How the Comodo Sandbox works - technical discussion

I recently answered some questions over at Wilders Security Forums on how the sandbox works (See here) - decided to put the overall answer also here so you guys can understand the sandbox better.

Credit: Ronny (Comodo forum moderator) & Egemen (Lead developer and project manager of CIS). 3xist (myself) did some editing.

How It works at the moment (Sandbox)

PLEASE REMEMBER… These details on how the Sandbox works are FOR THE FIRST BETA OF CIS V4 and MAY CHANGE… (Example: Virtualization will be default) As soon as this version goes final, Help file will able to explain how it works when this is released.

  • CIS makes sure the installers/updaters run outside the sandbox. Here users receive a ELEVATION alert, which very simply means: I am installing something, and make sure it is installed PROPERLY and do not bother me with it again. This design is made to avoid incompatible issues to avoid sandboxing such programs. This really is alot similar to how UAC works in Windows Vista and Windows 7 when you see a elevation Alert like UAC. ELEVATION Alert will only alert you once and only once. Allowing it for example will make that installer/updater fully trusted and its files that it drops. Blocking it blocks it totally.

  • Virtualization is not yet activated/enabled by default.

The sandboxed programs only start with limited rights and Defense+ handles these specifically. Defense+ automatically blocks file system and registry access to critical keys/files. These critical keys/files are the same ones used in Defense+ groups.

  • Unknown applications are run in the “non admin” restriction level - equal to using a non-admin account… which alone results in 80% less virus damage. If you are running Windows XP, You can use Process Explorer to identify restrictions added to a sandboxed process, you can see the Job limits of the sandboxed process. So CIS4 assigns restricted tokens to processes according to the level in sandbox and puts them into a job object. It really is exploiting the full support from the operating system at this stage.

  • So off course OS provides alot of security as a starting point. Remember Comodo Sandbox is a default-deny sandbox where unknown apps are run in it by default. it is NOT a on-demand sandbox just to sandbox some applications, even though you can do it.

Hope this gives a better understanding of how the sandbox works.


When you say:

Are you basically saying that currently the visualization isn’t (active) working despite having the boxes for this functionality checked under sandbox settings?

Yes, even though those settings are checked. This was the case in the pre-beta too. And off course Egemen said in the BETA release notes.

Not sure HOW it’s disabled though. Code changes perhaps. :slight_smile:


I see, cool future, 2 check-boxes that adds very little to the functionality… (At least right now)… I like clicking them already… 88) :smiley:

I must admit I was to quick to download the beta that I forgot to read it all… 88) Also, before it was easier… It was just eggman to keep track on… These days we have a omelet guy as well, lots of egg related stuff… very confusing… :smiley:

LOL do you know how long I have been waiting for some one to make a pun about me and Egemen? ;D ;D

Thanks Josh…that helps some. :stuck_out_tongue:

So if you ALLOW the elevation alert, even unknown programs won’t be sandboxed?

And let me get this straight - you can’t tell what is run sandboxed (but you can in Process Explorer?).

What is the “Visualization”? Is that something that shows if a program is sandboxed?

A CIS setting says an installer won’t be run sandboxed - how does CIS tell if a file is an installer, and will unknown installers be run limited?


Could some one give me a detailed explanation of the differences between the options when choosing to run an application in the sandbox please?




Also, why are these options not available when selecting an application from the context menu?

If you allow the elevation alert, it will be fully trusted and installed.

You can via Defense+ logs. But better sandboxing usability is coming to see how it works better in CIS4.

Virtualization. :slight_smile: I’ll fix that up.

ALL unknown installers/updaters will be run elevated alerted - Unless it’s in the trusted vendors list or whielisted and you will get no alerts. So CIS has an Antivirus (Installer: Eg Rouge AV) and a massive whitelist to really minimize such alerts. Sandbox technology is able to differentiate what program is a installer, and what is a malware simply sending instructions to your CPU to do bad stuff. No other Vendor has such great default-deny and default-allow technologies!

When CIS 4 goes final, I am sure these will be explained. :slight_smile:


Is is “Visualization” or should it be virtualisation?

When CIS 4 goes final, I am sure these will be explained. Smiley

No one knows now :slight_smile:

Virtualization. :slight_smile:

i think this should be said now… it’s “virtuilization”, not “visualation”.

so, you’ve been saying on Wilders that the sandbox would be cleared after a reboot…nope, at least not here. As I mentioned in the other thread I’m back on CIS 3 for the moment, which means that I had to uninstall CIS 4obviously, and guess what, after the reboot the “hidden” Comodo sandbox folder was still there and not cleared at all, full of Firefox and Google Chrome data. I even had to modify the access rights to be able to delete it completely, because other wise some data had, even after the uninstall, access denied, probably part of the sanboxing abilities.

edit: could actually be that the sandbox would have been cleared after a simple reboot, without uninstall, but I didn’t have the opportunity to check that, I’ll be back on CIS 4 testing when a more stable build comes out. As mentioned in the bug reporting thread, I had big issues with FF sandboxed (profile partially reset) and blank windows with Google Chrome).

What happens when you block the elevation alert?

Will the program be run, but sandboxed? Or blocked totally?

Because if allowing lets it run unsandboxed, and blocking stops it, what is the point of a sandbox?

How? Do you know this yet? :stuck_out_tongue:

I’m always suspicious of something that can “automatically” tell what is an installer or not (if it is a .msi, easy, but what about the .exe installers?).

I’m just writing an article and want to get it right. :wink:

Tomato, tomato, either, either let’s call the whole thing off…Ella Fitzgerald and Louis Armstrong - Let’s Call the Whole Thing Off. :wink:

Ah, but that would imply the two things are the same word, simply different pronunciations. However, visualization and virtualization are completely different things.

Monty Python has the best version of that song, but I couldn’t find it on YouTube in a quick search or I’d link it.

Thanks. I missed that. I thought it was about virtualisation versue virtualization. 88)

I’m not aware of the detailed technology how CIS can say: “this is a malware” put in the sandbox. Or “this is a installer”. Make sure user gets permission first.

But really, it’s as simple as: Unknown - inside, Known - outside. And in your article off course you can do a bit more details such as:

  • Installers/Updaters are run outside the Sandbox and here users receive a ELEVATION alert.
  • Malware/unknown applications run inside the sandbox.

Let’s not forget CIS 4 has whitelisting, Antivirus (Blacklisting), bufferoverflow and D+ Malware heuristics to minimize this etc etc and these components helps USABILITY wise.

Whitelisting: Less chance of elevation alert for GOOD applications and they will install and launch with zero pop ups.
Antivrus (Blacklisting), Buffer overflow, Defense+ Malware heuristics: Less chance of a malware being sandboxed.

Then in the next versions of CIS 4, Behavior Blocker will improve all this further.

It’s hard to understand at first. :slight_smile: It took me a while too!


dont you mean tomato, tomoddo? lol

thank you…you got my point! big difference…but anyway…

no reason we cant have some fun too here is there

edit: i had to say it cuz visualization was being used a lot