Sandbox alert popup for document started under cmd.exe

Hello,

My configuration: CIS 4.1.150349.920 with Firewall Safe mode, Defense+ Safe mode, Proactive Defense, Sandbox enabled.

Under command prompt (cmd.exe), when I type:
foobar.doc
or
start foobar.doc
(.doc could also be .xls, .html… : same problem).

a sandbox alert pop ups. This is annoying since under explorer.exe (or Total Commander which is set as trusted application), double click on the same foobar.doc does not have Sandbox alert.
And since the .doc filename could be everything, even if I choose the option ‘do not run this application inside the sandbox again’, another filename will trigger another Sandbox alert popup :-(. Since the application is Word, why CIS did not recognize that Word is already safe/trusted?

.doc → Word
.xls → Excel
.html → my default browser
.mp3 → my player application
.jpg → my picture viewer application
etc…

All the above applications are safe or trusted and do not require sandbox.

How can I avoid the Sandbox alert popup when typing foobar.doc under cmd.exe ?

Thank you for your support.

From my user point of view, CIS behaviour is not coherent.

CIS (Defense+) has to sandbox an application (exe, com, pif, scr…) and not a passive document like doc, xls, mp3, html (although these documents are associated with applications).

So when I type foobar.bat under cmd.exe, for me it is normal that Sandbox alert popups
if foobar.bat is seen for the first time.

When I type foobar.doc, that is WinWord.exe (associated application) that is invoked, and since Winword.exe is already known, no Sandbox popup should be seen.

When I double click foobar.doc under explorer.exe, no popup seen: good!

Could you please supply details of your OS and any other security programs you might have running.

Also could you please post screenshots of the Sandbox alert and one of My Safe Files.

Thank you
Dennis

I am running XP SP3, CIS and Avira Antivir 10.
I don’t think the anti-virus has something to do with this subject.
The problem is CIS Sandbox is confused between the passive document and the associated application.

Following is the screen capture of Sandbox alert.

http://img192.imageshack.us/img192/2210/sandboxalertfoobarjpg.jpg

The popup sentence “Comodo Sandbox has just secured your PC by automatically isolating this application” is not correct (from my point of view) since foobar.jpg is not an application, it is a passive document provided to the application irfanview.exe which is known and trusted automatically by CIS Defense+.
It is correct if applied to foobar.bat (or .cmd, .com, .exe, .scr, .pif…).

In My Own Safe files, there are confidential files so I cannot show it. But I can say that irfanview.exe (which is the associated application for .jpg files) is not inside it. Also foobar.jpg is not inside it, until I check the option ‘do not run this application inside the sandbox again’ of the popup.

Thank you for your support.

Let’s try this:
A: application installed correctly? (check at Settings)
B:

  1. new application rule at D+ (Computer Security Policy);
  2. select cmd.exe;
  3. under Access Rights, select the the files you wish to run (irfanview.exe, etc.).

@Arkangyal

Thank you for your input. But I think this is only a bypass that should work
(I did not try yet), and this is not user-oriented but technical-oriented answer.

There are lot of applications associated with documents, it is painful
to manually define the access rights for each file type that have associated applications
(doc, xls, ppt, html, jpg, ico, gif, png, mp3, wma, flac, ogg, htm, html, js, txt, zip, rar, iso…). These applications are also already known and trusted/safe by CIS , so why I have to do something that is error-prone, not exhaustive and should not be mandatory?

So now the only way that is coherent I found is to disable the Sandbox.
Doing this, it works coherently:
1- double click on foobar.ext starts associated application without Sandbox alert.
2- run foobar.ext from command prompt starts associated application without Sandbox alert.
In both cases, if the application is not yet known to CIS Defense+, normal popup is presented.

Your arguing is somewhat curious: doc or jpg or whatever you want is not systematically safe, and you don’t actually call doc, jpg…: you ask cmd or bat to run such a file, and comodo does not have to say it is safe only because the launched extension is known.

I don’t know anything about the sandbox (i stick to cis v3) but i would definitely as a safer procedure write my batch scripts in a dedicated folder, then go to defense+ security strategy.

Assuming you have a custom entry for cmd.exe, you can tell not only what applications are allowed, but what files and folders, using wilcards if needed, are allowed.

For me, this is the path of calling irfanview.exe to “run” foobar.jpg
(totalcmd.exe is Total Commander, a file manager, could be any other shell/file manager like Free Commander, Qdir…):

1- explorer.exe → irfanview.exe → foobar.jpg (double click on foobar.jpg to run)
2- totalcmd.exe → irfanview.exe → foobar.jpg (double click on foobar.jpg to run)
3- cmd.exe → irfanview.exe → foobar.jpg (type foobar.jpg on the commande line of cmd.exe then press Enter).

For me explorer.exe/totalcmd.exe/cmd.exe are all safe/trusted applications, and irfanview.exe too.
The problem (incoherence) is no Sandbox alert popup with 1- and 2-, while with 3- there is a Sandbox alert!

I think I’ve got a similar problem. When I double click on a PIF file to run a DOS program in XP SP3, I get a sandbox alert. Telling it not to run the program in the sandbox next time doesn’t stop the alert appearing.

I’m also running Spybot-SD Resident 1.6.2.0 and Avast 4.8.

I feel this should be considered a problem that needs resolving (whether or not a bug is endlessly debatable :slight_smile: ), so am transferring it back, if that’s OK Ark. Please pm me if not.

Best wishes

Mouse

I am having similar problems (Windows XP Pro S/P 3.) When I use a shortcut to a DOS based accounting program, the PIF file generates a ‘sandboxed’ message. Whether I opt to run it in or out of the sandbox, the program stalls while ‘waiting turn to access data’ (probably the data file that contains the program’s own configuration parameters.) However, when I ran the .EXE file directly using , I needed to run it outside the sandbox when first prompted and from that point on, it worked just fine but only using the approach. I too have ended up turning off the sandbox feature in order to facilitate running the program. I trust that someone is figuring out a fix.