Why is svchost always sandboxed?

Hello guys,

I always use Comodo since years as real time firewall and antivirus, plus defens+ and now also sandbox.
But sandbox is confusing because I have no idea of what happens if a good program needs to have access to the system and by sandboxing it I mess it up and then things are not well installed and do not work well.
Gave the idea? :slight_smile:
So, svchost is an important file, and supposedly trusted, right?
Why is it sandboxed? Does this not compromise the efficency of the system?
It is the real svchost, not a fake. C:\Windows\System32\svchost.exe
Actually it is twice in the sandbox, once with PID 3000 and Username NT Authority\System, and once with PID 3984 and Username NT Authority\Network Service.
Both voices are fully virtualized (although the auto-sandbox is set in Partially limited) and rating is trusted.
I have the lesser idea what all that means and what I should do about, but I am surprised that I am not given an option to put them out of the sandbox and stop sandboxing them.

Thanks for the help!

Have you launched any files in the FV sandbox? (from for example right-clicking and choosing “Run in COMODO Sandbox” or using the Virtual Desktop? etc) When you sandbox something it will also sandbox cmdvirth.exe and 2-3 svchost.exe processes (or perhaps more, depends on what you sandbox) this is intentional behavior.

Hello Sanya,

yes but not lately. I mean, I did it looooong ago, once or twice.
Correct me if I am wrong but, when I open Comodo (CIS) and I click on “Sandbowed Apps”, a window opens with the list of “active processes list (sandboxed only)”, and I understood that the listed programs are the ones actually sandboxed in this moment.
Is it so? Or is it a sort of History of what has been sandboxed since the beginning of time?
Because, well, always, every day, these two svchost are in this list…

You’re right about the listed processes being the ones that are sandboxed at that point in time, it is not a history.

Have you restarted the computer since you launched the applications in the FV sandbox? (The processes svchost.exe processes will stay in sandbox even after the sandboxed application is closed) I’m just wondering since some people never restart their computers.
If you have restarted your computer then the processes shouldn’t be there unless something was launched in the FV sandbox after you restarted, however there have been some reports that these processes have been started in the FV sandbox even after a restart (it did for me some while ago) Please try resetting/cleaning the sandbox and see if the issue persists.
If you haven’t restarted your computer then the processes are probably still there since that time long ago in which case I’d recommend you restart your computer, but I’m guessing you’ve already done that…

Point is, try restarting your computer and see if the processes are still there afterwards and if so then try resetting the sandbox.

What he said.

Also, there’s a sandboxed SVCHost process if there are any apps configured to run in the sandbox, e.g., IceDragon, even if the browser isn’t launched.


sorry, I was sure that I had answered to Sanya.
So, I had of course already restarted the system, so I tried with resetting the Sandbox.
It worked. Now there is nothing more in the Sandbox, every time I look there.
I also did not know about what WxMan1 says. I will consider it when I will ever set something to run in the sandbox.

So, thanks for the help :slight_smile: