I think it can put users at risk from a keylogger when auto-sandbox is enabled. I’ve tested Comodo HIPS with the SpyShelter security test tool (Security Test Tool - SpyShelter Anti-Keylogger - World's Best Anti Keylogging software) in sandboxed mode (Comodo sandbox) and tried to start the keylogger test and other tests to see whether HIPS detects it, but it doesn’t show a popup alert and the security test tool can still capture my keystrokes even in non-sandboxed apps, and can also run screenshot, webcam capture and clipboard monitoring successfully. When I tested running it in the sandbox with the untrusted restriction level, only clipboard monitoring failed to capture. Is there a better way to prevent unknown files from stealing passwords?
Basically, sandbox was meant to replace HIPS because it should give you higher protection with fewer alerts.
In my opinion it’s better to keep both sandbox and HIPS enabled (which is what happens if you enable the Proactive Security configuration).
The problem with sandbox is that it’s not working as expected with Windows 10. You can check the details here:
Because of this problem, I have deleted the sandbox rules to “run virtually” unknown apps and I have added a rule to block unknown apps instead.
If the sandbox blocks an app, I can check “don’t sandbox it again”, then re-launch the app. This way, the HIPS will tell me what the app is trying to do.
If I’m not sure about the app, I can always use the sandbox (meaning run virtually) as an on-demand feature only.