Does this thing sandbox EVERYTHING except the file/directory exclusion list (shared space by default)??
I DL a file using the Dragon browser. It appears in the download directory “attached” to the browser. But I can’t see the file if I go directly to the same location with explorer. I understand that the DL’ed file is REALLY in the VTROOT directory… I’ve tried to drag the file from the “browser attached” window to the shared window, but it won’t go.
I guess my question is if everything is virtualized by default, when do the virtualized changes get transferred to the REAL file system (to be kept permanently)? Using Sandboxie this is all quite apparent, but with Comodo not so much.
I also noticed that if my DL directory already has files in it DL’ed thru Chrome (non sandboxed) then the file DL’ed thru Dragon is indeed visible right in the DL directory (not VTRoot).
I can’t seem to get my head wrapped around the relationship of files in VTRoot and their equivalent files in the “native” file system.
If I’ve been the slightest bit coherent in this note, can anyone maybe 'splain it in terms I can understand?? Again, Sandboxie makes perfect sense to me…
That’s lame, IMHO… Sandboxie allows you to indicate what you want permanently saved before the sandbox is emptied. If I could disable the Comodo sandbox completely, I’d do so (if that’s possible, I’ve missed it). But I do like their FW piece of CIS.
You can exclude any files/folders you want from being virtualized. So you could add your bookmarks or whatever else you want to your exclusions.
You just need to keep in mind that the more holes you poke in your sandbox, the less of a sandbox it actually is.
And to answer your comments, it sounds like you’re using the manual sandbox to sandbox your web browser. No need to disable the sandbox if you don’t want to use it in this instance, just don’t sandbox your browser…
However, if you want to disable the automatic sandbox (which isn’t fully virtualized by default, but instead an access-rights restriction based sandbox), you can disable the behavior blocker (BB).
Add whatever you want to remain after sandbox deletion to the sandbox exceptions.
You could add the entire web browser data folder, but as HeffeD has already stated - the more exceptions, the more holes to be exploited.
I use a portable copy of Dragon with NO exceptions for high security stuff like banking etc.,
but do use exceptions in my standard browser - I figure a virtual browser with a couple of exceptions is still way more secure than a non virtual browser.
Edit: I have also created a non virtual download folder on the desktop and pointed Dragon to download there.
I just checked and my VTRoot has over a gigabyte of data in it. I have no idea of an EASY way to browse thru it and see what’s in there that I may want to keep. Again, my thanks to all, but it STILL seems convoluted to me. Maybe I can go back to an earlier version; I’ll check if that’s possible.
OK, I spent more time with it, and it’s now making pretty good sense to me. So much so, that I un-installed Sandboxie (for awhile, at least). I did not previously understand that the Comodo sandbox is NOT reset with each re-boot of the OS.
I also did not understand that when an explorer window is opened from within a sandboxed program (like Chrome for example), that window will be sandboxed, even though you’ve not specifically configured explorer itself to be sandboxed.
For example, within Chrome you can right click on a DL’ed item at the bottom of the window and select “show in folder”. The window that opens will show the file (and the green border), but if you open the exact same location from explorer itself, the file will NOT show up. This was a real source of confusion for me at first.
Basically, it was mostly a matter of “un-learning” a bit of the Sandboxie paradigm.
At this point the biggest negative for me is the lack of an EASY way to analyze/browse through the current sandbox before resetting it. Sandboxie appears to have logic to suggest files it thinks you might want to keep before cleaning. Comodo needs to address this and when they do, they’ll have a Sandboxie “killer”, IMHO. A good, well engineered solution for this might also suggest registry changes that maybe should be saved.
Oh yeah… You should be able to kill sandboxed “hang around” processes that do not end when the program that started them (Chrome for example) ends, without rebooting (or re-setting the ENTIRE sandbox).
If some of this stuff is currently “do-able” and I’m just missing it, please let me know.
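For the gap raised in this thread (no easy way to see what is in VTRoot before resetting the sandbox), here is an added example, not part of the original posts and not Comodo's own tooling, that lists every file under a sandbox root and flags the ones with no native counterpart. It assumes the first directory level under VTRoot names a volume and the rest of the path mirrors the native path; `review_sandbox`, `volume_map` and the `Vol1`/`Vol9` names are hypothetical, and the sample tree is constructed.

```python
import filecmp
import os
import tempfile
from pathlib import Path

ORDER = ["sandbox-only", "changed", "unmapped", "same"]  # review priority

def review_sandbox(vtroot, volume_map):
    """Compare each file under vtroot with its native counterpart.
    Assumption: the first directory under vtroot names a volume, and the
    caller's volume_map maps that name to the matching native root.
    Returns (status, size, relative_path) tuples, riskiest first."""
    vtroot, rows = Path(vtroot), []
    for dirpath, _dirs, files in os.walk(vtroot):
        for name in files:
            boxed = Path(dirpath) / name
            rel = boxed.relative_to(vtroot)
            root = volume_map.get(rel.parts[0]) if len(rel.parts) > 1 else None
            if root is None:
                status = "unmapped"        # no known native location
            elif not (native := Path(root).joinpath(*rel.parts[1:])).is_file():
                status = "sandbox-only"    # would be lost on a sandbox reset
            elif filecmp.cmp(boxed, native, shallow=False):
                status = "same"
            else:
                status = "changed"         # sandbox copy differs from native
            rows.append((status, boxed.stat().st_size, rel.as_posix()))
    return sorted(rows, key=lambda r: (ORDER.index(r[0]), -r[1], r[2]))

def demo():
    """Review a small constructed tree (sample data, not a real sandbox)."""
    with tempfile.TemporaryDirectory() as tmp:
        vt, native = Path(tmp, "VTRoot"), Path(tmp, "native")
        files = {  # relative path: (sandbox bytes, native bytes or None)
            "Vol1/Users/me/Downloads/setup.exe": (b"x" * 300, None),
            "Vol1/Users/me/bookmarks.json": (b"new bookmarks", b"old"),
            "Vol1/Users/me/notes.txt": (b"same", b"same"),
            "Vol9/cache.bin": (b"??", None),
        }
        for rel, (boxed, orig) in files.items():
            pairs = [(vt / rel, boxed), (native.joinpath(*Path(rel).parts[1:]), orig)]
            for path, data in pairs:
                if data is not None:
                    path.parent.mkdir(parents=True, exist_ok=True)
                    path.write_bytes(data)
        return review_sandbox(vt, {"Vol1": native})

if __name__ == "__main__":
    for status, size, rel in demo():
        print(f"{status:12} {size:>8}  {rel}")
```

To use it on a real system, call `review_sandbox` with the actual VTRoot path and a `volume_map` checked against the directory names found there; the script only reads files and never copies anything out of the sandbox.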