Unsandboxed files vs. Computer Security Policy

I looked for it and I could not find an answer. I have read the tutorials and FAQ and still I have doubts. Since I jumped from 3.14 to 4.1, I am new to this sandbox module. I know that any unknown or unsigned program or file is moved to the sandbox, where it can work but with certain restrictions to protect the PC. If the program is safe or the user wants to unsandbox it, you just move it to “My Own Safe Files”, where it gets a “trusted file” status.

Now what happens if I do not want that file as trusted and want to give it certain restrictions under “Access Rights” in “Computer Security Policy”? Do I have to remove the program from “My Own Safe Files”, or does “Computer Security Policy” have precedence over “My Own Safe Files” so that I can leave it there?

For example: IAAnotif.exe and IAATmon.exe were sandboxed. I moved them to My Own Safe Files; however, in 3.14 I had them with “access” to the disk only and set to “ask” for everything else in Computer Security Policy.

I hope I explained myself correctly.

This is a very good question, and one I think that only the devs will have a full answer to. I’ve wanted to know for a while, too. I’ll see if I can get a dev to answer.

Best wishes

Mike

Thank you Mike.

I'll be waiting for the devs to answer my question.

Regards.

Hernan.

Hey. What do I do?

I do not see why I have to run a safe program sandboxed, where I do not know what kind of restrictions that file might have; however, I may give that file some restrictions in “Computer Security Policy”. If I do, any file that is unsandboxed goes to “My Own Safe Files”. Now if I set a custom setting for that file in “Computer Security Policy”, do I remove it from “My Own Safe Files”? Or does “Computer Security Policy” have priority over “My Own Safe Files”?

It seems that I am repeating myself :smiley:

Regards.

I am afraid that a reply may take some time. Meanwhile, to answer your other questions, the restrictions involved are listed in the “intro to the sandbox” “how it works” section in the stickies. It’s worth reading all the way through this, as the sandbox does not work as many expect.

If you want the level of control you describe you may be best disabling the sandbox and putting CIS in paranoid mode. Then programs can only do what you say they can!

Best wishes

Mouse

Mouse1.

Thank you for your answer. I have read the manual (unfortunately still V.4.0), and I quote:

[i]"Applications in the sandbox are executed under a carefully selected set of privileges and writes to a virtual file system and registry instead of the real system…

Automatically sandboxed applications are run with ‘Limited’ restrictions…

the ‘Limited’ setting applies some of the supported operating system restrictions and grants it access rights similar to if the application was run under a non-admin user account. These restriction levels are fortified with certain Defense + restrictions that apply to all sandboxed applications (for example, they cannot key log or screen grab, set windows hooks, access protected COM interfaces or access non-sandboxed applications in memory).

In addition to the Sandbox restriction level set for an application, Defense + also implements the following restrictions. A sandboxed application cannot:

• Access non-sandboxed applications in memory
• Access protected COM interfaces
• Key log or screen capture
• Set windows hooks
• Modify protected registry keys (if virtualization is disabled)
• Modify EXISTING protected file (if virtualization is disabled)."[/i]

I have also read your “Intro to the sandbox” sticky:

https://forums.comodo.com/defense-sandbox-help-cis/introduction-to-the-sandbox-t53268.0.html;msg377452#msg377452

My issue is not the Sandbox. I think it is going to work great. When all my safe programs and files that are not in the safe list or signed are out of it (I do not see a reason to run a safe file in it), then any new file that pops up the sandbox must be taken into consideration.

The thing is that I had problems running 4.1 with my imported 3.14 settings (I had it so sweet): hangs and repeating alerts for apps already in “Network and Computer Security Policy”. Then I installed 4.1 clean, removed the programs and files that I had unsandboxed from “My Own Safe Files”, and started to set everything like I had it in 3.14. BTW, I had set 4.1 to Proactive Security with the Sandbox enabled. I started in Safe Mode for the firewall and Clean PC mode for D+, but did not have any application rules set in either of the modules, F/D+.

I clicked “Creates Rules for safe Applications” in Firewall Behavior Settings, set D+ to Safe mode, and disabled the Sandbox. CIS 4.1 started to hang when booting the PC for the first time in the day. It did not work right: every time I accessed it to add or change something in it, it “would not respond”.

So I am again at square one: Proactive, F/D+ in safe mode, and the sandbox enabled, with the list in My Own Safe Files growing to some 100+ programs and files, and after Windows Update yesterday even more files. That is why I am asking whether those files in My Own Safe Files must be there even though there can be another set of rules written in Computer Security Policy.

Right now 4.1 is not misbehaving and I will wait for the devs to answer my question.

Thank you again mouse1 and regards.

You did what I would have done.

But I think it may not be the best approach.

In the V4 series I have found it best to use mainly ‘My Safe Files’. These are no longer the same as trusted files in CSP.

On top of this I think you may have trusted vendor list corruption problems. You should not have tons of OS files in My Pending Files.

I’d suggest a) uninstall completely, b) clear it out with Revo or some other uninstaller in deep scan mode (not hunter mode). (There is a forced uninstaller for CIS if all else fails, but do take a restore point before you use it!) Reboot, then re-install. Add files to My Safe Files unless they need unusual permissions; only then use the CSP.

I’d take image execution control off aggressive, if you have it set that way; it can cause boot problems.

BTW the best way to understand what might be running in the sandbox is the D+ event logs…

Best wishes

Mike