Containment - Some Windows applications do not run or do not run correctly.

V12.2.2.8012 (Firewall only) Windows 7 Ultimate 64-bit (clean install with all MS-updates)

As pointed out by the subject, several standard Windows applications do not start in containment or have trouble (throwing errors or warnings) when running in containment.

My general question is: Would you like me to bug-report these failing Windows applications, or leave this behavior as is (so no further action from my side regarding this)?

Hi CISfan,

Kindly let us know the applications that have trouble running in containment. We will check them.

Ok, thanks.

I will add new posts for each application here in this thread.
Meanwhile you can check them.

C:\Windows\System32\msinfo32.exe

The application starts and runs in containment, however the application reports “Can’t Collect Information” for all items selected in the left panel.
Please see attached image which shows contained msinfo32 in the upper window and normal msinfo32 in the lower window. The IRQs item has been selected in both windows and the “Can’t Collect Information” occurs on all items for contained msinfo32.

C:\Windows\System32\osk.exe

The application (On Screen Keyboard) does not start in containment at all (no on screen keyboard shows up).

C:\Windows\System32\Utilman.exe

The application (Utility Manager) does not start in containment at all (no window shows up).

C:\Windows\System32\StikyNot.exe

The application (Sticky Notes) starts and runs in containment, however the application shows two windows each framed with a green border, please see attached image.
The leftmost darkened window shows up in the top left corner of the screen and cannot be grabbed or dragged away with the mouse, it closes when exiting Sticky Notes.

C:\Windows\System32\SnippingTool.exe

The application (Snipping Tool) does not start in containment and throws an error window on the screen, please see attached image.

C:\Windows\System32\Narrator.exe

The application (Narrator) has trouble running in containment and throws an error window on the screen when starting it, please see attached image.

C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe

The application (Math Input Panel) has trouble running in containment as it cannot capture mouse movements nor any mouse clicks in the math writing area. However the mouse does work normally in the window menu area (above the math writing area).

None of these applications have any business being able to run in containment; there is no use case to use them in the container. There is a reason they won’t run or run correctly, as they make use of certain WinAPI functions and/or COM interfaces that are restricted or blocked off in containment. And making these applications work in containment is going to introduce containment bypasses and weaken the containment further than it already is. As it is now, it is possible to modify local user accounts and user groups from within the container when before it was properly prevented.

A well-designed containment should have the following concept:

All applications should be able to run in a sandbox as if they were running normally. The Sandboxed application should not know or not detect that it runs Sandboxed and of course it should not be allowed to make any permanent changes to the underlying file system or any other system resource.

Why spend precious time on designing and building a containment that cripples applications from running correctly?
Why not just discard containment completely and prevent and block all malware and viruses and unknowns from running instead? That is much easier to build and to maintain.

Sorry, but you miss the concept of a good containment here.

100% Accurate and Perfectly Explained! Thanks futuretech

CISfan please :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X :-X

All applications should be able to run in a sandbox as if they were running normally. The Sandboxed application should not know or not detect that it runs Sandboxed and of course it should not be allowed to make any permanent changes to the underlying file system or any other system resource.

And when the user resets or clears out the container (the sandbox) then all virtual changes that were being made to the virtual system are being undone completely and the real system continues to run like nothing has ever happened before.

I really don’t understand why there is so much fuss about this.

CISfan, repeating yourself doesn’t make a good impression, and moreover it doesn’t make you look right either, but rather suspicious and intrusive!

It has been explained to you that:

a. apps are not allowed to run in containment as “by your definition normal” and they must never be allowed to do that.
If you know basic programming you will understand that allowing apps to run as “by your definition of normal” or at the same level of privileges in the containment aka sandbox it will tap & hook API(s) that are OS/SYSTEM CRITICAL and therefore it will make the containment aka sandbox VULNERABLE and so it will be the beginning of EVASIVE form(s) of exploiting yours/his/hers/theirs/all millions of us the users of the CIS and our OS/SYSTEMS, period.

CISfan you wrote “sometimes you have to waken up people so that they open their eyes for things they don’t notice, not see or not willing to see.”

NOTE:
Continuing this discussion any further is pointless and reckless, and I must ask for the well preserved security of COMODO Internet Security Suite to not consider some of the “users” appointments about tampering with the SandBox principle, as this will lead to millions of flock migration to other AV security suites or alternatives!

I’ll leave it up to Comodo Staff and/or the mods how this matter has to be solved, they can decide in which direction CIS development has or needs to go.
And, as long as Comodo Staff and/or the mods permit me to report things I will continue doing so.

You really want the containment of CIS to run and act like a full emulation software that can seamlessly run all applications as if it was a full-fledged virtual machine; that is not going to happen with any security software suite that utilizes a sandbox. The concept of security vs. usability/compatibility needs to be taken into consideration when designing a sandbox. CIS puts focus on security, while another sandbox that I know of focuses on usability, which in turn makes it insecure. If you want to have both then you must use a VM which emulates an entire OS and hardware, whereas a sandbox is just an isolated environment that runs on the existing host environment without doing full emulation of the host system.

From Windows 7 eye candy interface to the Windows 8 abomination, or from hardened sandbox CIS older version to the weakened CIS newer versions…
Never happen, futuretech? You can never be sure what is lurking in people’s minds!

Innovation is closer to degradation…

Sometimes a trojan like CISfan is what it takes to take a good PROduct down!

Without creative minds we wouldn’t these days be able to walk on the Moon, exploring Mars with robots, looking to galaxies at light-years distance.
People will always be eager and curious to learn to innovate and explore new things.
William Shatner once spoke the famous words: Boldly go where no man has gone before.