What restriction level for sandboxed browser(s)?

I see that the Widget’s Browsers Pane results in a green border i.e. “running in the sandbox” but what restriction level is used for these?

I want to start my Firefox with a .VBS file, and have put that VBS file into the Sandbox via Defense+ settings, but don’t know which Restriction Level I should use. It wants to assign Partially Limited–is that also the default level for a “normal” launch-from-Browsers-Pane?

Argh, never mind–I looked at the logs and see that firefox.exe is run as “Partially Limited” and no doubt has nothing to do with the setting I made for my .VBS file itself…

I suppose I should ask here a different question: Is Partially Limited the safest (or only) acceptable setting for a browser? Isn’t that the least restrictive option?

Anything runs at the security level defined for the object configured to run w/ in the sandbox.

With increased restriction, you sacrifice functionality. For example Adobe PDF files are notorious security risk; bless their tiny bleeding hearts at the massive and monumental efforts these gagantuan corporatoins expend to keep their product free of threat vectors, and their users safe and secure. :P0l


Sorry, I did it again; I digress.

The problemo is that even so the browser can be configured to launch the PDF as a seperate process - that is best bractice - but I’ve yet to finger out how to launch a PDF in the sandbox because Adobe creates their own sandbox for the PDF session.

You can do some registry edits to add a “Run File in COMODO Sandbox” for .PDF files (and all other file extensions…) Then when right-clicking the .PDF file and clicking to run in the Comodo Sandbox then it will open the .PDF in the default .PDF reader while also sandboxing that reader as Fully Virtualized.

Edit: Though in this case you can’t really open the PDF through the browser, you can set up the PDF to be opened in the browser though but you need to download it and right-click it first so… Iunno maybe it’s not the best way to deal with this.

Perhaps there’s some easier way to run a PDF file in the Sandbox, other than starting the PDF viewer in the sandbox and then searching for the PDF file…

In the Advanced Settings where you set up programs to always be sandboxed, they will always be started in Fully Virtualized, so if you choose restriction level “Partially Limited” it will be started as Fully Virtualized + Partially Limited. Do note that this is NOT the case for the auto-sandbox! When using the Widget to launch the web browsers in the sandbox it will launch it in a normal Fully Virtualized mode without any extra restrictions, this is the mode I’d recommend for web browsers, i.e Fully Virtualized and no extra restriction, so the .VBS file should be set up to always be sandboxed as Fully Virtualized with no extra restrictions, or at least that’s how I’d set it up, if you want even more protection you may want to increase the restriction though, but that may limit some functionality in the browser.

Thank you very much for this explanation, and for trying to help me. I must admit that although I’ve [tried to] read all the Sandbox help stuff, it remains mostly a mystery to me, but I am trying to be safer on-line so have only recently tried to use this aspect of CIS.

I never realized the “base FV + more restrictions optionally” and will do some more playing with this. I had given-up on sandboxed browsing when I found I couldn’t even do anything so simple as print-out a web page for example which IMO renders sandboxed browsing as useless…

But I will keep trying to understand and explore the mysteries of the Sandbox. :wink:

I’ve seen reports that printing doesn’t work from FV sandbox, don’t know if that has been fixed yet though.