Always Sandbox
The 'Always Sandbox' area lists those applications which the user has decided should be executed in the sandbox on a permanent or long term basis. This may include applications that the user suspects are not safe or has other concerns about (for example, you could test beta software by running it in the sandbox). These applications will appear as normal programs in your system but will be run in the sandbox under a restricted set of privileges. They will not be allowed to access files on your real system, alter operating system settings or alter the registry entries corresponding to other applications.
To open the 'Always Sandbox' interface, click Defense+ > Computer Security policy > Always Sandbox.
To (permanently) add programs into the sandbox
- Click 'Add...' from the 'Always Sandbox' interface. This will open the 'Add a Program to Sandbox' dialog.
- Click 'Select' and browse to the file or currently running process that you wish to sandbox.
- Click 'Open'. In the example below, we are adding opera.exe.
- Choose 'Restriction Settings':
  - Untrusted - The application is not allowed to access any of the Operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. The restrictions on usage of system memory, operation with virtual file system and registry and execution time defined in Advanced Settings are imposed.
    Note: Some of the applications that require user interaction may not work properly under this setting.
  - Restricted - The application is allowed to access very few Operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. The restrictions on usage of system memory, operation with virtual file system and registry and execution time defined in Advanced Settings are imposed.
    Note: Some of the applications like computer games may not work properly under this setting.
  - Limited - Only selected Operating System resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run without Administrator account privileges. The restrictions on usage of system memory, operation with virtual file system and registry and execution time defined in Advanced Settings are imposed.
  - Partially Limited (Default) - The application is allowed to access all the Operating system files and resources like clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. The restrictions on usage of system memory, operation with virtual file system and registry and execution time defined in Advanced Settings are imposed.
Use the Advanced Settings tab to configure the restrictions on system resource usage and access to other files. Available options are:
- Limit maximum memory consumption - You can define how much of the system memory can be allocated for the application on execution by selecting this checkbox and entering the memory (in MB) in the combo box beside it (Default = Disabled).
- Limit the program execution time - You can define how long the program can be allowed to run by selecting this checkbox and entering the time (in seconds) in the combo box beside it (Default = Disabled).
- Enable file system virtualization - The sandboxed applications are not permitted to modify the files in your 'real' file system. Enabling file system virtualization instructs the Sandbox to create a virtual file system in your system. The application added to the sandbox writes any data only into the created virtual file system, instead of affecting and potentially causing damage to your real file system. If you disable this option, the application may not function correctly because it is not able to create the entries that it needs to (Default = Enabled).
  Note for advanced users: The virtual file system is created inside the Sandbox working folder (e.g. c:\sandbox
- Enable registry virtualization - The sandboxed applications are not permitted to access and modify the entries in your 'real' Windows Registry hives. Enabling registry virtualization instructs the Sandbox to create a virtual registry hive in your system. The application added to the Sandbox writes any entries pertaining to it only into the created registry hive, instead of affecting and potentially causing damage to your real registry hives. If you disable this option, the application may not function correctly because it is not able to create the entries that it needs to (Default = Enabled).
  Note for advanced users: The virtual registry hive is created as HKEY_LOCAL_MACHINE\SYSTEM\Sandbox ... for the sandboxed applications to write their registry values. The virtual registry hive is not created even on enabling this setting here, if registry virtualization is disabled in Sandbox Settings.
- Click 'OK' for your settings to take effect.
From this point onwards the application will be run in the sandbox. If you wish to remove it at a later date, simply highlight it in the list and click 'Remove'. If you want to run an application in the sandbox on a 'one off' basis, use 'Run a Program in the Sandbox' instead.
- To edit the restriction settings for an application included in the sandbox, select the application and click 'Edit'.
- To remove an application from the sandbox, select the application and select 'Remove'. The next time you execute this application it will run outside of the sandbox (presuming it is not then detected as malicious or automatically sandboxed as per the sandboxing process).
- To remove invalid entries (programs/files that are not present or uninstalled from your computer) automatically, click 'Purge'.
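The two notes for advanced users above name where virtualized writes end up, which makes those locations the place to review what a sandboxed program tried to change. The script below is an added example, not Comodo code: it lists recently written files under the Sandbox working folder and the keys holding values under the virtual registry hive. The default locations are the ones given in this guide; the parameter names, the 24-hour window and the extension list are assumptions.

```powershell
# Added example, not part of the product. Defaults are the locations named in
# this guide's notes; pass your own if your Sandbox working folder differs.
param(
    [string]$SandboxFolder = 'C:\sandbox',            # example folder from the guide
    [string]$SandboxHive   = 'HKLM:\SYSTEM\Sandbox',  # virtual hive root from the guide
    [int]$SinceHours       = 24                       # assumed review window
)

$cutoff = (Get-Date).AddHours(-$SinceHours)
$exeExt = '.exe', '.dll', '.sys', '.bat', '.cmd', '.ps1', '.vbs'  # assumed list

# Files that sandboxed programs wrote into the virtual file system.
$files = @()
if (Test-Path -LiteralPath $SandboxFolder) {
    $files = Get-ChildItem -LiteralPath $SandboxFolder -Recurse -File -Force `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        Select-Object LastWriteTime, Length, FullName,
            @{ n = 'Executable'; e = { $exeExt -contains $_.Extension.ToLower() } }
} else {
    Write-Warning "No virtual file system found at $SandboxFolder"
}

# Registry keys that sandboxed programs created in the virtual hive.
$keys = @()
if (Test-Path -LiteralPath $SandboxHive) {
    $keys = Get-ChildItem -LiteralPath $SandboxHive -Recurse `
                -ErrorAction SilentlyContinue |
        Where-Object { $_.ValueCount -gt 0 } |
        Select-Object @{ n = 'Key'; e = { $_.Name } }, ValueCount, SubKeyCount
} else {
    # Per the guide, the hive is absent when registry virtualization is
    # disabled in Sandbox Settings, even if enabled for the application.
    Write-Warning "No virtual registry hive found at $SandboxHive"
}

# Executable content dropped inside the sandbox is listed first.
$files | Sort-Object @{ e = 'Executable'; Descending = $true }, LastWriteTime |
    Format-Table -AutoSize
$keys | Sort-Object Key | Format-Table -AutoSize
```

Keys and folders the current account cannot read are skipped silently because of -ErrorAction SilentlyContinue, so run the script elevated for a complete listing.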
Comodo Internet Security User Guide | © 2012 Comodo Security Solutions Inc. | All rights reserved