Sandbox Question

On a different forum, a developer of sandboxie plus is saying that he bypassed comodo sandbox. He created a program to “unhook” while inside said sandbox.

Has this happened before?

Interesting article . . .

The question arises, does current version CIS V12 sandbox run in user mode or in kernel mode?

Is Comodo on the kernel level?

Yes the sandbox and HIPS can be bypassed easily when the user-mode hooks are removed, and both HIPS and sandbox is implemented in combination of both user-mode and kernel-mode. However this only applies to the fully virtualized setting of containment, if you set a restriction level like limited, restricted, untrusted, then the restrictions are using windows own restrictions and the use of user-mode hooks does not matter. So if you want the most protection when using comodo auto-containment, then enable the restriction option and use any restriction level higher than partially-limited.

Like this? This is the way that I’ve always had it.

Yes in this way you won’t have to worry about malware removing CIS user-mode hooks and trying to bypass the sandbox, it wont happen.

Thank you for your replies. This helped me out. I’ve used CFW for many years now.

Hi futuretech,

Thank you so much for supporting.


Yeah, I guess the developer of Sandboxie Plus didn’t try very hard to harden Comodo as he is trying to promote his own product.

I think that CIS Sandbox and Sandboxie Plus differ in use case, CIS Sandbox has to set restriction level on the sandboxed apps to have strongest protection against altering the real system whereas Sandboxie Plus tries to run as much as possible sandboxed apps with less restrictions and without allowing the sandboxed apps to alter the real system of course.

Yes, this is what I was thinking also…

Regarding these CIS restriction level settings, is there a difference in protection level / mechanism across OS’s (Windows 7/8/10/11) regarding using windows own restrictions when setting restriction level to Restricted for instance? Or do these restriction level settings all provide the same level of protection across all Windows versions?

Yes they should be the same.

Sandbox related, how does Virtual Desktop fit into this?
Do apps run fully virtualized (based on and using the user mode hooks) or with a restriction level set in VD or does VD use a different protection approach?

VD is the same as running fully virtualized and with the same limitiations.

Thanks, good to know.