
A Regular Joe

Running Suspicious Applications in a Sandbox

Every now and then I get an application I want to check, but I'm worried that it might harm other processes on my machine, or eat up my memory if it suffers from a memory leak.
Sometimes I get files from people that contain viruses, but I still need to have a look at them (what if the RAR file with all the pictures from that trip also has a virus in it?).

For all of the above (and maybe some other cases) the perfect solution is some kind of sandbox.

For quite a while I used a virtual PC, running the same OS as the host machine, as a sandbox.
I copied the files there, checked them for viruses, cleaned them, and/or just had a look at them, ignoring all the virus alerts, and then restored a fresh copy of that VPC.

A few weeks ago I found Sandboxie (www.sandboxie.com), an application that creates a sandbox on your operating system and allows you to run anything you want in a controlled environment, separated from the OS itself.
It runs in an isolated memory range and controls all the interaction with your hard drive, memory, etc.

Installation is fast and easy, a "next-next-next" installation.
Besides the application itself, the installer installs a system-level driver, which controls memory and hard-disk access.

After installation, you'll have a small icon in the system tray and one on your desktop.
Image: Sandboxie's tray icon and desktop icon

The desktop icon runs Internet Explorer in a sandbox (very good for checking sites that you don't know or don't trust).
The window's title changes and is surrounded by "[#]" to indicate that the browser is now in sandbox mode:

Image: the browser's window title when in sandbox mode

The load time doesn't seem to be affected, nor does any other browser functionality. The page looks the same with and without the sandbox control (on the left, IE with sandbox; on the right, without sandbox):

Image: Internet Explorer window with Sandboxie on; image: Internet Explorer window with Sandboxie off

The tray icon lets you see the currently active sandboxes, monitor them, etc.

The application adds a context menu entry that allows you to start any application inside a sandbox. This is how it looks when you right-click a folder:

Image: a context menu with the Sandboxie entry

And this is the folder when it is opened within a sandbox:

Image: a folder opened with Sandboxie

Note the "[#]" signs in the window's title, the same as in IE. The folder content looks and works just the same as before. And here's the cool thing: if I open one of the images in my image viewer, the image viewer application will start inside the sandbox as well!

The Sandboxie window displays all the processes currently running inside a specific sandbox. You can have as many sandboxes as your memory allows.
Dragging an application executable, or even a shortcut, onto that window will open the application inside the sandbox it was dropped on.
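The same "run it in the box, then see what it touched" workflow can be scripted. This is an added example, not code from the post or from Sandboxie itself; it assumes Sandboxie's Start.exe is in its default install directory and accepts "/box:<name>" and "/wait", and that the box's file container sits under C:\Sandbox\<user>\<box> with registry writes kept in a RegHive file there (the default layout; adjust if you changed it).

```powershell
# Added example (not from the post): launch a suspicious file inside a Sandboxie
# box from PowerShell and list what it wrote into the box's file container.
param(
    [Parameter(Mandatory = $true)][string]$Path,   # executable or document to examine
    [string]$Box = 'DefaultBox'                     # box name as shown in the Sandboxie window
)

# Assumption: default install location and the /box: and /wait switches of Start.exe.
$startExe = Join-Path $env:ProgramFiles 'Sandboxie\Start.exe'
if (-not (Test-Path $startExe)) { throw "Sandboxie Start.exe not found at $startExe" }

# Assumption: default container layout C:\Sandbox\<user>\<box>.
$container = Join-Path "C:\Sandbox\$env:USERNAME" $Box

# Snapshot the container before the run so only new or changed files show up.
$before = @{}
if (Test-Path $container) {
    Get-ChildItem $container -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { $before[$_.FullName] = $_.LastWriteTimeUtc }
}

# Run the target inside the box; /wait blocks until the sandboxed process exits.
& $startExe "/box:$Box" '/wait' $Path

# Everything that lands in the container is a copy-on-write view of what the
# program tried to change on the real disk.
$after = Get-ChildItem $container -Recurse -File -ErrorAction SilentlyContinue
$changed = $after | Where-Object {
    -not $before.ContainsKey($_.FullName) -or $before[$_.FullName] -ne $_.LastWriteTimeUtc
}

"Files written or modified by '$Path' inside box '$Box':"
$changed | Select-Object FullName, Length, LastWriteTimeUtc | Format-Table -AutoSize

# Registry writes are redirected into a hive file in the container (assumed name: RegHive);
# it needs Sandboxie's own tools or a hive viewer to read, but its presence/size is a hint.
$hive = Join-Path $container 'RegHive'
if (Test-Path $hive) { "Registry changes recorded in $hive ($((Get-Item $hive).Length) bytes)" }
```

Run it once against a known-clean program first so you learn what the box's own bookkeeping files look like, and you will spot an unexpected dropped executable or start-up entry much faster.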

This is how the Sandboxie window looks with all the processes I've run for this post opened:

Image: Sandboxie main window

To summarize, this is a very nice application no matter what you'd use it for. You don't have to keep it in memory; you can just start it when you need it. Whether you're just checking unknown or untrusted web sites every now and then, checking applications here and there, or even just want to run your own code in an isolated environment, Sandboxie will suit you.
It is free to try and to run, but it will show you some nag screens after 30 days, which you can avoid if you buy a license ($30). Buying the application gives you a lifetime license including future releases.

Comments

Noam said:

But how can you be sure that it's really secure? I use VPC to be sure, but still I read about viruses that become virtual-aware.

# May 7, 2008 5:55 PM

Erik Rozman said:

Very interesting...hope to test it later on today...

# May 7, 2008 9:13 PM

Joe said:

Noam - there's a nice explanation of how it works on the front page of their site: http://www.sandboxie.com

It explains how there's no interaction with your local storage.

VPC is still a good solution, I never said it isn't; I'm using it too for certain checks.

# May 8, 2008 4:16 PM

Tal Shahar said:

One other great trick Sandboxie has is called Recovery.

Try to think of it as "commit": if you like what you have tried inside Sandboxie, Recovery will "burn" it permanently, as if it was installed without Sandboxie.

Also, inside the Control you can see any registry key or file that is written by the program.

I love this tool and I use it a lot.

# May 9, 2008 12:44 PM

Nebastion said:

What advantage is there to running an app like that? How would you know if it's infected or not? I don't get it.

# May 29, 2009 1:04 AM