Tech Talk (09/01)
Sandbox Computing
by Brian K. Lewis, Ph.D.*
Member of the Sarasota Personal Computer Users Group, Inc.
I spend a lot of
my time surfing the web looking for research material: computer tech
sources, genealogy data, vocal music and other information. This means
that I am downloading many web pages, clicking on many links and
generally opening up my computer to all types of malware. I always have
to be aware that there are many traps on web pages that are just waiting
for the unwary surfer. It used to be that with an up-to-date virus
checker, a working firewall and parasite scanners, you could adequately
protect your computer. That changed to some degree when the "drive by"
downloads appeared. Now with the constant appearance of "holes" in the
Windows operating system (XP & Vista) and the various web browsers, it
is less obvious that you can protect your computer from unwanted
visitors. Microsoft recently (October 22, 2008) released an out-of-cycle
patch (patch 958644) for Windows for what has been described as a very
serious opening that could be exploited regardless of the browser you
are using. There have also been recent articles on "clickjacking". In
this situation "buttons" or links are floated behind the link you think
you are clicking. The only option to prevent this is to disable
JavaScript. That creates more problems as JavaScript is a very important
part of the whole web experience and is used on almost every page. So
how do you know when you can run a script and when you can’t? Well, the
"Sandbox" may be a way to surf safely and avoid the installation of
malware on your computer without having to disable JavaScript.
My Sandbox experience is based on using the software
application "Sandboxie" (www.sandboxie.com)
with Windows XP and Firefox 3.0. As with everything related to
computing, your results might be different. Sandboxie is a very small
program, approximately 450 KB. So it is quick to download and doesn’t
require a lot of memory to run.
Next, let’s take a look at what is meant when I talk
about a computer sandbox. The sandbox is a complete "virtual computer"
running in your computer’s memory. This virtual computer is isolated
from the real operating system files and creates any files it needs for
use within the sandbox. When the sandbox closes, everything in it
disappears unless you choose to keep it. It’s like having a bank vault
within a building where everything can be locked within the vault and
nothing is removed without special permission. The neat thing is that
nothing that happens within the sandbox can have any effect on your
computer. This means that Trojans, rootkits and other malware have no
chance to affect the operation of your computer outside of the sandbox.
If a problem occurs when you are running in the sandbox, all you need to
do is shut it down; you are returned to your normal computer operations
and the malware is erased.
When Sandboxie is started it creates a sandboxed folder
which contains a drive folder, user folder, and Registry "hives". The
"hive" is Microsoft’s term for collections of related Registry keys
stored together. The parts of the Registry needed for sandboxed
operations are stored in a hive which is then integrated into the
Registry. There are also instances of Windows services stored within the
sandboxed folder that can be accessed by applications running within the
sandbox. These are referred to as "process objects" and are needed for
normal operations. When the sandbox is running there may be instances of
these objects running both sandboxed and non-sandboxed. Also, you can
run an application within the sandbox at the same time you are running it
outside the sandbox. The complete operating system is not loaded into
the sandbox. This reduces the memory required for the sandbox
operations.
Applications running in the sandbox cannot hijack
non-sandboxed programs. Therefore they cannot operate outside the
sandbox. New files or other created objects have a path assigned by
Sandboxie which directs them into the sandboxed folders. Sandboxie
prevents any programs running inside the sandbox from loading drivers
directly. It also prevents programs from asking a central system
component, known as the Service Control Manager, to load drivers on
their behalf. In this way, drivers, and more importantly, rootkits,
cannot be installed by a sandboxed program. This is one of the features
that prevents rootkits from being installed outside the sandbox.
In actual operation, using Sandboxie is very simple. To
make it even simpler, there is a short tutorial available on the
Sandboxie web site. This can be accessed from within the program the
first time you run it or directly from the Sandboxie home page by
clicking on the "FAQ & Help" link.
After installation it can be set to load whenever the
computer is started. This puts an icon in the system tray. Clicking on
this icon brings up the Sandboxie Control Center. This window lists all
sandboxed applications and objects. When I started it, the window
indicated nothing was sandboxed. So, using the menu, I chose to run an
application and then selected Firefox. This changed the list in the
window to show Firefox as well as the two RegHive files. With Firefox
up, I did my usual web surfing. Along the way I received a message from
Sandboxie that a new version was available that I could download. At
this point, I really couldn’t tell that anything was different from my
previous surfing experience with Firefox. So I went to the Sandboxie
page and downloaded the new version. After finishing I closed the
Sandboxie Control Center. Then I went looking for the download so I
could install it. Well, it didn’t exist anywhere on the hard drive! I
had closed Sandboxie without marking the update to be saved! As a result
the download was deleted, along with all the other sandboxed files when
I closed the Control Center. So I opened the Control Center, restarted
Firefox and downloaded the update. This time I selected it to be saved
before I closed the Control Center. Then I was able to install the
update.
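An added illustration (not part of the original column and not Sandboxie's actual code): a small Python model of the behaviour described above, where every write is redirected into a sandbox folder and only files explicitly recovered survive when the sandbox is closed. The ToySandbox class, its folder layout and the file names are hypothetical.

```python
import shutil
import tempfile
from pathlib import Path

class ToySandbox:
    # Conceptual model only; folder layout and method names are hypothetical.
    def __init__(self, real_root: Path):
        self.real_root = real_root
        self.drive = Path(tempfile.mkdtemp(prefix="toybox_")) / "drive"

    def write(self, rel: str, data: bytes) -> None:
        # Every write is redirected into the sandbox folder, never real_root.
        target = self.drive / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

    def read(self, rel: str) -> bytes:
        # Prefer the sandboxed copy; otherwise read the real file unchanged.
        boxed = self.drive / rel
        return (boxed if boxed.exists() else self.real_root / rel).read_bytes()

    def recover(self, rel: str) -> None:
        # Explicit user decision: copy one file out to the real folder.
        dest = self.real_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(self.drive / rel, dest)

    def close(self) -> None:
        # Closing the sandbox discards everything that was not recovered.
        shutil.rmtree(self.drive.parent, ignore_errors=True)

def demo() -> dict:
    real = Path(tempfile.mkdtemp(prefix="real_"))
    (real / "notes.txt").write_bytes(b"original")
    box = ToySandbox(real)
    box.write("notes.txt", b"changed in sandbox")        # shadow copy only
    box.write("Downloads/update.exe", b"constructed")    # wanted download
    box.write("Downloads/unwanted.exe", b"constructed")  # never recovered
    seen_inside = box.read("notes.txt")
    box.recover("Downloads/update.exe")                  # marked to be saved
    box.close()
    result = {
        "seen_inside": seen_inside,
        "real_notes": (real / "notes.txt").read_bytes(),
        "update_kept": (real / "Downloads/update.exe").exists(),
        "unwanted_kept": (real / "Downloads/unwanted.exe").exists(),
    }
    shutil.rmtree(real, ignore_errors=True)
    return result
```

Calling demo() shows the sandboxed program seeing its own change to notes.txt while the real file stays untouched, and only the recovered download reaching the real folder.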
I should also point out that now I have an icon on the
desktop which automatically runs Firefox sandboxed. Sandboxie can be set
up to isolate your browser automatically whenever you open it. To do so,
add the name of your browser’s executable file, such as firefox.exe or
iexplore.exe, to the list of programs Sandboxie always opens in a
sandbox. If you don’t do this, Sandboxie will not set your browser to
open automatically in the sandbox.
As you can tell from these comments, Sandboxie does not
require a reboot to start the sandbox process. Sandboxie does sandbox
access to files, but not to the complete hard drive. It does sandbox
access to registry keys. It also sandboxes access to many other classes
of system components, in order to trick the sandboxed program into
believing that it isn’t being tricked. So you can open and close
Sandboxie repeatedly while you are using your computer without having to
do any rebooting.
If this discussion has interested you and you would like to take
Sandboxie for a test run, the free version can be downloaded from:
www.sandboxie.com. This application is free for personal use.
However, there is a Pro version available for $30.00. If you like the
program and can afford it, buy the Pro version. This software is the
work of one person, Ronen Tzur, and this payment is his means of support
to continue working and improving this software. After some experience
in running Sandboxie, I can highly recommend it as an excellent method
of protecting your computer from malware.
*Dr. Lewis is a former university and medical school professor of physiology. He has been working with personal computers for over thirty years, developing software and assembling systems. He can be reached at bwsail at yahoo.com.
Copyright 2009. This article is from the
January 2009 issue of the
Sarasota PC Monitor, the official monthly publication of the Sarasota
Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL
34277-1889. Permission to reprint is granted only to other non-profit
computer user groups, provided proper credit is given to the author and
our publication. We would appreciate receiving a copy of the publication
the reprint appears in; please send to above address, Attn: Editor. For
further information about our group, email:
admin@spcug.org. Web:
http://www.spcug.org/
The Sarasota Personal Computer Users Group, Inc. has 1,100+ members
and was established in 1982. We are members of the Assoc. of PC User
Groups (APCUG), the Florida Assoc. of PC Users Groups, Inc., and we are
members of the America Online Ambassador Program.
See http://www.spcug.org for all reviews from the Sarasota PC
Monitor, go to the Newsletter Section.