Sandbox just when I need it?

Hello all,

I am a really satisfied user of the latest CIS version and recommend it to everyone I meet. However, I have a question: I like the sandbox feature, but I don’t like that it sandboxes programs by itself. Is it possible to activate it, so that I have the option to run a program within the sandbox by right-clicking it and choosing “Run in sandbox” but that it does not sandbox programs by itself? Sandbox should only work when I really choose it in the context menu.

Thank you very much.

Start with disabling the automatic sandboxing by unticking Treat unrecognized files as.

That should do the trick.

The auto sandbox feature isn’t really sandboxing in the typical sense… it just runs programs at a lower security level - no registry or file system virtualization.

Note that the setting in the drop-down menu will determine what security level your manually sandboxed apps will run at. I wish that a) Comodo would point that out in the help documentation and/or separate the controls for auto and manually sandboxed apps and b) the context menu would have an extended menu where you could choose what security level you want to run the program at (Limited, isolated, etc).

Which dropdown are you referring to? If you are referring to the dropdown in Defense+ Settings → Execution Control Settings → Treat unrecognized files as, then this is indeed determining the state of the automatic sandbox.

It’s true that the differences can be confusing, but the controls are separate. Control for manually sandboxed applications must be made in Computer Security Policy → Always Sandbox, while the automatic sandbox controls are in Defense+ Settings.

The dropdown menu determines the state of manually sandboxed programs as well. By “manual” I mean programs sandboxed with the right-click menu - the “real” sandbox with virtualization. There is no separate settings control to set the security level of manually sandboxed apps and I don’t think it is noted anywhere in the help files that it is controlled by the control in Execution Control Settings. It should be on the Sandbox Settings tab.

The “Always Sandbox” section can set security levels for individual apps but has no effect on the apps run through the sandbox context menu.