[Note from Ed Tittel: This post about Sandboxie comes from guest author Bo Elam, whom Kari and I met on TenForums, where he is something of a regular visitor, and a passionate advocate for Sandboxie. Who better to write this Toolkit Item?]
I’ll start this article on Sandboxie with a few words on how I became a Sandboxie user. Before I started using Sandboxie, I used to get malware infections once or twice a year, and simply accepted those infections. I thought, “If I am going to use the internet, I am going to get infected and there’s nothing I can do about it.” The effect of using Sandboxie has been huge on the quality of my computing experience. After I became a Sandboxie user, infections went away completely. I haven’t had an infection since the day I became a Sandboxie user.
So, how did I become a Sandboxie user? One day late in 2008, during a browsing session, I was hit by malware (a rootkit). Until that day, whenever I got infected, I always had somebody else clean up the infection. But this time I decided to do it myself. That was a breaking point. I took the approach of treating the cleanup as a challenge, and had fun doing it. During cleanup, I learned a lot about security and came to realize that there were better technologies available to protect our computers than antivirus programs/scanners. One of those technologies was sandboxing. Later, while searching for protection against rootkits, my travels led me directly to Sandboxie. I knew nothing about sandboxes. Sandboxie doesn’t allow drivers or services to be installed in the sandbox. That attracted me. So, I decided to try Sandboxie, and 10 years later, I am still using it.
What is Sandboxie?
Sandboxie is a sandbox program for Windows. An application sandbox is a runtime environment in which programs run in an isolated space. You can run all kinds of programs under Sandboxie: browsers, email clients, PDF readers, video players, and so on. Personally, I run every program I use on a daily basis inside Sandboxie, and most files I download run sandboxed every time they run, for as long as they stay on my computer. When you run programs under Sandboxie’s supervision, the interaction between programs running in the sandbox (the isolated space) and the system outside the sandbox is seamless, so there is no reason not to do it. Below is a picture of Sandboxie Control (the Sandboxie user interface). Each name shown in Sandboxie Control represents a separate sandbox with its own settings. From the names, you can tell which programs I currently run sandboxed on a regular basis, or the purpose of a particular sandbox. For example, the one called USB is where files run out of USB drives run sandboxed whenever a flash drive is plugged in.
The interaction between programs running in the sandboxed environment and the system outside the sandbox works so well that it’s possible to use programs exactly as you normally would when not running under Sandboxie’s protection, even though your computer is protected. So, in the end, users who run their programs and files in the sandbox achieve a very high level of security for their computers without losing usability or convenience. I am a Sandboxie user to the max. In my case, basically the only time I am not using Sandboxie is when the computer is idle or I am doing updates.
To be more specific, Sandboxie is a sandbox program designed for running most of the programs you use regularly, or programs that connect to the internet. But there are other uses for Sandboxie. For example, we can use it for testing programs. If you would like to test a new browser or video player, you can run the installer in a sandbox and test the program there. In the picture below (left side), after right-clicking the installer, I get the option to “Run sandboxed”. Clicking that option opens the Sandboxie menu (right side), where we choose the sandbox in which the installer should run.
If you like, you can keep an installation around for a while, or you can delete the sandbox after testing a program. Right now, I have IrfanView installed in a sandbox. There are several ways to run a program that was installed sandboxed. You can even create a sandboxed shortcut to make it easier to run installed programs sandboxed, but this is how I run them myself. Look at the three pictures below. In the first one, after right-clicking the Sandboxie icon by the clock and hovering over the name of the sandbox where I installed IrfanView, I get the menu on the left and select “Run from Start menu”. That opens the sandboxed Start menu (picture 2). I look for IrfanView in the menu and click it; it then opens in the sandbox I created and set up specifically as a dedicated sandbox for IrfanView (picture 3).
Probably the most important function in Sandboxie is Delete contents of the sandbox. When you delete the contents, everything you did in a session is deleted: every change that took place in the session is gone, except what you chose to save outside the sandbox. You can set a sandbox to delete automatically when you close a sandboxed program (that’s what I do in my browser sandboxes), or you can keep the contents (a sandbox where you installed a program you want to keep for a while is a good example) and delete them later, when you decide to. Below, you can see the Delete contents options in Sandbox settings.
I also use Sandboxie for testing changes to my system. After testing, if all looks good in the sandbox, I’ll make the change on the real system. Everyone who uses Sandboxie sometimes innovates and comes up with new ideas on how to use the program.
How does it work?
Programs running in Sandboxie’s isolated space (the sandbox) are prevented from making permanent changes outside the sandbox: to the file system, the registry or other programs. When a sandboxed program wants to make a change (good or bad), Sandboxie intercepts it; before the change takes place, Sandboxie makes a copy of the file and redirects the change to the sandbox folder. The sandboxed program thinks the change was made to the real system, but it was not; it was made only to the copy. That’s how Sandboxie protects a computer from unwanted changes.
The Sandbox folder on the C: drive.
The sandbox at work. For example, when I download something, like an installer, the sandboxed program (Firefox in this case) thinks the download went to user\current\BoVideos\C1, but actually the download was redirected to C:\Sandbox\Bo\DefaultBox\user\current\BoVideos\C1. Look at the picture below. The same thing would happen if you got hit by malware: the infection, and any changes caused by the malware, get redirected to the sandbox. The malware thinks it infected the system, but it has not. The infection was captured by Sandboxie and will be gone when we delete the sandbox. Your file system and registry remain intact.
Via Sandboxie Control you can track the changes sandboxed programs make. Some users like to use this option when they test-install a program in a sandbox, to see which files the program creates or modifies.
Sandboxie comes in both free and paid versions. Both versions have the same degree of security. The difference is that with the paid version, sandboxing files and programs becomes automatic: you don’t have to think about sandboxing a file, you just click it and it runs sandboxed automatically. When you buy a license and register your copy of Sandboxie, the Forced folders and Forced programs features are unlocked. The Forced programs feature lets the user set programs to run sandboxed automatically every time they run. Via Forced programs, you set your browsers, PDF readers, or any program to run sandboxed automatically. For example, if you set your PDF reader to run sandboxed, whenever you click on a PDF, it opens sandboxed. With the Forced folders feature, you can set folders, such as your Downloads folder or USB drives, to be sandboxed. If you set your Downloads folder as a Forced folder, every file that runs out of that folder will run sandboxed when executed. If you set your USB drives to run sandboxed, then when a flash drive is plugged in, the USB folder opens in a sandboxed File Explorer, and if anything runs, it runs sandboxed, under Sandboxie’s supervision.
Some sandbox programs only sandbox a file or program when they detect or flag it as malicious or as unknown to the sandbox program. Sandboxie works differently. Sandboxie treats every file the same way; it doesn’t detect anything. We, the users, choose what to sandbox, not Sandboxie. My formula for success with Sandboxie is simple: I sandbox all files and programs that run on my computer, every time they run. There are exceptions, but they are rare, and that’s basically how I use Sandboxie.
Another characteristic that makes Sandboxie unique is that you can use as many sandboxes as you need. Most sandboxing programs have only one sandbox, so everything that runs, runs together. To maximize isolation, Sandboxie allows the user to create separate sandboxes for different programs. By running programs in their own sandboxes, we isolate programs not only from the system but from each other as well. Dedicating sandboxes to different programs allows the user to configure each sandbox according to its dedicated/primary program. In the example pictured below, you can see Firefox running in one sandbox and LibreOffice in another. Using separate sandboxes for those programs allows me to set each sandbox according to its dedicated program. For example, in my LibreOffice sandbox, no program is allowed access to the internet. That’s security: whenever I open an office file, nothing in that file can connect to the internet. I achieve this high level of security because I am using a separate sandbox for LibreOffice. If all programs ran together in one big sandbox, LibreOffice would run sandboxed, but it would have access to the internet.
There are many settings in Sandboxie. Some are global, but most can be applied to individual sandboxes. Some have to do with security and restrictions, while others have to do with usability and convenience. Sandbox settings help the user tailor each sandbox to the program you are going to run in it. My goal every time I create a sandbox is to achieve a balance between usability and security, so I tighten security as much as possible without losing usability.
I am going to use Firefox to illustrate some of the settings. In Internet access restrictions, I only allow firefox.exe to connect to the internet. That means no other program that runs in my Firefox sandbox has access to the internet.
In Start/Run access restrictions, I only allow firefox.exe and the Foxit (my PDF reader) executables to run. If anything other than these programs attempts to run in my Firefox sandbox, it is blocked.
For better usability and convenience, in the Sandbox settings for Firefox I allow Firefox direct access to my bookmarks outside the sandbox. This makes it possible to recover/save bookmarks from the sandboxed environment. But, if you like, you can allow Firefox access to anything in the Firefox profile folder, or even to the entire profile folder.
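Sandboxie Control writes the per-sandbox settings discussed above into Sandboxie.ini, one section per sandbox. The fragment below is an added illustration of the Firefox sandbox described here (delete-on-close, Forced programs and folders, the internet and Start/Run restrictions, direct bookmark access); it is not the author’s own file or the project’s documentation. The box name, the user and profile paths, the Foxit executable name, and the exact key Sandboxie Control uses for the Start/Run restriction are assumptions to check against your own Sandboxie.ini.

```ini
# Added example: one sandbox section of Sandboxie.ini, written to mirror the
# Firefox sandbox described in the article. Box name, paths and the Foxit
# exe name are assumptions; adjust them to your installation.

[Firefox]
Enabled=y

# Sandbox settings > Delete > delete contents automatically: every change
# from a browsing session is discarded when the last sandboxed program exits.
AutoDelete=y

# Forced programs (licensed feature): firefox.exe always starts in this box,
# however it is launched.
ForceProcess=firefox.exe

# Forced folder: anything executed out of the Downloads folder runs in this
# box too. Placeholder path.
ForceFolder=C:\Users\YOURNAME\Downloads

# A program group, so the Start/Run restriction below can name both allowed
# programs at once. "FoxitReader.exe" is an assumed executable name.
ProcessGroup=<AllowedToRun>,firefox.exe,FoxitReader.exe

# Internet access restriction: the "!" prefix means "for every program
# except the one named", so only firefox.exe may reach the network.
ClosedFilePath=!firefox.exe,InternetAccessDevices

# Start/Run restriction: only Firefox and the Foxit reader may start inside
# the box. Assumption: this is the key Sandboxie Control writes for
# "Start/Run Access"; compare with your own Sandboxie.ini.
ClosedIpcPath=!<AllowedToRun>,*

# Direct access to bookmarks: the bookmark/history database is read and
# written outside the box, so bookmarks survive AutoDelete=y while the rest
# of the profile stays sandboxed. Placeholder profile path.
OpenFilePath=firefox.exe,C:\Users\YOURNAME\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite
```

The two restriction lines are where the security lives: everything that is not firefox.exe is cut off from the network, and anything outside the group cannot even start, so a downloaded file opened from this box is contained before it can do anything.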
Sandbox settings are something most sandbox programs lack. Sandboxie has quite a few, and they allow users to loosen or tighten a sandbox as much as they want. You decide how loose or how tight you want the sandbox. Personally, as I said earlier, I try to strike a balance between usability and security when I create sandboxes. That’s what you do with Sandbox settings.
By default, nothing gets out of the sandbox, not even bookmarks or downloads. Most sandboxing programs don’t allow the user to save anything out of the sandbox. Hopefully, you guys and gals reading this article realize that with Sandboxie we can leave things as they come by default (nothing gets out), but for convenience and usability we can set things up to save bookmarks and downloads. If this were not possible, more than likely I would never have become a Sandboxie user. I want a high level of security but don’t want to give up usability. Thankfully, I can have both (usability and security) with Sandboxie.
How can Sandboxie help Windows users?
In one short paragraph: Sandboxie helps Windows users keep their systems intact. By using Sandboxie, Windows users prevent programs that run in the sandbox from making unwanted permanent changes to their operating system, registry and other programs. Any changes, caused by good programs or malicious ones, will be gone when we delete the contents of the sandbox. And nothing gets out of the sandbox unless we allow it. End of story.