Applications Running inside Sandbox
The 'Files' area lists the applications that the administrator has chosen to run in the sandbox on a permanent or long-term basis. This may include applications that the user suspects are not safe or has other concerns about (for example, the end user may wish to test beta software by running it in the sandbox). These applications will appear as normal programs in the system but will be run in the sandbox under a restricted set of privileges. They will not be allowed to access files on the real system, alter operating system settings or alter the registry entries corresponding to other applications.
The Files area can be accessed by clicking the 'Files' link under Sandbox in the Defense+ area.

Adding programs to run inside the Sandbox
1. Click the Add... icon. The 'Add File to Sandbox' dialog appears.

2. Click 'Browse'.

3. Select the computer from the left hand side pane. The file system in the selected computer will be displayed in the right hand side pane. Navigate to the executable and click 'OK'. The file name with the full path will now appear in the 'Add File to Sandbox' dialog.
4. Choose 'Restriction Settings'.
- Untrusted - The application is not allowed to access any of the Operating System resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. The restrictions on usage of system memory, operation with the virtual file system and registry, and execution time defined in Advanced Settings are imposed.
Note: Some of the applications that require user interaction may not work properly under this setting.
- Restricted - The application is allowed to access very few Operating System resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. The restrictions on usage of system memory, operation with the virtual file system and registry, and execution time defined in Advanced Settings are imposed.
Note: Some applications, such as computer games, may not work properly under this setting.
- Limited - Only selected Operating System resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges. The restrictions on usage of system memory, operation with the virtual file system and registry, and execution time defined in Advanced Settings are imposed.
- Unrestricted - No Operating System restrictions are applied, meaning the application is allowed to access all the Operating System files and resources, such as the clipboard. The restrictions on usage of system memory, operation with the virtual file system and registry, and execution time defined in Advanced Settings are still imposed.
5. Choose 'Advanced Settings'
The Advanced Settings tab lets you configure the restrictions on system resource usage and access to other files. Available options are:
- Limit maximum memory consumption - You can define how much of the system memory can be allocated for the application on execution by selecting this checkbox and entering the memory (in MB) in the combo box beside it.
- Limit the program execution time - You can define how long the program can be allowed to run by selecting this checkbox and entering the time (in seconds) in the combo box beside it.
- Enable file system virtualization - The sandboxed applications are not permitted to modify the files in your 'real' file system. Enabling file system virtualization instructs the Sandbox to create a virtual file system in your system. The application added to the sandbox writes any data only into the created virtual file system, instead of affecting and potentially causing damage to your real file system. If you disable this option, the application may not function correctly because it is not able to create the entries that it needs to.
Note for advanced users: The virtual file system is created inside the Sandbox working folder (e.g. c:\sandbox\
- Enable registry virtualization - The sandboxed applications are not permitted to access and modify the entries in your 'real' Windows Registry hives. Enabling registry virtualization instructs the Sandbox to create a virtual registry hive in your system. The application added to the Sandbox writes any entries pertaining to it only into the created registry hive, instead of affecting and potentially causing damage to your real registry hives. If you disable this option, the application may not function correctly because it is not able to create the entries that it needs to.
Note for advanced users: The virtual registry hive is created as HKEY_LOCAL_MACHINE\SYSTEM\Sandbox\ ... for the sandboxed applications to write their registry values.
6. Click 'OK' for your settings to take effect.
From this point onwards the application will be run in the sandbox.
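To review what a sandboxed application wrote into the two virtual stores described in the notes for advanced users, the following PowerShell script lists recent files and registry values found there. It is an added example, not part of the product or its documentation; it assumes the working folder is C:\sandbox (the page gives this only as an example) and enumerates everything below HKLM:\SYSTEM\Sandbox recursively, because the layout beneath those roots is not documented here.

```powershell
# Added example: audit the sandbox's virtual file system and virtual registry hive.
# Assumptions: working folder C:\sandbox, hive root HKLM:\SYSTEM\Sandbox.
# Run from an elevated prompt so that all keys and files are readable.
param(
    [string]$SandboxFolder = 'C:\sandbox',
    [string]$SandboxHive   = 'HKLM:\SYSTEM\Sandbox',
    [int]$Days = 7                      # only show files written in this window
)

$since = (Get-Date).AddDays(-$Days)

# Files the sandboxed applications wrote to the virtual file system, newest first.
if (Test-Path -LiteralPath $SandboxFolder) {
    Get-ChildItem -LiteralPath $SandboxFolder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Sort-Object LastWriteTime -Descending |
        Select-Object LastWriteTime, Length, FullName |
        Format-Table -AutoSize
} else {
    Write-Warning "Sandbox working folder not found: $SandboxFolder"
}

# Registry values the sandboxed applications wrote to the virtual hive.
if (Test-Path -LiteralPath $SandboxHive) {
    Get-ChildItem -LiteralPath $SandboxHive -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = if ($name) { $name } else { '(Default)' }
                    Kind  = $key.GetValueKind($name)
                    # Do not expand %VAR% strings, so the raw written data is shown.
                    Data  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                }
            }
        } |
        Format-Table -AutoSize -Wrap
} else {
    Write-Warning "Virtual registry hive not found: $SandboxHive"
}
```

Entries that mirror autorun locations or system directories show what the application attempted to change on the real system while it was confined.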
To edit the Restriction Settings/Advanced Settings for an application in the sandbox
- Double click on the application or click the edit icon. The Edit File dialog will appear.

- Edit the settings as explained above.
To remove an application from the sandbox
- Select the application and click the Delete icon. Click 'Yes' in the confirmation dialog.
- Next time you execute this application it will run outside of the sandbox (presuming it is not then detected as malicious or automatically sandboxed as per the sandboxing process).
Comodo Endpoint Security Manager | © 2010 Comodo Security Solutions Inc. | All Rights Reserved.

