Antivirus green border around apps

What is causing some apps to get a green border put around them by Comodo antivirus?

Hello @derrick.kleckner ,

When an app is running with a green border around the window, that means the app is running sandboxed. To exclude an app from Sandbox, you should either create an Ignore rule in the sandbox that will apply to that file (e.g. create an Ignore rule for the file C:\Program Files\Program_that_is_sandboxed\Sandboxed_program.exe), or move the file from the Unrecognized list to Trusted. In the first case the program will always run unrestricted as long as it is being launched from the same path; in the second case it will run unrestricted regardless of the profile applied on the endpoints or the path from where the program is running. However, you should keep in mind that in the second case the whitelisting is based on the file hash, so if the program is updated or changed somehow (the file hash will be changed), the program will run sandboxed again.

In both cases you should be extra cautious about what you whitelist - the Sandbox module is the most important module against 0-day threats (including cryptolockers), therefore whitelisting too general a path (e.g. C:\Program Files*) or files without a thorough investigation might lead to system infection.

I appreciate it. The issue I am having is that when they open an email in Outlook and open an attached PDF, it's opening Adobe Acrobat in Sandbox mode. When they save the file to their desktop they don't get this issue, just when they open it within an email. What would be best practice to care for this issue?

Hello @derrick.kleckner ,

The option that controls this behavior is "Do heuristic command-line analysis for certain applications". To enable/disable this option, in the profile that is being used by the endpoints, please go to the HIPS section and uncheck this option. Please note that even if the HIPS module is disabled, this option is still enabled, so in order to disable it you will have to enable HIPS, disable the option, wait a few minutes for the profile to be pushed out to the endpoints, and then you can disable HIPS again.