File sandboxed, found malicious, made safe [Renamed]

So I have had my CIS4 set up with sandbox on and automatically detect installer… off, so everything is sandboxed.

I tested this setup on my VM, and it sandboxed a fake AV (rogue), then immediately scanned it and released it from the sandbox… How does that happen! They scanned it and found a rogue as safe? I know technically they are not malicious, but they should be deleted from your sandbox, not let free!!

Luckily, firewall found it to have malware behavior so I blocked it, but I really wish the sandbox was more secure.

Can you provide me a link in my PM to test this? Or maybe the original install file?

Yeah, sure.

Also, what the heck does this mean in Defense+ events:

Application: Run_av.exe sandboxed, scanned online found safe, scanned online found malicious,safe.

… Does that mean it was scanned and came back safe or was malicious?

Wow, what?

Sandboxed; scanned online → safe; scanned online [again] → bad; “but let’s call it safe anyway”?


I just tried to do what you did and I could not get it to do it. It was sandboxed but never let out. It totally killed it in sandbox and when I restarted it was gone. Upon reboot it was even gone from pending files.

I retested it on a different machine and it wasn't let out of the sandbox, so I guess I'm not worried, but languy, do you know why Comodo says that?

Scanned online found safe, scanned online found malicious,safe

I don’t know, I have never seen that. I would suspect it was a hiccup in the program or that you are using CIS on a virtual machine; it has been known to cause weird things to happen, especially in security programs.

Sounds like a sandbox file submission system bug to me. Should be reported anyway?

If you and languy agree could you add details as described here please.

Maybe move this thread and give it title like ‘File sandboxed, found malicious, made safe’ to draw devs attention.

Best wishes


This is the picture, sorry it's in Word.
