Comodo Help
Find the desired product help
Comodo Internet Security

Comodo Internet Security

Version 6.3

English

Print Help Download Help
Advanced Settings > Security Settings > Defense+ Settings > Behavior Blocker > The Sandbox - An Overview > Unknown Files - The Auto - Sandboxing And Scanning Processes
  • Introduction To Comodo Internet Security
    • Special Features
    • System Requirements
    • Installation
      • CIS Premium – Installation
      • CIS Pro - Installation And Activation
      • CIS Complete - Installation And Activation
      • Activating CIS Pro/Complete Services After Installation
        • Activating Your License
        • Activating Your Guarantee Coverage
        • Renewal Or Upgrading Your License
    • Starting Comodo Internet Security
    • The Main Interface
      • The Home Screen
      • The Tasks Interface
      • The Widget
      • The System Tray Icon
    • Understanding Security Alerts
  • General Tasks – Introduction
    • Scan And Clean Your Computer
      • Run A Quick Scan
      • Run A Full Computer Scan
      • Run A Rating Scan
      • Run A Custom Scan
        • Scan A Folder
        • Scan A File
        • Create, Schedule And Run A Custom Scan
    • Instantly Scan Files And Folders
    • Processing Infected Files
    • Manage Virus Database And Program Updates
    • Manage Quarantined Items
    • View CIS Logs
      • Antivirus Logs
        • Filtering Antivirus Logs
      • Firewall Logs
        • Filtering Firewall Logs
      • Defense+ Logs
        • Filtering Defense+ Logs
      • Alerts Logs
        • Filtering Alerts Displayed Logs
      • Tasks
        • Filtering Tasks Launched Logs
      • Configuration Changes
        • Filtering Configuration Changes Logs
    • Manage CIS Tasks
    • View Active Internet Connections
    • View Active Process List
  • Firewall Tasks – Introduction
    • Allow Or Block Internet Access To Applications Selectively
    • Stealth Your Computer Ports
    • Manage Network Connections
    • Stop All Network Activities
    • Advanced Firewall Settings
  • Sandbox Tasks – Introduction
    • The Virtual Kiosk
      • Starting The Virtual Kiosk
      • The Main Interface
      • Running Browsers Inside The Virtual Kiosk
      • Opening Files And Running Applications Inside The Virtual Kiosk
      • Configuring The Virtual Kiosk
      • Closing The Virtual Kiosk
    • Run An Application In The Sandbox
    • Reset The Sandbox
  • Advanced Tasks – Introduction
    • Create A Rescue Disk
      • Downloading And Burning Comodo Rescue Disk
    • Remove Deeply Hidden Malware
    • Submit Files
    • Identify And Kill Unsafe Running Processes
  • Advanced Settings
    • General Settings
      • Customize User Interface
      • Configure Program And Virus Database Updates
      • Log Settings
      • Manage CIS Configurations
        • Comodo Preset Configurations
        • Importing/Exporting And Managing Personal Configurations
    • Security Settings
      • Antivirus Settings
        • Real-time Scanner Settings
        • Scan Profiles
        • Exclusions
      • Defense+ Settings
        • HIPS Behaviour Settings
        • Active HIPS Rules
        • HIPS Rule Sets
        • Protected Objects
          • Protected Files
          • Blocked Files
          • Protected Registry Keys
          • Protected COM Interfaces
        • Behavior Blocker
          • The Sandbox - An Overview
            • Unknown Files - The Auto - Sandboxing And Scanning Processes
        • Configure The Sandbox
      • Firewall Settings
        • Firewall Behavior Settings
        • Application Rules
        • Global Rules
        • Firewall Rule Sets
        • Network Zones
          • Network Zones
          • Blocked Zones
        • Port Sets
      • Manage File Rating
        • File Rating Settings
        • Trusted Files
        • Unrecognized Files
        • Submitted Files
        • Trusted Vendors List
  • Comodo GeekBuddy
    • Overview Of Services
    • Activation Of Service
    • Launching The Client And Using The Service
    • Accepting Remote Desktop Requests
    • Chat History
    • Using Issue Tracker
    • Uninstalling Comodo GeekBuddy
  • TrustConnect Overview
  • Comodo Dragon
  • Comodo BackUp
  • Appendix 1 CIS How To... Tutorials
    • Enabling / Disabling Security Components Easily
    • Setting Up The Firewall For Maximum Security And Usability
    • Blocking Internet Access While Allowing Local Area Network (LAN) Access
    • Setting Up The HIPS For Maximum Security And Usability
    • Setting Up The Behavior Blocker For Maximum Security And Usability
    • Password Protect Your CIS Settings
    • Reset Forgotten Password (Advanced)
    • Running An Instant Antivirus Scan On Selected Items
    • Creating An Antivirus Scanning Schedule
    • Running Untrusted Programs Inside Sandbox
    • Running Browsers Inside Sandbox
    • Running Untrusted Programs Inside Virtual Kiosk
    • Running Browsers Inside The Virtual Kiosk
    • Restoring Incorrectly Quarantined Item(s)
    • Submitting Quarantined Items To Comodo For Analysis
    • Enabling File Sharing Applications Like BitTorrent And Emule
    • Blocking Any Downloads Of A Specific File Type
    • Disabling Behavior Blocker And Auto-Sandboxing On A Per-application Basis
    • Switching Between Complete CIS Suite And Individual Components (just AV Or FW)
    • Switch Off Automatic Antivirus And Software Updates
    • Suppressing CIS Alerts Temporarily While Playing Games
    • Renewing Your License
  • Appendix 2 - Comodo Secure DNS Service
    • Router - Manually Enabling Or Disabling Comodo Secure DNS Service
    • Windows XP - Manually Enabling Or Disabling Comodo Secure DNS Service
    • Windows 7 / Vista - Manually Enabling Or Disabling Comodo Secure DNS Service
  • Appendix 3 - Glossary Of Terms
  • About Comodo Security Solutions

Unknown Files: The Auto - Sandboxing and Scanning Processes


  • When an executable is first run it passes through the following CIS security inspections:
  • Antivirus scan
  • HIPS Heuristic check
  • Buffer Overflow check
  • If the processes above determine that the file is malware then the user is alerted and the file is quarantined or deleted
  • An application can become recognized as 'safe' by CIS (and therefore not auto-sandboxed or scanned in the cloud) in the following ways:
  • Because it is on the local Comodo White List of known safe applications
  • Because the user has added the application to the local 'Trusted Files'
  • By the user granting the installer elevated privileges (CIS detects if an executable requires administrative privileges. If it does, it asks the user. If they choose to trust, CIS regards the installer and all files generated by the installer as safe)
  • Additionally, a file is not auto-sandboxed or sent for analysis in the cloud if it is defined as an Installer or Updater in HIPS Ruleset (See Active HIPS Rules for more details)
  • Cloud Scanning Part 1

Files and processes that pass the security inspections above but are not yet recognized as 'safe' (white-listed) are 'Unrecognized' files. In order to try to establish whether a file is safe or not, CIS will first consult Comodo's File Look-Up Server (FLS) to check the very latest signature databases:

  • A digital hash of the unrecognized process or file is created.
  • These hashes are uploaded to the FLS to check whether the signature of the file is present on the latest databases. This database contains the latest, global black list of the signatures of all known malware and a white list of the signatures of the 'safe' files.
  • First, our servers check these hashes against the latest available black-list
  • If the hash is discovered on this blacklist then it is malware
  • The result is sent back to the local installation of CIS
  • If the hash is not on the latest black-list, it's signature is checked against the latest white-list
  • If the hash is discovered on this white-list then it is trusted
  • The result is sent back to local installation of CIS
  • The local white-list is updated
  • The FLS checks detailed above are near instantaneous.
  • Sandbox and Cloud Scanning Part 2

If the hash is not on the latest black-list or white-list then it remains as 'unrecognized'. CIS simultaneously takes two distinct but complementary actions -

(1) It will run the unrecognized file in the auto-sandbox so that it cannot access important operating system files or damage your computer, and

 

(2) It will leverage Comodo's Cloud Scanning technology to determine whether the file behaves in a malicious fashion.

    • Unrecognized files and applications will be isolated and run in the auto-sandbox. CIS will alert the user that it is going to run the application in the sandbox.

    • By defaullt, auto-sandboxed applications are run with 'Partially Limited' restrictions.  

More detail: Auto-sandboxed applications are allowed to run under a specific set of conditions or privileges. In CIS, these are known as 'Restriction Levels'. In part, auto-sandbox restriction levels are implemented by enforcing or relaxing the native access rights that Windows can grant to an application. There are six levels - Partially Limited, Limited, Restricted, Untrusted, Blocked and Fully Virtualized. 'Partially Limited' is the default restriction level for auto-sandboxed applications, but you can change this to a different level in the Behavior Blocker Settings panel:

      • Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.(Default)

      • Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges.

      • Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.

      • Untrusted - The application is not allowed to access any operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications that require user interaction may not work properly under this setting.

      • Blocked - The application is not allowed to run at all.

      • Fully Virtualized - The application will be run in a virtual environment completely isolated from your operating system and files on the rest of your computer.

    • Unrecognized files are simultaneously uploaded to Comodo's Instant Malware Analysis servers for further checks:

      • Firstly, the files undergo another antivirus scan on our servers.

      • If the scan discovers the file to be malicious (for example, heuristics discover it is a brand new variant) then it is designated as malware. This result is sent back to the local installation of CIS and the local and global black-list is updated.

      • If the scan does not detect that the file is malicious then it passes onto the the next stage of inspection - behavior monitoring.

      • The behavior analysis system is a cloud based service that is used to help determine whether a file exhibits malicious behavior. Once submitted to the system, the unknown executable will be automatically run in a virtual environment and all actions that it takes will be monitored. For example, processes spawned, files and registry key modifications, host state changes and network activity will be recorded.

      • If these behaviors are found to be malicious then the signature of the executable is automatically added to the antivirus black list.

      • If no malicious behavior is recorded then the file is placed into 'Unrecognized Files' and will be submitted to our technicians for further checks. Note: Behavior Analysis can identify malicious files and add to the global black list, but it cannot declare that a file is 'safe'. The status of 'safe' can only be given to a file after more in-depth checks by our technicians.

      • In either case, the result is reported back to your CIS installation in approximately 15 minutes. If the executable was not found to be malicious then it will be run in the auto-sandbox. It will simultaneously be added to the 'Unrecognized Files' list and uploaded to our technicians for analysis. If it is discovered to be a threat then CIS will show an AV alert to the user. From this alert the user can opt to quarantine, clean (delete) or disinfect the malicious file. This new threat will be automatically added to the global black list database and therefore benefit all CIS users.

Our Products
  • Free Antivirus
  • Free Internet Security
  • Website Malware Removal
  • Free Anti-Malware
  • Anti-Spam (Free Trial)
  • Windows Antivirus
  • Antivirus for Windows 7
  • Antivirus for Windows 8
  • Antivirus for Windows 10
  • Antivirus for MAC
  • Antivirus for Linux
  • Free Endpoint Security
  • Free ModSecurity
  • Free RMM
  • Free Website Malware Scanner
  • Free Device Manager for Android
  • Free Demo
  • Network Security
  • Endpoint Protection
  • Antivirus for Android
  • Comodo Antivirus
  • Wordpress Security
Cheap CDN
  • Bootstrap CDN
  • Semantic UI CDN
  • Jquery CDN
  • CDN Plans
  • CDN
  • Free CDN
Enterprise
  • Patch Management Software
  • Patch Manager
  • Service Desk
  • Website Down
  • Endpoint Protection Solutions
  • Website Security Check
  • Remote Monitoring and Management
  • Website Security
  • Device Manager
  • ITSM
  • CRM
  • MSP
  • Android Device Manager
  • MDR Services
  • Managed IT Support Services
  • Free EDR
Free SSL Certificate
Support Partners Terms and Conditions Privacy Policy

© Comodo Group, Inc. 2025. All rights reserved.