Sandboxing browsers: how do I do it & what are the benefits? [v4/5]

[ol]- How do I do it?

Please help us improve this FAQ entry by posting suggestions to the ‘Sandbox help materials - Feedback’ topic here. This topic has been prepared by a volunteer moderator – with input from many other moderators and Comodo staff members (Thanks everyone, especially Ronny, and Egemen). It has been produced on a best endeavours basis - it will be added to and corrected as we find out more about the sandbox. Please note that I am not a member of staff and therefore cannot speak on behalf of Comodo.

Updated: 6 July 2010. Reflects CIS version
Updated: 13 September 2010. Reflects CIS version 5.0

This FAQ assumes that the browser is sandboxed at the default level with virtualisation enabled.

To set this up add your browser via ‘Add programs to the sandbox’ under Defense+ ~ Sandbox, leave the slider at its default level, and ensure both file and registry virtualisation are ticked.

Browsers which I have experimented with and work reasonably well are:

  • Firefox 3.6.2
  • Internet explorer v8.0
  • K-Meleon 1.5.4 (and runs just as fast as ever)
  • Opera 10.5
  • Chrome and Dragon. (In CIS 4.x, Chrome version 5.0.342 and Dragon version run with -no-sandbox & optionally* -single-process command line** options. Other versions may or may not run with these switches).

In the current version of CIS it is best to install updates and add-ins with the browser NOT virtualised. If you install them with the browser virtualised they may themselves be virtualised and may not work, and if things get sufficiently confused your browser may stop working.

Please note that all downloads from virtualised browsers will be virtualised. That is they willl go into the virtual version of the browser’s downloads folder. See ‘What are the benefits’ below for its location.


  • You may find a limit on the number of tabs you can open without the -single-process option. But I have found that it can increase the likelihood of browser crashes.
    **To make it easy to run Chrome or Dragon with these options try the following. First copy your start menu shortcut for Chrome or Dragon and paste it, say to the Desktop, then rename it appropriately. Then right click on it, navigate to Properties ~ Shortcut ~ Target, and add the parameter -no-sandbox beyond the double inverted commas, with a gap of at least one space. Then, if you wish, make a gap of another space and add -single-process. Then save the new shortcut. In future, whenever you use this shortcut, Chrome or Dragon will run with these settings.

The benefits are:

[ol]- The browser, and any software run by the browser, is prevented from damaging your machine in specific ways. This protection is stronger than the protection normally offered by Defense plus or automatic sandboxing. For the precise protection involved see below.

  • All usage traces, including browser downloads, are localised in two places*, and so are easier to manually delete.
  • The sandbox runs on all 64bit Windows operating systems (except XP 64bit, on which platform registry (but not file) virtualisation is disabled).[/ol]

Please note: because the introduction of sandboxing has required deep additions to CIS you should not rely on everything working as planned until more users have used it for longer in more environments.


  • The places are: C:\vritualroot<app name> (for files) and HKEY_LOCAL_MACHINE\SYSTEM \VritualRoot<app name> (for registry entries). Regarding deletion of registry entries, the normal cautions apply - don’t edit the registry unless you know what you are doing, and please ensure you make a system restore point first. ‘Vritual’ is the correct spelling - chosen, I understand, because it’s unlikely to be used by another sandbox.

Comodo is working hard to improve the sandbox and its virtualisation facilities.

Currently known limitations include:

[ol]- Browser updates and add-ins may not work if they are installed when the browser is virtualised

  • There is as yet no tool in CIS to delete usage traces, and Comodo has not yet committed itself to introducing one.
  • Browsers may not remember some settings changes made while virtualised. While this is improved in version 5, Dragon still does not remember bookmark bar links on my machine.
  • The Windows clipboard may not function when running a browser sandboxed at limited level or above, and may be somewhat unreliable at the partially limited level (try using mouse rt click menu not keyboard)
  • Sound on videos may not work in some browsers when manually sandboxed at all sandbox levels
  • Various other bugs - please see CIS bug reports here. [/ol]

Software run by the browser from which you are protected includes: all BHO’s .dlls, scripts, Active X objects, and installers etc. etc.

You get the following protection, in the main without alerts. The software cannot:

[ol]- write to (ie infect) any existing files or registry keys.

  • Carry out operations that require administrative privileges.
    [li]In CIS 4.x the browser cannot carry out any actions that require administrator privileges. Most actions that can permanently damage your operating system require administrator privileges. When sandboxed at the limited level privileges are restricted to those of a standard user account.
  • In CIS 5.x the browser cannot carry out some high risk actions that require administrative privileges, for example debugging or running drivers[/li]
  • In CIS 4.x only, consume too many PC resources. Process limit is 10 processes, additionally memory and processing time limits can be set. (Set as Windows Job restrictions)
  • key log or screen grab (by most know methods), set windows hooks**, access protected COM interfaces** or access non-sandboxed applications in memory. (Set as Defence + restrictions)
  • access the internet without asking you first. In CIS 5.x this restriction is applied only when the browser is run by unrecognised software[/ol]

** Alerts are not supressed for these events