run programs as "always sandboxed"

Hi, I thought about a solution to prevent password-stealer/malware to get access to sensible data (browser password, mail, messengers,…).

If we could install programs into some “always sandboxed” folder that has nothing to do with the standart appdata/browser/your-data folder. When doing so, password stealers will have 2 major problems:

find the location of the sensible data (as it is not the standart location anymore)
get access to that location.

So for example a “comodo-lock” folder where we can make more folders inside like “firefox,chrome,thunderbird,msnmsgr,skype,…” and install the software into those folder. When installing, for example, firefox into this folder, it won’t create folders in “appdata” to store all the password there. Instead they will be stored in the “comodo-lock/firefox” folder and nothing is allowed to access that folder (and as ultimate option, nothing is allowed to get out of that folder as well)… as well as it simply isn’t the standard saving place for firefox passwords.

Normally UAC should prevent any program from accessing the appdata folder. But just in case i still run the setup.exe as admin (because i trust it altough it contains malware), it still won’t be able to get the password from firefox as its not a windows/system related folder + protected.

So basically it would be an extra layer of security to UAC, maybe defense+ as well as prevent malware to get out of the browser/mail/messenger/whatever you “sandbox” with comodo.

Have you checked out the manual sandbox at all?

Defense+ → Computer Security Policy → Always Sandbox

Anything on this list will always be sandboxed. Unlike the automatic sandbox, the manual sandbox has a fully virtualized file system. As in your wish, these files are completely separate from the standard Windows file system.

Oh… no i only read about the automatic sandbox.

Well programs always get started in a sandbox… but their settings arent in a sandbox (as well as the password) ?

also i cant make an own sandbox for each program ?


If you installed a program in the sandbox, it will always live in the sandbox. Settings and all.

No, you can’t create a sandbox specific to a single application. You can however, specify a restriction level and some other functions per application, such as maximum memory usage and even application run time. More info here in the help file:
Always Sandbox | Comodo Internet Security | Comodo Internet Security Help

well… i actually can’t rly install a program in the sandbox? only choose a process which should run in the sandbox? The link told me that files inside the sandbox cannot harm the real system… but how about the other way? can a password stealer on the real system get data from the browser inside the sandbox?

I would prefer smth like sandboxie… have sandbox folder which actually look like “real” folders… so you can also edited files there just like i would to it with the real files in %appdata%.
[at]edit: just found out that there should be a “sandbox” folder… but where is it? on C:/ i only see the “sandbox” folder from “sandboxie”.


Run the installer in the sandbox. The application will be installed in the sandbox.

The sandbox goes both directions. Anything inside the sandbox isn’t aware of the normal Windows file system and vice versa.

As I already mentioned, the sandbox folder is a hidden folder called VritualRoot. The path is C:\VritualRoot. To view this folder, you’ll need to set windows to view hidden files/folders.

Microsoft Windows XP - Display hidden files and folders
Show hidden files - Windows 7

Ahh i was always wondering about where that virtualroot folder came from :stuck_out_tongue:

Okay that looks really nice… now i would just wish to have folder for each application… so that i can put all my “sensible” programs insode the sandbox… but in case i open a drive-by with the browser, only the browser can get “Infected” but nothing else as the other sensible programs are in some other sandbox.

And some more customization for the access rights would be nice. e.g. “limited” is perfect but 10 process arent enough for some programs?

Also: i think this folder isnt going to get protected by UAC? If this folder would be inside “program files”, UAC would be an extra layer of protection?

thanks for the help !

Hopefully version 6 will bring more usability options to the sandbox.

I don’t use UAC, so I don’t know if VritualRoot will be protected by it.

Somewhat related question: Does right clicking and “Sandbox this application” autosandbox with virtualization?

And if I have my autosandbox set to Limited will right clicking and sandboxing it also sandbox it as limited?

Yes, selecting Run in COMODO Sandbox through the context menu is basically a one-shot run with the manual sandbox, so it is fully virtualized. It’s just a quicker way to run an .exe sandboxed temporarily than going through the GUI and selecting Run a Program in the Sandbox.

Yes, the context menu option also follows your automatic sandbox restriction level.

If i use sandboxie, can comodo protect the files inside the sandbox folder (when adding it to the protected files & folders) ?

Since the contents of a sandbox are usually temporary, it doesn’t make a lot of sense to protect the files in there from being modified.

You can do it if you want though. You’d need to give Sandboxie permissions to modify files there, otherwise it would probably not work as intended. You’ll find details on how to do this, here:
PC Files / Folders Protection From Malicious Software | Internet Security Help

IS it just a bug or can you not install applications to a sandbox? I tried to sandbox Java (removed detection of installers) and it started but then I got a Windows Installer error and it was unable to install to complete the install.

Java issue or…?

I’m going to assume the Java installer relies on some permissions that the access restrictions won’t allow. Unfortunately there isn’t an option for no restriction.

A possible future option to improve the usability of the sandbox would be to remove restrictions for installers inside the manual sandbox.

You can’t install applications in the Comodo sandbox.

Who knows what v6 will bring in this respect though.

what files would I need to add to Comodo for running java always sandboxed (win7 x64) ?