected files or registry keys b) take admin privileges c) consume too many resources d) key log or screen grab, set windows hooks, access protected COM interfaces or access non-sandboxed applications in memory.”

By the way, if (a) is not a bug, then I think this post should be renamed back to its original title and moved back to the previous forum.

Thanks.

Jonathan

About my last post, what I forgot to mention is that there were also no programs listed under the manual sandboxing tab either. Just thought I’d mention that in case it was useful.

I’m going to edit the post to include this information also.

Thanks Chiron and hkjoj, that’s really useful information which will help the devs.

I was wondering Chiron, whether you would be willing to retry the keylogging test with cmdagent very busy.

One way to do this would be to run an AV scan, and wait until the scan was processing a large file and thus was using a high % of cpu. But you can probably think of more imaginative ways!

I have observed that sandbox jobs can take 4-5 mins to put into place under these circumstances, easily enough time for a keylogger to capture and try to send info.

This might explain why you are getting inconsistent results?

Best wishes

Mouse

Oh, I will PM a dev when we have nailed Chiron’s issue.

Mouse

Hi Chiron

RE keylogging bug

I wonder if you would be kind enough to try what I suggest here, as I have myself had some difficulties with delayed hence possibly ineffective protection, which I am trying to track down.

Best wishes

Mouse

Still no clarification if (a) is a bug or not ???

We appear to have lost Chiron. So I will try to test this today if I have time.

Best wishes

Mouse

Same for me with sandbox on, my webcam is captured.
And screen capture: 4a, 4b, 5a, 5b is capturing.
Without sandbox, webcam is not captured :wink:
With CLT in sandbox I got 330/340, only impersonation: ExplorerAsParent wasn’t detected, it opened IE.

Also the real keylogger is still not working in W7 64-bit; what else, it crashes itself.

Sorry, missed those posts.

I’ll try it once I have some free time. :wink:

Thanks a lot Chiron, I’ll await your feedback then.

Best wishes

Mouse

I ran the test again. I had a scan running with CIS, CCS, and a-squared as I was hoping for some interference to spike the CPU, but it seemed to remain around 20% for cmdagent.

I did receive a popup from Defense+ telling me the program was trying to install a Global Hook. I blocked this and passed.

I think the reason I got no popups on the second try is likely that I already had rules saved from the last time I ran the test. I renamed the file this time and then ran it and therefore there could not have been any rules.

Of course I still fail Screenshots 4a, 4b, 5a, and 5b. Having the scans running didn’t seem to affect anything for me. Let me know if there’s anything else you’d like me to try.

I have attached the alert I received to this post.

[attachment deleted by admin]