What Protection Does the Sandbox - Virtual Keyboard Provide against Keyloggers?

Hello All,

Despite Comodo’s assurances that the sandbox-virtual keyboard combination will work against keyloggers, it does not exactly inspire confidence. I’ve searched and information on CIS’s anti-keylogging countermeasures is scant.

Is there anyone who can explain if CIS 7 (both while un-sandboxed and in virtual desktop) will protect against the following?

Keylogger Types:

Hardware (e.g. attached device that records data)
Wireless Keyboard Sniffer
Software (embedded)
Core Operating System (OS) based (driver/firmware)
Hook (legitimate Application) based
Browser (e.g. Javascript) based


Could you clarify what you mean by ‘hardware’? Like some piece of hardware attach in between the keyboard and pc? If so I don’t know if there’s much software can do to help that.

I do know that CIS can monitor hooks and direct access, however some of that depends on what configuration your running, i.e proactive. See the screencap below.

Though this makes me wonder if CIS monitors access to things like embedded devices like cameras and microphones for laptops.

Thanks aim4it,

I think you are absolutely correct. As far as I’ve been able to determine CIS 7 only provides protection against hook-based keyloggers - and probably spyware based.

As far as the others listed, it is uncertain.

Does CIS 7 protect against screen-clipboard-camera-microphone capture - both inside/outside the sandbox?

Are anti-keylogging capabilities even running outside the sandbox?

It seems there is no information on CIS’ full anti-keylogger capabilities…and I can’t even get answers from those who have a lot of experience with the product.

Like I said, doesn’t inspire a lot of confidence


From what I understand: unrecognized files that are accessed by any process executing on the system are sandboxed.

Depending on the level of access restriction to processes w/ in the sandbox, the entire system - NTFS file-structure, registry - are virtualized prior to the Group Policy ACL level.

When one examines the HIPS / D+ rules by application, one can’t help but notice numerous resource access name policy groups. Whatever process that is logging keys, will need some sort of resource name access - since its not in of itself using the keyboard I doubt CIS will alert to that.

I bet that most such requests are so arcane that the request will be granted. Once that’s done, the thing making the request just established root-kit.