How does the new sandbox work?

I wonder how it works now with the “partially limited” feature…

Ex: I run a safe executable that CIS doesn’t know. It’s sandboxed as “partially limited” and I can find it in “unrecognized files”… OK.
One minute later, if I run it again, it’s not sandboxed and it’s no longer in “unrecognized files”??? And there is no new event in the D+ log… why?

Was it scanned online and removed from the sandbox?

Please explain this to me :stuck_out_tongue:

Untrusted - The application will not be allowed to access any of the Operating system resources. The application will not be allowed to execute more than 10 processes at a time and will be run with very limited access rights. The restrictions on usage of system memory, operation with virtual file system and registry and execution time defined in Advanced Settings will be imposed. Note - Some of the applications that require user interaction may not work properly under this setting.

Restricted - The application will be allowed to access very few Operating system resources. The application will not be allowed to execute more than 10 processes at a time and will be run with very limited access rights. The restrictions on usage of system memory, operation with virtual file system and registry and execution time defined in Advanced Settings will be imposed. Note - Some of the applications like computer games may not work properly under this setting.

Limited - Only selected Operating System resources can be accessed by the application. The application will not be allowed to execute more than 10 processes at a time and will be run without Administrator account privileges. The restrictions on usage of system memory, operation with virtual file system and registry and execution time defined in Advanced Settings will be imposed.

Unrestricted - No Operating System restrictions will be applied - meaning the application will be allowed to access all the Operating system files and resources like clipboard. Still the restrictions on usage of system memory, operation with virtual file system and registry and execution time defined in Advanced Settings will be imposed.

OK, but “partially limited”?

My question was also about the very quick auto-withdraw from the sandbox: cloud scanning or something else???

It may have been the cloud lookup. The D+ logs only log blocks; I guess that’s why the move from the sandbox was not logged.

To see if the file is found safe, go to Active Process List → select the application → right click → choose Online Lookup and see what it says.