The sandbox buys time for careful judgement on unrecognised software by placing temporary restrictions on unknown software. The vast majority of programs are still able to run while restricted in this manner and generate few alerts .
Software unrecognised by CIS has these restrictions automatically imposed. Such files are said to be automatically sandboxed. Software that the user regards as suspicious can be sandboxed by the user. Such software is said to be manually sandboxed. Manual sandboxng facilities are still at an early stage of development, and are not dealt with further in this Introduction. Please refer to the program help text, and the virtualisation FAQs here.
Both manual and automatic sandboxing are switched on by default and may be turned off together using the Sandbox Security Level slider.
Software unrecognised by CIS is, by default, automatically sandboxed using the ‘partially limited’ policy when run. So is all software run by such software. Software recognised by CIS as trusted is not sandboxed. If recognised as an installer it is run as a trusted installer with unlimited access to your computer. If not recognised as an installer it is run as a normal trusted file with a lower level of access. (Software immediately recognised by CIS as malicious is not run sandboxed - instead it is immediately alerted to the user via the AV system).
Most unrecognised software gets sandboxed immediately - the user is notified but retrospectively. Installers are held in limbo, giving users the opportunity to sandbox or not, but sandboxing occurs automatically if no answer is given.
Software cannot be removed from the sandbox until it is deemed trusted by Comodo or the user. Restrictions on unrecognised software which is subsequently deemed trusted are not removed until the software is next fully restarted. In some cases this may require the computer to be rebooted. Unfortunately the user is not told that this is required.
Sandboxed software may also be subsequently deemed suspicious or malicious by Comodo or the user. If recognised by Comodo as malicious it is added to Comodo’s blacklist and your computer is notified. When the software is next run the AV will give you the option of deleting or quarantining the software. If recognised by the user as malicious it can be transferred to my blocked files and/or AV quarantine, and/or deleted manually, and can thus be prevented from running. (Alternatively, if only suspicious, it can be manually sandboxed at a higher restriction level).
The restrictions placed on automatically sandboxed software are documented here.
Automatic sandboxing does not virtualise software Files and registry keys created by the software are NOT stored in a separate place on your hard disk. (Instead, to protect system integrity, the sandboxed program is prevented from writing to protected folders, pre-existing files, and registry keys - see link above for details).
 By default, CIS is now set to supress almost all alerts (see Alert reduction settings) . If these settings are set to ‘off’ Internet, Global hook, and certain COM interface alerts will still occur for some programs, though the frequency of these is being reduced.