to Languy, asking for a special comodo review please.


Languy I watch your youtube videos and was wondering if you can test just comodo sandbox alone for me against malwares such as latest tdss/tdl, MBR rootkits, trojans, and other nasties with the sandbox setting set to “BLOCK” and also one test with sandbox set to “UNTRUSTED”. The reason being is that with the default setting set to “PARTIAL” I saw some videos that infections leaked out of comodo sandbox and infected the pc. SO I want to know if under “BLOCK” or “UNTRUSTED” setting will block scaping infections or not. Right now I am using the setting “BLOCK” along with sandboxie and would like to get rid of sandboxie (slow browser start and issues) if comodo sand box under block or untrusted is rock solid (right now I am scared of using comodo alone without knowing how solid the sandbox is. Thanks in advance

the only problem is that I don’t test software from their stock settings, why becasue 99% of the people run the software like that and then people would want me to test each program differently. Another problem is that I have not seen anything leak out and destroy the computer with the sandbox as of right now. I have heard of people who shut off the sandbox and have infected themselves but that it their fault because they changed the stock settings.

Hi there:

Well if you or anyone could do the test privately or let me know I would be appreciative. I will try and find the youtube videos that show stock setted CIS 5 malware test done and that some infection passed through the protection as was shown on those 2 videos I saw with malwarbyte and hitman pro detecting them. I will post here the link once I find the videos so you can check and see. I think the reason for it is because of the “partial allow” of the sandbox setting. I do not know for sure that why I want to know if by setting the sandbox to block or untrusted will give 100% protection. By the way when I had CIS 4 back then I got infected with MBR rootkit and TDSS rootkits on one time atleast with all setting on nominal. This is a reason I want to know if block setting gives 100% protection.

I would appreciate if anyone can test and or tell me the result. Thanks in advance.

Right now for protection I have appguard, norton antivirus and comodo firewall+Defense plus and windows DEP and UAC on windows 7 premium

I can tell you right now, putting the sandbox on blocked will stop all unknown software from running.


Here is video i found show comodo (stock setting) by passed. The guy used malwarebyte which showed 5 infection and one of them is not on temp file and is in application data folder and 15 infection by hitman pro.

video: COMODO Internet Security V5 2011 Prevention Test/Review - YouTube

I could not find the other videos since I came across them by chance. But the the video above is an example. Anyway I am looking for 100% protection or a protection similar to sandboxie (I have issues with sandboxie so can not use it). Thanks in advance.


Thanks for reply. Do you know if the sandbox of comodo also stops non exe and all other malware stuffs as well? Because not all malwares are .exe. Thanks in advance.

it will stop pretty much anything, the sanbox now has the ability to sandbox other files, such as pdf, script files, java, etc.

Comodo Sandbox is a dangerous activity blocker not a sandbox as sandboxie. Files may be writeen almost everywhere, but they are prevented from modifying other files or processes.

Your spot on!

Comodo auto sandbox: Yes unprotected registry keys may be written, yes some files may spread on the HD, yes other processes may be spawned… The sandbox makes sure that protected files or protected registry keys are NOT modified. All critical areas in your system are protected.



Well then comodo should not call it sandbox then. Then perhaps call it DAB (dangerous activity blocker or something. Because sandbox means an isolation. Means create a locked block so malware, etc. can not pass to the system. That’s what sandbox is like sandboxie. So your dangerous activity blocker is not a real sandbox then. When a company or software states having a sandbox then they should not miss-represent it. Because people buy products base don the ad by the company and under believe that what they see they getting is what they get. Sandbox definition is what sandboxie or bufferzone does. So I hope you understand what I mean. Anyway I think I get bufferzone since sandboxie has issues for me.

actually I’m sorry but you don’t understand what sandbox means, how comodo works is still a sandbox. Look here Sandbox (computer security) - Wikipedia look at Jail, as you can see it still falls under the sandbox terminology and don’t forget that CIS still has the manual sandbox that works exactly just like the other sandboxes.

This is a noob question but does that mean it will work on 64 bit architecture? because other sandboxes don’t protect the right way.

truthfully I don’t know, I have a 32 bit system and I have not tried it on a 64 bit system, maybe someone who has will tell you.


Its exactly what I say. So shouldn’t that means that it stays inside the sandbox (jail) and does not go outside? SO far with the comodo sandbox is like a jail with a faulty door. I say this because the infections sometimes are found outside comodo sandbox (jail) and even after reboot they stay outside and it does not matter if or when run they can be detected by D+ or not but they should not be outside the sandbox to begin with and to start with. Look at sandboxie for example. Nothing is saved outside sandboxie without the user’s decision. You see nothing or can not find any physical evidence of any files outside sandboxie without the user allowing it. Now with comodo certain files sometimes do sneak out of its sandbox and are present on system which is no good.

Anyway I do not know if you understand what I mean or not. But lets leave it. I read somewhere that comodo has partial sandbox and that explains it. Its not a full sandbox.

On another note I saw a test on youtube of someone testing AVAST pro sandbox alone where he ran opera in AVAST pro sandbox and downloaded a bunch of malwares (some very nasty ones) and after reboot nothing was on the system when he tested with malwarebyte and hitman pro. Seemed the sandbox of avast blocked everything. The bad news about it was that nothing would be saved outside and even safe and trusted softwares downloaded from filehippo was locked in sandbox and deleted there. Unless AVAST makes a good white-list of safe applications like comodo does then avast sandbox would be rock solid I guess.

Now this would be an interesting test video if someone would test comodo, AVAST, Kaspersky sandbox alone with a browser like IE running in sandbox and downloading a bunch of malware (including nastiest like MBR rootkits, TDSS rootkits, etc.) to see if any malware can sneak out or not. So I think a sandbox alone test would be great and would answer a lot of questions.

You still don’t seem the understand how comodo works. It has 2 sandboxes.

The automatic sandbox is like the Jail, if you read how a jail works, it allows files to be dropped (what you are finding) and some changes can be made to the system but malware cannot change protected folders or protected registry keys and when you reboot it kills all active processes.

Now it also has a manaul sandbox, just like Avast, kaspersky or sandboxie. If you right click on a file and select run in sandbox or you manually add a program to sandbox it will be put into the manual sandbox. This is a total virtualising sandbox just like the others.

Hi languy:

Well I just ran IE8 in comodo sandbox manualy as untrusted and downloaded eicar file as a test and once all finished I closed IE8 and saw that the eicar was on the desktop and restarted the pc and it was still there and the sandbox was empty?? not even IE8 was in it. So both IE8 and eicar were unsandboxed???. SO wouldn’t the eicar be deleted because of being sandboxed after reboot? Could you tell me how the manual sandbox works in comodo. Strange. By the way I had my norton antivirus and all securities off so not to catch eicar. Just comodo sandbox with sandboxed IE8.

Right click on IE8 and select run in sandbox, that will run it in the manual sandbox.


I did that and downloaded eicar zip and it still was thereon the desktop after reboot?? It was not deleted once the sandbox was emptied. Anyway I give up. Thanks for your help though. You are a great guy languy99.

Do you have checked the option “Enable file system virtualization” in Defense+ Settings->Sandbox?

Hi nime:

Yes I have. I have all check marked in sandbox setting except automaticaly detect installer/ updater(removed the check mark for increase protection). All the setting are set to the highest and optimal setting in comodo.

By the way I saw tests of defensewall and bufferzone, geswall where they failed in sandboxing all infections and some infection sneaked through them to the system. Only sandboxie had 100% blocking in tests. Only if sandboxie would not slow down and interfere with my browser loading.