Hi, I thought about a solution to prevent password-stealer/malware to get access to sensible data (browser password, mail, messengers,…).
If we could install programs into some “always sandboxed” folder that has nothing to do with the standart appdata/browser/your-data folder. When doing so, password stealers will have 2 major problems:
find the location of the sensible data (as it is not the standart location anymore)
get access to that location.
So for example a “comodo-lock” folder where we can make more folders inside like “firefox,chrome,thunderbird,msnmsgr,skype,…” and install the software into those folder. When installing, for example, firefox into this folder, it won’t create folders in “appdata” to store all the password there. Instead they will be stored in the “comodo-lock/firefox” folder and nothing is allowed to access that folder (and as ultimate option, nothing is allowed to get out of that folder as well)… as well as it simply isn’t the standard saving place for firefox passwords.
Normally UAC should prevent any program from accessing the appdata folder. But just in case i still run the setup.exe as admin (because i trust it altough it contains malware), it still won’t be able to get the password from firefox as its not a windows/system related folder + protected.
So basically it would be an extra layer of security to UAC, maybe defense+ as well as prevent malware to get out of the browser/mail/messenger/whatever you “sandbox” with comodo.
Anything on this list will always be sandboxed. Unlike the automatic sandbox, the manual sandbox has a fully virtualized file system. As in your wish, these files are completely separate from the standard Windows file system.
If you installed a program in the sandbox, it will always live in the sandbox. Settings and all.
No, you can’t create a sandbox specific to a single application. You can however, specify a restriction level and some other functions per application, such as maximum memory usage and even application run time. More info here in the help file: Always Sandbox | Comodo Internet Security | Comodo Internet Security Help
well… i actually can’t rly install a program in the sandbox? only choose a process which should run in the sandbox? The link told me that files inside the sandbox cannot harm the real system… but how about the other way? can a password stealer on the real system get data from the browser inside the sandbox?
I would prefer smth like sandboxie… have sandbox folder which actually look like “real” folders… so you can also edited files there just like i would to it with the real files in %appdata%.
[at]edit: just found out that there should be a “sandbox” folder… but where is it? on C:/ i only see the “sandbox” folder from “sandboxie”.
Run the installer in the sandbox. The application will be installed in the sandbox.
The sandbox goes both directions. Anything inside the sandbox isn’t aware of the normal Windows file system and vice versa.
As I already mentioned, the sandbox folder is a hidden folder called VritualRoot. The path is C:\VritualRoot. To view this folder, you’ll need to set windows to view hidden files/folders.
Ahh i was always wondering about where that virtualroot folder came from
Okay that looks really nice… now i would just wish to have folder for each application… so that i can put all my “sensible” programs insode the sandbox… but in case i open a drive-by with the browser, only the browser can get “Infected” but nothing else as the other sensible programs are in some other sandbox.
And some more customization for the access rights would be nice. e.g. “limited” is perfect but 10 process arent enough for some programs?
Also: i think this folder isnt going to get protected by UAC? If this folder would be inside “program files”, UAC would be an extra layer of protection?
Yes, selecting Run in COMODO Sandbox through the context menu is basically a one-shot run with the manual sandbox, so it is fully virtualized. It’s just a quicker way to run an .exe sandboxed temporarily than going through the GUI and selecting Run a Program in the Sandbox.
Yes, the context menu option also follows your automatic sandbox restriction level.
IS it just a bug or can you not install applications to a sandbox? I tried to sandbox Java (removed detection of installers) and it started but then I got a Windows Installer error and it was unable to install to complete the install.
I’m going to assume the Java installer relies on some permissions that the access restrictions won’t allow. Unfortunately there isn’t an option for no restriction.
A possible future option to improve the usability of the sandbox would be to remove restrictions for installers inside the manual sandbox.