Browsing the Internet is always risky, but it is particularly dangerous when conducting security research. Researching free security tools and questionable Web sites can turn my computer into a boat anchor. Or worse, I might end up with software on my system that silently grabs everything it can get its virtual hands on.
One solution is to reimage my test system after every research session. Products like Acronis True Image are a good way to create and install entire environments. If frequent reimaging is too much trouble (and it usually is), configuring disposable virtual desktops is an option. But this is still more work than I usually have time for. So I use a product I found some time ago, and for which a new version was recently released—Sandboxie.
What Sandboxie is
Sandboxie, released in 2004 as a proof of concept product for Windows, sits between running applications and the operating system. It creates a ‘sandbox’ in which all or some of my applications run. By default, anything written to disk is instead written to a virtual folder of the same name. The same process takes place when a registry change is made.
When I finish a research session, I simply close the sandbox. This terminates all applications running within it. If I want to keep files I downloaded during the session, I can ‘recover’ them before destroying the sandbox.
In addition to preventing unwanted files from being inadvertently written to disk, Sandboxie allows me to install a complete application within a sandbox for testing or evaluation. None of the application components are permanently written to disk or the registry. When I finish the evaluation or test, I close the sandbox. No remnants of the tested application remain.
At a high level, Sandboxie creates an isolated operating environment which prohibits applications from directly writing to anything on local or mapped drives—unless I want it to.
What Sandboxie is not
Sandboxie will not protect your privacy. It is intended to create an area in which one can play around a little with no permanent alterations to the underlying environment. But whatever is written and executed within a sandbox is still capable of stealing your data.
For example, if a keylogger is downloaded into a sandbox, it will install itself in the virtual environment. Anything you type within the sandbox will be captured and sent home. The bottom line? Sandboxie does not relieve you of responsibility for not being careless.
Finally, Sandboxie is not a virtual desktop application. But it does allow protected, isolated operating environments without having to purchase a separate OS license for each one.
Getting started was easy. I just downloaded a free copy of Sandboxie from the Web site. I say free because a version is available at no cost. A for-fee version is available for 22 euros (about $30). There are two feature differences which I’ll explain as we step through the product. In addition, each time you load Sandboxie after the 30 day evaluation period expires, the message in Figure 1 appears.
I purchased a license which is good forever. It also allows me to install Sandboxie on an unlimited number of personally owned systems.
It takes little time to install the product. By default, one sandbox is created. I can run multiple applications in a single sandbox, but it’s safer and more flexible to create multiple instances. I can configure each sandbox for specific behavior, depending on what I want to do and the risk involved. I created a test sandbox for this article. Figure 2 shows how to launch IE, in the test sandbox, from the system tray. The red arrow points to the Sandboxie icon. When applications are active in one or more sandboxes, red dots appear on the yellow background.
There are two other ways to launch sandboxed applications. Right-clicking an executable in Windows Explorer enables a sandboxed launch from the options menu. I can also configure Sandboxie to detect the launch of certain applications and automatically sandbox them (only available in the licensed version).
Once an application is launched, all components running are viewable. This includes any unwanted applications that might have crept down the link from the Internet. Figure 3 shows how the running applications list looks in the Sandboxie window. In this example, I launched IE in the default sandbox. If I have multiple sandboxes running, they would all display here with their sandboxed applications.
Although running sandboxed, I often want to download a file I want to keep. This is a two step process. First, I save the file to a folder just as I would in an open, un-sandboxed environment. In Figure 4, I downloaded and saved the Security Now Sandboxie netcast transcript. This appears to work normally. However, the file is actually stored to a virtual folder.
I can view the files I’ve saved to virtual folders via the Sandboxie window, as shown in Figure 5. To permanently write a file (or a new folder and its contents) to disk, I right-click and choose to save it to the path specified in the Window or to a new location.
Quick recovery folders are defined in each sanbox’s configuration. By default they include those listed in Figure 6. This list is from a Sandbox on my Windows Vista desktop.
Figure 6 also shows the sandbox configuration menu (on the left). Using this menu, I can configure each sandbox instance to allow the application behavior I need for the task performed. One feature I turned on immediately was automatic sandboxing of applications that auto-run from CD, DVD, or USB storage. This is one of the features available only with a paid license.
Again, the other paid license feature is the ability to auto-sandbox any application upon launch. No applications are included in this category by default. However, I added IE as shown in Figure 7.
There are some known issues with Sandboxie. For example, attempting to convert a Web page to a PDF generates an error. This is due to Sandboxie blocking required access to the actual drive. However, this and several other issues are addressed at the Sandboxie site.
The final word
Sandboxie isn’t a security panacea. I still need to be cautious about when and where I run certain applications. However, I no longer worry about leaving unwanted code behind on my system after a browsing session. And I can install and remove applications without hosing my registry or increasing the number of orphaned files. It is just one more tool in my kit.
Sandboxie might or might not be for you. But what have you got to lose. The price is right.
Tell us what you think
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.