cmdvirth.exe being sandboxed

I’ve looked through all the advice on this and ended up being a little more confused than normal!

cmdvirth is always auto sandboxed on startup (CIS 10 in Windows 10 Pro). It causes no problems at all and is the only program shown there. Previous advice from some time ago in the forum suggested:

  1. It’s normal and to leave it alone

  2. To uncheck the setting ‘enable automatic startup for services installed in the sandbox’ which would enhance security also

I decided on option 2 and tried that which turned out to be a bad idea! Everything went haywire . . . nothing would work on startup, background vanished and no applications would run, with all giving a ‘no permission’ message, so I eventually managed to get the option re-checked and all back to working normally again

So what is the answer? If I leave the autorun option checked, in theory that gives permission to anything sandboxed to be auto run, which would be a rather bad idea I’d have thought!

Anything interesting in logs?

Everything I tried to open on the first start; Firefox, Opus, Outlook etc. but nothing unusual at all. I don’t run anything different or dramatic and there’s nothing special about my system or OS

Then I managed to recheck the option, reset the sandbox and reboot. All that’s there now, quietly doing its thing is cmdvirth.exe once again!

I should add that I’ve submitted it, marked it as trusted and everything else I could think of, but it still runs there - Partially Limited and Trusted

Could be a configuration problem, you should try importing the active default configuration from the CIS install directory and name it default then activate it and reboot. E.g. if you’re using say the proactive configuration, import the default proactive and when it asks to import it as, name it default - proactive, then activate it and reboot to see if the issue persists. Also check the file list for anything that is listed as unrecognized, do a purge too.

As for the logs you should specifically check the sandbox events, and at the sandboxed by column to see why a given process was sandboxed.

Did everything you suggested and what showed up in the log was the Logitech software: C:\Program Files\Logitech\SetPoint\Setpoint.exe . . . which I thought I’d got rid of with its notifications by your previous as below

Once I do this again, should I just leave cmdvirth.exe alone? It doesn’t seem to do anything and its virtualization shows as disabled in Killswitch. It doesn’t have permission to run an executable; it just bugs me that it shows there every time

cmdvirth.exe is the “COMODO Virtual Service Manager”. It is launched every time something is going to be run in the sandbox and it in turn executes two virtualized instances of svchost.exe. cmdvirth should be running virtualized when either an application is run in the sandbox or if you launch virtual desktop; if it is running without virtualization, then something is wrong. Also you shouldn’t have any custom HIPS rules under access rights for any of CIS processes other than the default rules that are set.

Well I haven’t a clue what’s happening then. All I’ve done is follow the advice given - nothing else

Can you switch to Admin mode for killswitch by clicking the UAC icon at the bottom right next to the version number, then when it restarts press ctrl+s to save the current view and attach it here? You may need to change the file extension to .txt to attach to your post.

Right - I’ve completely uninstalled and re-installed, so I’m back to the start. Proactive with nothing now showing in the Sandbox and no cmdvirth.exe running. My only ‘problem’ is the original one of Setpoint.exe filling up the Blocked Intrusions (now at 28 and rising)

Can I follow your original advice on stopping that?

That’s good to know that a re-install fixed it, must have been a corrupted install somehow. Yes, edit the HIPS rule for CIS to allow setpoint access and prevent the log spam.

Great - that’s all done and fixed. I’ve unchecked the Sandbox setting, ‘enable automatic startup for services installed in the sandbox’ and everything is working fine

Many thanks for your help