Under Defense+ → Sandbox, there’s the following option:
Automatically detect installers/updaters and run them outside the Sandbox
I’m hoping there was an omission of a word here: “recognized”. If any installer/updater were to run outside the sandbox then what’s the point of the sandbox? Malware might not require an “installation” and just run but many do run an installer. It might not be malware but an installer for a program that you don’t want. If the installer/updater isn’t in Comodo’s whitelist then I do want it [initially] sandboxed (actually I would prefer if CIS asked me if I want it sandboxed before sandboxing it).
For recognized installers, I’d like them not to be automatically sandboxed (since I’m then going to have to abort it and run it again).
For unrecognized installers, I’d like them to start sandboxed and get prompted about it. Then if it is something that I really want, I can trust it and rerun it to install the unrecognized installer.
So it seems the option should read:
Automatically detect recognized installers/updaters and run them outside the Sandbox
The function of the “Automatically detect installers/updaters and run them outside the Sandbox” setting is for usability. It will provide the user with an alert when an unknown installer gets run that it requires Unlimited Access rights.
The user can then decide to allow or to deny it. A reason to allow it could be that the user trusts the maker and the site it was downloaded from.
Recognised installers will be allowed to run without notification. So it is only the unrecognised programs that will be either alerted or sandboxed (depending on whether this setting is enabled or disabled).
If you want an unknown installer initially sandboxed then disable this setting.
It would help to clarify what the option does if “recognized” had been used as a modifier to “installers/updaters”. With that modifier, the phrase means ALL installers/updaters (because there is no restriction on what types of them) get run outside the sandbox and that’s not good because that could be for malware.
Yep, I do want recognized ones run outside the sandbox. For the unrecognized ones, yep, I want an alert that asks me to choose an action. So enabling this option eliminates the alerts on recognized installers/updaters but alerts on the unrecognized ones.
Thanks for your help.
When an unrecognised file asks for unlimited access to your computer you will get:
- An alert where you get the choice to Sandbox, Allow or Block when the sandbox is enabled
- A D+ alert, when sandbox is disabled, where you can choose to run following a policy (Installer/Updater being one of them) or to block it
I hope this answers your question.