Specific FW rules for s'boxed processes ? (Technical FAQ) [v6]

You can create a firewall rule requiring all executables installed or stored in the sandbox to ask for access, using the path C:\VTRoot* or C:\VTroot* to define such apps. You can also create a rule for specific executable if you wish to.

To create such a rule for unknown files:

[ol]- Ensure the FW is in safe mode.

  • Go to Advanced Settings ~ D+ ~ HIPS ~ File Protection ~ Arrow ~ Groups, and add a file group comprising the folder C:\VTroot*, or your executable’s path and name
  • Go to Advanced Settings ~ FW ~ Application Rules ~ Sandbox add a custom firewall rule, specifying that the firewall should ask for all in- and out-bound connections, or whatever else you like
  • More this rule to the top of the list[/ol]

To create such a rule for all files:

[ol]- Ensure the FW is in custom mode.

  • Go to Advanced Settings ~ D+ ~ HIPS ~ File Protection ~ Arrow ~ Groups, and add a file group comprising the folder C:\VTroot*, or your executable’s path and name
  • Go to Advanced Settings ~ FW ~ Application Rules ~ Sandbox add a custom firewall rule, specifying that the firewall should ask for all in- and out-bound connections, or whatever else you like
  • More this rule to the top of the list
  • If you don’t want outbound alerts for files which are not stored in the sandbox, go to Advanced Settings ~ FW ~ Application Rules ~ Sandbox add a rule for the ‘all applications’ group, using the ruleset ‘Allowed Application’. Place this rule below the first rule.
  • If you are using the (default) Internet Security Configuration, ensure that Advanced Settings ~ FW ‘do not show pop-up alerts’ is unticked.[/ol]


  • If you have the same program installed outside the sandbox you will only get alerts when the one stored inside the sandbox is run. To ensure you run the installed version, take a look at this FAQ here.
  • Apps stored in the sandbox are not necessarily sandboxed (virtualised) when run - they will be only if you specifically ask them to be, or if run from the Kiosk. However, given that C:\VTRoot is hidden from non-sandboxed processes, it is most likely they will always be run sandboxed.
  • There appears to be no way of setting a firewall rules for sandboxed processes that don’t depend on whether they are stored in the sandbox.

Special thanks are due to TreeFrogs for all his work in assisting the development of this FAQ.

This is something I have been looking at, an option in the GUI to enable this would be good.
How have you created this rule ? I have been unable to ???
Thanks TF

Sorry should have said - use groups

Thanks and no worries
Although I still am struggling :-[
I will try again later with fresh eyes and mind

At what stage do you have a problem?

I have created a rule to always ask for any connection in or out but I’m struggling to “see” how to apply it to C:\VTRoot*
I’m going in circles but still missing a whole step somewhere :-\

Just re-checked and it’s working here.

You need to be careful you are actually running a program instance stored in the sandbox.

If you install a program inside and outside on the same path, CIS runs the one outside, if they are the same version.

To test I created the VTRoot rule, then an all apps rule beneath is set to always allow outbound.

When executing a trusted VTroot executable, with FW in custom mode you get an alert. When executing a executable not store in the sandbox you don’t.


OK I’ll move this to feedback later, but for now lets do it here.

  1. Go to Advanced settings (AS) ~ D+ ~ HIPS ~ File protection. Click the arrow, and click on groups
  2. Click the arrow ~ choose add. Navigate to an executable in the sandbox, add it. Now right click, choose edit. Edit the path down to C:\Vtroot*. Now name your group say FV apps.
  3. OK out of that right back to the CIS main interface or advanced settings will do
  4. Now go into firewall rules, choose add ~ Groups. Now create your rule. Choose custom and set it to ask in/out. OK out of that.

Now you are set. To test it’s easiest to use an installed trusted file for now - there’s something complex going on with unknown files I’ve not yet bottomed. So you need custom mode, which means everything gets alerted. So you make this a valid test, and to make this approach meaningful you need an allow all apps outbound rule below the Fv apps rule. Now it should alert for stored-in-sandbox apps outbound but not nonstored ones

This does not seem to work. At least I believe I set it up correctly.

However, when I tested it against the leaktest discussed in this topic it was able to leak information without causing a firewall alert. Also, Comodo Dragon was able to connect, when opened by the automatically FV sandboxed leaktest without triggering an alert.

Am I misunderstanding how this works or have I set it up wrong? Can someone else please test?


You may be misunderstanding. The browser instance would need to be stored in the sandbox. Leakout runs the default browser which connects. To make it easy, install an unusual browser on an unusual path, and make it the default, if the sandbox allows. If it has a choice, CIS virtualiser will run the instance that is not stored in the sandbox for preference.

For it to work with trusted files FW has to be in custom mode - see experiment steps above for the rest.

You have to be very very careful to set this up right, but it worked at Beta, and again this PM on my machine. (I’m re-testing as promised).

Oh also browser may need to start closed

Okay, I was misunderstanding you. I suppose this will not work the way I would like it to.

Oh well, thank you anyway.

Also note from the above:

To run the instance of the executable which is stored in the sandbox, you may need to create a direct shortcut to it. I explain how to do this [insert xref]

but isnt it the most necessary place to activate firewall questions when something is running in a sandbox?

We remember:
“Unknown things run in sandbox so can not do harm to your computer (more or less).”
Why should especially these potential dangerous things get permission to phone without question?

Sometimes i really wonder.

Ok I created the rule correctly…i think :slight_smile:
I get alerts for most sandboxed processes - all the ones I have created shortcuts for
I have to leave for work now but will look at unknown app’s this evening

If anyone has time to post a step by step guide then this can be recreated faithfully

Thanks Treefrogs, good to know.

You should get alerts for all apps stored in the sandbox, the complexity is that CIS will often run a version stored outside the sandbox fro preference when it’s installed on the same path, unless you use my fix. Say you have a link to C:\Program Files\Comodo\IceDragon\IceDragon.exe. The order of execution priority seems to be:

  • most recent version number
  • non-sandboxed
  • sandboxed

But this is just an impression.

After further experiment I think my problems with unknown files were a bug - got a Kiosk crash soon after. So hopefully this should work with FW in safe mode, without the special firewall rules, for unknown files. It did in Beta :slight_smile:

See if you can confirm.

If you can I will document the steps in the first post.

Best wishes


Okay, I made a group pertaining to C:\Vtroot* and then went to the Firewall Application Rules and made a rule for that group to be a Blocked Application. I then clicked on the option to open Comodo Dragon as FV from the widget. However, it is able to connect to the internet. Shouldn’t it be blocked?

Does the HIPS have to be turned on for this to work, have I set it up incorrectly, or am I still confused about exactly what this rule is supposed to do. Is there any way to make CD running as FV not be able to connect to the internet?

By default Dragon is not installed into (stored in) the sandbox. This only works for executable stored in the sandbox. If you install it, you may have to use the shortcut re-direction wangle (referenced above) to ensure the right instance is run.

As it’s a trusted file, you’ll need to be in custom mode, and use the rule sequence I suggest above and treefrogs seems to have successfully tested.

Hope this helps.


Ok I can confirm this works for known app’s I’m still to test with unknown app’s
If the rule is block no connection is allowed - if ask an alert is issued :-TU
I can also confirm that the file will obey this rule if it’s only “stored” in the sandbox - in the context of unknown app’s this could be a good thing… if the BB is set to FV the unknown app will/can only be running in the sandbox hence a FW alert - if my understanding of this is correct ??

Yes barring bugs and shared space, that is correct. But Chiron is trying to deal with hybrid FV/NVirt issues too, also autovirtualisation, which means the executable may not be stored in the sandbox.

Personally I think a solution to the browser Leakout problem may be able to be evolved, Chiron. Make the default browser for FV the stored instance maybe? You can have a different default browser in Kiosk, not sure if it applies to all browsers invoked by FV processes though. Hopefully it does.

This may bring us closer to a general solution, hopefully

There’s a drawback here that a rule is created around an app that’s only installed in the sandbox
when the sandbox is reset the app is deleted and the rule fails

I’m in the process of testing the leakout test here - Comodo Forum
I have run this once and it seems the data leaked - no alert I need to retest this though…