CIS will start processes in sandbox for no reason at start-up [I1]

A. THE BUG/ISSUE (Varies from issue to issue)
[ol]- Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    On my system yes… Semi reliable if that is a thing. 88) (I have seen it happening several times)
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:

[li]Turn off BB/auto-sandbox (to eliminate interference from other unknown applications)

  • Make sure Mozilla Thunderbird is not set to be automatically started on system start-up.
  • Set Mozilla Thunderbird to be sandboxed (in advanced settings, not just running it sandboxed but setting it to always be sandboxed)
  • Start Thunderbird (it should be started in the sandbox)
  • Reboot
  • Sometimes on boot CIS will show cmdvirth.exe > svchost.exe | svchost.exe | svchost.exe

[/li]- If not obvious, what U expected to happen:
I expected no processes in the sandboxed list because I did not have auto-sandbox on (which means CIS didn’t sandbox any unknown processes which needed the svchost.exe etc) and Thunderbird was not set to start up with system start, it has to be launched manually.

  • If a software compatibility problem have U tried the conflict FAQ?:
  • Any software except CIS/OS involved? If so - name, & exact version:
    Mozilla Thunderbird 24.4.0 (I don’t think it’s specifically related to this application, it just happens to be the one I’m using)
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    Resetting the sandbox doesn’t make any difference.

[ol]- Exact CIS version & configuration:
COMODO Internet Security Premium 7.0.317799.4142 | Configuration file will be attached (It’s based on the proactive configuration)

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    AV - Stateful | HIPS - Safe Mode | BB - Disabled | Firewall - Custom Ruleset
  • Have U made any other changes to the default config? (egs here.):
    Yes, too many to mention, will attach a configuration file.
  • Have U updated (without uninstall) from CIS 5 or CIS6?:
    [li]if so, have U tried a a clean reinstall - if not please do?:
    [/li]- Have U imported a config from a previous version of CIS:
    [li]if so, have U tried a standard config - if not please do:
    No difference
    [/li]- OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 8.1 Update 1 64bit, UAC enabled at level 2/4 (alerts but doesn’t dim desktop), account is Administrator, No virtual machine is being used.
  • Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:

[li]Zemana AntiLogger Free


[attachment deleted by admin]

I’m pretty sure this is intended. I think what happens is that if an application is sandboxed as FV it often has to virtualize other needed processes as well, likely started by the sandboxed application.

Can anyone verify whether I am correct about this behavior?


I don’t think you fully understand.

Yes when an application is sandboxed it usually needs to start other services like svchost.exe in order to function correctly, however what I’m talking about is RESTARTING THE SYSTEM, i.e power down and power up… these extra processes sometimes will stay in the sandbox list even after that, this is not intended behavior.

[ol]- Start Thunderbird (should start in FV sandbox is my previous directions were followed)

  • Shut down the system
  • Wait 24 hours for all I care
  • Start the system
  • Even though BB is disabled and Thunderbird is NOT set to auto-start, these additional processes will be listed as sandboxed!!! (There is no way something was auto-sandboxed because BB WAS OFF and there is no way it needed them to sandbox Thunderbird because Thunderbird DOESN’T START WITH SYSTEM!)[/ol]

Do you understand what I mean?

Edit: It doesn’t happen every time, but it does happen a lot of times.

Edit 2: I apologize if my reply was “over the top” or something like that, I just want to make sure that you realize that it’s not the fact that they’re there, but the fact that they are there at system start-up when nothing is supposed to be sandboxed.

That was my mistake. I did misread your first post. My apologies.

In that case can you please also create a Full Dump with KillSwitch during a time just after startup, but when those processes have started on their own?

Also, has this occurred with previous builds, or does it seem specific to this one? If so, does a clean install show the same behavior.


This IS the clean install, I do not want to re-install yet again because this is the only issue I’ve faced so far and it is not worth spending the time to uninstall, clean up files and re-install (and possibly have to do it again because that created some issues itself) If I face any other issues then sure I can do that but I will not do it only for this little thing.

I will however do the full dump whenever it occurs again.

No problem. Let me know when you’ve been able to get the Full Dump.

Has this occurred again yet?

I agree with this. For me these process are still running even after I close the sandboxed program. It will only go away after I reset the sandbox.

Check this video of my bugs, have to bear with the video quality, i reduced it to reduce the video size on my test laptop.

It shows the no green border around Dragon as well.

That is normal and expected behavior, you could create a wish if you want it to change.

Edit: By that I mean that the cmdvirth.exe and svchost.exe being left behind is normal and expected behavior. The other issue with no green border for Dragon is not normal.

Um, not sure if I have seen that in earlier versions. Would be great if they shut down these not wanted process as well.

I can’t remember it ever not being the case, at least it has been that way since CIS 6.

I believe it has always been this way. It is intended behavior.

Sanya, have you experienced this since the last update?

Experienced what and after what update?

Update as in last time I made an update on this bug or update as in new update for CIS?

If the issue is processes left behind after exiting a program that was sandboxed, yes because that’s intended behavior…

If the issue is processes still in sandbox on start-up & the update being since I last made an update on this bug - Then no… I had it several times before making the bug report but never after…

If the issue is processes still in sandbox on start-up & the update being a new update for CIS - Then… well… there hasn’t been any new updates… So… I… I don’t… No?

Sorry, you’re correct that I was not very clear. Essentially, I was asking if you had experienced the processes starting with Windows since the last CIS update. I should have been much more clear about that.

As you haven’t experienced this in a while, I will wait two more days. Then, if you have still not experienced this I will move this bug report to the Incomplete Issue Reports section of the forum, where it can stay until the issue occurs again.


You can move it to Incomplete now, I’ll notify you when (if) it happens again.

Okay, as it seems this is currently not happening I will move this to the Incomplete Issue Reports board.

Topics in this board are rarely looked at by the devs, and even if they are it is unlikely the devs can fix the bugs reported. The reason is that putting bug reports in the required format, with the required files, ensures that the devs have enough information to understand and identify the bug. Thus, without this it becomes very difficult to replicate a bug such as yours.

If this does happen again, to get your report forwarded to the devs please attach the Full Dump file I requested.

If you have any questions please do not hesitate to ask.

Thank you.

Can you please check and see if this is fixed with the newest version ( Please respond to this topic letting us know whether it is fixed or if you are still experiencing the problem.

Also, note that all bug reports in the Non-Format section of the forum, which is where this report currently is, are mainly not looked at by the devs. Thus, if the bug you were experiencing is still not fixed please edit your first post so that it is in the correct format (found here, with all required attachments), so I can forward this to the devs and get this problem fixed.

Thank you.

I still haven’t had this issue happen again, can be moved to resolved I guess, if it ever happens again I’ll just respond and say it’s back.

Okay, in that case I’ll move this to Resolve. If it does reoccur, please create a new entry for it in the tracker.