Sandbox Settings
The Sandbox Settings area allows the administrator to configure the security level and the overall behavior of the sandbox. To access the Sandbox Settings interface, click the Sandbox Settings link under Sandbox in the Defense+ area. Sandbox settings are split into two areas. Click either of the links to jump straight to that section.
- General Settings - Allows you to enable or disable the sandboxing feature and configure various sandbox related settings.
- Alert Settings - Allows you to configure requests/alerts from the sandbox feature.

General Settings
Security Level Slider
The Security Level slider in the Settings interface allows you to switch the Sandbox between Enabled and Disabled states. Programs included in the Sandbox are executed with the set restrictions only if the Sandbox is in the Enabled state. If it is disabled, the programs are run normally without any restrictions. The Sandbox is disabled irrespective of the setting of this slider if Defense+ is permanently deactivated from the Defense+ Settings interface.
Check Boxes
Enable file system virtualization - The sandboxed applications are not permitted to modify the files in your 'real' file system. Enabling file system virtualization instructs the Sandbox to create a virtual file system in the endpoint system. The sandboxed applications write any data only into the created virtual file system, instead of affecting and potentially causing damage to the real file system. If this option is disabled, the sandboxed applications may not function correctly because they will not be able to create the entries that they need to.
Note for advanced users: The virtual file system is created inside the Sandbox working folder (e.g. c:\sandbox\) to execute the applications within this file system. If you disable this option here, the virtual file system is not created even if you have enabled file system virtualization for individual applications within the Sandbox.
Enable registry virtualization - The sandboxed applications are not permitted to access and modify the entries in the 'real' Windows Registry hives. Enabling registry virtualization instructs the Sandbox to create a virtual registry hive in the system. The sandboxed applications write any entries pertaining to them only into the created registry hive, instead of affecting and potentially causing damage to the real registry hives. If this option is disabled, the sandboxed applications may not function correctly because they are not able to create the entries that they need to.
Note for advanced users: The virtual registry hive is created as HKEY_LOCAL_MACHINE\SYSTEM\Sandbox\ ... for the sandboxed applications to write their registry values. If you disable this option here, the virtual registry hive is not created even if you have enabled file system virtualization for individual applications within the Sandbox.
The table below explains the precedence of the file system virtualization and registry virtualization settings made through this interface and those through Adding programs to run inside the Sandbox > Advanced Settings.
| Sandbox Settings | Add programs to run inside the Sandbox > Advanced Settings | Is the setting enabled for the specific application? |
|---|---|---|
| Yes | Yes | Yes |
| Yes | No | No |
| No | Yes | No |
| No | No | No |
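To review what sandboxed applications wrote into the virtual file system and the virtual registry hive named in the two notes for advanced users above, an administrator can inventory both locations. The PowerShell below is an added example, not part of the Comodo documentation; it assumes the page's example working folder c:\sandbox\ and the hive root HKLM\SYSTEM\Sandbox, and the parameter names and the autostart-key filter are illustrative.

```powershell
# Added example (not Comodo code): inventory what sandboxed applications wrote
# into the virtual file system and the virtual registry hive.
# Assumptions: C:\sandbox is the page's example working folder; the layout
# beneath HKLM\SYSTEM\Sandbox is not documented here, so the autostart filter
# simply matches key names ending in Run or RunOnce wherever they appear.
param(
    [string]$SandboxFolder = 'C:\sandbox',
    [string]$SandboxHive   = 'HKLM:\SYSTEM\Sandbox',
    [int]$RecentHours      = 24
)

$cutoff     = (Get-Date).AddHours(-$RecentHours)
$executable = '.exe', '.dll', '.sys', '.bat', '.cmd', '.ps1', '.vbs', '.js'

# Virtual file system: count everything, then list recently written
# executables and scripts, which are the first items to review.
if (Test-Path -LiteralPath $SandboxFolder) {
    $files = @(Get-ChildItem -LiteralPath $SandboxFolder -Recurse -File -Force -ErrorAction SilentlyContinue)
    'Virtual file system: {0} file(s) under {1}' -f $files.Count, $SandboxFolder
    $files |
        Where-Object { $_.LastWriteTime -ge $cutoff -and $executable -contains $_.Extension } |
        Sort-Object LastWriteTime -Descending |
        Select-Object LastWriteTime, Length, FullName |
        Format-Table -AutoSize
} else {
    "Virtual file system: $SandboxFolder not found (virtualization may be disabled)."
}

# Virtual registry hive: count keys, then dump values of any Run/RunOnce keys,
# which record autostart entries that were contained by the sandbox.
if (Test-Path -LiteralPath $SandboxHive) {
    $keys = @(Get-ChildItem -LiteralPath $SandboxHive -Recurse -ErrorAction SilentlyContinue)
    'Virtual registry hive: {0} key(s) under {1}' -f $keys.Count, $SandboxHive
    $autostart = $keys | Where-Object { $_.Name -match '\\(Run|RunOnce)$' }
    foreach ($key in $autostart) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $key.GetValue($name) }
        }
    }
} else {
    "Virtual registry hive: $SandboxHive not found (virtualization may be disabled)."
}
```

Run it from an elevated PowerShell 3.0 or later session on the endpoint, overriding `-SandboxFolder` if the working folder differs from the page's example.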
Automatically run unrecognized programs inside the Sandbox - If an attempt is made to run an executable that is not recognized by COMODO, the application is automatically executed within the Sandbox to safeguard the other files/applications in the system. For the applications run within the Sandbox automatically:
- A maximum of one third of the system memory can be allocated;
- The Restriction level is set to 'Limited'.
Exceptions -
- An application is not sandboxed automatically if it is defined as an Installer or Updater in Computer Security Policy under Defense+ Tasks > Advanced Tasks.
- An application is not sandboxed automatically if it is an installer or an application that requires administrative privileges. On execution of such applications, a 'Run with elevated privileges' request/alert is raised. The administrator can allow or block it from the alert dialog, depending on the trustworthiness of the publisher / vendor. Depending on the response, CIS trusts that publisher / vendor and allows all the files from the same publisher / vendor in future.
Automatically detect the installers/updaters and run them outside the Sandbox - On execution of an Installer or an Updater, the application is run outside the Sandbox. Select this option only if you are going to run installers/updaters from trusted vendors.
Automatically look-up/submit the pending/unrecognized programs online to COMODO for analysis - Instructs the Sandbox to monitor all the unrecognized files in the system and to initiate the file submission process automatically. The files are analyzed by Comodo technicians and added to the safe list or black list accordingly.
Automatically trust the files from the trusted installers - Files that are generated by trusted installers are also trusted. This means that they will not be sandboxed.
Alert Settings
Send Notifications for automatically sandboxed processes - By default, CIS will send a notification to the Administration Console whenever it runs an unknown application in the sandbox. Use this control to enable or disable these notifications.
Request timeout (seconds) – Enables the Administrator to specify the length of time (in seconds) for a request/alert generated by sandbox to expire.
Comodo Endpoint Security Manager | © 2010 Comodo Security Solutions Inc. | All Rights Reserved.

