How Does Sandbox Work...exactly?

I am still trying to understand how to properly utilize Comodo with it’s containment feature. What I want to know exactly is once something activates containment, what am I supposed to do at that point to evaluate the situation. Is Comodo smart enough to run the program in containment, then analyze, then tell me if it’s malware? Or…is the responsibility then on the user to somehow figure out what is going on, such as looking at task manager or Killswitch and having the experience to determine if something looks wrong?

The containment seems to be a major part of the Comodo strategy. What I’ve seen and heard so far is sometimes a program seems to not run properly in containment and when they do, there is no feedback from Comodo to inform the user as to the safety of the program. So I’m probably missing something, and for someone who does not know how to utilize containment properly, it can get pretty annoying having programs open in containment and then not know what to do about it.

If virusscope is enabled and the executable triggers a virusscope recognizer then you will get an alert indication suspicious activity detected. If you have HIPS enabled you can monitor the HIPS event log to see what was being blocked, e.g. access memory of another process, direct disk access, process termination, etc. And finally you can use show activities from the active process list of the application that is running, also if website filter is enabled you can check the website filtering log to see if it was blocked from accessing a blocked website.

it is unfortunately the problem of relying on confinement. Some programs can work well and some can not. So hard to know if the program is healthy!
Especially that the analysis by COMODO can be more or less long (see very long), and once the program is isolated, it is the user of the kidnapped confinement.
The idea of confining unknown programs is not a bad idea in itself, but it has these limitations.

I’ve been running a cruelsister type setup. Would like as much protection as possible with minimum annoyance. Hips off, virus scope and web filter on. I like the idea of CIS, unfortunately don’t have the energy I once had to knuckle down and master something. I’m probable not the typical Comodo CIS user for that reason.


So after containment, no verdict by CIS is possible? I would need to investigate what you mentioned and make a call?

Only if you don’t get a virusscope alert.