I may make some changes to the auto-sandbox’s rules. But before I do so, I should understand the logic behind its default rules and what they do and do not do. I will note that the auto-sandbox ships with a rule that tells the auto-sandbox to ignore metro apps (not displayed in the above image).
First rule: This rule blocks all files that are known to be malware, regardless of location and origin.
Second rule: This rule blocks all files that are executed from suspicious locations.
Third rule: This rule isolates all unrecognized files that are located on a local (if downloaded from the internet), network or removable drive and not whitelisted by either COMODO or the user.
Fourth rule: This rule isolates all unrecognized files that originate from browsers, e-mail clients, file downloaders, and pseudo-file downloaders, regardless of location.
Fifth rule: This rule isolates all unrecognized files that are located in a shared space, regardless of origin or location.
Is this accurate?
Rules follow a hierarchy; rules located at the top of the list are applied first. This brings me to my questions.
What are suspicious locations?
What is the difference between rules 3 and 4? They appear to do the same thing, though the former rule is less restrictive.
Rules follow a hierarchy. Rules at the top of the list are applied first. If rule 5 is at the bottom of the list, what is its purpose? I changed rule 4 to ‘block’. Files located in a shared space were blocked, even though rule 5 is set to isolate files. I had to move rule 5 to a higher position in the hierarchy (higher than rule 4) in order for the auto-sandbox to isolate files located in a shared space. Is it simply there for convenience? This way, users can adjust the existing rule instead of creating a new one?
With the auto-sandbox’s default rules, I assume it will not prevent unrecognized keyloggers; only those which are known to be malicious. The auto-sandbox does not even apply any restrictions to the default rules. Therefore, I am considering configuring the auto-sandbox to block all unrecognized files that are not located in a shared space. Unrecognized files located in a shared space would be run isolated but limited. Is this necessary, or does the auto-sandbox already deal with keyloggers? Sandboxie does not deal with keyloggers by default (it must be configured to do so), so that is why I am asking this.
Edit: Also, what is an example of a pseudo-file downloader? The term pseudo makes me think it is a program that claims to be a legitimate file downloader but is actually malicious. Perhaps it will download additional malware.
Edited image link. JoWa