Defense+ sandbox + trusted file list

Win 7 x64
Force 3 120gb ssd
gtx560 ti

Latest comodo suite .2253 with D+/AV installed configured for optimal usage and no extra other junk. AV is disabled and used only on demand.

Clean install of windows 7 and no other forms of software that would possibly interfere. Also no the pc is not infected. This also reproducible at will., If a dev wants remote access or a dump to clarify whats going on i can provide that.

Hi, currently i purged all trusted files and custom rules other then the predefined ones greyed out by comodo along with disabling/removing all forms of trusted vendor or online lists. Restoring firewall and D+ rules worked out quite fine.

However when it comes to trusted files and sandboxing apps it seems that certain applications are not being detected on boot. Example would be Thunderbird.exe was not being sandboxed on boot and had to manually re-load the app to successfully isolate it in sandbox.

I would assume that the app is loaded prior to comodo which is quite weird… what good is the software going to do if not loaded first thing prior to system files.

Next onto the sandboxing, after various popups on reboot for things such as dllhost.exe and some intel software for the IGP get sandboxed for the first time. After selecting “do not isolate next time” and ensure the file is added to the trusted files, i proceed to reboot and it decided to sandbox the same files despite they are both in the D+ rules and on the trusted file listing.

Also AIMP 3 was not detected and sandboxed despite there was no trusted listing of the software… even if these files are not being sandboxed they still should be showing in the “unrecognized files” section of which they do not.

Mod edit: I made a basic paragraph structure and put capitals at the beginning of each sentence for an easier read. Eric

added a copy of my current configuration.

[attachment deleted by admin]

Sorry you are experiencing this problem.

Using CIS in the way you describe (as a pure HIPS) is a bit of a ‘black art’, so without further investigation I am not clear whether you have identified a bug.

For the moment I will transfer you to help so you can work through this issue with users and mods used to the approach and hopefully resolve it. I hope that is OK.

Please ask any mod to move this report back to the bugs forum if it becomes clear that it is a bug/issue.

As a hint probably the best thing to do first is to post your Active Processes List and Defence Plus logs. With this information people should be able to help you.

Regarding you difficulty with trusted files the Removal techniques FAQ may help.

Best wishes


Do you have all cloud look up facility disabled?

How to disable all cloud functions of CIS?

In the AV:

In Defense +

all of the above are disabled, one under schedule scans was enabled but i doubt that would be causing this. also it had zero impact on the issue disabling it.

Even with removing the D+ rule just allowing the app to run it still is not procing sanboxing or listing the “untrusted file” for AIMP3. The trusted software list is purely empty and should be notifying of every action/file that is introduced correct?

heres a hijackfree log of active processes/services.

[attachment deleted by admin]

hi, i partitioned and reinstalled win 7 x64 to a different HD.

I installed comodo security suite + AV only with disabling the options suppress alerts and the cloud feature.

then i removed all trusted vendors and disabled any form of cloud scanning/automatic safelisting or anything else that would possibly take over instead of the human.

I installed AIMP3 of which showed it was being sandboxed PRIOR to be run. if you check the sandbox it shows no such .exe and AIMP3.exe is shown under unknown files. If you run AIMP3.exe then it should still be sandboxed with “Isolation” which i defined in the D+ settings corrent? If i am wrong here then there is a misconfiguration. If i am not wrong here please move this back to bug reports as i took the time to isolate the issue in a fresh environment. In this scenario i did not remove and trusted files that were already predefined and the scenario was the same.

this can be replicated 100% and i would assume the expected behavior is suppose to be sandboxing the unknown file until moved to trusted files “aka Do not sandbox again” option or manually doing so. Would be nice for someone to actually take the time to reproduce this issue instead of making the assumption that its a user error when its described quite well.

hi, i withdraw my last statement as it appears your software “thinks” the exe is already trusted yet no .exe is listed within the trusted files. i tried to add the file manually out of curiosity and it will not let me. i also reinstalled the software prior to doing this which changed nothing. the .exes are sorted by name and i see no path to AIMP3 in x86 program files…

[attachment deleted by admin]

THanks if you wuld be kind enough to post your active process list (edit: while AMP is running) then we can probably work out what is happening. Defence plus ~ View Active processes and take screen shot.

Best wishes


I have been through some rounds of testing. I disabled all the cloud lookup stuff as I posted in the above. “Disabled Automatically detect the installers / updaters and run them outside the Sandbox” and “Automatically trust the files from the trusted installers”.

Switched to Paranoid mode and rebooted after making changes so CIS wouldn’t remember answers (it will for the Windows session when not telling it to remember forever). And still it seemed to slip through the cracks. It kept on being seen as safe.

It had me puzzled for wee while and then it hit me. CIS still has the internal whitelist that comes with installing and cannot be disabled. We are so used to the cloud that we forget there is also a local database. That also explains why AIMP.exe does not show in the Trusted Files list where two dll’s and AIMP’s uninstaller do show up.

Best thing to do is to manually sandbox AIMP to your likings.

Good thought, but I wonder why AIMP would be on it. I’d think it would be reserved for early loading OS files?

I’m wonderingf if it is being run as a service, some such appear to be run verdict=unknown, sandbox=disabled in the active process list.

Best wishes


Good thought, but I wonder why AIMP would be on it.
Lobby from Russian or Ukrain office? ;)
I'd think it would be reserved for early loading OS files?
The list is traditionally a database for whitelisted programs. I don't recall notification that it changed to only serve early starting applications.

It runs under Explorer. When using Comodo and Sysinternals Autoruns there is no sign of file(s) from AIMP starting with Windows. Also no signs sandbox disabled and verdict unknown.

so what did you change exactly?

The list is traditionally a database for whitelisted programs. I don't recall notification that it changed to only serve early starting applications.
I guess I don't u/s why it would still exist then given the trusted files list. A dev once said to me that it was used as a sort of buffer for when quick access was needed.
It runs under Explorer. When using Comodo and Sysinternals Autoruns there is no sign of file(s) from AIMP starting with Windows. Also no signs sandbox disabled and verdict unknown.
Not that then. :) Just had a Vmware file that was consitently showing that behavior on the Active Process List (sandbox=disabled, verdict=unknown). I changed something apparently unrelated in CIS. CIS then finally saw it as trusted, and its been trusted since. No record of cloud lookup.

Best wishes


think ur confusing the two a tad… my issue is that AIMP3 is not listed under trusted files and is trusted regardless of if its at boot or not.

the others as you say are not sandboxed nor trusted and those are ones that were loaded on boot. for those if i restart the process they are detect fine and then sandboxed. if [at] boot though they will not be sandboxed, another example was realvncaddressbook, it was unknown in the active process list but still running normally.

as long the issue is acknowledged ill be happy since thats usually the hardest part to getting something fixed in the long run. the actual effects of this issue are not dramatic nor impairing the functionality of anything. though the security is questioned a tad. if AIMP3 can bypass being sandboxed then what else can?

Don’t worry that was just a possibility to explore.

Eric I think believes that AIMP is on CIS’s internal (invisible) whitelist. If true the behaviour you describe does not indictae a security riisk, just that AIMP is deliberately trusted.

Best wishes


I have confirmed this, in so far as one can, by changing a byte in the AIMP program. It is then sandboxed, if in D+ ~ D+ settings ~ Execution settings you have set ‘treat unrecognised files as’ partially limited. (Incidentally on a new VM install, selecting do not suppress alerts in the installer, ‘treat unrecognised files as’ was unticked when I came to it - maybe I clicked in the wrong place while doimg these checks. I’ll try to confirm whether thre is a problem in the installer tomorrow)

Without this change of a byte it is treated as trusted although not on the trusted file list, and there is no logged FLS lookup in D+ events.

Incidentally the original program is unknown to the Basic and FLS lists in CCE. It is also unsigned.

So internal whitelist it must be…

Best wishes


well another one i run ran into is dexpot which follows the same scenario.

also another bug is that if you have no rules defined for plugin-container for firefox then your systems desktop will lock up. also occurred on some other rules trying to be created. the 64bit enhanced defense is enabled for these.

also if there is a beta addressing the issue i would be more then happy to test it in the future if a link is pmed. ty