CIS defense+/Sandbox question

Hello everyone. I know this isn't the right topic to talk about the subject that I'm going to talk about, but I don't know where else to talk, so here it goes: I have CIS Pro and I have a doubt about this. I have configured CIS in Defense+ to treat unrecognised files as untrusted. I have a process in the sandbox (comprovante.exe); when I open Process Explorer the same process is there, and it is also communicating through the CIS firewall. My doubt is: can a process be in the sandbox and also appear in memory? Shouldn't it only be sandboxed? Or is it normal to be on both sides? I hope to have feedback from you! I would also like to know the best way to configure CIS for best protection. Have a nice day!
ANTÒNIO

The program is indeed running in memory when in the sandbox. The sandbox adds limitations to what the program can do.

Check out "Install & Configure Firewall (5.0 / 2011) for Max Protection & Min Alerts", "Setting up Firewall for maximum Security" and "Setting up Defense+ for maximum Security" in the Guides section for inspiration.