comodo sandbox elevating privelege

I have used the latest version of comodo firewall and it works perfectly with my system and no compatibility problems. I use it because i think it's the best firewall as of now, and it's very easy to use and configure, by the way i'm an average computer user. I always use a limited account in my windows xp, as my first line of defense in windows security, and i also use surun if i have an application that requires adminitrative privilege. What i notice when i used comodo firewall, is that i can use an application in my limited account that requires an administrator privilege by simply putting these applications in "always sandbox" option in defense+ tab, even though i do not elevate this applications using surun. Is this normal in comodo sandox to elevate an application in a limited account. Thanks

I haven't used Comodo Firewall for a long time, but that doesn't sound right (the fact that Comodo effectively elevates an application from having Limited rights to having Administrator rights). You should report it to the Comodo devs.

Yup, i think so, it doesn't sound right. Actually, i follow you security setup, so i always use limited account, implement srp, and use surun to elevate some applications that needs admin rights. I just notice that even though i do not give surun a permission to elevate those applications i use that needs admin rights, by simply putting it in comodo sandbox(manual), i can now use those applications in my limited account without a problem. I think i have to report it to comodo. Is there anyone in this forum experience this?

Perhaps you can give a few steps to reproduce the problem? I could test it with Sandboxie too.

Well, if you can test the comodo firewall in virtualbox, i am very certain that it really elevate the privilege of an application in limited account, so you can reproduce it. In fact, to verify my observation, i uninstall surun in my windows xp, to make sure that there will be no reason for an application to elevate it's privilege under limited account. After i uninstall surun, i launched my applications that needs admin rights in my limited account, and as expected, of course it will not run. But , when i start to put those applications that needs admin rights under the comodo sandbox(manual), to be specific, is when i put those applications in "always sandbox" options in defense+ tab, in my surprise, i can now use those applications that needs admin rights under limited account without a problem, even though i uninstalled surun in my system. I hope you can reproduce the issue in virtualbox, for you to know what i mean. And i forgot to say, my restriction level under comodo sandbox(manual) is limited.

I'll need to know exactly what application you're running sandboxed (and download link for it). Currently, I can't think of an application that absolutely needs Administrator rights to run.

Ok, one of these programs is garena client. This is a program used to connect to other players in the internet. When im in a limited account in windows xp, i cannot run this application, it needs admin account, so i elevate it using surun. but after i uninstalled surun, i just put it in comodo sandbox(manual), and now i can use it in my limited account with no problems. I try to put the link to download this application, but i am not allowed, because it says that im only a new member, and needs 7 days past before i can put a link. Search for garena client in google, or go to garena.com

I don't think I can test that application properly since I don't have an account to login with. I can get to the login screen in a LUA on a cleanly installed Windows XP, SP3. Presumably Admin rights are required to go beyond that?

yup, you're definitely right, you cannot login in garena client if you don't have an admin account, thats why i elevate it using surun. But now i am using it in my limited account under comodo sandbox without problem, even though i already uninstalled surun in my system, that's strange..

you can use my account to try to login in garena client under limited account, to verify that you can't use this application under limited account, or you can register yourself.

Okay I think I've worked it out. I can also reproduce the same thing with Sandboxie, which pretty much gives away the reason for this behaviour.

This application requires writing access into the C:\Program Files folder in order to run. When you try to run the application with Limited rights, it won't work, as Limited users can't write into the C:\Program Files folder.

However, when you run it sandboxed, you are sort of "tricking" the application so that it thinks it can write into the (sandboxed) C:\Program Files folder. With Sandboxie, this Program Files folder is (created) inside C:\Sandbox. Limited users can write within this C:\Sandbox folder. The REAL path of this folder will be something like:
C:\Sandbox\Limited User Account\DefaultBox\drive\C\Program Files\Garena Classic

Presumably Comodo's sandbox does something similar to Sandboxie's. Therefore, you aren't running the sandboxed application with Administrator rights - you're running it with Limited rights - SuRun actually confirms that it's running with Limited rights too (with the Green smiley face).

thanks for the explanation, i understand it now clearly, i just thought that it gains admin rights because i use it in limited account, even without using surun. The same goes maybe with other applications i have. This forum is great, thanks again