Sandboxing is a great way to keep out malware and prevent bad software ruining your PC. Roland Waddilove digs deep into the subject
Sandboxing is a way of protecting the computer from viruses, trojans, spyware, adware and badly written software. All these things can seriously damage your computer, with the effects ranging from relatively minor freezes, crashes and changed settings to malicious applications that delete files, encrypt them using ransomware and more.
The word ‘sandbox’ is said to come from the idea of a children’s sandbox, an enclosed area where kids can play with sand without causing a huge mess of your garden, house or classroom. The sand stays in the box, and everywhere outside is clean and tidy.
Table of Contents
Sandboxing on your PC works in the same way. It’s a software technique that creates a safe area, where applications can run without causing any lasting damage to the rest of the system. An application running in a sandbox has limited access to the outside environment of Windows and the hard drive, and often no access at all.
The reason why this is so useful is for security purposes. If you download software from the internet, it might look okay from the description on the web page, but you won’t really know it’s safe until you run it and try it. If a downloaded program is run in Windows in the normal way, then it has the power to do anything, such as infect the system with malware, encrypt your files, access personal information and leak information to third parties on the internet.
If software is run in a sandbox, then the damage they can do is limited. Bad apps might try to change files and settings on the computer, but they’re blocked. It’s like they have a wall around them and they cannot get out of the enclosed area.
Sandboxing features are built into Windows and certain types of software, and there are special utilities that create sandboxes to enable you to test software safely. If software is tested in a sandbox and found to be badly written or malware, the sandbox can be emptied and the system reset to what it was before. It undoes everything the software did. If the sandboxed software turns out to be okay, then it can be installed for real on the disk drive in Windows.
Built-in Sandboxing
Windows has some sandboxing built in, and there are different user accounts. You can choose between a standard account and an administrator account. Anyone that logs into Windows with a standard account will find that some features are unavailable. For example, certain system settings cannot be changed unless you’re logged in as an administrator.
You should create two accounts on your Windows PC, a standard account and an administrator account. Use the standard account for everything you do, such as browsing the web, word processing, watching videos, viewing photos, listening to music and so on. If you encounter any malware, it will find it more difficult to infect the computer, because your account doesn’t have access to certain features. If you need to configure anything, install software and perform maintenance tasks, you can log in as an administrator.
Parental controls add more restrictions to user accounts, which is similar to sandboxing. They limit what software can do, when it can run and what changes it can make to your PC. User accounts are created in the Settings app in Windows 10 and the Control Panel in Windows 7.
User Account Control is also a form of sandboxing: when software tries to make changes to the system, the screen goes dark and a message appears on the screen, which must be clicked in order to let the program proceed. There are several levels of User Account Control, and the setting is in Security and Maintenance in the Control Panel.
Modern apps for Windows 10 run in a sandbox, and certain actions are unavailable. It increases the security of software, which makes Windows Store apps safer than software downloaded from the rest of the internet. However, it places restrictions on software and limits what they’re able to do. Games developers, for example, don’t like it, because they don’t have full access to the hardware and software of your PC.
Microsoft Word has a sort of sandbox mode, and if you open a Word file that has been saved by someone else, it opens in a special Protected View that prevents viruses and other malware that might be in the document from running. To edit the document, you must click an Enable Editing button, otherwise you can only view it.
Web browsers use sandboxing too. For example, it’s built into Chrome. Code within a web page has a great deal of difficulty getting out into Windows unless you do something like download and then run a program. The HTML and JavaScript is locked in, and Flash runs within the browser.
Nothing is perfect, and security flaws are sometimes found, especially in Flash, but generally speaking, code is locked in. In fact, each tab in Chrome is a sandbox, which prevents any code running in one tab from accessing the contents of another tab. When banking online, it’s best if there’s only one tab, but even if there are two, the other tab should not be able to access your account. Security flaws may exist, so it’s not worth banking on one tab while browsing dodgy websites on another, just in case, but in theory it should be okay.
Back Up The Disk
Disk drives sometimes last forever – well, maybe not forever, but they often last until your PC is too old to be useful.
However, you cannot rely on this and assume that the disk will never fail. It might fail next week or next year; you just don’t know. For this reason, you should have a complete backup of the drive, consisting of the operating system, software and personal files.
If you have a complete system backup that contains everything and have a bootable restore CD or USB memory stick, your PC is sort of sandboxed. No matter what happens to your PC, you can erase everything and put everything back exactly as it was at the time of the last backup. If bad software has messed up Windows, restoring the backup solves the problem.
The main drawback of this is the length of time it takes to reset your PC. It could well take two or three hours to perform a restore. It is not something you can use on a daily basis, but it is an option you should have available to you just in case something goes wrong and Windows won’t boot because of malware, bad software, bad drivers or disk corruption.
Free tools like EaseUS To-Do Backup, Paragon Backup & Recovery 14 Free Edition, Macrorit Partition Expert Free Edition 5 Review and AOMEI Backupper can make exact copies of your PC’s disk to a USB drive.
VirtualBox
VirtualBox and the less well known VMWare Player are the ultimate sandboxes, and they’re used to create virtual machines. These enable you to install and run a guest operating system in a window on the desktop. A virtual machine is a completely separate environment that has no access to the rest of the computer, and the OS is completely isolated. Software installed in a virtual machine runs in the guest OS and is also isolated and unable to access the rest of the computer.
This makes virtual machines the perfect sandbox. Any software you install in them only runs inside them, so it’s a great way to test programs you’re unsure about. You can boot Windows 7 or any other OS, install a program and test it. If it turns out to be malware, then you can simply close the virtual machine. Your PC is unaffected, because the malware cannot access it.
You could simply delete the virtual machine and reinstall the guest OS, but there’s no need. VirtualBox and VMWare Player have facilities to create system snapshots. You snapshot the system before installing the software you want to test and then restore the snapshot afterwards to reset everything back the way it was. Unlike restoring a PC’s disk drive, restoring a snapshot takes only a minute to complete.
If you want to have a permanent copy of Windows in a virtual machine, you must buy a licensed copy. Windows 7 will install as a 30-day trial if you skip the bit where you’re asked to enter the licence code. You can test software for a whole month in your virtual machine, then delete it and reinstall it for another 30 days and so on.
Virtual machines are great, but they require a minimum of 30GB of disk space to create and at least 1GB of memory when running. It can be a struggle on a PC with 4GB of memory, and 8GB is recommended.
Read more: VirtualBox Review: A Hands-on Guide on Virtualisation with VirtualBox
Sandboxie
This is a well-known sandboxing utility that has been around for years. Browse the site and you’ll find lots of screenshots for Windows X, but the software works with all versions of Windows, including 7 and 10.
The Sandboxie program is quite small, and it adds an icon at the right side of the taskbar. This opens Sandboxie Control. From here you can open a web browser, email program, Explorer or any program in a sandbox. A yellow border around the window indicates that it’s sandboxed. Software running in the sandbox reads and writes to a separate reserved area of the disk. This means that any changes to the system, such as registry writes, configuration changes and so on, do not really take place, and your Windows installation is protected. Everything is contained within the sandbox on the disk.
You can explore the contents of the sandbox to see what files have been written or changed, programs running in the sandbox can be terminated, and the sandbox can be emptied and wiped clean. Files created in the sandbox can be copied out of them if you know they’re safe and want to keep them.
If you don’t have the disk space or memory for a virtual machine, this is a good alternative. Sandboxie is a lightweight utility that enables you to test software in a safe sandboxed environment.
Comodo Internet Security
Some security software includes a sandbox, and part of their protection involves automatically sandboxing new software that is downloaded from the internet. Sometimes this involves a trial run of the program. When the program is run, the security software starts it in a sandbox and analyses its behaviour. If it’s okay and nothing abnormal is spotted,the program then runs normally.
Comodo Free Internet Security Software has a built-in sandbox that enables programs to be tested without danger of them doing anything nasty to your PC. Sandboxing is automatic, and programs write to a virtual file system and a virtual registry instead of the real thing. You can also run a virtual desktop that can be used instead of the real one.
Any program can be manually run in the sandbox environment, and you can tell a normal program from a sandboxed one, because it has a green border around the window. The sandbox file system can be explored to see what files have been written and where. The sandbox can be reset to clear it of programs, files and settings.
The main drawback of this sandbox is that you have to use Comodo Internet Security, and the sandbox does not exist on its own. You couldn’t use it with a different anti-virus program. Apart from that, the software looks good, works well and is easy to use.
Shadow Defender
Shadow Defender is similar in function to Sandboxie, but it has a more modern and attractive interface. It creates a virtual environment that it calls a Shadow mode, which is basically a sandbox. When programs are run in the Shadow mode, any writes to the system, such as to change settings, the registry, or create files, are intercepted and redirected to a virtual file system. In addition to this, Shadow Defender has the option to use part of the memory as a write cache, so disk access is similar to SSD speeds. The cache is written to disk when the computer is idle.
Shadow mode can be automatically enabled on boot-up and automatically disabled on shut down. This means that anything that is created, saved or changed is automatically reset. This makes it great for children’s computers, public computers in libraries or schools and so on. Each night when your PC is switched off, it’s reset back to how it was.
Shadow Defender is a small program at just 3MB. It’s also £6 cheaper than Sandboxie, which might make it more attractive to you.
Clean Slate
Clean Slate is intended for commercial use and to be installed on public, library, school computers and so on. However, single licences are available, and it isn’t too expensive, which is similar to alternatives.
The software is designed to be permanently active and like Shadow Defender. It runs on boot-up, and any changes to the system, files created by the user, configuration settings and so on, are all undone when your PC is shut down. It means your PC is reset every night when it’s switched off.
One nice feature is that it works with Windows Updates and antivirus software updates, so these download and install as normal, even though Clean Slate is running. It’s compatible with Windows from XP to 10.
Shade Sandbox
Shade Sandbox is free software, and all you need to do is to register to get a free licence code to use it. Shade opens a window on the desktop, and you drag and drop program shortcuts onto it, such as from the Start menu, desktop or Explorer. The programs are started in the usual way, and they run in the sandboxed environment. You can tell a sandboxed program by the purple border around the window. The software doesn’t have as many features as some of the others, but it’s free and easy to use.
Other Sandboxes
There are many more sandboxes, of course. Take a look at ToolWiz Time Freeze (toolwiz.com), WinJail (http://www.winquota.com/wj/), Cameyo (cameyo.com), Cuckoo (cuckoosandbox.org), Evalze (evalaze.de/en/home), iCore Virtual Accounts (icoresoftware.com) and Deep Freeze (faronics.com/en-uk/products/deep-freeze).