FW Alerts re Sandboxie


I’m compelled to inquire about your alert:

Sandboxie has modified the user interface of Firefox by sending special Windows messages… may be a sign of trojan activity…

I just recently added this program to my ****nal & received this alert. The only thing I’ve run in Sandboxie is FF. I thought it was its mechanism of action that was prompting the alert.

Sandboxie’s author stated he thought it might be caused by the hash marks it puts on the browser window.

This doesn’t explain the second alert I received:

Sandboxie has modified the user interface of TCPView by sending special Windows messages…

I never ran TCPView in Sandboxie.

There must be a lot of people running these apps. What explanation(s) does Comodo have for this? Have there been other inquiries? Do sandboxing programs trigger this alert?

Perhaps my d/l was somehow compromised.


edit: I see the filter doesn’t like arsenal! Too funny!

By looking at Sandboxie’s homepage, what I can gather is that it works by intercepting “Windows Messages”, which is how everything running on the Windows OS communicates with each other and the Windows OS itself. In most cases it seems that a programmer only ever needs to worry about “Windows Messages” when trying to do something with another program in typically higher level programming languages, and Comodo knows this, so when a program tries to send or intercept Windows Messages to other programs it tells the user, which it most likely should because it is “unusual behavior” or “Special Behavior” LOL.

Anyway, depending on how technical you want to get, the following link explains it better:


If you do not want to know a lot of useless stuff (:TNG), but you want to make sure that the copy you downloaded is legitimate (which is the main worry), then download and install:

Check the MD5 hash of the Sandboxie install file that you downloaded with FileAlyzer (above), and compare that to the MD5 for the version you downloaded on the vendor’s website. If they match, then the install file is legitimate and has not been modified in transit:


TCPView may work in a similar way, when it tries to query another program’s process to see what connections it has open… Depends on how it works. If you are worried that this file is infected, do the same procedure as above with FileAlyzer, checking the MD5 hash that FileAlyzer calculates against the MD5 hash that is on the vendor’s website for that version of TCPView.

Edit: Changed from System file to “Programs Process”, thinking from the wrong perspective here. Users would get really annoyed if they were warned each time the Windows OS was accessed by a program…
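
The hash comparison described in the reply above, as an added example that is not part of the original posts and not code from FileAlyzer, Sandboxie or Comodo. The function names and the sample file are assumptions made for illustration, and the published value is assumed to have been copied from the vendor's own download page.

```python
import hashlib
import hmac
import re

# A 32-hex-digit token; longer digests such as SHA-256 do not match.
_MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def file_md5(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_published_md5(text):
    """Extract the MD5 from text pasted from a download page.

    Accepts a bare hash, 'MD5: <hash>' or md5sum style '<hash>  file.exe',
    in either letter case. Refuses text with zero or several distinct
    values, so the wrong version's hash is not picked silently.
    """
    found = {m.lower() for m in _MD5_RE.findall(text)}
    if len(found) != 1:
        raise ValueError(f"expected exactly one MD5 value, found {len(found)}")
    return found.pop()


def installer_matches(path, published_text):
    """True only if the downloaded file hashes to the published value."""
    expected = parse_published_md5(published_text)
    return hmac.compare_digest(file_md5(path), expected)


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed stand-in for a downloaded installer (content is b"abc").
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"abc")
    try:
        pasted = "MD5: 900150983CD24FB0D6963F7D28E17F72"  # constructed value
        print("match" if installer_matches(tmp.name, pasted) else "MISMATCH")
    finally:
        os.unlink(tmp.name)
```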


Thank you very much for your time and expertise.