How to run a sandbox on Windows 10. Tools for running applications in a virtual environment

It is no secret that, as they get to know an operating system, many users start trying more and more of its features; appetite, as they say, comes with eating. Nor is it unusual to want to try another operating system, or a newer version of the one already installed. The question is how to do this without touching the key components of the working system, without risking important data, and with a way back if something goes wrong. The answer is virtualization.

A virtual machine is a kind of "computer inside a computer": a full computer emulated in software. With it you can experiment freely, because the consequences stay inside the guest and do not reach the "parent" machine. It is a "sandbox" in which unruly children, the programs, can play without damaging the host's software, let alone its hardware. Even the Windows user's nightmare, a system crash, leaves the user's data untouched. Those who like to experiment with unfamiliar software can run it in the virtual environment first; running a program in an isolated environment before trusting it is, incidentally, one of the main techniques modern antivirus products use to check it.

Like everything else, virtualization has its costs: a running guest OS takes part of the host's resources. The main constraint is RAM, since the guest's memory is carved out of the host's, and both suffer if the split is wrong. A common rule of thumb is to give a virtual machine no more than half of the physical RAM; the lower limit is set by the guest's own system requirements. The GPU has to be shared in the same way.

Because of the way virtualization works, data exchange between the two systems also has to be set up explicitly: isolation has its price, and the guest cannot see the host's file system. For this, shared folders are used, directories into which the files to be transferred are placed; the guest attaches them as network drives, which also have to be configured. Bear in mind that a shared folder is also the one path by which something running in the guest can write to the host, so when testing untrusted software keep it to a minimum, and make it read-only if the tool allows. USB device support in a virtual machine is still a headache.

There is a wide variety of virtualization software available today, but three products stand out: VMware Workstation, Windows Virtual PC and Oracle VM VirtualBox. They offer the most complete set of virtualization features. Below they are compared from the point of view of home use.

VMware Workstation

VMware Workstation is an excellent virtualization tool. The developers claim support for more than 200 guest operating systems, each of which can be given up to 32 GB of RAM. The program is positioned as a tool for software developers and testers, and it is paid. The interface is designed accordingly: to feel at home in it, you need basic knowledge of installing and configuring virtual machines. On the plus side are improved 3D hardware acceleration, full support for visual effects such as Aero in Windows 7, and support for both 32- and 64-bit guests. Not every user, however, will agree to pay $133 for it.

Windows Virtual PC

It is positioned as a free product from Microsoft, which determines its main characteristics. First of all, it is designed to virtualize the work of the Windows family of operating systems in order to ensure compatibility of programs with Windows 7. It is quite easy to install and use, there is support for USB devices. One of the features is support for displaying different operating systems on multiple monitors. It should be noted that Virtual PC often refuses to work with multiple cores on multi-core processors, which reduces its effectiveness. Users wishing to install Linux will have to find other solutions - there is no official support for running Linux as a guest OS. Otherwise, we can recommend Windows Virtual PC as software for home use.

It is a mistake to believe that the operating system's built-in protection, an antivirus or a firewall will protect completely against malware. And the harm is not always as obvious as with viruses: some applications slow Windows down and cause anomalies of various kinds. Over time the effects of uncontrolled processes left behind by "amateur" software make themselves felt, and uninstalling, deleting registry keys and other cleanup methods no longer help.

In such situations the sandbox programs this review is devoted to can be of great service. Their principle of operation is partly comparable to virtual machines (Oracle VM VirtualBox, VMware and others). Thanks to virtualization, every process the program starts runs inside the sandbox, an isolated environment with strict control over system resources.

This method of code isolation is used actively in antivirus software (KIS 2013, avast!) and in programs such as Google Chrome (Flash runs in a sandbox). One should not conclude, however, that sandbox programs are a complete guarantee of security. They are just one effective additional means of protecting the OS (file system, registry) from outside influence.

A review of one program for creating a virtual environment has already been published on this site. Today other applications are considered, in a broader sense: not only desktop solutions but also cloud services, which improve not only security but also anonymity and make it possible to run applications from removable media or from another computer.

Sandboxie

Developer Ronen Tzur compares the effect of Sandboxie to an invisible layer laid over a sheet of paper: you can write anything on it, and when the layer is removed the sheet is as it was.

There are 4 main ways to use sandboxes in Sandboxie:

  • Secure internet surfing
  • Privacy Improvement
  • Secure Email Correspondence
  • Keeping the OS in its original state

The last point means you can install and run any client application in the sandbox (browsers, instant messengers, games) without affecting the system. Sandboxie controls access to files, disk devices, registry keys, processes, drivers, ports and other potentially sensitive resources.

First of all, Sandboxie is useful because it lets the user flexibly configure sandboxes and their privileges through the Sandboxie Control shell. Its context and main menus give access to the main operations:

  • Starting and stopping programs controlled by Sandboxie
  • Viewing files inside a sandbox
  • Restoring the files you need from the sandbox
  • Deleting all work or selected files
  • Creating, deleting, and configuring sandboxes

To run a program in the sandbox, just drag its executable into the Sandboxie Control window, onto the sandbox created by default. There are other ways too, for example the Windows Explorer context menu or the notification area icon. The window of a program running in the emulated environment has a yellow border and a hash mark (#) in its title.

If a sandboxed program saves its results to disk, you can specify any destination you like; the files are actually written into the sandbox folder, and nothing appears at the specified path outside the sandbox. To really move files out of the sandbox, use recovery. There are two kinds, quick and immediate; in both cases the folders to recover from are configured before the program is started ("Sandbox Settings - Recovery").

More detailed access settings are in the "Restrictions" and "Access to resources" sections. They may be needed when an application cannot run without certain privileges (it requires a particular system library, driver and so on). In "Restrictions", for individual programs or groups, access to the Internet, to hardware and to IPC objects is configured, as well as low-level access. In "Access to resources" are the corresponding settings for files, directories, the registry and other system resources.

There is also an important "Applications" section in the Sandboxie settings, which holds groups of programs that are granted access to specified resources. Initially all items in the list are disabled; to apply the changes to a particular application, mark it in the list and click "Add".

In this way sandboxes with different parameters can be created. The configuration of an existing sandbox can be cloned: when creating a new one, choose the environment whose settings to copy from the drop-down list.

Summary

With Sandboxie you can create virtual environments of any configuration. The program offers a large number of settings both for individual applications and for whole sandboxes.

[+] Flexible configuration of each sandbox
[+] Creating rules for a group of applications
[-] Cannot package applications into standalone distributions
[-] No setup wizard

Evalaze

It is telling that Evalaze descends from the Thinstall product of 2007, which now belongs to VMware.

Evalaze is less well known than Sandboxie among sandboxing programs, but it has a number of interesting features that set it apart from similar solutions. Thanks to virtualization, applications can be run in a standalone environment on any computer, regardless of which drivers or libraries are installed there, or whether a newer version of the application is already present. No preliminary configuration is needed, and no extra configuration files, libraries or registry keys.

Evalaze needs no installation, with one caveat: Microsoft .NET Framework 2.0 or later is required. In the free version, as in the professional edition, a virtualization setup wizard and an unlimited number of virtual applications are available. A trial version can be downloaded from the developers' site only on request (see the developers' e-mail address on the site).

The resulting configuration can be saved as a project. From start to finish, setting up a virtual application takes longer than in, say, Sandboxie, but the process is more consistent and straightforward.

Two further Evalaze features deserve mention, and are likely to interest software developers and testers: the virtual file system and the virtual registry. These standalone Evalaze environments can be edited at will, adding the files, directories and keys a particular virtual program needs to run.

Evalaze can also set up file associations out of the box: on start-up, the virtual application immediately creates the necessary associations with file types in the OS.

Summary

A program for creating standalone applications that are convenient in all sorts of situations, which in general eases migration, compatibility and security. Alas, the free version is practically useless; it is only good for a very superficial look at what Evalaze can do.

[-] Poorly functional trial version
[-] The high price of the Pro version
[+] There is a setup wizard
[+] Virtual file system and registry

Enigma Virtual Box

Enigma Virtual Box is designed to run applications in an isolated virtual environment. The list of supported file types includes dll and ocx (libraries), avi and mp3 (multimedia), txt and doc (documents), and so on.

Enigma Virtual Box builds the virtual environment around the application as follows. Before the application starts, the Enigma Virtual Box loader runs; it reads the components the program needs to work (libraries and others) and supplies them to the application in place of the system ones. As a result, the program runs independently of the OS.

Configuring a Sandboxie or Evalaze sandbox usually takes about five minutes. At first glance, Enigma Virtual Box does not require lengthy configuration either: in the documentation, using the program fits in a single sentence.

There are only four tabs: "Files", "Registry", "Containers" and, of course, "Options". You select an executable, specify where the result goes and start processing. But then it turns out that the virtual environment has to be built by hand. The three neighbouring sections, "Files", "Registry" and "Containers", are for this: the necessary data is added there manually. After that you can start processing, run the output file and check that the program works.

Summary

So Enigma Virtual Box has no analysis of the OS before and after the application is installed, as Evalaze does. The emphasis is on development, so Enigma Virtual Box is useful rather for testing, checking compatibility and creating artificial conditions for running a program. Virtualizing an unknown application will be difficult, since the user has to specify all of the program's dependencies on their own.

[-] Lack of convenient setting
[+] The resources used by the program can be determined independently

Cameyo

Cameyo offers application virtualization in three areas: business, development and personal use. In the last case, the sandbox can be used to keep the OS in a "clean" state and to store and run applications on removable media and cloud services. In addition, several hundred ready-made virtual applications are published on the cameyo.com portal, which also saves the user time.

The steps for creating a virtual application are similar to Evalaze: a snapshot of the system is taken before the installation, then another one after it, and the difference between the two states goes into the sandbox. Unlike the desktop tools, however, Cameyo synchronizes with a remote server and publishes the application to the cloud. Thanks to this, applications can be run on any computer that has access to the account.

Through the Library you can download popular system applications (Public Virtual Apps) and launch them later: archivers, browsers, players and even antiviruses. On start-up you are asked to select the executable and to indicate whether it runs stably or not (which, apparently, the moderators of the Cameyo gallery somehow take into account).

Another interesting feature is creating a virtual application online. The installer can be uploaded from your computer, or you can specify its URL.

According to the developers, conversion takes 10 to 20 minutes, but the wait is often several times shorter. On completion, an e-mail notification with a link to the published package is sent.

Email notification about distribution creation

For all the conveniences of the cloud, three points must be noted. First, every program is updated from time to time, and the library contains rather outdated copies. Second, applications added by users may violate the licence of the program in question; this must be understood and taken into account when creating your own distributions. Third, nobody can guarantee that a virtual application posted in the gallery has not been modified by an attacker.

As for security, Cameyo has four application modes:

  • Data mode: the program can save files in the Documents folder and on the Desktop
  • Isolated: no writability in the file system and registry
  • Full access: free access to the file system and registry
  • Customize this app: modifying the launch menu, choosing where to store the program, etc.

Summary

A convenient cloud service that can be used from any computer and lets you quickly create portable applications. Sandbox configuration is reduced to a minimum, and not everything is transparent about virus scanning and security in general; in this case, however, the advantages can make up for the drawbacks.

[+] Network synchronization
[+] Access to custom applications
[+] Create virtual applications online
[-] Lack of sandbox settings

Spoon.net

Spoon Tools is a set of tools for creating virtual applications. Besides being a professional environment, spoon.net deserves attention as a cloud service that integrates with the Desktop and lets you quickly create sandboxes.

To integrate with the Desktop, you need to register on the spoon.net server and install a special widget. After registering, the user can download virtual applications from the server through a convenient shell.

Four features brought by the widget:

  • Create sandboxes for files and applications
  • Tidying up the desktop with shortcuts, quick launch menu
  • Safe testing of new applications, running legacy versions on top of new ones
  • Undo changes made by the sandbox

The spoon.net widget is reached quickly with the Alt + Win keyboard shortcut. The shell includes a search box that doubles as a console; it searches for applications both on the computer and on the web service.

The desktop organization is very convenient: you can drag the necessary files onto the virtual desktop, which is synchronized with spoon.net. New sandboxes are created in just two clicks.

In terms of configuring sandboxes, of course, Spoon cannot compete with Sandboxie or Evalaze, for the simple reason that there are no such settings in Spoon. You cannot set restrictions or convert a "regular" application into a virtual one; the Spoon Studio suite is intended for that.

Summary

Spoon is the "cloudiest" shell for working with virtual applications and, at the same time, the least configurable. It will appeal to users who care less about security through virtualization than about the convenience of having the programs they need available everywhere.

[+] Widget integration with Desktop
[+] Quick creation of sandboxes
[-] Lack of settings to limit virtual programs

Summary table

Program/service                         | Sandboxie              | Evalaze                     | Enigma Virtual Box                   | Cameyo   | Spoon.net
----------------------------------------|------------------------|-----------------------------|--------------------------------------|----------|---------------------
Developer                               | Sandboxie Holdings LLC | Dogel GmbH                  | The Enigma Protector Developers Team | Cameyo   | Spoon.net
License                                 | Shareware (€13+)       | Freeware/Shareware (€69.95) | Freeware                             | Freeware | Free (Basic account)
Adding applications to the sandbox      | +                      |                             |                                      |          |
Personalization (shortcuts, menus)      | +                      | +                           |                                      | +        | +
Setup wizard                            |                        | +                           |                                      | +        | +
Creating new virtual applications       |                        | +                           | +                                    | +        |
Online synchronization                  |                        |                             |                                      | +        | +
Setting sandbox privileges              | +                      | +                           | +                                    | +        |
Analysis of changes when creating a box |                        | +                           |                                      | +        | +

The Sandboxie program creates an isolated environment on the computer. An isolated environment or "sandbox" is an environment where running programs do not have direct access to system files and important computer settings.

The processes that take place in a running program are isolated from the rest of the system. At the same time, the operating system is protected from changes that may occur when a potentially dangerous program is launched.

You can use the isolated environment to run an unknown program, or visit a potentially dangerous site after launching a browser, without risking your computer.

If malware does get onto the computer this way, it has no access to system files and cannot modify them, and when the isolated environment is closed, everything that entered it is deleted.

You can create your own isolated environment using specialized programs that restrict access to system files. One such program is the Sandboxie program.

The Sandboxie program is a sandbox for potentially dangerous and unfamiliar programs, as well as for safe surfing the Internet.

Sandboxie is shareware. After 30 days the program asks you to switch to the paid version, but most of its functions keep working in free mode for as long as you like; only certain features are disabled (for example, running several sandboxes at the same time).

You can download the Sandboxie program from the official website of the manufacturer.

Sandbox download

After downloading Sandboxie, run the installer. In the installer's first window, select the interface language.

In the next window, agree to install the Sandboxie driver, then click "Next". The driver runs in kernel mode and is what actually enforces the isolation, so the installer cannot do without it. In the last window, click "Finish".

The program can be launched from the Start menu => All Programs => Sandboxie. There are several points for launching the program for specific purposes.

The Sandboxie program can also be launched from the Notification Panel (tray) by clicking on the program icon. From the shortcut on the Desktop, you can launch the browser in the sandbox, the one that is selected as the default browser on your system.

Launch Sandboxie to make some tweaks to the program. The main window of the program displays the isolated environment created by default - the "sandbox".

Now consider this question: how to set up Sandboxie.

Sandbox setup

To configure the program, right-click on the name of the "sandbox". After that, in the context menu, click on the "Sandbox Settings" item.

In the settings window of the sandbox - "DefaultBox", in the "Behavior" section, you can check the box next to the item "Do not show the Sandboxie indicator in the window title" if you do not want the windows of programs opened in the "sandbox" to be marked with a special icon. You can do this at your discretion.

When you click on the yellow box, in the "Color" window that opens, you can select a color to display a thin border around the window of the program running in the "sandbox". After these settings, if you have changed something in the program settings, click on the "Apply" button.

In the "Recovery" section, in the "Quick Recovery" subsection, you can select folders for quick recovery if you want to change the program's default settings.

In the Immediate Recovery subsection, you can exclude files, folders, or file extension types from immediate recovery if these files are saved by a program running in the sandbox.

In the "Deletion" section, in the "Deletion suggestion" subsection, you can check the box "Never delete this sandbox or clean up its contents" in order not to lose the data stored in the sandbox.

In the "Restrictions" section, in the "Internet Access" subsection, you can add programs to the list or remove programs from the list of programs that can access the Internet. You can allow or block programs from accessing the Internet when they are in a secure environment. If you click on the block all programs button, then all programs running in the sandbox will be blocked from accessing the Internet.

In the "Applications" section, you can choose the rules of behavior for various programs running in the Sandboxie program.

In the "Sandbox" menu, the "Set storage folder" item lets you change the drive on which sandboxes are stored if drive C: is short on space. By default they live under C:\Sandbox\<user name>\<sandbox name>.

After clicking on the “Create a new sandbox” item, you can create an unlimited number of sandboxes, each with its own settings, in order to run programs with different behavior settings from your sandbox.

This mode of launching several sandboxes at the same time works only in the paid version of the program, after the end of the trial period of working with the program.

Each virtual space works separately, sandboxes are isolated from the system and from each other. By default, the application offers one isolated Sandbox DefaultBox.
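Every setting the walkthrough above reaches through Sandboxie Control is stored as a line in the Sandboxie.ini file that the driver reads (the Configure menu of Sandboxie Control can open and reload it). The fragment below is an added example, not configuration from this article or shipped with Sandboxie: it is a DefaultBox hardened for running downloads from the browser, with each block marked with the GUI section it corresponds to. The key names are Sandboxie.ini keys; the browser name, the user name and the Firefox profile path are assumptions for illustration, and the exact set of supported keys depends on the Sandboxie version, so check the reference for yours.

```ini
[GlobalSettings]
; "Set storage folder" in the GUI. This is Sandboxie's default location;
; change the drive here if C: is short on space.
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%

[DefaultBox]
Enabled=y
ConfigLevel=7

; Behavior: colour of the thin border drawn around sandboxed windows
; (",ttl" = only while the mouse is over the title bar)
BorderColor=#00FFFF,ttl

; Recovery: folders watched for Immediate Recovery
; (the GUID is the Windows known-folder id of Downloads)
AutoRecover=y
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
RecoverFolder=%Favorites%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%

; Deletion: wipe the box when its last program exits.
; For a box whose contents must survive, use NeverDelete=y instead.
AutoDelete=y

; Restrictions > Internet Access: no network for any sandboxed program
; except the browser ("!" means "every program except this one").
; NotifyInternetAccessDenied shows a message instead of failing silently.
ClosedFilePath=!firefox.exe,InternetAccessDevices
NotifyInternetAccessDenied=y

; Restrictions > Drop Rights: sandboxed programs never run as administrator
DropAdminRights=y

; Access to resources > File Access: only the browser may see its own
; profile, so a sandboxed downloader cannot read saved passwords or cookies
; (profile path is an assumption for a default Firefox install)
ClosedFilePath=!firefox.exe,%AppData%\Mozilla\Firefox\Profiles

; File Migration ("Transferring files" in the GUI): largest file Sandboxie
; will copy into the box when a sandboxed program opens it for writing
CopyLimitKb=49152

; Forced folders: anything started from Downloads runs in this box
; automatically (user name is an assumption)
ForceFolder=C:\Users\alice\Downloads
```

Two caveats a practitioner should keep in mind. The Internet block works by denying the sandboxed process access to the network device objects; it is not a firewall, so it says nothing about programs running outside the box. And `DropAdminRights` with the closed paths above limits what a sandboxed program can reach, but the isolation itself is enforced by the kernel driver: a program that exploits the driver or the kernel is outside anything these settings control.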

How to use Sandbox

First way. In order to run the program in safe mode, right-click on the name of the "sandbox" and in the context menu click on the "Run in sandbox" item. In the list of launch items, you can select the appropriate item to launch the program.

You can launch a browser, the default email client, and launch any program from here or from the Start menu. You can also start Explorer in a safe environment if you click on the "Start Windows Explorer" item.

Explorer then runs in the protected environment. To close it, right-click the program's entry in the "Manage Sandboxie" window and choose "End Program" from the context menu, or simply close Explorer as usual with the close button.

Second way. It's even easier to run the program in Sandboxie by simply clicking on the program's folder or shortcut, and then selecting "Run in Sandbox" from the context menu.

If you have created several sandboxes, Sandboxie will prompt you to select the desired sandbox to run the program. Select the isolated environment, and then click on the "OK" button.

After that, the program is launched in an isolated environment. When you hover over a program running in the sandbox, a thin colored border will be visible around the program window.

File Recovery in Sandboxie

The Sandboxie program does not allow files from a program running in a sandbox to enter the operating system without your permission. All files created by the program or downloaded from the Internet will by default be deleted after the sandbox is closed.

Working in the Sandboxie program, you can create and save files in regular folders on your computer. These files will not be visible until you give Sandboxie permission to transfer data from the sandbox to the regular environment.

After you have downloaded any files from the Internet using a browser running in an isolated environment, these files will be located in the place where downloads are saved on your computer.

But, you will not see these files while they are in the sandbox. You will need to move these files from the isolated environment to the regular environment.
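Where the files actually are while they "sit in the sandbox", and a way to look at them before recovering anything, is what the first review (files placed in the sandbox folder, not at the path the program chose) and this section both describe. Sandboxie keeps everything a sandboxed program writes under the sandbox folder (by default C:\Sandbox\<user>\<sandbox name>) in a tree that mirrors the real system: drive\C\... for C:\..., user\current\... for the current user's profile, user\all\... for the all-users profile, user\public\... for the public profile, and a RegHive file holding the registry writes. The script below is an added example, not code from this article or from Sandboxie: given such a listing it maps every file back to the real path it shadows and flags the places a freshly downloaded program has no business writing to (startup folders, system directories, browser profile data). The directory listing is constructed, the profile locations are assumptions for a default Windows install, and the path handling is pure string logic so it runs on any OS.

```python
import ntpath

# Sandbox folder layout (root is C:\Sandbox\<user>\<box> by default):
#   drive\<L>\...    shadow of <L>:\...
#   user\current\... shadow of the current user's profile
#   user\all\...     shadow of the all-users profile
#   user\public\...  shadow of the public profile
#   RegHive          hive file holding the sandboxed registry writes
# Profile locations below are assumptions for a default Windows install.
PROFILE_ROOT = "C:\\Users"
ALL_USERS = "C:\\ProgramData"
PUBLIC = "C:\\Users\\Public"

STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"
BROWSER_PROFILES = (r"\appdata\local\google\chrome\user data",
                    r"\appdata\roaming\mozilla\firefox")
SUSPICIOUS = {"persistence", "system", "browser-profile"}

# Constructed sample listing: what a sandboxed "setup.exe" left behind,
# as a recursive directory listing under the sandbox root would show it.
SAMPLE_LISTING = [
    r"drive\C\Windows\System32\drivers\etc\hosts",
    r"drive\C\Program Files\Updater\updater.exe",
    r"user\current\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",
    r"user\current\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"user\current\Downloads\setup.exe",
    r"user\current\AppData\Local\Temp\inst.tmp",
    r"user\all\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs",
    r"RegHive",
]


def real_path(sandbox_rel, user):
    """Map a sandbox-relative path to the real path it shadows (None if it is not a shadow)."""
    parts = sandbox_rel.replace("/", "\\").split("\\")
    head = parts[0].lower()
    if head == "drive" and len(parts) >= 2 and len(parts[1]) == 1:
        return ntpath.join(parts[1].upper() + ":\\", *parts[2:])
    if head == "user" and len(parts) >= 2:
        base = {"current": ntpath.join(PROFILE_ROOT, user),
                "all": ALL_USERS,
                "public": PUBLIC}.get(parts[1].lower())
        if base is not None:
            return ntpath.join(base, *parts[2:])
    if head == "reghive":
        return "(registry hive, not a file on the real system)"
    return None  # other bookkeeping files Sandboxie keeps at the root


def classify(real, user):
    """Bucket a real path by how much a write there should worry you."""
    p = real.lower()
    profile = ntpath.join(PROFILE_ROOT, user).lower()
    if p.startswith(profile + r"\appdata\roaming" + STARTUP_SUFFIX) or \
       p.startswith(ALL_USERS.lower() + STARTUP_SUFFIX):
        return "persistence"      # runs again at the next logon
    if p.startswith(r"c:\windows") or p.startswith(r"c:\program files"):
        return "system"           # nothing a user-level download should touch
    if any(marker in p for marker in BROWSER_PROFILES):
        return "browser-profile"  # cookies, saved logins, session data
    if p.startswith(profile):
        return "user-data"
    return "other"


def triage(listing, user):
    """Return (sandbox path, real path, category) for every entry in the listing."""
    rows = []
    for rel in listing:
        real = real_path(rel, user)
        if real is None:
            continue
        category = "registry" if rel.lower().startswith("reghive") else classify(real, user)
        rows.append((rel, real, category))
    return rows


def suspicious(rows):
    """Only the rows worth a closer look before (or instead of) recovering anything."""
    return [row for row in rows if row[2] in SUSPICIOUS]


if __name__ == "__main__":
    for rel, real, category in triage(SAMPLE_LISTING, "alice"):
        print(f"{category:16} {real}")
```

On a real machine, feed it the paths under the sandbox root with the root prefix stripped. The point of doing this before clicking "Recover" is that recovery moves the file to its real location: a shortcut in the persistence bucket becomes live at the next logon, and a modified hosts file starts redirecting traffic. The RegHive file is a standard registry hive; on Windows it can be mounted with `reg load` to inspect, for instance, the Run keys the sandboxed program tried to set.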

In Sandboxie, this is called "restoring" the files. There are three file recovery modes: Immediate Recovery, Quick Recovery and Manual Recovery.

Immediate Recovery in Sandboxie

This is the best way to restore as it can automatically call the restore function as soon as the files are created. By default, the program keeps a particularly close eye on the Downloads, Documents, Favorites, and Desktop folders.

You can add other folders to these folders at your discretion in the program settings (right-click on the sandbox folder => "Sandbox Settings" => "Recovery").

As soon as the file is saved, Sandboxie shows the "Immediate Recovery" window. Click "Recover", or use the drop-down next to it to choose "Recover and Explore" or "Recover and Run".

Quick Recovery in Sandboxie

Quick recovery transfers files from the sandbox by hand, in one step. You can configure which saved files the program restores when this mode is used.

Manual recovery in Sandboxie

If you want to clear the sandbox, right-click on the sandbox name and select the "Delete Content" context menu item. After that, the "Delete Sandbox" window appears.

In this window, you can "Restore to the same folder", "Restore to any folder", or "Add folder" files located in the isolated environment. If you click on the "Delete sandbox" button, then all processes in it are terminated and all its contents are deleted.

Using the Sandboxie program allows you to achieve greater security when using your computer. You can safely run some programs in an isolated environment, surf the Internet safely.

Some antivirus programs also include sandboxing tools.

Article Conclusions

The Sandboxie program runs applications in a sandbox, thereby preventing possible dangerous components from penetrating the system. Also, with the help of this program, you can test new programs without installing them on your computer.

So we decided to briefly touch on this topic.

In essence, a "sandbox" is an isolated software environment with strictly limited resources for executing program code (in simple terms, for running programs) inside that environment. In a way, a "sandbox" is a stripped-down virtual machine of sorts, designed to isolate dubious processes for security reasons.

Some good antiviruses and firewalls (usually in their paid versions) use this method without your knowledge; some let you manage the feature (since it does consume extra resources); and there are also programs that implement the same functionality on their own.

We will talk about one of those today.

Sandboxie - Overview, Setup and Download

As you understood from the title and subtitle, we will talk about the program Sandboxie.

Unfortunately, it is shareware, but the free period is enough to get to know this type of tool, and may prompt a closer look at the category later; most such tools exist free of charge and offer more features.

Next, you will be offered to take a short course on working with the program, or rather, they will tell you a little about how it works. Go through all six stages, preferably by carefully reading what is written in the instructions provided to you.

In short, you can run any program inside an isolated environment. The instructions, if you did read them, give a good metaphor: the sandbox is a sheet of transparent paper placed between the program and the computer, and clearing the sandbox is like discarding the used sheet together with everything written on it and replacing it with a new one.

How to set up and use the sandbox program

Now let us see how to work with it. To start with, try running, say, a browser in the sandbox. Use the shortcut that appeared on the desktop, or the menu in the program's main window: "DefaultBox - Run in Sandbox - Launch Web Browser"; or, to launch a browser that is not the system's default, use "Run any program" and give the path to the browser (or any other program).

The browser then starts in the "sandbox", and its processes appear in the Sandboxie window. From this moment on, everything happens, as has been said repeatedly, in an isolated environment: a piece of malware that uses the browser cache as its foothold, for example, cannot really do anything, because when you are done with the isolated environment you can clean it out, throwing away the written sheet, as the metaphor goes, and moving on to a new one, while the computer itself stays untouched.

To clear the contents of the sandbox (when you no longer need them), use "DefaultBox - Delete Contents" in the program's main window or in the tray (the area with the clock and other icons).

Attention! Only what was written and run inside the isolated environment is removed. The browser itself, for example, is not deleted from the computer; what is deleted is, roughly speaking, the copy of its work that was transferred into the sandbox: the cache it created, saved data (downloaded or created files) and so on, unless you recovered them.

To understand the principle more deeply, try running the browser and other software in the sandbox several times, downloading various files and deleting or saving the sandbox contents when you are done, then launching the same browser or program directly on the computer. Believe me, you will grasp the essence better in practice than from any explanation.

Incidentally, right-clicking a process in the process list of the Sandboxie window and choosing "Access to resources" lets you manage access to various computer resources bypassing the sandbox.

Roughly speaking, if you want to take the risk and give, for example, the same Google Chrome direct access to some folder on your computer, you can do it on the corresponding tab (File Access - Direct/Full Access) using the "Add" button. Keep in mind that every such entry is a hole in the isolation: whatever the sandboxed program writes there lands on the real disk and survives clearing the sandbox.

Logically, the sandbox is meant not only, and not so much, for working with the browser and visiting all sorts of dubious sites, but for launching applications that look suspicious to you (especially at work, where people often launch dubious files from e-mail or flash drives), and for applications that should not have access to the main resources of the computer or leave unnecessary traces on it.

By the way, the latter can be a good protective element in itself: launching an application whose data must be completely isolated and deleted when the work is finished.

Of course, you do not have to delete the data from the sandbox when you finish; you can work with some programs only in the isolated environment (their progress is kept, and it is easy to get back to it), but that is up to you.

When you try to run some programs, you may run into the warning shown above, a file being too large to copy into the sandbox. Do not be afraid of it: for a start, just click "OK", and later open the sandbox settings via "DefaultBox - Sandbox settings" and, on the "Transferring files" tab, set a somewhat larger size for the file transfer option.
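The same steps as the menu items above (run a browser or any program sandboxed, look at what it wrote, remove the contents), driven from PowerShell through Sandboxie's Start.exe. This is an added example, not code from the original article or from the Sandboxie project. It assumes classic Sandboxie installed in C:\Program Files\Sandboxie, a box named DefaultBox, and the default box root C:\Sandbox\<user>\DefaultBox; Sandboxie-Plus uses its own install folder, so adjust $Start there. The file name in the commented Copy-Item line is a placeholder.

```powershell
# Added example, not from the original article: the "Run in Sandbox", inspect and
# "Remove content" steps done through Sandboxie's Start.exe.
# Assumptions: classic Sandboxie in C:\Program Files\Sandboxie, box DefaultBox,
# default box root C:\Sandbox\<user>\DefaultBox (Sandboxie-Plus: adjust $Start).
$Start   = 'C:\Program Files\Sandboxie\Start.exe'
$Box     = 'DefaultBox'
$BoxRoot = "C:\Sandbox\$env:USERNAME\$Box"

# 1. "Run in Sandbox - Launch Web Browser": the system default browser, sandboxed.
& $Start "/box:$Box" default_browser

# 2. "Run any program": any executable by path, here Notepad. /wait blocks until it
#    exits; before closing it, save a file into your Documents folder from it.
& $Start /wait "/box:$Box" "$env:SystemRoot\System32\notepad.exe"

# 3. What the isolation did: the file "saved to Documents" never reached the real
#    profile. Writes were redirected into the box's copy of the file system
#    (drive\C\... for fixed paths, user\current\... for the current user's profile)
#    and registry writes into the RegHive file in the box root.
Get-ChildItem -Path $BoxRoot -Recurse -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 FullName, Length, LastWriteTime

# Anything worth keeping has to be recovered before step 4, i.e. copied out from
# under $BoxRoot\user\current\... to the real path (the GUI's "Recover" does the same).
# Placeholder file name:
# Copy-Item "$BoxRoot\user\current\Documents\notes.txt" "$env:USERPROFILE\Documents\"

# 4. "DefaultBox - Remove content": end the sandboxed processes, then discard
#    everything that was written inside the box. The browser itself is untouched.
& $Start "/box:$Box" /terminate
& $Start "/box:$Box" delete_sandbox_silent
```

The settings behind the GUI tabs live in Sandboxie.ini (Configure - Edit Configuration in Sandboxie Control): the Direct/Full Access entries appear as OpenFilePath= lines and the limit from the "Transferring files" tab as CopyLimitKb=, both under the [DefaultBox] section. Each OpenFilePath line is a path the sandboxed program writes to for real, so keep that list as short as possible.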

We will not go into the other settings now; if they interest you, you can easily work them out yourself, since everything is in Russian and quite clear and accessible. If you have questions, ask them in the comments to this entry.

With that, let's move on to the afterword.

Afterword

Oh yes, we almost forgot: of course, the sandbox consumes extra machine resources, because it takes over (virtualizes) part of the capacity, which creates a load different from running a program directly. But, logically, security and/or privacy may be worth it.

Incidentally, the use of sandboxes, chroot or virtualization belongs in part to the antivirus-free security methodology that we .

That is all for now. As always, if you have questions, thoughts, additions and so on, welcome to the comments on this post.

While publishing the last part of the series "Lies, Big Lies and Antiviruses", it turned out that the Habr audience is woefully uninformed about antivirus sandboxes, what they are and how they work. The funny thing is that there are almost no reliable sources on this question on the Web, only a heap of marketing husk and texts from who knows whom in the style of "a grandmother told me, listen here". I'll have to fill the gap.

Definitions.

So, the sandbox. The term did not come from the children's sandbox, as some might think, but from the one used by firefighters: a container of sand in which you can safely work with flammable objects, or into which you can throw something already burning, without fear of setting anything else on fire. Carrying the analogy over to software, a software sandbox can be defined as "an isolated execution environment with controlled rights". That is how the Java virtual machine's sandbox works, for example, and any other sandbox too, whatever its purpose.

Turning to antivirus sandboxes, whose essence is to protect the main working system from potentially dangerous content, there are three basic models for isolating the sandbox space from the rest of the system.

1. Isolation based on full virtualization. Using any virtual machine as a protective layer, with a guest operating system inside it where the browser and other potentially dangerous programs through which the user can get infected are installed, gives a fairly high level of protection for the main working system.

The disadvantages of this approach, besides the monstrous size of the distribution and heavy resource consumption, are the inconvenience of exchanging data between the main system and the sandbox. Moreover, the file system and registry must constantly be returned to their original state to remove infections from the sandbox; otherwise, for example, spambot agents will keep working inside the sandbox as if nothing had happened, since nothing in the sandbox blocks them. It is also unclear what to do with portable media (flash drives, for example) or games downloaded from the Internet, which may carry malicious implants.

An example of this approach is Invincea.

2. Isolation based on partial virtualization of the file system and registry. It is not necessary to carry a virtual machine engine around: processes in the sandbox can be given duplicates of file system and registry objects, with the applications themselves placed in the sandbox on the user's working machine. An attempt to modify these objects changes only their copies inside the sandbox; the real data is not affected. Rights control prevents attacks on the main system from inside the sandbox through the operating system's interfaces.

The disadvantages of this approach are also obvious: exchanging data between the virtual and real environments is awkward, and the virtualization containers must be cleaned regularly to return the sandbox to its original, uninfected state. Breakouts or bypasses of this kind of sandbox, releasing malicious code into the main, unprotected system, are also possible.

Examples of this approach are SandboxIE, BufferZone, ZoneAlarm ForceField and the sandboxes in Kaspersky Internet Security, Comodo Internet Security and Avast Internet Security.

3. Rule-based isolation. Attempts to change file system and registry objects are not virtualized but evaluated against a set of internal rules of the protection tool. The more complete and accurate this rule set is, the more protection the program gives against infection of the main system. This approach is thus a compromise between convenient data exchange between sandboxed processes and the real system on one side and the level of protection against malicious modifications on the other. Rights control prevents attacks on the main system from inside the sandbox through the operating system's interfaces.

A further advantage of this approach is that there is no need to constantly roll the file system and registry back to their original state.

Its disadvantages are the difficulty of implementing a maximally accurate and complete rule set in software, and the fact that changes made inside the sandbox can be rolled back only partially. As with any sandbox operating on top of a production system, breaking out of or bypassing the protected environment and releasing malicious code into the main, unprotected execution environment is possible.

Examples of this approach are DefenseWall, Windows Software Restriction Policy, and a Limited User Account plus ACLs.
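Rule-based isolation done by hand with the two Windows mechanisms just named, a Limited User Account plus ACLs and a Software Restriction Policy path rule. This is an added example, not code from the original article or from any of the products it lists. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the account name sbx, the folder C:\Quarantine, the file name suspect.exe and the rule description are placeholders, and the SRP registry values are the ones the Local Security Policy editor itself writes.

```powershell
# Added example, not from the original article: "Limited User Account + ACL" and an
# SRP path rule as rule-based isolation.
# Assumptions: elevated Windows PowerShell 5.1 on Windows 10; sbx, C:\Quarantine and
# suspect.exe are placeholders.
$SbxUser    = 'sbx'
$Quarantine = 'C:\Quarantine'
$Suspect    = Join-Path $Quarantine 'suspect.exe'

# Rule 1 (rights): a standard local account that owns none of your data.
$pw = Read-Host -AsSecureString "Password for $SbxUser"
if (-not (Get-LocalUser -Name $SbxUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $SbxUser -Password $pw -PasswordNeverExpires `
        -Description 'low-rights account for untrusted programs' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $SbxUser
}

# Rule 2 (ACLs): the account may read and execute in the quarantine folder but not
# change it, and gets an explicit deny on your real profile on top of the default ACL.
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
icacls $Quarantine /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
    "${env:USERNAME}:(OI)(CI)F" "${SbxUser}:(OI)(CI)RX"
icacls $env:USERPROFILE /deny "${SbxUser}:(OI)(CI)F"

# Rule 3 (SRP): nothing under Downloads may be executed, by any user. These are the
# registry keys the Local Security Policy editor writes; subkey 0 is the Disallowed level.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $safer)) {
    New-Item -Path $safer -Force | Out-Null
    Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord  # Unrestricted unless a rule matches
    Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord  # check executables, not DLLs
    Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0       -Type DWord  # all users, administrators included
    Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString `
        -Value @('EXE','COM','BAT','CMD','VBS','JS','WSF','MSI','SCR','PIF','HTA')   # shortened list
}
$rule = "$safer\0\Paths\$([guid]::NewGuid().ToString('B'))"   # the GUID is just a unique rule name
New-Item -Path $rule -Force | Out-Null
Set-ItemProperty -Path $rule -Name ItemData     -Value '%USERPROFILE%\Downloads\*' -Type ExpandString
Set-ItemProperty -Path $rule -Name SaferFlags   -Value 0 -Type DWord
Set-ItemProperty -Path $rule -Name Description  -Value 'No execution from Downloads' -Type String
Set-ItemProperty -Path $rule -Name LastModified -Value (Get-Date).ToFileTime() -Type QWord
# If a program started from Downloads is not blocked right away, log off and on again.

# Run the suspect under the limited account without logging off (Secondary Logon / runas).
$cred = New-Object System.Management.Automation.PSCredential("$env:COMPUTERNAME\$SbxUser", $pw)
Start-Process -FilePath $Suspect -WorkingDirectory $Quarantine -Credential $cred -LoadUserProfile
```

Note the trade-off the text describes: the suspect runs on the real file system, so there is nothing to roll back afterwards, but it can still modify anything the rules happen to allow (here, anything world-writable on the machine), and the rules have to be maintained as the list of sensitive paths changes.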

There are also mixed approaches to isolating sandboxed processes from the rest of the system, based on both rules and virtualization. They inherit the advantages of both methods and their disadvantages, and the disadvantages prevail because of how users perceive them.

Examples of this approach are GeSWall and Windows User Account Control (UAC).

Methods for deciding what to place under protection.

Let's move on to the methods for deciding whether to place a process under the sandbox's protection. There are three basic ones:

1. Rule-based. The decision module consults an internal rule base for launching particular applications or potentially dangerous files and, depending on it, starts the process either in the sandbox or outside it, on the main system.

The advantage of this approach is the highest level of protection: both malicious program files that arrived from potentially dangerous places through the sandbox and non-executable files containing malicious scripts are covered.

Disadvantages: there may be problems installing programs that arrived through the sandbox (although whitelisting makes this much easier), and processes must be started manually in the main, trusted zone to update programs that update themselves in place (for example, Mozilla Firefox, uTorrent or Opera).

Examples of programs with this approach are DefenseWall, SandboxIE, BufferZone and GeSWall.

2. Based on user rights. This is how the Windows Limited User Account and SRP- and ACL-based protection work. When a new user is created, it is granted access to certain resources and denied access to others. If a program needs to work with resources forbidden to the current user, you must either log in again as a user with a suitable set of rights and run the program, or run just that program under such a user without re-logging the main working user (Fast User Switching).

The advantage of this approach is a relatively good level of overall system security.

Disadvantages: managing the protection is non-trivial, and infection is possible through resources the user is allowed to modify, since the decision module does not track such changes.

3. Heuristic. The decision module "looks" at the executable and tries to guess from indirect evidence whether to run it on the host system or in the sandbox. Examples are the Kaspersky Internet Security HIPS and the Comodo Internet Security sandbox.

The advantage of this approach is that it is more transparent to the user than the rule-based one, and easier for the vendor to implement and maintain.

Disadvantages: such protection is incomplete. Besides the decision heuristics "missing" on an executable, such solutions show almost zero resistance to non-executable files containing malicious scripts, plus a few more problems (for example, installation of malicious extensions from inside the browser itself, from the body of an exploit).

Separately, I want to point out the use of a sandbox as a heuristic tool: running a program in it for some time, then analysing its actions and making an overall verdict on maliciousness. This approach cannot be called a full-fledged antivirus sandbox. What kind of antivirus sandbox is it if it is only put in place for a short time and can then be removed entirely?

Modes of using anti-virus sandboxes.

There are only two main ones.

1. Real-time protection mode. When a process that may be a threat to the main system is started, it is automatically placed in the sandbox.

2. Manual protection mode. The user decides on their own whether to launch an application inside the sandbox.

Sandboxes whose main mode of operation is real-time protection can also have a manual start mode, and vice versa.

Rule-based isolation sandboxes typically use real-time protection mode, since communication between the main system and the processes inside the sandbox is completely transparent.

Heuristic sandboxes also typically use real-time protection mode, since data exchange between the main system and the sandboxed processes is negligible or absent.

Non-heuristic sandboxes with isolation based on partial virtualization typically use manual protection mode, because of the awkward data exchange between the sandboxed processes and the main working system.

Examples:

1. DefenseWall (a rule-based isolation sandbox) has "always on, by rules" as its main mode of operation, but manual launching of applications inside and outside the sandbox is also present.

2. SandboxIE (a sandbox with isolation based on partial virtualization) has "manual" as its main mode of operation, but a purchased license unlocked the "always on, by rules" mode (forced programs and folders). Since Sandboxie was made free and then open-sourced in 2020, no license is needed for this.

3. The Comodo Internet Security sandbox (isolation based on partial virtualization) has "always on, heuristic" as its main mode of operation, but manual launching of applications inside and outside the sandbox is also present.
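What switching SandboxIE from its manual mode to the "always on, by rules" mode looks like in practice: forced-program and forced-folder rules inserted into Sandboxie.ini, plus the explicit opt-out that the self-updating-programs point above requires. This is an added example, not code from the original article or from the Sandboxie project. It assumes classic Sandboxie with Sandboxie.ini in C:\Windows and Start.exe in C:\Program Files\Sandboxie (Sandboxie-Plus keeps both in its own install folder), an elevated PowerShell session, and that the program names, folders and the Firefox path in the rules are placeholders; the setting names themselves (ForceProcess, ForceFolder, AutoDelete, ClosedFilePath) are real Sandboxie.ini settings.

```powershell
# Added example, not from the original article: real-time ("always on, by rules")
# mode for classic Sandboxie via forced-program rules in Sandboxie.ini.
# Assumptions: Sandboxie.ini in C:\Windows, Start.exe in C:\Program Files\Sandboxie,
# elevated PowerShell; program names, folders and the Firefox path are placeholders.
$Ini   = "$env:SystemRoot\Sandboxie.ini"
$Start = 'C:\Program Files\Sandboxie\Start.exe'

# Settings to insert into the [DefaultBox] section:
#   ForceProcess   - a program with this name always starts inside the box
#   ForceFolder    - anything launched from this folder starts inside the box
#                    (the Downloads folder and a removable drive: the "files from
#                    mail or flash drives" case)
#   AutoDelete     - discard the box contents when the last sandboxed program exits
#   ClosedFilePath - sandboxed programs cannot even see this path
$Rules = @(
    'ForceProcess=chrome.exe'
    'ForceProcess=firefox.exe'
    'ForceProcess=AcroRd32.exe'
    'ForceFolder=%USERPROFILE%\Downloads'
    'ForceFolder=E:\'
    'AutoDelete=y'
    'ClosedFilePath=%USERPROFILE%\Documents\Private'
)

Copy-Item -Path $Ini -Destination "$Ini.bak" -Force   # keep a way back
$lines = @(Get-Content -Path $Ini)                    # UTF-16 file; the BOM tells Get-Content
$idx = $null
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i].Trim() -ieq '[DefaultBox]') { $idx = $i; break }
}
if ($null -eq $idx) { throw "No [DefaultBox] section in $Ini" }

$new  = @($Rules | Where-Object { $lines -notcontains $_ })   # do not add duplicates
$head = @($lines[0..$idx])
$tail = if ($idx -lt $lines.Count - 1) { @($lines[($idx + 1)..($lines.Count - 1)]) } else { @() }
Set-Content -Path $Ini -Value ($head + $new + $tail) -Encoding Unicode   # Sandboxie.ini stays UTF-16

& $Start /reload   # same as Configure - Reload Configuration in Sandboxie Control

# The price of forcing: a forced program can no longer update itself for real. To let
# it, start it outside the sandbox explicitly, bypassing the ForceProcess rule.
& $Start /disable_force 'C:\Program Files\Mozilla Firefox\firefox.exe'
```

With AutoDelete=y the box is emptied every time the last sandboxed program closes, which is exactly the "data must be completely isolated and deleted upon completion" case from the first part; anything the sandboxed browser downloaded has to be recovered before closing it or it is gone.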

These are the basics any self-respecting professional should know about antivirus sandboxes. Each program has its own implementation features, which you will have to find, understand and weigh for yourself.
