Sandboxing of Firefox

I’m tested the last RC of CIS 5 as shown in my signature.
The main goal I was trying to achieve was a sandbox level that allows me to save Excel files of my network application, that I access through the browser.
I’ve tested all the 4 options (Untrusted, Restricted, Limited and Unrestricted), trying to run Firefox sandboxed. All of it failed to load my profile. I can’t work this way.

I was using avast sandbox and my profile is loaded, with all addons etc. But I can’t save a file to the temporary folder (i.e., open/run an Excel file that come through the browser). I’ve read that Comodo sandbox will allow to save temporary files and my hope was that…

What am I configurating wrong?

Defense+ and Firewall are on Safe Mode.

would be useful to have a button in the browser sandbox to run well in the browser sandbox, and a warning if you want to save your favorite download folder, not folder virtualroot.

Excuse me if I was not clear,
are an Italian user,
I do not speak English very well.

This is how I see Comodo running Firefox out of the sandbox.

[attachment deleted by admin]

This is the lowest level of sandboxing (partially limited): no addons, no themes, the homepage… no settings at all…

[attachment deleted by admin]

How difficult is to receive help…
You can help the others, but when the problem is with you, well, silence…

Is anybody facing problems with sandboxed Firefox? Am I the only one?
What am I doing wrong or setting wrong?

OK, I’ve tried FX sandboxed as Partially limited and Limited. Everything looks OK (in attachment a picture with Limited) and I’ve downloaded GPU-Z and I found it in VritualRoot (but AV flagged it as malware ;D).

Seven x64, Proactive, AV stateful, Fw/D+ Safe Mode, Sandbox enabled.

[attachment deleted by admin]

I’m using the RC of the firewall and defense+ version 5.
Can somebody guide me, step by step, how to set Firefox to run into the sandbox?

I’m about to give up on testing CIS 5.
I just go there to test the sandbox.
Posted 1 bug (crash) report and this thread.
No specific help on them.
I can’t continue with lack of support. Sorry.

I’ve tried Firefox 3.6.8 sandboxed as both partially limited and limited, and was able to successfully download both a 10MB binary file and .mp3 music files without obvious problems. There were some blocked DNS resolver events in the Defence+ event log, but it didn’t prevent operation. The files were sent to the virtual root folder substitution of the path I had chosen (I’d saved to the desktop). I’m on Win7 32 bit.

I left the advanced sandbox settingsat their defaults, I.e. only the virtualise settings checked.

I an writing this in Firefox sandboxed as Limited.

How to get there, I mean, to that settings? I’m on CIS 5.

Go to Defence+ → Computer Security Policy and select the tab “Always Sandbox”.

Press the Add button. You have a screen with 2 tabs. The Restriction Settings tab allows you to select the application (e.g. Firefox) and to set its restriction level. The Advanced Settings tab gives the virtualisation and other settings.

Hope this helps.

Well… I’m a hard head…
I’ve restored a CTM snapshot previous of CIS installation.
Installed version 4. Trained with it.
I can only use “partially limited” option. All others broke my Firefox profile.
There is a “sandbox” option into Defense+.
Restored the CTM snapshot again.
Now on version 5, the “partially limited” works.

But only by the Summary window I have access to the sandboxed processes.
Even there, I can’t change the status of the sandboxing.
Where can I do the sandbox operations of version 4 into version 5?

[attachment deleted by admin]

Not sure I understand your problem, but if you go to Defence+ → Computer Security Policy and select the tab “Always Sandbox”, you can select and then edit the sandbox settings for Firefox.

Edit: You can also make similar adjustments in the Sandbox Settings tab of Defence+ Settings but as far as I know these apply only to automatically sandboxed processes.

Thanks pipistrello.
I’ve found they there. I just could not figure out (yet) how can I remove a process from the sandbox…

[attachment deleted by admin]

If you mean remove a process that was automatically sandboxed by CIS, you can go to Defence+ → Unrecognised files and move the file to either trusted or blocked files, depending whether you feel it is safe.( I think you might also be able to right click on the file in the active process list for this option, but cannot remember for sure if this is so.) Only unrecognised files are automatically sandboxed.

A manually sandboxed file like Firefox can be removed from the Always Sandbox list.

No, it does NOT work. Firefox.exe is a trusted file. It’s set to be always “partially limited” sandboxed.
It does NOT appear into the sandboxed process.
If I change the level of sandboxing, I lost the profile.

Is there any difficulty to use a personalized folder for the profile? Mine is on drive D: (not the default one of firefox).

The running processes does not give the option to un-sandbox or to run once un-sandboxed.

No, I have trusted files that are running sandboxed…

Sure, but I want it sandboxed and can’t set it up for that (and simultaneously use my personalized firefox profile).

[attachment deleted by admin]

It allows you to add the process to Trusted Files, so removing it from the sandbox when it is next run.

Trusted files should not be running sandboxed unless you manually added them to the sandbox. Maybe you inadvertently have “Block all unknown requests if the application is closed” checked. Otherwise this sounds like a bug.

I have tested Firefox with a personalised profile in a custom location. For me it works even with Firefox sandboxed as Limited. I can open Firefox via the Profile Manager and select either this or my default profile: both work. Of course any changes are saved to the Virtual Root folder so are not reflected in the actual profiles unless you copy them there. If I were to sandbox Firefox for real, I think I’d uncheck virtualisation to avoid this inconvenience.

Looking at your Firefox screen, you appear to have a new empty profile. Is your problem that for some reason, the Profile Manager is failing to see your profile list? Have you set the Profile manager to appear every time you start Firefox (there is an option for this on the profile Manager window)?

When I run Firefox sandboxed, it does not appear as such in the Active Process list (Sandbox is marked Disabled): I view this as a bug. It appears in the Defence+ events as sandboxed, and clearly is as it is writing to the Virtual Root folder.

I wish someone more experienced would jump in here as I feel to be getting out of my depth!

But I did nothing… Firefox is a trusted file since from the beginning, by Mozilla be a trusted vendor.

Exactly what I’ve done.

I did not change any default settings. But need to install CIS again to test.

Will try again… for me, didn’t work.

Well, avast sandbox has an option for that. Very convenient.

I’ll uncheck virtualization and test.

Exactly. Seems that when I run Firefox. Of course, my profile is in a custom folder and is not being loaded for some reason.

The profile manager gives me only my customized profile as the only one available.
Clicking it, it’s not loaded but, instead, a “new” one. This new one is not saved.
If I start Firefox again, there is only the first one profile, mine, customized. The new is gone (not saved).

Well… it should be shown in the virtualized processes…
avast sandbox gives the user the possibility of using a red border in the sandboxed processes, so you can “see” it’s sandboxed.

[attachment deleted by admin]

I’m not alone.
Seems that this is happening exactly with other users.;msg422811#msg422811;msg423783#msg423783

Wouldn’t Comodo fix these issues?
I’m back to avast sandbox until then.

Your new profile won’t be saved if you have virtualisation enabled, as Firefox isn’t expecting it to be in the virtual Root folder. But do you need virtualisation? Is limited rights not sufficient?

Are you by any chance on a domain? I just wondered if you sometimes used the Roaming and sometimes the Local profile. As far as I know, the profiles.ini file in your Roaming profile defines your profile list, so it may be worth your having a look at it. Anyway, it sounds to me that something is preventing the profile manager seeing your profile list or the latter is somehow corrupt.

I agree that Avast has some features that would be nice in CIS. This is early days for CIS, though, and it is still in beta, so why not put your suggestions in the wish list if you haven’t already done so. I also agree that there are some bugs in this area, though I haven’t personally encountered any particularly serious ones. CIS has come a long way in a remarkably short time and I’m sure it will be a great product.

I don’t normally sandbox Firefox and see little reason to do so. CIS is generally working well for me and I feel adequately protected by it, though I don’t seek out trouble.