How to remove *individual* applications/files from the sandbox? [v4]

This FAQ is about removing individual programs from the sandbox (i.e. ‘unsandboxing’ them). If you have a lot of programs which have been sandboxed, please try the quick approach for bulk unsandboxing here. Use bulk unsandboxing only for files you know to be safe.

Before you start
Please confirm the program is being automatically sandboxed. If you get a sandbox (not an unlimited access) alert, then it is. If you don’t, look for a sandboxing log entry timed when you start the software. Please note - files can be present in My Pending Files for reasons other than sandboxing.

1. If you trust the vendor/program
2. If you are not sure you trust the vendor/program

Please help us improve this Mini FAQ by posting suggestions to the ‘Sandbox help materials - Feedback’ topic here. This topic has been prepared by a volunteer moderator – with input from many other moderators and Comodo staff members (Thanks everyone, especially Ronny, EricJH, Arkangyal and Egemen). It has been produced on a best endeavours basis - it will be added to and corrected as we find out more about the sandbox. Please note that I am not a member of staff and therefore cannot speak on behalf of Comodo.

Updated: 22 July 2010. Reflects CIS version 4.1.xxx.920

Please try the following ‘quick and easy’ methods, in the order below:

1. Add the program vendor via Defense+ ~ ‘My Trusted Vendors’, and reboot.
2. If this fails, and you are sure there is no malware in the program’s directory, add all the executable files in the program directory by going to ‘My Safe Files’ ~ Add, then selecting the directory, ticking ‘and subdirectories’, and rebooting. You can check the directory for malware using a right-click Antivirus scan.
3. If 2 fails, select all the files that you trust in ‘My Pending Files’, whether or not they relate to the program you are trying to unsandbox, move them to ‘My Safe Files’ and reboot.
4. If 3 fails, look in the Scheduled Tasks (Task Scheduler in Win 7) folder in Control Panel to see if you have an update task for software you have uninstalled. If so, disable it.

Note: Beyond this point you are granting the program higher privileges than ‘safe’ files get, and there is a greater likelihood that the file is malware.

5. If 1-4 fail and you are absolutely sure the program is safe, try applying the ‘Installer/Updater’ predefined policy to the main program executable file, launcher file, and any program-related services using the Computer Security Policy, after removing it from ‘My Safe Files’, and rebooting. (You should also do this to any other program executable you run directly, e.g. from a shortcut.) If you are not absolutely sure the program is safe, it is advisable to check the file using CIMA. If still not sure the program is safe, continue here, missing out the first action.

These four approaches should deal with the vast majority of cases, including some cases where files will not enter or stay in ‘My Safe Files’ because they are continually modified. If they fail, you can try further measures.
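The Scheduled Tasks check in the quick methods above (an update task left behind by software you have uninstalled) can also be done from a PowerShell prompt. This is an added example, not part of the original FAQ or of CIS; the function names are hypothetical, and it assumes an English-language Windows, where schtasks.exe names its CSV columns ‘TaskName’, ‘Task To Run’ and ‘Scheduled Task State’.

```powershell
# Added example: report scheduled tasks whose target program is no longer on disk.
# Assumes English-language Windows: schtasks.exe then names its CSV columns
# "TaskName", "Task To Run" and "Scheduled Task State".

function Get-TaskExecutable {       # hypothetical helper name
    param([string]$CommandLine)
    # Expand %SystemRoot%-style variables so the path can be tested.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }          # quoted path
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|vbs|js))(\s|$)') {   # unquoted, may contain spaces
        return $Matches[1]
    }
    return ($cmd -split '\s+')[0]                                 # fall back to first token
}

function Find-OrphanedTask {        # hypothetical helper name
    param([object[]]$Tasks)
    foreach ($t in $Tasks) {
        $run = $t.'Task To Run'
        if (-not $run) { continue }
        $exe = Get-TaskExecutable $run
        # Only test drive-rooted paths: bare names such as "defrag.exe" are
        # resolved through PATH, and repeated CSV header rows or
        # "COM handler" entries never match this pattern.
        if ($exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe)) {
            New-Object PSObject -Property @{
                TaskName = $t.TaskName
                State    = $t.'Scheduled Task State'
                Missing  = $exe
            }
        }
    }
}

# /v adds the "Task To Run" column; a task with several triggers appears on
# several rows, so duplicates are collapsed by task name.
$tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv
Find-OrphanedTask $tasks |
    Sort-Object TaskName -Unique |
    Format-Table TaskName, State, Missing -AutoSize
```

Review each reported task in the Task Scheduler before disabling it. On 64-bit Windows run this from a 64-bit PowerShell, since file-system redirection in a 32-bit session can make System32 targets look missing.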

Please try the following, in the order below:

1. Check the program via CIMA, then, if willing to accept it is safe, continue here. Otherwise continue below.
2. Check if any program files are being sandboxed because they are being run by another sandboxed file (a). If so, try running the affected file directly, or unsandboxing the file that is running it, then rebooting. (Assuming that you trust that file.)
3. If you think it’s a Windows program, try creating a Windows restore point, then running ‘sfc /scannow’ at the DOS prompt with your Windows installation disk in your CD drive, then rebooting. This ensures all Windows files are code signed and correct versions.
4. Try manually sandboxing the program at the ‘Limited’ level with virtualisation on, and manually submit the program for analysis by Comodo via ‘My Pending Files’ ~ Add, then ~ Submit… Wait till pronounced safe or otherwise.

Footnote
(a) Do this by looking for its parent program under ‘View Active Processes’ in CIS, then checking if this program is sandboxed by checking the Defense+ logs or (less reliably) ‘My Pending Files’.

If the problem persists after trying all the above, you can try the techniques below, which take more time. At this stage please report an application incompatibility here.

1. If CIS won’t allow you to add the file to ‘My Safe Files’, or it won’t stay there, it may be defined as trusted or ‘windows system’ elsewhere in CIS. So look for such rules in the ‘Computer Security Policy’ (NOT trusted vendor entries in ‘My Trusted Vendors’), delete them and then add the program to ‘My Safe Files’ and reboot.
2. If you think the file might be a Windows program, try creating a restore point, and running ‘sfc /scannow’ at the DOS prompt with your Windows installation disk in your CD drive, then rebooting. This ensures all Windows files are code signed and correct versions. You can also try using Microsoft Update to bring your system files right up to date. Re-installing your service packs can also help if installation may have been incomplete, but is not for the faint hearted!
3. Otherwise check if the program is being run by another sandboxed program (a). If it is, try running it directly, or unsandboxing the program that is running it, assuming that you trust that program, and rebooting.
4. Try manually sandboxing the file at the ‘unrestricted’ level using ‘Add a Program to the Sandbox’ with or without virtualisation and rebooting. (This does not unsandbox it but may help it run properly.)
5. If the program file has an unusual extension, try adding it to the executables group (‘My Protected Files’ ~ Groups ~ Add), then seeing if adding the program to ‘My Safe Files’, and rebooting, will work.
6. If the file cannot be found anywhere on the disk (try a Windows Explorer search, explicitly including hidden and system files), you can try creating a dummy file using the guidance here, then adding the dummy file to ‘My Safe Files’ and rebooting. (With thanks to Piet2468, Languy99 and Don Clarke who helped discover this.)
7. If all else fails, you can try unticking, if ticked, ‘Block all unknown requests if the application (i.e. CIS) is closed’ under Defense+ settings. This resolves some very thorny issues that occur very early in the startup process.

Footnote
(a) Do this by looking for its parent file under ‘View Active Processes’ in CIS, then checking if this file is sandboxed by checking the Defense+ logs or (less reliably) ‘My Pending Files’.

Making a fake executable file

Make a restore point. Do Start ~ Run ~ CMD. Then type in exactly:

  Copy CON “”
  Z

This creates a dummy .exe file consisting only of the end of file (EOF) character.