Can anyone explain this?

Comodo Internet Security - CIS Defense+ / Sandbox Help - CIS
1

CIS Suite With Default Settings

Installed YouTube Downloader, got Unlimited Rights popup, clicked on Sandbox. Installed fine but YouTube Downloader didn’t start & gave error. Six files related to YouTube Downloader were in Unrecognized Files, so moved the six files to Trusted Files & YouTube Downloader started fine. Till here I understand everything. All this was done with internet disconnected.

But, then I again moved all the six files from Trusted Files to Unrecognized Files & restarted the system. After restart I checked those six files were in Unrecognized Files. Internet was disconnected. I started YouTube Downloader & it started fine. Why it started now without error when the things are same as previously i.e all the six files are in Unrecognized Files i.e previouly it didn’t started till the six files were moved from Unrecognized to Trusted Files? Can anyone explain this behaviour?

Thanxx
Naren

2

Did you get the ‘unlimited rights’ pop-up from the installer, or from the app itself? Depending what the default sandbox level is, apps might not run properly in the sandbox, e.g., run as ‘untrusted’ in sandbox is highest level of security for unrecognized apps.

For a trusted app that generates a sandbox alert, clicking ‘dont sandbox this again’ will move it to the Trusted Files’ listing. The components it executes may be unrecognized by CIS on-the-fly on-line lookup and resulting in app crashing (CIS won’t allow 'em to run). These components will be entered into unrecognized files and should be submitted via on-line lookup to CIS (if you don’t explicitely trust the software). If the components are legit, they’ll automatically get entered to the ‘Trusted File’ list when you run the app and auto-look-up is enabled-. If they come back as unknown, then do a manual submit to CIS is necessary to ‘verify’ the files. That could take awhile, but if they aren’t flagged as malicious, they’ll automatcically get moved to ‘Trusted File’ list. If you circumvent that by moving the files manually to Trusted Files, although they’re ‘Trusted’ they’re unverified and will show as ‘unknown’ in ‘View Acitve Processes’ and you’ll get D+ alerts if no D+ rules are configured for the individual components.

It used to be that once in the local safe-file list it didn’t need to be in the Trusted File list any more. With version 5.4 everything gets entered to the Trusted File list if its determined to be safe. Determined to be safe is either found in ‘local safe-files’ or via on-line lookup. If you have auto-check-in-cloud enabled, and you enabled internet connection, CIS probably did a lookup of the unrecognized files and determined the files to be safe and moved them to the local safe-file list. I believe they would move automatically to Trusted Files after being verified as safe and you actually use the app.

FWIW, because of all the configuration and rules that get created over time as you use your system, you should periodically export your configs (so you can restart from where you left off if you ever need to re-install CIS). That will save your AV exclusions, FIrewall and D+ rules. Trusted files and local safe-files are not exported. For that reason you may want to on occasion take a screen shot of your Trusted FIles, so that you can re=enter the essential ones when faced with complete re-install.