Sandboxed Ransomware

Hi, what happens to the malicious file if Comodo sandboxed it? Does it remain in the sandbox even after restart or shutdown? Or do I have to Erase the sandbox?
Can it escape from the sandbox if I do not Erase/Reset the sandbox?


By default, services installed in Sandbox can be automatically started. You can disable this feature in Advanced Settings > Containment > Containment Settings.

Let’s say that some unwanted application installed a service in Sandbox.
Sandboxed apps are pretty much governed by the ‘cmdvirth.exe’ process. When you restart your system, for example, processes running in Sandbox are terminated.
If you try to sandbox another process, the governing process is initiated and the installed service is started.

The usual concern is that sandboxed apps might present screen locker characteristics. Screen access is permitted to sandboxed apps by default. Sandboxed apps are allowed to set themselves on top of other apps through various techniques. Of course, sandboxed apps are not allowed to tamper with your files on the “real” system.

Hope it helps.

In fact, when discussing apps capable of escaping/bypassing Sandbox, it is not relevant if you erase/reset Sandbox contents.

Thanks, I understand.

There is a fantastic video from cruelsister1 on YouTube showing the settings in the sandbox, HIPS and Firewall, but the Sandbox is being erased manually.

I always think, if you install this for your grandma, how would she know to manually erase the sandbox? The old bird wouldn’t even know where to find that sandbox.
But by the same token, the malicious file or .exe will just again be automatically sandboxed if it tries to spawn and execute again.
Thanks

Such a suggestion was submitted: Bug 1476.