Help with unknown files

I am confused on the best way to limit an unknown files usage if you are unsure if the file is good or bad.

I set my CIS up with Chiron’s guide. I have BB set to “untrusted”.

When I go to load a program that is unknown, it auto-sandboxes the program as untrusted. This level of restriction keeps it from running. So I go into “Sandbox” settings and manually add the file as “Restricted” or “Limited” to allow it to run and still have some protection with the sandbox.

My question is:

  1. Is this the right way to limit a program you are 95% sure is good?

Other questions:

  1. What are BB exceptions used for? This seems like the same thing as adding an exception to the Sandbox.

  2. When you add a program to the trusted list, can you also force the program to load as Restricted or Limited with the Sandbox exceptions?

  3. Lastly, back to the original problem…tell me if I am doing this right. To limit access to an exe file, I add it to the Sandbox as Restricted or Limited. I then block internet access to the program in the firewall. If I add the program in the Sandbox, do I need to block internet access in the Firewall also, or does the Sandbox block internet access?

  1. I personally use the “limited” BB setting, since limited and above blocks ransomware (partially limited does not). I think anything above is overkill for a home user.

  2. Files in BB exceptions are handled by HIPS instead of BB (if it is checked)…I think.

  3. As far as I know, you can’t, unless you manually move it from the trusted list. You can run it fully virtualized though from the right-click menu: run in Comodo sandbox.

  4. The Sandbox doesn’t limit internet activity; that’s the firewall’s job, so if you want to cut internet access for a program, add it as blocked in the firewall.

I’m trying to figure out a way to get the same level of protection with increased usability. However, as I’m sure you can understand, this is a very difficult task.

What I would recommend is that you use the methods I suggest in this article to find out if the file is dangerous. Then, if it is not, you can add it to your trusted files. That way it will never be sandboxed again, and thus will work correctly.

I suppose you could also do this. What this will do is run the file in a Fully Virtualized environment with whichever restriction level you choose. If you like you can certainly choose Limited. That should be safe enough. However, if you would like the program to run on your actual computer please follow the advice I give above.

To explain this please read this page of the online help file.

I don’t think so. I believe that if you define it as trusted it will not be restricted by either Defense+ or the Firewall component. I don’t believe there is a way around that, but I’m sure someone will correct me if I’m wrong.

Please see the first comment I made. However, if you do decide to add the file to the sandbox internet access is not automatically blocked. However, you should still receive an alert if it tries to access the internet, which you could just choose to block. Thus, no extra rules are required.

Please let me know if you have any other questions.
I think I am understanding better now.

So BB exceptions are used to keep BB from scanning and auto-sandboxing files.

Sandbox exceptions override BB (I think) and manually choose the sandbox mode you selected instead of it being auto-chosen by BB.

Trusted files allow the file to bypass all protection, so this should only be used on 100% trusted applications.

Thanks both of you!

Edit: And BTW Chiron, the link you posted above did say this about Trusted files:

To exclude a file from monitoring by all the components of CIS including Antivirus, Firewall, HIPS and Behavior Blocker, add it to Trusted Files list.