Can automatically sandboxing unknown apps as fully virtualized harm computer?

Because the Kiosk isn’t intended as full desktop virtualization. It’s more of a safe internet browsing area that can run Metro style apps.

Some applications will not run in the Kiosk.

No i dont think so, those files are monitored by the firewall i mean the new files only!!
saying so becoz while running a browser sandboxed a downloaded a host file manager and started the same from the browser downloads and when the file tried to connect to the internet the CIS poped up :wink:

Yes it’s active (see above post).

It’s just that in standard IS config, it’s set to no alerts for outbound.

Best wishes


So if I am understanding this correctly automatically-sandboxed applications (including those sandboxed as fully virtualized) are subject to the exact same firewall rules as everything else. Thus, if you have the firewall set to not allow outbound connections you will receive a firewall alert for a keylogger automatically sandboxed as fully virtualized.

Is that correct?

  1. partially limited

2.fully virtualized
no alert (because the iexplore.exe is in the trusted list)

  1. I assume the iexplore.exe is executed by the malware.

4.The design for “no alert” is correct.
Because CIS must automatically allow the browsers(run in VK) for connecting to the internet.

5.I think the restrictions for VK and BB should not be the same.
One is “fully virtualized 1”, and another is “fully virtualized 2”

Then, the firewall popups alerts for autosandboxed (trusted) processes, but does not do that for VKed processes (applications run in VK).

I just tried running the leak test with automatic full virtualization enabled and I did receive a firewall alert for it. The screenshot is attached to this post. I was in proactive security.

However, I received no alert for iexplorer. I wonder if this is a vulnerability or not.

Sorry, I should have tested this myself earlier. It’s just that I was becoming very confused about exactly where the potential issues were. I think I’m finally starting to wrap my mind around it.

[attachment deleted by admin]

if we were able to choose a restriction level for auto full virtualization like we can for the manual sandbox like partially limited, limited etc would it help mitigate leaks in auto full virtualization?

I would like to see the restriction levels such as “partially limited/limited/restricted” etc., being applied to the “Automatically Fully Virtualized” applications as well. As even the Fully Virtualized applications can read everything from system although they can not write.

I would even like to have a different set of Firewall rules for “Auto Virtualized” processes, different from those applied to “Virtual Kiosk” or Manually Virtualized programs. Since, mostly Browsers are used in Manual Sandbox where as “unknown” programs are auto virtualized. We should therefore be able to have “more restrictions” both D+ wise and Firewall on these “auto virtualized” unknown programs.

Applying a set of rules to VTRoot folder does not achieve this, as it contains both “Manual and Auto” virtualized applications, which defeats the purpose.

The potential is there that applications may fail if the settings are Full Virtualization.

then let them fail. auto virtualization isn’t going to be perfect over night. I’d rather it fail instead of do damage through leaks in the sandbox. let’s get the leaks plugged first and then work on it being able to safely run a bunch of unknown programs virtualized. auto virtualization is only for advanced users right now anyway so they will know how to handle it

great points. when creating rules have options to click and choose if it applies to auto virtualization, kiosk, manual and/or non virtualized

I suggested during mods Beta that it should be possible to set specific coms rules (internal and external) for sandboxed processes. It gets quite complex re internal coms, because in theory you have a sort of truth table - sandboxed to sanboxed needs different coms rules than sandboxed to non-sandboxed and maybe the reverse.

It does indeed make sense that these should be different between auto and manually sandboxed processes. Basically this come down to th fact that you should be able to set different rules for files which you know to be unrecognised, to files that could be either.

So that’s a lot of rule sets. And some thought is needed n how to prevent the complexity level exploding.


You guys may be interested in looking systematically at the extent of virtualisation.

If so please see this new sticky: here and post some results.

Procmon is quite a fun tool :slight_smile:

Best wishes


I tested auto full virtualization 2 times.

The first time after restart all the unrecognized files were automatically deleted & MBAM & HitmanPro found nothing.

The second test, after restart unrecognized files were not automatically deleted & MBAM & HitmanPro found nothing?

In both test before restart MBAM & HitmanPro found malware.

Your reply means in auto full virtualization after restart unrecognized files are not automatically deleted, right?

I dont know how the first time unrecognized files were automatically deleted. And second time they were not deleted but MBAM & HitmanPro found nothing whereas before restart they found malware?

I had posted my first test results with secreenshots in the thread ransomware & auto full virtualization.

Actually the auto-virtualization have an issue
i will explain it with an example:

1: i download minecraft and play it using the minecraf.jar file to have it use the 64bit native OS processor (exe is 32bit)
2: the jar is automatically virtualized because is still unknown, so it install, updates, and my saved world in the virtual zone

until now everything is ok

some time passes
minecraft.jar is now a recognized safe applicantion

3: i run minecraft.jar to continue my saved world
4: the game now is not virtualized
then i suddenly lost world and any minecraft saved files
(i can manually recover they from VTRooT folder, but lets suppose i dont know that)

now how im suppose to get back my saved files?

my suggestion here is for CIS to be able to track files and registry modification from an unknown virtualized application, and be able to automatically on demand “install all changes” when the file is trusted by comodo or by the user

This kind of tracking is expected to arrive in CIS v 6.1 or 6.2

[s]Just a heads up that further experiment have revealed my initial results regarding the use of VT root may have been dependent on having two versions of the same program installed in real and virtual.

It appears CIS creates a virtual and non-virtual copy only where these differ, which is reasonable.

However you should be able get the same effect (ir control over rules for the virtual copy) by installing the same program into a different directory in real and virtual, or possibly (to be confirmed) by artificially creating a new version by changing the modification date of the main executable using a ‘touching’ program.

Apols for not noticing this sooner.

Best wishes


Hmm not sure that is correct now either. True situation looks complex, and the VM I was running yesterday may have been corrupt, as I got several crashes and lockups soon after the above results will get back when I have finished experimenting.

Good new is that with a new VM I am getting Ask FW alerts in Kiosk for sandboxed processes. Something funny about the D+ alerts though…

Blast just cannot get consistent results and Kiosk has crashed again.

Initially got good results for firewall with IceDragon installed in real and virtual. Separate rules seemed to be working fine. Unless I was misunderstanding something.

Then they stopped working. Then Kiosk & explorer crashed again.

HIPS did not seem to want to function in the Kiosk properly at all today. I did get HIPS alerts but they seemed to be due to non-sandboxed programs accessing sandboxed ones. That is, possibly, caused by the real environment but displayed in the virtual environment. For example in Kiosk cmdhost (non-sandboxed) displayed an alert asking to access the IceDragon installer (sandboxed) several times during the installation (sandboxed) of IceDragon. Eventually all that crashed too.

Not sure what I’m doing is meant to be done…

For the moment I cannot honestly say whether the idea of using separate FW & HIPS rule for virtual and non-virtual will work. Maybe it’s working sort of accidentally for short periods and the rule conflict between real and virtual is causing the crashes.

What does seem to be consistent is that you can get firewall protection in the Kiosk (though not necessarily separate rules) with appropriate settings. Which is a relief.

Very sorry if I have misinformed you. And sorry I cannot tell you for sure whether I have or not yet. I think I’ll have to wait for a more stable build to find out. I’ve had three or four crashes including one completely corrupt VM today.

Just too time consuming to continue… Apols again…

Best wishes


I really appreciate all the work you have done. :-TU No apologies needed.

Thank you.

Thanks Chiron, much appreciate your post. Feeling pretty fed-up as I just cannot get a clear answer.

Anyway re your other thread, I have today found that the firewall triggers in both real and virtual for IceDragon and a network utility I was using. So hopefully (I’m doubting everything now!) it ought to be possible to set rules so long as you don’t mind them applying to the whole computer. Probably best to avoid the separate rules strategy though, until we see if that is causing the instability I experienced.

(Not sure what ‘R’ means about not being able to block IE with a rule. That is strange.)

BTW I’ve submitted about 5 bug reports today and yesterday, so hopefully C will work out what the stability problem is.

Best wishes and thanks again