Sandbox Security Versus the Evil Web

Sandboxie 3.28

Sandboxie is a superquick download (421K) and an easy install, supporting Windows 2000 and later Microsoft operating systems. It can be used to provide sandboxed protection (for files, disk devices, registry keys, processes, threads, driver objects, named pipes, mailbox objects, events, mutexs, semaphores, sections, and LPC ports) while running any program, including any Internet browser, command prompts, and Windows Explorer. It has a multitude of configuration options and a good interface that is directed more toward technical end-users.

Sandboxie offers many runtime and configuration choices over two main views: Programs (Figure 1) and Files and Folders (Figure 2). Both figures show Sandboxie running with active malware. At any point, the user can choose to terminate sandboxed programs and delete or restore the involved objects.

Because of the number of things Sandboxie emulates, it successfully stopped almost everything I threw at it, including bots, worms, Trojans, viruses, rootkits, low-level disk editing, and malicious alternative data streams. The two exceptions were, as covered in the accompanying sidebar, two tenacious tricksters, the Adobe Flash clipboard hijack and the XP Antivirus malware program. Sandboxie didn't prevent the clipboard hijack, and it did not remove all remnants of the XP Antivirus malware program when I told it to delete everything.

Still, overall, I was more impressed with Sandboxie than I expected to be -- with three reservations. First, as comprehensive as the coverage appears, Sandboxie cannot virtualize system-level drivers, which can lead to installation and stability problems from both legitimate and malicious programs. Some of the low-level malware programs I tested caused "blue screen" errors and severe booting problems afterward. To be clear, at no time did I see a malware program installed in such a way that Sandboxie allowed it to run seamlessly outside of virtualization; however, Sandboxie allowed more browser and system crashes than most of the competitors.

Second, Sandboxie only protects one program or process at a time. When you use Sandboxie, you must choose which programs and processes to protect and when. You can create one or more virtual sandboxes, each with its own settings, but what goes into each sandbox is up to the user. Occasionally, I found myself accidentally running unprotected programs when I wasn't paying attention. Plus, it's just not possible to run every program and process virtualized all the time, for various reasons (consider remotely buffer overflowed system service, anti-virus software, tape backup software, and so on), which means they can be exploited. Other competitors in this review focused on protecting critical system areas against all threats and didn't rely on the user to choose which area to defend.

Third, all trust decisions are left up to the end-user. Sandboxie never makes a declaration of safe versus unsafe content. The nontechnical end-user usually doesn't have enough knowledge of malware to make successful trust decisions. For example, Sandboxie doesn't prevent against phishing, so if a user is sent an e-mail claiming to be a security patch from Microsoft, how many end-users would download and install the patch using an unprotected browser session? How many users might be tricked by the XP Antivirus malware program? Too many, I suspect.

Overall, I liked Sandboxie's coverage, user interface, level of protection, and wealth of configuration options, especially for the price. It's a solid utility for those who can make the right trust decisions.

SoftSphere DefenseWall HIPS 2.44

Although security is rarely a binary choice, SoftSphere's DefenseWall HIPS separates all applications into just two categories: trusted or untrusted. Applications that can be expected to interface with potentially malicious content should be placed into the untrusted category. Processes started by untrusted programs automatically inherit untrusted status. Automatically downloaded or executed content from an untrusted program is protected from execution and prevented from manipulating protected resources.

Installation of DefenseWall HIPS was simple and quick, and the accompanying help file covered the essentials. The DefenseWall HIPS comes preconfigured with 11 untrusted programs, including Internet Explorer, Firefox, QuickTime, and a few other frequently exploited programs. However, Adobe's Flash Player was not automatically included on this list, and this allowed the clipboard hijack exploit demo to be successful.

Untrusted programs can be launched in a trusted state by choosing the application in the Untrusted applications window and selecting the Run as Trusted button. This is a nice way to end up with both trusted and untrusted browser sessions to handle various Web sites. The untrusted browser sessions are marked in the title bar to help users distinguish between the two.

The SoftSphere program has many customizable options, including the ability to include or exclude specific Windows resources (such as files, folders, registry keys, and so on) as trusted or untrusted. You can roll back any identified resource changes on a per-resource basis, although the program does not always distinguish between legitimate and malicious changes, leaving the final trust decision to the end-user. I especially like that DefenseWall HIPS considers all programs from removable sources to be untrusted by default.

Overall, DefenseWall HIPS stopped most malicious threats from automatically executing, though at times in a disconcerting way. When I browsed to malicious Web sites with an untrusted browser, the DefenseWall HIPS added any further starting programs (in testing, these were always malicious programs) to the untrusted applications list, which prevented much malicious activity. Further, it warned me when a malicious program was trying to modify critical system files.

Auto-downloaded malware is saved to the disk, but in such a way that it is not a threat to your system. You can disable the program, remove it, or, if the program is legitimate, move it to the trusted applications area. If you manually save a file to the desktop, which is often the case with social engineering, DefenseWall HIPS attempts to keep it marked as untrusted, but I found instances where malicious files could escape to trusted areas.

The DefenseWall HIPS includes a Stop Attack window, which allows a user to quickly close all untrusted processes if a malicious attack is suspected. The Adobe Flash clipboard hijack exploit lived through this closing; DefenseWall HIPS did not report any events or modifications, nor did it offer to roll back any changes.

DefenseWall HIPS also had a hard time cleaning up from the XP Antivirus malware, as did many of the competing programs. Although XP Antivirus was executed from within an untrusted browser session, the malware program was able to permanently modify the system and leave remnants of itself behind, even after I instructed DefenseWall HIPS to close all untrusted processes and delete all resource changes. DefenseWall HIPS did a pretty good job in stopping most malware programs, but it wasn't perfect.

Subscribe to the Security Watch Newsletter