Sandboxie: Keeping Malware Off Your PC

Friday Oct 9th 2009 by Michael Horowitz

Malware can infect your PC from anywhere on the Web, but the free Sandboxie application effectively blocks it.

There is no safe neighborhood anywhere on the Internet. Even honest reputable sites, such as The New York Times, can inadvertently serve up malware. If you don't keep all the software on your computer patched with the latest bug fixes, you are constantly at risk – malware exploits known bugs to install itself.

Now that Windows does a reasonably good job of self-updating, the bad guys have taken to attacking other software, such as Adobe Acrobat Reader and the Flash player plug-in, which don't install patches automatically as well as Windows does. And even up-to-date antivirus software provides only limited protection.

The bottom line: just viewing a web page can infect a Windows computer.

Enter Sandboxie, an excellent program that builds a virtual sandbox around your web browser, making it very hard for your computer to get infected by accident.

When you run a program in a sandbox, you are really running Sandboxie and it, in turn, is running the program in a walled-off virtual box. Originally developed for Internet Explorer, Sandboxie can now put a sandbox around any Windows program.

Programs running in a sandbox can, by default, see everything on the computer. What they can't do is make any permanent change to it.

When sandboxed programs try to read files, Sandboxie does not interfere. However, when they try to create or modify files, Sandboxie intercepts the requests and carries the change out on a copy in another location. The running program is oblivious to this redirection: it thinks it's talking to Windows, but it really is talking to Sandboxie. The movie The Truman Show offers a pretty good analogy.

If anything malicious gets accidentally installed on your computer while browsing with a sandboxed browser, it lives only in the sandbox. Specifically, the malware may think it got installed into C:\Program Files, but it actually lives in C:\Sandbox\youruserid\DefaultBox\drive\C\Program Files.

Empty the sandbox and the malicious software is gone.

This is shown visually on the Sandboxie home page. The initial state of a computer is shown below:

[Image: a hard disk with no sandbox (top) and with a sandbox (bottom)]

The top checkerboard pattern illustrates a hard disk with no sandbox. In the bottom one, the virtual sandbox is shown as a yellow box.

When a program runs, the changes it makes to the file system are shown as red boxes. In the image below we see that normally the red boxes, the changes, are scattered all over the disk.

[Image: the disk after an application makes changes]

However, Sandboxie forces all changes made by a sandboxed program to live inside the sandbox. If any of the changes are not wanted, just empty the sandbox.

If this sounds like virtualization, it is, but at the application level: Sandboxie virtualizes the file system and registry for the programs it runs rather than running a whole second copy of Windows. It is small, lightweight virtualization, whereas full-blown virtualization products are large and cumbersome. Also, the changes Sandboxie makes to your computer are minimal compared to full-fledged desktop virtualization software like that offered by VMware.

Has a problem occurred to you? Most likely there is a simple solution. Sandboxie is nothing if not a well-thought-out program.

If you don't want malware on your computer, even if it's sandboxed, you can configure a sandbox so that all changes made by any program are discarded as soon as the last program in the sandbox shuts down. You can see this below:

[Image: Sandboxie Control window listing the DefaultBox and ThrowMeAway sandboxes]

There are two sandboxes on this computer, the default one and another called ThrowMeAway (I chose the name). As the name implies, all changes made in this sandbox are always discarded. If you really want a private browsing mode, this beats them all.

Note that this sandbox is not limited to a web browser, any program can be run in the ThrowMeAway sandbox.

My first reaction to Sandboxie was wondering how to save bookmarks from a web browser running in a sandbox. Backing out the browser activity is great for reversing drive-by downloads, but there also needs to be a way for a sandboxed browser to make permanent changes to the file system.

No problem, you can poke holes in sandboxes. Any folder can be configured as an exception to normal sandboxing. For web browsers, Sandboxie makes this especially easy. Shown below are the options for running Firefox in a sandbox:

[Image: Sandboxie's per-sandbox options for Firefox, listing the browser folders that can be excluded from sandboxing]

Are there sensitive files on your computer? Perhaps you would prefer that they were not visible to programs running in a sandbox? Easily done. Sandboxie can be configured so that certain folders and registry keys are totally unavailable to sandboxed programs.

There are also options that make it visually obvious when a program is running in a sandbox and the name of the sandbox it's running inside.

Malicious software often gets on computers as email attachments. To defend against this, simply run your email program in a sandbox. For the best protection, you may want to run all Internet-facing applications in a sandbox.

Even better, a sandbox can be configured such that no programs running inside it can access the Internet other than those that you have pre-allowed. Thus, if an email attachment does install malware, the malicious software can't phone home. This is outstanding protection, even from malicious software that has yet to be invented.

Sandboxie runs on Windows XP, Vista, 2000 and Server 2003. According to the website, "There are no particular hardware requirements. Sandboxie needs only a small amount of memory and should have a very small impact on performance."

There is both a free version and a paid/registered version of Sandboxie. The free version offers the vast majority of features.

For personal use, Sandboxie costs $39.92 or 26 Euros. This gives you a life-time registration key to the current and all future versions of the software. In addition, paying lets you run the full-featured version of Sandboxie on "any number of computers that you personally own." There are different rules for commercial use.

Perhaps the most important feature offered only to paying customers is the ability to force programs, such as your web browser, to always run in a sandbox. With the free version, I typically right-click on the icon for the application I want to be sandboxed and select "Run Sandboxed" from the pop-up menu.
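Every option described above (the throw-away sandbox, poking a hole for bookmarks, hiding folders and registry keys, the visual cues, the Internet restriction, and forcing a program into a box) corresponds to a line in Sandboxie's configuration file, Sandboxie.ini, which the Sandboxie Control GUI edits on your behalf. The excerpt below is my own added example of what such a file can look like; it is not from the article and not Sandboxie's shipped defaults. Apart from ThrowMeAway, the box names, folder paths, registry key and program names are assumptions for illustration, and the `#` lines are my annotations, to be removed if your Sandboxie version rejects comment lines.

```ini
# Sandboxie.ini excerpt (added example; box names, paths and program names assumed).

[GlobalSettings]
# Where every sandbox's private copy of the file system lives. This is the setting
# behind the C:\Sandbox\<user>\<box>\drive\C\... path that a redirected "install"
# ends up in; %USER% and %SANDBOX% are Sandboxie's own substitution variables.
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%

[ThrowMeAway]
Enabled=y
# Discard the whole box as soon as the last program inside it exits, so nothing
# written in it, wanted or not, ever survives. A genuinely private browsing mode.
AutoDelete=y
# Visual cues: a red border around sandboxed windows (shown when the mouse is near
# the title bar) and the box name prefixed to their window titles.
BorderColor=#FF0000,ttl
BoxNameTitle=y

[Browser]
Enabled=y
# Poke a hole: firefox.exe (and only firefox.exe) writes its bookmarks database
# straight to the real profile folder, so bookmarks survive emptying the box.
# Path assumed for Firefox 3; %AppData% is a Sandboxie folder variable.
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\places.sqlite
# Hide sensitive data: programs in this box cannot even read this folder or key.
# (%Personal% is Sandboxie's variable for My Documents; folder and key assumed.)
ClosedFilePath=%Personal%\Private\
ClosedKeyPath=HKEY_CURRENT_USER\Software\MyBank
# Forced program (a paid-version feature, per the article): however firefox.exe is
# started, it runs inside this box instead of on the bare system.
ForceProcess=firefox.exe

[Mail]
Enabled=y
# Internet restriction: close the network device to every program in this box
# except the mail client itself, so a payload dropped by an attachment cannot
# phone home. The leading "!" means "all programs except"; \Device\Afd* is the
# device-path form Sandboxie 3.x uses for this; the program name is assumed.
ClosedFilePath=!thunderbird.exe,\Device\Afd*
ForceProcess=thunderbird.exe
```

Note that OpenFilePath widens the sandbox and ClosedFilePath narrows it: a hole you poke for the browser's bookmarks is also a path any malware running in that box can write to, so keep such holes as narrow as a single file where you can, as in the example, rather than opening the whole profile folder.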

Sandboxie was developed by a single person, Ronen Tzur, which I consider a plus. Speaking as a former programmer, the best software is always developed by a very small number of motivated, qualified developers. For assorted reasons, large companies typically produce large software of questionable quality.

I'll take software developed by a single good techie any time.

