CIS 2013 Sandbox - How to access files


I have installed CIS 2013. I set up the Sandbox to automatically sandbox my torrent program (I thought this would add a good layer of protection, especially considering I am using an admin account). I have the program set to be treated as Untrusted. The torrent program seems to run unhindered; however, files downloaded through the program are invisible to me. I downloaded a file to the desktop, but the file is invisible. Instead, the file is located in the following path:

C:\VTRoot\HarddiskVolume1\Documents and Settings\User\Desktop

I am assuming this is the sandbox. I can access this folder and manually move the file out of the folder to the desktop so the file is visible. My question is: Is there an easier way to retrieve files from the sandbox?

That is what the Shared Access folder that CIS has placed on your desktop is for.

Download files to that folder and you’ll be able to access them easily from your un-sandboxed desktop.

Are files in the Shared Access folder considered sandboxed by CIS until they are moved out of the folder?

No, the shared space is not sandboxed, so use it with caution.

I see. If that’s the case, what exactly is Comodo Sandbox doing then? Is it more for testing unknown programs? What kind of protection does it provide me with if I sandbox, for instance, uTorrent, but I have uTorrent download files to the Shared Access folder? What about a browser?

Edit: Actually, in the case of the browser, for example, is the Sandbox protecting me from malware as long as I don’t download the malware to the Shared Access folder? So, if I go to a website and a piece of malware is automatically downloaded without my knowledge, that piece of malware will be sandboxed?

Yes, the sandbox will protect you while you’re browsing if you come across any malware that is automatically downloaded.

If you have questions about the file you’ve downloaded, you can download it from a virtualized browser and save it to the desktop. (A sandboxed torrent client should do the same.) The downloads will not actually show up on your normal desktop, but if you then open the virtual kiosk, the file you’ve downloaded will be sitting on the desktop within the kiosk.

You can then do whatever tests you want to do on the file with no concern about becoming infected. If the file passes your tests, you can move it to the shared space folder in the kiosk and retrieve it on your normal desktop.

So, Comodo Sandbox will protect me as long as I don’t manually download an infected file (whether knowingly or unknowingly) and save it to the Shared Access folder then run the file. Basically, I just need to be careful of what I intentionally download and install. Is this right?

All of the usual protection features of CIS still apply to any files you download to the shared folder; the files will just not exist inside the sandbox.

So when you access a file in the shared folder, it will still be scanned by the AV, and if the file is unrecognized, it will still be placed in the automatic sandbox, just like any other file. However, the automatic sandbox is an access rights restriction sandbox (unless you add a registry key to virtualize the auto-sandbox), whereas the manual sandbox and the kiosk are a fully virtualized environment.

So while downloading to the shared folder places the file outside the sandbox, it’s not like CIS has given up protecting you.

But yes, being careful of what you download and install is always a good practice.

Okay, thanks. I do have one more question for the moment. Does the Restriction level applied to a program in the Sandbox also apply to files downloaded via the program?

Yes, because the restriction level is a global setting. Anything within the sandbox will share the same restrictions.

So if you’ve set your sandbox to Untrusted, as long as the downloaded file remains in the sandbox, it will also have the Untrusted restrictions applied to it.

Okay, cool. I have another question that just occurred to me. When I installed just the Firewall, the Shared Space folder was not created. I had to access the folder via Comodo Firewall in order for the folder to appear. Even though the folder has appeared now, it is not using the Shared Space folder icon. Instead, it is using the normal folder icon. Should I be concerned about this?

If the shared space folder is still listed within CIS as being excluded by the sandbox, I think it should be fine. But I’ve not experienced this myself, so I don’t know for sure.

It seems to be working as intended (I saved a file to the folder to be sure). Do you know if there is an easier way to apply updates and configurations to sandboxed programs? Having to remove each program I want to change from the Sandbox is tedious, and I do not see any way to temporarily disable the Sandbox (Note: Exiting the program via the Notification area does not seem to work; programs were still sandboxed).

Probably the easiest thing to do is to install the application outside the sandbox, but always run it inside the sandbox by creating a virtualized shortcut. This way you can just double click on the shortcut as you would normally do to start the application, but the application will be sandboxed.

Then if you want to update or change the configuration, run the application without using the virtualized shortcut. This way the application will start outside the sandbox so any changes made will be permanent.

In the case of an application like a web browser, you could add folders like history or plugins to the sandbox exclusion list so changes you make to your plugins configuration will always be permanent, or your history will be persistent even if you clear the sandbox. Of course, depending on what you exclude, this could reduce the security effectiveness provided by the sandbox. The more you exclude, the less of a reason there is to run anything inside the sandbox. So if it were me, even with web browsers, I would just run it outside the sandbox to make any changes.

Creating virtual shortcuts for the programs I want to run sandboxed sounds good, but I wonder how it would affect my security config? People have discovered with the right configuration they can run Sandboxie without an anti-virus and still stay comfortably secured. I’m currently experimenting with this same idea but with Comodo Firewall. Anti-viruses make my system less responsive and cause mouse lag. At the moment, I only have Comodo Firewall on my system, and my system is significantly more responsive and has no mouse lag. Would using virtual shortcuts instead of adding programs to the Manual Sandbox somehow make my system less secure?

Edit: This is assuming I always run programs using their virtual shortcuts, and only use their normal shortcuts to apply updates.

I can’t think of any reason using the shortcuts would compromise your system’s security.

Whether you start the application from a virtual shortcut or have an application set to open inside the manual sandbox, the end result is exactly the same. They’re just different methods of opening an application inside the sandbox.

Thanks. I’m going to make virtual shortcuts for the programs I want to run sandboxed then.

Edit: Ah, I just remembered something. If I run Firefox using the virtual shortcut, will any process started by Firefox also be sandboxed? For instance, if I open a PDF in Firefox, will Foxit Reader’s process also be sandboxed? Will Firefox’s plugin-container be sandboxed, too?

The plugin container should be sandboxed.

I’ve never tried opening a .pdf plugin from inside the manual sandbox, so I’m not sure what will happen. (I prefer Sandboxie over the manual sandbox.) I kind of expect it to fail, because sandboxed applications aren’t supposed to be able to access anything outside the sandbox, but since it’s a plugin, it might be able to call the external application. If that’s the case, I would expect the reader to also be sandboxed.

I found a PDF file online and successfully opened it in sandboxed Firefox. I’m not sure whether Foxit Reader’s process is sandboxed though.

You could open Killswitch to see if the process is sandboxed.

Does Foxit Reader actually open inside Firefox, or does it open the Foxit application to show the .pdf? If it’s inside Firefox, then I’m sure it would be sandboxed as it’s within Firefox. If it opens its own window, you could check with Killswitch as I mentioned, or if you’ve enabled the option to show a colored border around sandboxed applications, the Foxit window should have a border if it’s been sandboxed as well.