Sandbox seems convoluted to me

Does this thing sandbox EVERYTHING except the file/directory exclusion list (shared space by default)??

I DL a file using the Dragon browser. It appears in the download directory “attached” to the browser. But I can’t see the file if I go directly to the same location with explorer. I understand that the DL’ed file is REALLY in the VTROOT directory… I’ve tried to drag the file from the “browser attached” window to the shared window, but it won’t go.

I guess my question is if everything is virtualized by default, when do the virtualized changes get transferred to the REAL file system (to be kept permanently)? Using Sandboxie this is all quite apparent, but with Comodo not so much.

I also noticed that if my DL directory already has files in it DL’ed thru Chrome (non sandboxed) then the file DL’ed thru Dragon is indeed visible right in the DL directory (not VTRoot).

I can’t seem to get my head wrapped around the relationship of files in VTRoot and their equivalent files in the “native” file system.

If I’ve been the slightest bit coherent in this note, can anyone maybe 'splain it in terms I can understand?? Again, Sandboxie makes perfect sense to me…



P.S. I’m using V6 BTW,

The same issue was discussed Here

I hope this helps :slight_smile:

Or even more simple - change the download location to shared space

HI treefrogs:

Thanks for the info… But if everything is sandboxed, what about such things as NEW favorites, email messages, etc?? Wouldn’t I lose all of that info if I reset the sandbox?

Also, I assume then that you can’t MOVE anything from a sandboxed explorer window (drag and drop) to the shared space?

And I notice that the only time (so far) that an explorer window is sandboxed (green border) is when I open it by clicking “view in folder” tab for the DL’ed at the bottom of Dragon.



Anything new will be lost if you reset the sandbox. As I understand it this would include any bookmarks added while in the sandbox.

That’s lame, IMHO… Sandboxie allows you to indicate what you want permanently saved before the sandbox is emptied. If I could disable the Comodo sandbox completely, I’d do so (if that’s possible, I’ve missed it). But I do like their FW piece of CIS.


You can exclude any files/folders you want from being virtualized. So you could add your bookmarks or whatever else you want to your exclusions.

You just need to keep in mind that the more holes you poke in your sandbox, the less of a sandbox it actually is. :wink:

And to answer your comments, it sounds like you’re using the manual sandbox to sandbox your web browser. No need to disable the sandbox if you don’t want to use it in this instance, just don’t sandbox your browser…

However, if you want to disable the automatic sandbox, (which isn’t fully virtualized by default, but instead an access-rights restriction based sandbox) you can disable the behavior blocker. (BB)

Thanks… I think it’s just that I’m so used to Sandboxie, Comodo seems a bit “different”.

I tried adding my DL directory to the exceptions list (don’t virtualize) but it didn’t seem to make any difference. Maybe I just didn’t do it right.

It DOES seem to make a difference if the explorer window is a “child” of a sandboxed browser.


The download location needs to be changed to C:\Program Data\Shared Space. That folder can be accessed from both in and out of the sandbox.

Add whatever you want to remain after sandbox deletion to the sandbox exceptions
You could add the entire web browser data folder but as HeffeD has already stated - the more exceptions the more holes to be exploited
I use a portable copy of Dragon with NO exceptions for high security stuff like banking etc
but do use exceptions in my standard browser - I figure a virtual browser with a couple of exceptions is still way more secure than a non virtual browser

Edit I have also created a non virtual download folder on the desktop and pointed dragon to download there

[attachment deleted by admin]

Thanks to all for the advice/help/opinions

I just checked and my VTRoot has over a gigabyte of data in it. I have no idea of an EASY way to browse thru it and see what’s in there that I may want to keep. Again, my thanks to all, but it STILL seems convoluted to me. Maybe I can go back to an earler version; I’ll check if that’s possible.


OK, I spent more time with it, and it’s now making pretty good sense to me. So much so, that I un-installed Sandboxie (for awhile, at least). I did not previously understand that the Comodo sandbox is NOT reset with each re-boot of the OS.

I also did not understand that when an explorer window is opened from within a sandboxed program (like Chrome for example), that window will be sandboxed, even though you’ve not specifically configured explorer itself to be sandboxed.

For example, within Chrome you can right click on a DL’ed item at the bottom of the window and select “show in folder”. The window that opens will show the file (and the green border), but if you open the exact same location from explorer itself, the file will NOT show up. This was a real source of confusion for me at first.

Basically, it was mostly a matter of “un-learning” a bit of the Sandboxie paradigm.

At this point the biggest negative for me is the lack of an EASY way to analyze/browse through the current sandbox before resetting it. Sandboxie appears to have logic to suggest files it thinks you might want to keep before cleaning. Comodo needs to address this and when they do, they’ll have a Sandboxie “killer”, IMHO. A good, well engineered solution for this might also suggest registry changes that maybe should be saved.

Oh yeah… You should be able to kill sandboxed “hang around” processes that do not end when the program that started them (Chrome for example) ends, without rebooting (or re-setting the ENTIRE sandbox).

If some of this stuff is currently “do-able” and I’m just missing it, please let me know.


You can look at C:\VTroot using explorer if you have reveal hidden files set in the OS. Also you can look at sandboxed keys (take care) using regedit, theses are at HKLM\System\VritualRoot.

A merge tool is planned, meanwhile use shared space to transfer files in and out.

Best wishes


Thanks Mouse… I’m now a fan!!!

I did not know about modified reg keys being in their own location. GREAT info.


That’s great