Precedence of Autosandbox & Computer Security Policy (CSP) policies & rules [v4]

This is a relatively technical FAQ designed for people who want to fine tune the way the Defence+ Computer Security Policy and the Sandbox work together.

With CIS 4.0 Comodo added two autosandbox-related policies to CIS. These comprise: the autosandbox ‘Limited’ policy, and the ‘Safe’ Files policy. Comodo also modified the ‘installer/updater’ policy to cause exemption from operating system job and security restrictions. None of these ‘fixed’ policies can be modified by the user.

The Computer Security Policy (CSP) remains, with its predefined policies and custom rules. These include: Trusted, Windows System, Protected, Installer/Updater, Limited and Isolated. The predefined CSP policies are in general alterable by users. Although the CSP ‘installer/updater’ policy is still there, it now is as much a sandbox-related as a CSP policy and it t can no longer be altered by users. Please note that the Trusted Files Policy is similar to, but NOT the same as, the new autosandbox-related ‘Safe Files’ policy.

Both the CSP and the autosandbox rules and policies address similar aspects of program behaviour - internal program actions not external communication. So there is a big overlap. The autosandbox has extended this range somewhat to include including OS Security and Job restrictions (see the Introduction to the Sandbox) hence the need for modifications to the installer/updater policy.

So the question arises, how do these two difference sources of application rules and policies interact? Which has priority and under what circumstances? I summarise my findings on this below.


[ol]- Autosandbox Defense plus, Job and Security rules have precedence except:

[li]COM interface and global hooks access attempts are passed through to the CSP and may be over-ridden by custom rules or the application of pre-defined policies there.

  • Installer/updater policies which always have precedence over autosandbox Job and Security rules, and have precedence over autosandbox Defense+ rules when and only when ‘automatically detect installer/updaters’ is ticked. (This setting is effective even when the sandbox is disabled).
  • The autosandbox-related Safe Files policy appears to over-ride all permissive CSP policies - Trusted, Windows System, and Installer/Updater. The Installer/Updater policy is over-ridden even when ‘autodetect installers’ ticked. The ‘Safe Files’ policy also over-rides ‘allow’ and ‘ask’ custom settings. However restrictive CSP policies (eg Limited and Isolated), and custom ‘block’ settings over-ride the ‘Safe Files’ policy
  • I have not fully checked manual sandboxing policy (eg ‘Untrusted’, ‘Restricted’ and ‘Unrestricted’) precedence, but indications are that the same situation prevails. Of course one can be pretty sure that manual sandboxing ‘Limited’ policies work in exactly the sane way as autosandboxing ‘Limited’ policies.[/ol]

Other important conclusions:

  • Making something an installer/updater in the CSP will not be fully effective unless ‘autodetect installers’ is ticked
  • Making something an installer/updater in the CSP will not be fully effective if it is also present in My Safe Files

[i]Please help us improve this introduction by posting suggestions to the ‘Sandbox help materials - Feedback topic’ here.

This introduction has been prepared by a volunteer moderator – with input from many other moderators (Thanks everyone, especially: Ronny). It has been produced on a best endeavours basis - it will be added to and corrected as we find out more about the sandbox. Please note that I am not a member of staff and therefore cannot speak on behalf of Comodo.[/i]

[Updated: 07 July 2010. Reflects changes up to CIS version]