Sandbox won't work if file & registry virtualization don't match

I just downloaded Comodo and installed it (firewall only) on Windows XP Pro SP-3. Currently I use Software Restriction Policies (SRPs), which can be defined using the group policy editor (gpedit.msc) or the security policy editor (secpol.msc) under the Windows security settings. Because of programming and testing requirements, I must log in under an admin-level account, which means the web browser would normally also have all the same process privileges as my admin account. To restrict the web browser, I add a path rule to run iexplore.exe under a LUA (limited user account) token:

  • Under Software Restriction Policies, define new Path rules that point at:
    “%programfiles%\Internet Explorer\iexplore.exe”
    “%programfiles%\ie8\iexplore.exe” (not typically used; a “just in case” rule)
  • Set these Path rules to run under “Basic” security level. This runs them under a LUA token.
    o Normally there are only the Allow and Block security levels.
    o Basic gets added through a registry edit to add that security level so it is available in a Path rule.
  • Create a subfolder under that path called “_NoSRP”.
  • Copy iexplore.exe to the _NoSRP subfolder.
    o IE doesn’t like its executable filename to be changed.
    o Cannot simply put a renamed copy of iexplore.exe in the same path (e.g., iexplore2.exe).
    o Will run iexplore.exe from a different path.
    o Create a shortcut to this alternatively pathed copy of iexplore.exe.
    o Gives me a shortcut to load an unrestricted copy of IE.

Having SRPs force a process to run under a LUA token eliminates trying to use something like DropMyRights or SysInternals psexec (with its /l parameter) which only works on the program that it called. It won’t affect the privileges for a child process, like when IE gets started by clicking on a URL link in an e-mail in your e-mail client. Using an SRP does force all instances of that program to run under a LUA token. This is what the Limited sandbox setting does in Comodo’s Sandbox (along with limiting the number of process instances).

Basically, I do a registry edit to add the Basic security level and that’s done for the lifetime of that Windows installation. That security level will always be there whenever I want to define another Path rule under SRPs. So later it’s just a matter of adding another Path rule to lower privileges on a program to those that would be present if you had logged in under a limited user account. This is not sandboxing but privilege restriction, which seems to be what the Limited setting does for Comodo’s Sandbox feature EXCEPT for the virtualization of registry and file changes.

So I figure Comodo’s sandbox would be a better solution. Not only would it reduce privileges on the process (i.e., run the process under a LUA token) but it would also eliminate any changes to my host. Alas, Comodo hasn’t yet implemented some of the features of Sandboxie, like letting file downloads exist outside the sandbox or survive its cleanup. Instead users have to know about wandering into the VirtualRoot folder to find where their download disappeared to. This is a big nuisance. Instead I figured I’d use the Advanced settings for a sandboxed app to remove the file virtualization.

I added iexplore.exe to the Always Sandbox setup under the Defense+ settings. I set the sandbox mode to Limited. I went under the Advanced tab and disabled file virtualization (registry virtualization was left intact). Well, when I run IE, nothing happens. That means no process for iexplore.exe shows up and there is no window for IE. Comodo has refused to let it load. If I keep the file and registry virtualization setting matched (both on or both off) then IE will load. It is when their settings are mismatched that the web browser won’t load.

Comodo has a ways to go before their sandbox is usable in other than its default configuration. First, a means should be made available for downloads to exist outside the sandbox, either by configuring a save or a prompt when the app exits or the sandbox is unloaded for saving downloads. Or, like GeSwall, maintain a blanket around the downloaded files but offer an option to run them outside of that blanket. Web browsing isn’t just about viewing pages. It’s about retrieving content, too. Think about it: how would you ever have managed to even get Comodo’s products unless they were accessible outside the sandbox?

Yes, there is an option to disable Sandboxing by right-clicking the tray icon. That disables ALL sandboxing, not just for the web browser, where for this particular situation you need to disable sandboxing on just that particular process. Or, more accurately, you want to just disable file virtualization on a particular app. With the sandbox settings of file virtualization = off and registry virtualization = on, the web browser won’t load. I’m not going to waste time on being nuisanced into wandering through the VirtualRoot folder. I tried not closing the download dialog when it completed and then clicking on the Open button, figuring that maybe the subfolder under VirtualRoot would get opened, but that didn’t happen. Like with GeSwall, the Open function is a message function between processes (from inside the sandbox to the OS outside the sandbox) which gets blocked. So I have no convenient means of accessing any downloads. If I keep the virtualization settings in sync (so the app actually loads) then I’m nuisanced with having to find the download. If I try to disable just the file virtualization while using Limited for sandboxing (so the process runs under a LUA token) then the app won’t load. If I disable both file and registry virtualization settings then I might as well revert to using a Path rule under the SRPs.

So, for now, I won’t be using Comodo’s sandboxing. It is an incomplete solution. Sandboxie devolves into nagware and I never waste time on nagware, no matter how inconsequential you believe the requirement to hit a button to get past the nag is. My choice is “no nagware”. It’s unfettered freeware or it’s not on my host. That’s one of the reasons I like Comodo’s stuff. My antivirus, Avast, has just devolved into nagging me with popups that I cannot disable (Info, Update, and Alert categories) so I’m starting to look around for alternatives (and Avira isn’t doable since the 4-year-old floppy disk/SMART bug has returned even worse than before, plus the freeware version of Avast has features that are only available in the payware version of Avira). I may have to abandon Avast and go with Comodo’s antivirus (CAV) although it is very weak on disinfecting a host (Comodo’s motto is to keep the host clean in the first place). I liked Avast and would have much preferred it over Avira or CAV but Avast now wants to push popups in my face. Not adware popups but program popups to show informational, update, or alert messages. The alert popups are wanted since they show an infection or malicious site. It’s the update and info popups that I never want to see but can’t avoid until Avast changes the behavior of the new program update. Avast also has a sandbox but only in the payware version. So when users reply to those complaining about nags with Sandboxie to go use something else, there really isn’t anything else quite like the freeware version of Sandboxie but without the nags. Staying away from nags pretty much meant using payware Avast with its sandboxing or using free Comodo with its sandboxing. Alas, I really can’t use all the configurable options for Comodo’s sandboxing. Argh!

UPDATE

Got a bit further. Uninstalled CIS (firewall only). Installed CIS (firewall+antivirus). Now when I add iexplore.exe to the Always Sandbox config with files virtualized = disabled and registry virtualized = enabled, I get the window to appear for iexplore.exe (so its process gets loaded); however, I cannot connect to any site.

IE sucks when showing the standard error code pages. If I watch its status bar when trying to visit a site, like www.comodo.com, I see it is loading the dnserror.htm file (which shows Microsoft’s useless “friendly” error page). So when I disable the file virtualization for iexplore.exe, I can’t connect anywhere. If I reenable file virtualization then I can connect. Oh joy. Figuring the dnserror.htm page load might have something to do with the DNS lookup being blocked, I used http://91.199.212.176/ (IP address for www.comodo.com) but that resulted in the same dnserror.htm page load.

Side note: For some reason after doing the 2nd install (firewall+antivirus) and seeing that Defense+ was enabled, I noticed that file virtualized = enabled wasn’t getting honored. Files were getting saved outside of VirtualRoot. Eventually I found Defense+ was disabled. How, I don’t know, since I did nothing that should have disabled it. This is a clean install of Windows Pro with SP-3 with all updates but no apps installed (other than CIS). I was surprised to find Defense+ had been disabled. I was also surprised that CIS lied to me about the Sandbox usability. As I recall, if Defense+ is disabled then so, too, is Sandbox (because it is a sub-feature of Defense+). Yet when I use the active process viewer in CIS, it showed iexplore.exe with Sandbox = Limited. That tells the user that the process has been sandboxed - but it was NOT sandboxed, as evidenced by both Defense+ somehow getting disabled plus downloads not going under VirtualRoot despite file virtualized = enabled for this process listed under Always Sandbox. If Defense+ is disabled then it should be very clearly expressed everywhere inside of CIS that the sandbox is also disabled. Showing “Limited” may be correct (since I didn’t happen to use SysInternals’ Process Explorer to check if privileges had been reduced) but it misleads the user into thinking the file & registry virtualization were in effect.

So Comodo needs more work to better communicate that some of the sandbox features are disabled when Defense+ is disabled. Personally I would like a reminder popup with a user-configurable duration when Defense+, AntiVirus, or Firewall have been disabled. Finding that Defense+ was disabled took a while and happened without a cause that I could ascertain. The sandbox needs fixing so that when file virtualization is disabled it doesn’t somehow keep the application from functioning properly, like preventing either virtual or real disk access.
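The SRP setup described at the top of this post (expose the Basic User level, add the path rules, keep an unrestricted copy under _NoSRP), scripted end to end, as an added example that is not part of the original post nor anything from Comodo or Microsoft. It assumes PowerShell 2.0 has been installed on the XP SP3 box and that the script runs from the admin account. The registry layout under CodeIdentifiers (the Levels bitmask, the GUID-named rule keys with ItemData/SaferFlags/Description/LastModified) is what gpedit.msc writes for SRP rules, stated here from the editor's own knowledge of the SAFER API rather than from the post, so verify the result in gpedit afterwards. The final function is the check the post mentions skipping with Process Explorer: a Basic User token keeps the user's SID but marks BUILTIN\Administrators as a deny-only group, which is what Process Explorer's Security tab shows as "Deny".

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0 on XP SP3, run as admin.
# Registry layout is the one gpedit.msc writes for SRP (editor's assumption; check in gpedit).

$safer          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$basicUserLevel = 0x20000   # SAFER_LEVELID_NORMALUSER, listed in gpedit as "Basic User"

# 1. Make "Basic User" selectable in gpedit's Security Levels. Only Disallowed (0) and
#    Unrestricted (0x40000) are listed by default; the Levels bitmask exposes hidden ones.
#    Reopen gpedit after this runs to see the new level.
if (-not (Test-Path $safer)) { New-Item -Path $safer -Force | Out-Null }
Set-ItemProperty -Path $safer -Name 'Levels' -Value $basicUserLevel -Type DWord

# 2. A path rule is a GUID-named key under <level>\Paths. ItemData is REG_EXPAND_SZ,
#    so %ProgramFiles% is expanded when the rule is matched, exactly as when typed in gpedit.
function Add-SaferPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    $ruleKey = Join-Path $safer ("{0}\Paths\{{{1}}}" -f $Level, [guid]::NewGuid())
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    $ruleKey
}
Add-SaferPathRule '%ProgramFiles%\Internet Explorer\iexplore.exe' $basicUserLevel 'IE as Basic User'            | Out-Null
Add-SaferPathRule '%ProgramFiles%\ie8\iexplore.exe'               $basicUserLevel 'IE (alt path) as Basic User' | Out-Null

# 3. Unrestricted escape hatch: a copy of the exe in a subfolder that the file rules above
#    do not match, plus a desktop shortcut to it (the file must keep the name iexplore.exe).
$ieDir = Join-Path $env:ProgramFiles 'Internet Explorer'
$noSrp = Join-Path $ieDir '_NoSRP'
New-Item -ItemType Directory -Path $noSrp -Force | Out-Null
Copy-Item (Join-Path $ieDir 'iexplore.exe') $noSrp -Force
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut((Join-Path $wsh.SpecialFolders.Item('Desktop') 'IE (unrestricted).lnk'))
$lnk.TargetPath = Join-Path $noSrp 'iexplore.exe'
$lnk.Save()

# 4. Verify what the rule did to a running process. A Basic User token still carries the
#    admin user's SID, but Administrators is flagged SE_GROUP_USE_FOR_DENY_ONLY (0x10) and
#    the admin privileges are stripped, so access checks treat the process as a limited user.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int len, out int needed);
'@
function Test-AdminDenyOnly {
    param([int]$ProcessId)
    $m   = [Runtime.InteropServices.Marshal]
    $tok = [IntPtr]::Zero
    $h   = (Get-Process -Id $ProcessId).Handle
    if (-not [Win32.Token]::OpenProcessToken($h, 0x0008, [ref]$tok)) {            # TOKEN_QUERY
        throw ('OpenProcessToken failed: ' + $m::GetLastWin32Error())
    }
    $len = 0
    [void][Win32.Token]::GetTokenInformation($tok, 2, [IntPtr]::Zero, 0, [ref]$len)  # 2 = TokenGroups
    $buf = $m::AllocHGlobal($len)
    try {
        if (-not [Win32.Token]::GetTokenInformation($tok, 2, $buf, $len, [ref]$len)) { throw 'GetTokenInformation failed' }
        # TOKEN_GROUPS: DWORD GroupCount, then an array of {PSID Sid; DWORD Attributes},
        # pointer-aligned (offset 4 / entry 8 bytes on the 32-bit XP this post is about).
        $ptr   = [IntPtr]::Size
        $count = $m::ReadInt32($buf)
        for ($i = 0; $i -lt $count; $i++) {
            $entry = $buf.ToInt64() + $ptr + $i * 2 * $ptr
            $sid   = New-Object System.Security.Principal.SecurityIdentifier($m::ReadIntPtr([IntPtr]$entry))
            $attrs = $m::ReadInt32([IntPtr]($entry + $ptr))
            if ($sid.Value -eq 'S-1-5-32-544') { return (($attrs -band 0x10) -ne 0) }  # BUILTIN\Administrators
        }
        return $false   # Administrators is not in the token at all
    } finally { $m::FreeHGlobal($buf) }
}
```

After the script runs, start IE from the normal Start menu entry (the path the rule matches) and run `Test-AdminDenyOnly (Get-Process iexplore)[0].Id`; it returns $true when the Administrators group is deny-only, i.e. the path rule did produce a LUA-equivalent token, and $false for a copy started from the _NoSRP shortcut. The Levels value only affects what gpedit lists; the rule keys under 131072 are honoured whether or not it is set, which is why the "registry edit once per installation" approach in the post works.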

Why don’t you run IE as an untrusted app with the auto “sandbox” feature? It doesn’t virtualize file/registry writes, and merely lowers the security level to whatever you set in the Execution Control tab.

The first time I tried to sandbox IE as limited, it would only flash for a second and then quit. I tried it a while later and it worked, not sure why (I didn’t re-install). It runs with any combination of file and registry virtualization, but won’t connect to a website unless file virtualization is enabled.

Do you have your IE cache and Temp folder in the standard location in the user folder? This could potentially be an issue but I don’t have time to check it (I have them both on a different drive).

Edit: IE won’t function properly if you open it from another app while in Limited mode. I have to drop it to Partially Limited.

The problem with Partially Limited is that the iexplore.exe process runs under the Windows account you logged in with, so it has the same privileges. I always have to log in under an admin-level account.

It’s odd that IE won’t work with the Limited sandbox setting in CIS. The Limited setting is the one that runs IE under a non-admin account - which I have to assume means a limited account. I already know how to run IE under a LUA token using SRPs. I was hoping CIS with its sandbox would do a bit more than just run the process under a LUA token with its reduced set of privileges. For one, it mentions a max instance count of 10 for the process so it would prevent a runaway program that kept spawning more child processes of itself (but doesn’t protect against runaway thread counts). I would like the registry to be virtualized for IE to prevent accidental or malicious change. I actually only want specific paths to be unprotected so I can download and save files (rather than dig for them in the VirtualRoot folder - which, by the way, constitutes a leak since the files are dumped into the real file system - a leak that should only be permitted by configuring away from the defaults) but have all the other mass storage accesses get virtualized. Yes, all other paths are in standard locations. Guess that was wishing for too much, like hoping CIS’s sandbox would give me something akin to Sandboxie.

Guess I’ll have to re-review GeSwall to isolate the web browser since CIS’s sandbox seems incapable. And, yes, GeSwall allows leaks, too, by saving files to the real file system. It has its policy protection on the file but I did discover a means of leaving remnants behind not under the control of GeSwall. I was looking for something more than just running IE under a LUA token. I was already doing that long before I started looking at CIS.

With IE sometimes not even loading if sandboxed (as Limited, since I don’t see the value of Partially Limited because Limited runs the process under a non-admin account) and problems in connectivity when file and registry virtualization settings don’t match, I have to wonder how badly this sandbox behaves with other applications. I’ll check it for a while but suspect that I’ll eventually be disabling the pseudo-sandbox feature.