Trust No Program!
I just thought I’d write a little review to spread the word about a free, small (250kb) and very useful sandbox utility called “Sandboxie”.
Depending on the person I explain it to, I usually get two completely different responses. When I explain what this program does (which I’ll get to in a second), I’ve found that people who are tech oriented think the idea of this program is fantastic, while the average user responds with “cool”, which pretty much means “whatever”.
How it works
The program lets you sandbox applications or the install of applications, so they do not have contact with the rest of your system. It does this by getting between the application and your computer and making it think it’s installing to c:\program files when in fact it’s installing to C:\Documents and Settings\(your username)\Application Data\Sandbox\DefaultBox\drive\C\Program Files. This goes for any directory on your hard drive. It also fakes the registry: it stores the registry entries for the application in a file called RegHive located in C:\Documents and Settings\(your user name)\Application Data\Sandbox\DefaultBox instead of the actual Windows registry. An example of this would be to download an application that you are not quite sure about or just want to install without worrying about it damaging your system. You can right click the EXE and then choose “Run Sandboxed”. It then proceeds to install the application to the sandboxed location. Because it installs everything in the sandbox, it’s very easy to remove every trace of the application from the hard drive. You simply have to tell Sandboxie to delete the sandbox (function menu / contents of sandbox / delete contents) and the application you just installed is now gone from your computer.
While using Sandboxie to install and test applications is nice, where Sandboxie really shines is while browsing the internet. When you sandbox your web browser (Internet Explorer, Firefox, Opera, etc.) it makes a shadow copy of your web browser and all the files it requires and copies them to the sandbox, as it does with any sandboxed application. This happens faster than you might expect; you really don’t notice it much at all. The benefits of this are many but I’ll mention a few. One is privacy: you could install this on someone’s computer or use it on your own, and at the end of your browsing session, delete the sandbox and all traces of your activities are gone, and I mean ALL traces. The other benefit is virus and spyware protection / prevention. Any file that you download and open from within the sandboxed web browser will also be contained in the sandbox. If you download a virus it will affect the sandbox and not your computer, so to remove it just delete the sandbox. Same goes for spyware. Now I’m not saying this is foolproof; there has been mention of some spyware which is sandbox-aware and can escape the sandbox. Nothing is perfect but this is the closest thing to it.
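To make the two behaviours just described concrete (writes redirected into <sandbox>\drive\<letter>\..., and a shadow copy that sits over the real disk until the sandbox is deleted), here is an added Python model. It is not Sandboxie’s own code, which does this in a driver; the user name “alice” and the file contents are constructed for the example.

```python
import ntpath
from typing import Dict, List, Optional

# Constructed sandbox root in the layout the review describes
# (Documents and Settings\<user>\Application Data\Sandbox\DefaultBox); "alice" is made up.
SANDBOX_ROOT = r"C:\Documents and Settings\alice\Application Data\Sandbox\DefaultBox"


def map_to_sandbox(real_path: str, root: str = SANDBOX_ROOT) -> str:
    r"""Redirect an absolute drive-letter path into <root>\drive\<LETTER>\...,
    e.g. C:\Program Files\App -> <root>\drive\C\Program Files\App."""
    norm = ntpath.normpath(real_path)              # collapse ".." and "/" first
    drive, tail = ntpath.splitdrive(norm)
    if len(drive) != 2 or drive[1] != ":" or not tail.startswith("\\"):
        raise ValueError(f"need an absolute drive-letter path, got {real_path!r}")
    mapped = ntpath.join(root, "drive", drive[0].upper(), tail.lstrip("\\"))
    # Containment invariant: a redirected write must never land outside the sandbox.
    if not mapped.lower().startswith(ntpath.normpath(root).lower() + "\\"):
        raise ValueError("redirected path escaped the sandbox")
    return mapped


class SandboxView:
    """Copy-on-write overlay: writes land in the sandbox, reads fall through to
    the real disk unless the sandbox already holds a shadow copy."""

    def __init__(self, real_disk: Dict[str, bytes]):
        self.real = {ntpath.normpath(p).lower(): d for p, d in real_disk.items()}
        self.box: Dict[str, bytes] = {}            # keyed by sandbox path, lowercased

    def write(self, path: str, data: bytes) -> str:
        target = map_to_sandbox(path)
        self.box[target.lower()] = data            # the real file is untouched
        return target

    def read(self, path: str) -> Optional[bytes]:
        shadow = self.box.get(map_to_sandbox(path).lower())
        if shadow is not None:
            return shadow                          # sandboxed copy wins
        return self.real.get(ntpath.normpath(path).lower())

    def dropped_files(self) -> List[str]:
        """Everything the sandboxed program created or changed: the list to inspect."""
        return sorted(self.box)

    def delete_contents(self) -> int:
        """'Delete contents' of the sandbox: all of it goes at once, real disk intact."""
        count = len(self.box)
        self.box.clear()
        return count
```

Calling dropped_files() before delete_contents() is the equivalent of browsing the sandbox’s Program Files folder to see what an install actually left behind.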
I thought I would test it to see just how well this program really works. I started by installing Sandboxie inside a virtual XP install inside VirtualBox (just in case it didn’t work), then I proceeded to install Kazaa while sandboxed. During the install it threw a few errors at me, but after it installed it ran just fine. After exploring the program files folder located in the sandbox directory, you could see all the crap it installed. You could also see the famous p2p networking running under processes in the task manager. Since the p2p networking.exe got installed alongside Kazaa it was also sandboxed. Getting rid of Kazaa was so easy it was almost fun. First I told Sandboxie to kill all sandboxed processes; this included all the exe’s which were running after the Kazaa install. This was done very easily by clicking the function menu and choosing “terminate sandboxed processes”. Once all the Kazaa processes vanished I told it to delete the sandbox and *Poof*, no more Kazaa.
That was too easy. I mean, had a normal computer gotten infected with the wrath of Kazaa, it could have been uninstalled and spyware removers could have taken care of the rest; it was nothing that would have required a reformat. So I thought I needed a better test. I needed to find what I call “Pandora’s Box”. I’m referring to one of those crack.exe files that are included in warez or program cracks, the kind of file that when you run it, it appears to have done nothing, but if you look at your process list, the CPU is spiked and you see so many random.exe files being loaded onto your system you just want to put your head between your legs and cry. I got a hold of one such file, downloaded it within a sandboxed Firefox and launched it. The only words to describe the activity that file produced are OMG. Because the file was opened with a sandboxed Firefox, all the activity I saw on screen was also sandboxed. It took my running processes from 20 to 30. I then told it to terminate all sandboxed processes, and the process list dropped from 30 down to 20 instantly. I then told it to delete the sandbox and presto! An event which, had it occurred outside a sandbox, would without a doubt have required a clean install of Windows and a bleach bath. I performed a boot time system scan with avast and current definition files. It found 27 infected files and all were located in the system restore directory. I’m not sure if that was from this test or a previous test I did before I knew about Sandboxie; in either case, after an event like that it’s best to turn off system restore and turn it back on to delete all restore points. I was more than pleased with the results.
As you can tell I really love Sandboxie; I just wanted an opportunity to let others know about this wonderful free little program. They do sell a version that does a few more things for $40/90 which is a lifetime of free upgrades (which I bought), but the free one does plenty. Included at the bottom are some screenshots of the interface, enjoy!
I've been using Sandboxie for the past 5 years (even before I wrote this review). Since writing the review, Sandboxie now has a 64-bit version which runs great on Vista and Windows 7 64-bit operating systems. Every machine in my home that is used to browse the internet has Sandboxie installed.
Question - what happens if you get a malware infection?
Answer - If you get a malware infection from the internet while your browser was being sandboxed, it's easy to remove. You simply tell Sandboxie to terminate all sandboxed processes. Then you tell Sandboxie to delete the sandbox. That's it! The infection has been removed from your computer. It's not removed as it would be with a removal tool. With removal tools, while it might be removed, you can never be sure you got it all.
Because the infection was sandboxed and contained, you can be sure the entire infection was contained in the sandbox and that you don't have anything left behind. It's as if the infection never happened.
Edited by warwagon, 25 November 2011 - 20:05.