[Note from Ed Tittel: This post about Sandboxie comes from guest author Bo Elam, whom Kari and I met on TenForums, where he is something of a regular visitor, and a passionate advocate for Sandboxie. Who better to write this Toolkit Item? Further note added October 1, 2019: In the wake of Sandboxie’s conversion to Freeware, we asked Bo to update his article. The text that follows has been updated pretty thoroughly.]
I’ll start this article on Sandboxie with a few words on how I became a Sandboxie user. Before I started using Sandboxie, I used to get malware infections once or twice a year, and simply accepted those infections. I thought, “If I am going to use the internet, I am going to get infected and there’s nothing I can do about it.” The effect of using Sandboxie has been huge on the quality of my computing experience. After I became a Sandboxie user, infections went away completely. I haven’t had an infection since the day I became a Sandboxie user.
So, how did I become a Sandboxie user? One day late in 2008, during a browsing session, I was hit by malware (a rootkit). Until that day, whenever I got infected, I always had somebody clean up the infection. But this time I decided to do it myself. That was a breaking point. I took the approach of treating the cleanup as a challenge, and had fun doing it. During cleanup, I learned a lot about security and came to realize that there were better technologies available to protect our computers than antivirus programs and scanners. One of those technologies was sandboxing. Later, while searching for protection against rootkits, my travels led me directly to Sandboxie. I knew nothing about sandboxes. Sandboxie doesn’t allow drivers or services to be installed in the sandbox. That attracted me. So, I decided to try Sandboxie, and nearly 11 years later, I am still using it.
What is Sandboxie?
Sandboxie is a sandbox program for Windows. An application sandbox is a runtime environment in which programs run in an isolated space. You can run all kinds of programs under Sandboxie: browsers, email clients, PDF readers, video players, and so on. Personally, I run every program I use on a daily basis inside Sandboxie, and most files I download run sandboxed every time they run, for as long as they are on my computer. When you run programs under Sandboxie’s supervision, the interaction between programs running in the sandbox (the isolated space) and the system outside the sandbox is seamless, so there is no reason not to do it. Below is a picture of Sandboxie Control (the Sandboxie user interface). Each name shown in Sandboxie Control represents a separate sandbox with its own settings. From the names you can tell which programs I currently run sandboxed on a regular basis, or the purpose of a particular sandbox. For example, the one called USB is where files run from USB drives run sandboxed whenever a flash drive is plugged in.
The interaction between programs running in the sandboxed environment and the system outside the sandbox works so well that you can use programs exactly as you would when not running under Sandboxie’s protection, even though your computer is protected. So, in the end, users who run their programs and files in the sandbox get a very high level of security for their computers without losing usability or convenience. I am a Sandboxie user to the max. In my case, basically, the only time I am not using Sandboxie is when the computer is idle or I am doing updates.
To be more specific, Sandboxie is a sandbox program designed for running most of the programs that you use regularly, or programs that connect to the internet. But there are other uses for Sandboxie. For example, we can use it for testing programs. If you’d like to test a new browser or video player, you can run the installer in a sandbox and test the program there. In the pictures below, after right-clicking the installer, I get the option to “Run sandboxed” on the installer (top image following). Clicking that option opens the Sandboxie menu, in which we choose the sandbox the installer should run in (bottom image following).
If you like, you can keep an installation around for a while, or you can delete the sandbox after testing a program. Right now, I have IrfanView installed in a sandbox. There are several ways to run a program that was installed sandboxed. You can even create a sandboxed shortcut to make running installed programs in a sandbox easier, but here is how I run them myself. Look at the 3 pictures below. In the first one, after right-clicking the Sandboxie icon by the clock and hovering the mouse pointer over the name of the sandbox where I installed IrfanView, I get the menu on the left and select “Run from Start menu”. That’s the sandboxed Start menu (picture 2 following). I look for IrfanView in that menu and click it. After doing so, it opens in the sandbox I created and set up as a dedicated sandbox for IrfanView (picture 3 following).
Probably the most important function in Sandboxie is “Delete contents” of the sandbox. When you delete the contents, everything you did in a session is gone. In fact, every change that took place in the session is deleted, except what you chose to save outside the sandbox. You can set a sandbox to delete its contents automatically when you close the sandboxed program (that’s what I do in my browser sandboxes), or you can keep the contents (a sandbox in which you installed a program that you want to keep for a while is a good example). Kept contents can be deleted later, whenever you decide to do so. In the following picture, you can see the options in Sandbox Settings for Delete contents.
I also use Sandboxie for testing changes to my system. After testing, if all looks good in the sandbox, I’ll commit the change on the real system. Everyone who uses Sandboxie sometimes innovates and comes up with new ideas on how to use the program.
How does it work?
Programs running in Sandboxie’s isolated space (the sandbox) are prevented from making permanent changes outside the sandbox: to the file system, the registry, or other programs. When a sandboxed program tries to write to a file or a registry key (for a good reason or a bad one), Sandboxie intercepts the write, copies the original into the sandbox folder, and redirects the write to that copy. The sandboxed program sees the change as if it had been applied to the real system, but it applies only to the copy. That’s how Sandboxie protects a computer from unwanted changes. Note what this does and does not cover: the protection is against writes. By default a sandboxed program can still read most files outside the sandbox and, unless you restrict it, reach the internet, so limiting what a program may read and connect to is the job of the sandbox settings described later in this article.
The following image shows the Sandbox folder on the C: drive.
The Sandbox at work
For example, when I download something, like an installer, the sandboxed program (Firefox in this case) thinks the download goes to user\current\BoVideos\C1, but actually the download is redirected to C:\Sandbox\Bo\DefaultBox\user\current\BoVideos\C1. Look at the picture below. The same thing would happen if you got hit by malware. In that case the infection, and any changes caused by the malware, get redirected to the sandbox. The malware thinks it has infected the system, but it has not. The infection is captured by Sandboxie and will be gone when we delete the sandbox contents. Your actual file system and registry remain intact.
Via Sandboxie Control you can track the changes that sandboxed programs make. Some users like to use this option when they test-install a program in a sandbox, to see which files the program creates or modifies.
Some sandbox programs sandbox a file or program only when they detect or flag it as malicious, or when it is unknown to them. Sandboxie works differently: it treats every file the same way and doesn’t detect anything. We, the users, choose what to sandbox, not Sandboxie. My formula for success with Sandboxie is simple: I sandbox every file and program that runs on my computer, every time it runs. There are exceptions, but they are rare, and that’s basically how I use Sandboxie.
Another characteristic that makes Sandboxie a unique program is that you can use as many sandboxes as you need. Most sandboxing programs support only a single sandbox, so everything that runs, runs together in the same isolated space. To maximize isolation, Sandboxie allows the user to create separate sandboxes for different programs. By running programs in their own sandboxes, we isolate them not only from the system but from each other as well. Dedicating sandboxes to different programs allows the user to configure each sandbox according to its dedicated/primary program. In the example pictured below, you can see Firefox running in one sandbox and LibreOffice in another. Using separate sandboxes for those programs allows me to set each sandbox according to the dedicated program. For example, in my LibreOffice sandbox, no program is allowed access to the internet. That’s security: whenever I open an Office file, nothing in that file can connect to the internet. I achieve this high level of security because I am using a separate sandbox for LibreOffice. If all programs ran together in one big sandbox, LibreOffice would run sandboxed but would still have access to the internet.
There are many settings in Sandboxie. Some are global, but most can be applied to individual sandboxes. Some have to do with security restrictions; others have to do with usability and convenience. There are many Sandbox Settings to help the user tailor each sandbox to the program they plan to run inside it. My goal every time I create a sandbox is to achieve a balance between usability and security. So, I tighten up security as much as possible without sacrificing usability.
I am going to use Firefox to portray some of the settings. In Internet access restrictions, I only allow firefox.exe to connect to the internet. That means that no other program that runs in my Firefox sandbox will have access to the internet.
In Start/Run access restrictions, I only allow firefox.exe and the Foxit (my PDF reader) executables to run. If anything other than these programs attempts to run in my Firefox sandbox, it will be blocked.
For better usability and convenience, in Sandbox Settings for Firefox, I allow Firefox direct access to the bookmarks outside the sandbox. This means bookmarks added in the sandbox are saved to the real profile and survive deleting the sandbox contents. But, if you like, you can allow Firefox access to specific files in the Firefox profile folder, or even the entire profile folder. Keep in mind that everything you open this way is a hole in the isolation: the more of the profile you open, the more a compromised browser can change permanently, so open only what you need.
Sandbox Settings are something that most sandbox programs lack. Sandboxie has quite a few: they allow users to loosen or tighten the sandbox as much as they want. You decide how loose or how tight you want the sandbox. Personally, as I said earlier, I try to strike a balance between usability and security when I create sandboxes. That’s what Sandbox Settings are for, and what they do best.
By default, nothing gets out of the sandbox. Not even bookmarks or downloads. Most sandboxing programs don’t allow the user to save anything out of the sandbox. Hopefully, you guys and gals reading this article realize that with Sandboxie we can leave things as they come by default (nothing gets out). But for convenience and usability, we can also set things up to save bookmarks and/or downloads. If this were not possible, more than likely I would never have become a Sandboxie user. I want a high level of security but don’t want to give up usability. Thankfully, I can have both (usability and security) with this program.
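The Firefox and LibreOffice settings described above, written out as the Sandboxie.ini entries that Sandboxie Control stores on disk (Sandboxie Control: Configure > Edit Configuration). This is an added, illustrative fragment, not the author’s own configuration and not Sophos’s documentation; the key names are the ones I recall Sandboxie Control writing for these dialogs, so compare them against the [BoxName] sections in your own Sandboxie.ini before relying on them. The box names, the executable names other than firefox.exe (FoxitReader.exe, soffice.exe), and the final ClosedFilePath line (which goes a step beyond what the text describes) are assumptions.

```ini
; Illustrative Sandboxie.ini fragment (added example; not from the article).
; Key names as recalled from Sandboxie Control output: verify against your own file.
; Executable names other than firefox.exe are assumptions.

[Firefox]
Enabled=y
; "Delete contents" automatically when the last program in the box closes,
; which is what the author does for browser sandboxes.
AutoDelete=y

; Internet access restriction: only firefox.exe may reach the network.
; "!<group>" means "every process NOT in the group", and InternetAccessDevices
; is Sandboxie's built-in name for the network device objects (the \Device\Afd*,
; \Device\Tcp*, ... paths a process must open to use sockets).
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices

; Start/Run restriction: only firefox.exe and the PDF reader may start here.
; Anything else is refused the IPC it needs to start, so it is blocked.
ProcessGroup=<StartRunAccess>,firefox.exe,FoxitReader.exe
ClosedIpcPath=!<StartRunAccess>,*

; Usability: let firefox.exe (and only firefox.exe) write the bookmark/history
; database straight to the real profile, so bookmarks survive "Delete contents".
; Only this one file is opened; the rest of the profile stays sandboxed.
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places.sqlite

[LibreOffice]
Enabled=y
; Keep contents between sessions; the author deletes these boxes by hand.
AutoDelete=n
; No process group and no "!": every program in this box is cut off from the
; network, so nothing embedded in a document can phone home.
ClosedFilePath=InternetAccessDevices
; One step beyond the text (assumption): sandboxed programs can read the host
; by default, so also hide the real browser profile from a document macro.
ClosedFilePath=%AppData%\Mozilla\Firefox\Profiles\
```

Two things to check after editing: Sandboxie reads the file only when it is saved through Sandboxie Control (or after "Reload Configuration"), and every OpenFilePath line is an exception to "nothing gets out", so keep such paths as narrow as the places.sqlite example rather than opening a whole profile folder.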
How can Sandboxie help Windows users?
In one short paragraph, Sandboxie helps Windows users keep their systems intact. By using Sandboxie, Windows users prevent programs that run in the sandbox from making unwanted permanent changes to their operating systems, registries and other programs. Any changes, whether caused by good programs or malicious programs, will be gone when we delete the contents of the sandbox. And no change gets out of the sandbox unless we allow it explicitly. End of story.
The future of Sandboxie
In late 2013, Invincea acquired Sandboxie from Ronen Tzur, the program’s original developer and creator. This transition was smooth and things worked out pretty well for the software and users during this period. Invincea had a team of professional developers who continuously worked on the development of Sandboxie. Unfortunately, in 2017 Invincea was in turn acquired by Sophos. At first, Sophos said development of Sandboxie would continue. Then, on April 16th 2018, Sophos published an announcement of an immediate end to the sale of and support for Invincea products. They said support would end on December 31, 2019. After this announcement appeared, users at the Sandboxie forum continuously asked if that announcement included Sandboxie. The answer, time and time again, was no. Instead, Sophos maintained that Sandboxie was not included and stated that development would continue. In my opinion, the truth is they never cared about Sandboxie and had no plans to continue developing the program. They just didn’t come right out and say so.
A few weeks ago (September 10, 2019), Sophos announced major changes to Sandboxie. The company said the software was now a free tool, and discontinued selling licenses. It also announced plans to release Sandboxie software as open source sometime in the future. This is where things now stand.
I think it’s going to take several months before Sophos can get ready to release the Sandboxie code as open source. My guess is this release will occur sometime around the middle of next year (2020). Sophos has already cut off support in the Sandboxie forum. That said, I believe the company will continue to develop Sandboxie over the next few months and release updates until such time as they release an open source version, including source code. In the interim, I expect the company will work on problems related to Windows 10 and major issues with Firefox, Chrome and IE, and nothing else. Thus, problems between Sandboxie and other software are unlikely to be fixed by Sophos. This means we are on our own now. Going forward, maintaining compatibility between Sandboxie and software other than the browsers I mentioned depends on luck, at least until the open source code is released and developers who have the time and enthusiasm for Sandboxie can take a look and fix issues.
Maintaining Sandboxie as an open source program is not going to be easy. Sandboxie is complex software that requires constant maintenance. Perhaps we might get lucky and see a group of experienced developers looking for a hobby prove willing to maintain Sandboxie for free. I personally know two people who have said they will take a look at the code when it is released. Likewise, I am sure there are others, so this gives us hope that Sandboxie will keep going (and working). In my opinion, all we can do right now is wait and see what happens after the open source code is released. Keep your fingers crossed, and hope for the best!