Can automatically sandboxing unknown apps as fully virtualized harm computer?

Can advanced users, who are testing this on a non-production system, please try to run/install as many applications as automatically sandboxed (with full virtualization checked) to see what dangers there may be for ordinary users to accidentally select this option?

What I think is going to be very important for this Beta testing period is testing out this new automatic full-sandboxing. Please do whatever you can to break it and find out if installing applications in it can damage the system in some way. I’d really like to find out how suitable it really is for everyday use.

Please test it against all sorts of applications, including those which will automatically start when the system starts up. This is where we expect the majority of problems to come from, so I’d love to see whether it can actually hurt a system when those types of applications (although we need to make sure it works well with all other sorts as well).

Please test it and let me know what sort of problems you run into. I’d really appreciate any feedback anyone has.



It’s very important that we ascertain what kind of negative consequences might arise from enabling automatic full virtualization for unknown applications.

i have it enabled on my machine but i dont go around installing a lot of apps. I will test it out more when i get a chance in a VM

indeed its going to the best feature and the most problematic area, really looking forward to this
Reply #7

Thanks, I’m just wondering whether it’s intended behavior or whether it’s a bug that the firewall did not intercept it.

Is full virtualization planned for final version of CIS 6 or is it just a side test and will not end up in final CIS 6 ?

depends on the results of the testing. I doubt it will be in the final but maybe in a future version. egemen wants to see how testing goes with the advanced users.

In auto full virtualization anything autosandboxed & sandboxed through elevated rights popup will be automatically deleted, right?

i.e autosandbox - suppose I have a file on the desktop. I run it & it is autosandboxed & will be there in the unrecognized files lists. After restart unrecognized files lists will be automatically deleted & the file will not be there on the desktop, m I right?

Elevated Rights popup - Suppose I have an installer on the desktop. I run it & get elevated rights popup & I hit sandbox. After restart stuffs installed by the installer will not be there but the installer on the desktop will be there, m I right?

Fully virtualized will be without any restriction, i think so isn’t this behavior normal ???

RE virtualised programs accessing the internet and comms between virtual and non-virtualised programs

You can use HIPS & FW to restrict this for virtualised programs if you wish. Please see the new FAQ in stickies.

If you install a program in the sandbox, that installed instance can have distinct HIPS and FW rules from the non-virtualised instance. Just remember to use the VTroot path to the executable in the rule.

  • So you can control internet comms using FW
  • And COM and interprocess coms using HIPS rules
  • Probably sockets coms using firewall via port restrictions
  • execution using HIPS rules

So you can I think prevent most coms-based leaks from virtuals to non-virtual and from virtual to the intern et.

AFAIK unfortunately no ability to make pairwise* rules yet, rules that depend on whether coms is from progs running virtual to progs running non-virtual, or virtual to virtual. Also rules have to be on an installed instance not a virtualisation run status basis. (*Well access and protection division and execution control might give you some abilities here). Also no specific virtual NW zone yet (because sandbox has no separate IP), and you need to remember not to use HIPS rules that go against the idea of virtualisation.

But it’s a start… and means that you can stop leaks from the CIS sandbox, if not with as fine a grained and convenient control as you would like.

Helps CIS compete with sandboxie, which does have options to cotrol such leaks.

Best wishes


■■■ and JohnDoe install and function well allowing you to anonymise internet comms for all apps that can take a port setting.

Trustconnect does not install, and I can find no way of automatically using an external TrustConnect connection in KIosk (ie switching it on only while you are in the Kiosk). Of course you could maually switch your home network to public in CIS while you use the Kiosk, that would invoke TrustConnect I think.

Please also see this topic, which is relevant:

One possible area is sandboxed virtualised malware reading data from the rest of the machine and sending it over the internet.

Risk reduced if using secure DNS, but still could send to IP


Is this intended behavior?

I like the way it works in terms of protecting the actual computer from changes, but if it is not monitored by the firewall at all, and can copy data from the actual computer, I believe it is a very dangerous setting after all.

If only it was monitored by the firewall I wouldn’t be too worried.

Is my understanding of this correct?


Why doesn’t CIS v6 set VK start with the system?

Then, the auto virtualization is no longer needed.

No AFAIK by default all outbound connections are allowed

And virtualised processes can read any data in the normal computer

But, you can use the firewall to control this. Seems to be active.

It’s the normal IS config settings that are allowing outbound access

You appear to be a able to set separate FW and HIPS (if enabled) rules for apps stored in VTRoot. Not experimented much with this so don’t know how far it goes.

So you could set a fairly generic rule I suppose for paths starting C:\VTroot. A sort of all virtualised executables rule.

Interestingly in general it appears that virtual apps defaults are controlled by HIPS rules not BB - remember I could not screen snip. With the new BB I could have done!

Best wishes


Currently I’m using sandboxie (the best in my opinion), and I’m very interested in this sobject, cause before replacing it the basical thing to know is how much effective is CIS 6 virtual environment (autosandbox fully virtualized, manual sandbox, Kiosk)…only if tests will confirm that CIS sandbox = sandboxie (i.e. NO files dropped into the system, malwares can’t bypass it), I will evaluate this change… 8)

Processes running in the sandbox will be terminated on a restart, but you’d need to clear the sandbox to get rid of things.