So, how should new auto-sandbox work?

From Advanced settings>>Security Settings>>Defence+ >> Sandbox>>Auto-Sandbox it appears that CIS will run every unrecognized program in “fully virtualized” sandbox (Run virtually)… Or does that mean something else now?

Cuz when I run Zoom player Free 9.2 (currently unrecognized), I don’t see a popup “This application is unrecognized and was sandboxed as partially limited” like in V7, is this a bug, or this popup was dropped? Anyway while Zplayer.exe is present in “Unrecognized files” list, if I look at it via Killswitch it says: Rating - Unknown, Restriction - none, Virtualization - disabled, and I don’t get any errors like I used to in V7 when it was “partially limited”.

I know it’s beta, but I don’t know what’s a bug and what’s by design at this point, so Could someone explain how it’s supposed to work?


Policy based automatic-sandboxing

  • Ability to create automatic sandboxing rule based on various parameters such as file reputation, file origin, file source etc
  • New default auto-sandboxing policy which is fine-tuned to isolate risky unknown applications

It is helpfull, I think and it makes CIS more useable for basic/novice users :-TU

product help

Ok, so by default CIS will run in fully virtual inviroment all unrecognized files that were downloaded from the internet, downloaded by browsers, downloaders, email clients or pseudo downloaders, as well as unrecognized files located on removable and network drives. And will block any file with “Malware” reputation or that run from recycle bin, any other file won’t be restricted in any way.

If CIS will use full virtualization (VtRoot folder) it would be nice to be able to move it off drive C…if you happen to have SSD for system drive.

Also, wouldn’t it mean that basically most programs \ (free) games you download from the internet…or have on USB HDD will be installed in full virtual sandbox…unless they’re digitally signed? That may be fine up untill you deside to reset sandbox for whatever reason.

If anyone finds a way in which malware could bypass these rules, and therefore run unrestricted, please create a bug report for it. Even if it is technically following the rules which were put in intentionally, I am considering it a bug if a user, in a real-world scenario, could infect their computer by using the internet in a normal fashion. One such bug report can be seen here.


The problem I’m referring to is not that user will get infected, but rather loosing legitimate (unsigned \ unrecognized) programs due to (eventual) sandbox reset.

That’s a good point. With the default now to sandbox unknown downloaded files many more users will be experiencing this full virtualization without fully understanding what would happen to their information if they reset the sandbox. It does warn the user (in that the description below the Reset Sandbox button says it will erase all the content) but not all users will read that carefully. Perhaps an extra warning box when that option is clicked should pop up explaining the danger in greater detail (of course with a checkbox to never show this warning again) would be a good way to mitigate this risk?

What do you think?


I’ll say that if you got a bunch of programs fully virtualized (due to current auto-sandbox settings) programs \ games, and you get a virus later (also fully virtualized), you don’t have much choice. If you want to get rid of the virus, you’ll have to reset the sandbox, deleting the virus along with all virtualized installed programs. Understanding the fact that reseting the sandbox will remove everything that’s in it doesn’t do much about the fact that if you want to get rid of the virus, everything else must go with it.

That makes sense. There are certainly times when the sandbox has to be reset, regardless of what is lost. The only way I can think to fix this then would be if this wish for multiple sandboxes were to be implemented. However, as it has not been added for this Beta, I do not hold out much hope it will be implemented in the near future.

Does anyone have another idea?


I can suggest slightly modified wish \ solution.

If CIS will create seperate sandbox for each fully virtualized file, then we can reset \ delete “harmful” sandboxes while leaving “good ones” intact. I don’t know how taxing this will be on the system, and there might be problems if one virtualized program needs to access another virtualized program (since they will be in different sandboxes). But on the other hand, this will probably make integrating sandbox content with real system easier.

Or CIS could track changes made by each virtualized program, and let users delete certain programs (and changes made by it) instead of entire sandbox. But this could be even more taxing on the system.

Anyway, shouldn’t this sandbox \ virtualization thing supposed to be a TEMPORARY place to test unknown programs, before letting them on real system in the first place? With things as they currently are, sandbox looks like more of a permanent place… that you have to reset sooner or later anyway.

No problem. It would be your wish. :smiley:

This wish has essentially already been made. It is a subset of the multiple sandboxes wish.

This sounds similar to Viruscope. Do you know whether Viruscope operates inside the FV sandbox or not? I’m not sure.

The idea is that most downloaded apps will be trusted. Those which are not will be run virtualized. I believe it’s essentially the same approach as has been taken by the previous versions of CIS. However, the main difficulty, which you are noting as well, is that these downloaded programs will be run fully virtualized instead of restricted and on the real system. That said, for most apps is this really a critical problem, or just more of a nuisance. Unless I’m wrong they will still be downloaded to the same folder. Thus, they can always be rerun without most users having to wonder about where the information is stored. They will work correctly most of the time. I think the big problem comes if the user ever chooses to reset the sandbox. Except for that I think it’s a pretty good setup. You do still get the Auto-Sandbox popup, unless I’m wrong about that, and thus can always choose to add it to the trusted files list.

Am I misunderstanding this?


This wish has essentially already been made. It is a subset of the multiple sandboxes wish.

Yes, the only difference is that Andreww suggest that users will choose in what sandbox the program will run, while I suggest that new sandbox to be created automatically for each file…But I’m not sure what method is better… Maybe just flat out ask the user how (s)he wants to run this unrecognized program downloaded from internet (fully virtualized, restricted or trusted)?

The idea is that most downloaded apps will be trusted. Those which are not will be run virtualized…

That might be true for programs developed by big companies, who sign their files, but there are tons and tons of programs released by lesser companies or small groups or individual people released every day…or so, that people use. Those programs while legitamate, might not be signed, and it may take quite a while for CIS to recognize. And that leads to program being installed virtualized, and in turn add to the “What to do when you’ll have to reset sandbox” problem. By the time you will have to do it, you might already forget what installed there in the first place.

Of course if we change the settings from run virtual to run restricted, that will basically revert to V7 autosandbox, but a bit more flexible. But not all users (especially new ones) will want to dig in settings. They’re most like to install and forget it.

Is this auto-sandboxing optional? I would prefer the old method. I have my sandbox set to Untrusted (in v7.0) and I like to have the prompt to decide whether to add to Trusted Files or not. I’m not going to be a big fan of auto-sandboxing. If it isn’t optional, I will disable the Sandbox completely and just use D+.

@ L.A.R. Grizzly

Yes, you can disable it completly, same as in V7, and you reconfigure it to run programs with restriction level instead of fully virtualized.

It’s that by default (for now) it’s set to fully virtualize.

Whew! I was afraid I was going to lose choice. I’m glad to hear it’s optional. Thanks, Maniak2000.

It seems to me the new auto-sandbox is more difficult to be understanded and configured even for experienced CIS users.
The new features enhancement is more flexible but it become more complicated.
I think basic/novice users should never touch the setting.

I have another suggestion for this.
Instead of an extra warning box for explaining the danger in greater detail, an option to view a file list that will be deleted can be added when clicking the Reset Sandbox button. And in the list, user can select which file not to be deleled or be allowed to move to other folder.

this video review may help…

I was wondering… If current auto-sandbox settings will be kept in V8 realese, than users wil have some of their programs installed in full virtual (FV) sandbox, right?

And viruses \ malware (if user will happen to download and run any) will be in FV sandbox too, right? Wouldn’t that mean that virus could mess with programs installed in FV sandbox? System will not be harmed of course, but depending on how many legit programs CIS will send to FV sandbox, that still can cause problems…

I don’t really see what CIS devs are trying to do setting up auto-sandbox the way is it now… do they think users only download signed programs?

I agree with you, I have always though about “virtualization” as something related with “test”… of course, it can be a great protection feature, but I don’t see it as a default option…
To get a malware should be the exception, not the rule… but with this new auto-sandbox policy many reliable programs would be fully virtualized, so the user will have to re-install them in the real environment later…