Sandboxie
I want to talk about this exciting program I’ve been using lately called Sandboxie. I was first introduced to Sandboxie on a Security Now podcast a while back. Then recently, Leo and Steve did another podcast where they took a more in-depth look at this now mature program. I even purchased a license which includes all new upgrades to Sandboxie for life! What a great deal! The podcast on Sandboxie couldn’t have come at a more appropriate time for me. I had just purchased a new Dell laptop with Vista; yeah yeah I know I’m a big Apple/Mac fan-boy but I really couldn’t justify spending over my budget for a new Macbook. I ended my dilemma by settling for a bottom of the line Dell Inspiron with Vista. The truth is that I’m actually very happy with my Dell and I’m even happy – so far – with Vista. Everything works – so far so good. After I ordered my laptop I was thinking about how to keep my new system clean and free of anything malicious such as spyware, adware, etc. This happens to be more of a challenge in a Windows environment. Then I heard about Sandboxie.
So what is Sandboxie? A while back we talked a little bit about a Virtual Machine and how I was able to run Windows on my Mac using Parallels. With Parallels you need to set aside memory and actually install the OS you want to run in the VM so that you essentially have two systems on one computer. Sandboxie is a “lightweight” VM that doesn’t actually need a separate OS to run; it runs as a program on Windows. Sandboxie allows you to run any program within a “contained environment”. Within that environment no permanent changes or modifications can be made to your system. So which programs do I run in Sandboxie? I have two programs that are the most likely vectors for something malicious getting into my system. These are my web browser Firefox and my email client Thunderbird. I, therefore, ran these programs within Sandboxie before I wrote this post. They are running in their separate space and can’t harm my system. I’m a careful user of the Internet and follow some best practices, such as never downloading anything that is not reputable or clicking on a link in an email from someone I don’t know. However, even the most savvy user can be vulnerable; the bad guys are getting smarter and smarter. So what happens if I suspect I may have accidentally clicked on an unsavory link or downloaded a dangerous file? I wipe my sandbox clean and start fresh. Any malicious files or potential malware are contained in the sandbox, never able to harm any part of my system outside of the sandbox. How cool is that? Keep in mind that you must start using Sandboxie on a computer that is in a healthy state, otherwise Sandboxie is useless and all bets are off. Reformat your hard drive and install Windows fresh or start with a new computer.
This is all nice and I can see how Sandboxie can be a very useful tool for running programs in isolation, but there are times when I would need my program to make changes to my system. Here’s a good example. I’m browsing on the web using Firefox “sandboxed” and then I go to the popular networking site, Facebook, where there is a picture of me posted by a friend that I would like to download, save and share with others. So I click “save picture” and I proceed to save it to My Documents and here is the pop-up that appears from Sandboxie:
What’s happening here is that your “sandboxed” Firefox wants to save a file to your documents folder, which is outside the sandbox. If you click “close” the file will be saved – actually saved – in a directory tree under the sandbox folder, C:\Sandbox\goodbin\DefaultBox, where “DefaultBox” is your default sandbox (Sandboxie allows you to create different sandboxes that behave differently for different uses). If you click on the recover box then you are giving Sandboxie permission to save this file to your Documents folder. If you clicked on close and saved the file to your “sandboxed” documents folder then you can open your Windows Explorer in “sandboxed” mode and you’ll see the files. See the screenshot below with 2 different Windows Explorers; the one in “sandboxed” mode shows the files while the Windows Explorer that is not “sandboxed” does not show the files.


When you download in Sandboxie, it writes all those new files and system modifications (unless you say it’s OK to save outside the sandbox) into the sandbox “C: location” or C:\Sandbox. Remember, nothing changed outside the sandboxed environment. That means if you downloaded some changes to your “money management” program using Sandbox, you will see those changes only if you run your money program from Sandbox. If you run it from its regular icon, no changes will have taken effect. For the more technical users this can come in handy if you want to see how a program behaves when it runs on your system. You run the program sandboxed and then go into the C:\Sandbox directory to see which system files were changed or which new ones were created. Perhaps you are auditing a program or are curious to see what the change is so that you can feel safe about modifying your system files “unsandboxed”. See the screenshot below showing the C:\Sandbox tree. Notice the different program directories for Thunderbird and Mozilla.
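The audit described above can be scripted. The following is an added example, not part of the original post or of Sandboxie itself: it walks a sandbox folder and reports which files are new and which differ from their unsandboxed counterparts. The `drive/C` folder layout, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_sandbox(box_root, real_roots):
    """Classify every file in a sandbox tree against the real file it shadows.

    real_roots maps a sandbox subfolder (assumed layout, e.g. "drive/C") to
    the real location it mirrors (e.g. "C:\\"). Returns {sandbox_path: status}
    where status is "created", "changed" or "identical".
    """
    report = {}
    for prefix, real in real_roots.items():
        shadow = Path(box_root) / prefix
        if not shadow.is_dir():
            continue
        for f in sorted(p for p in shadow.rglob("*") if p.is_file()):
            rel = f.relative_to(shadow)
            target = Path(real) / rel
            if not target.is_file():
                status = "created"      # exists only inside the sandbox
            elif sha256(f) != sha256(target):
                status = "changed"      # sandboxed copy differs from the real file
            else:
                status = "identical"
            report[(Path(prefix) / rel).as_posix()] = status
    return report


def demo():
    """Build a constructed 'real' drive and sandbox in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        real, box = Path(tmp) / "real_C", Path(tmp) / "DefaultBox"
        samples = [  # (root, relative path, content) -- all constructed
            (real, "Program Files/MoneyApp/rates.dat", b"v1"),
            (real, "Program Files/MoneyApp/settings.ini", b"a"),
            (box, "drive/C/Program Files/MoneyApp/rates.dat", b"v2"),
            (box, "drive/C/Program Files/MoneyApp/settings.ini", b"a"),
            (box, "drive/C/Downloads/photo.jpg", b"jpeg-bytes"),
        ]
        for root, rel, data in samples:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return audit_sandbox(box, {"drive/C": real})


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

On a real machine you would pass your own sandbox folder and drive root to `audit_sandbox` instead of calling `demo()`.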

So far, my experience with Sandboxie has been very positive. The interview on the Security Now podcast with the author of Sandboxie, Ronen Tzur from Israel, was very interesting. Sandboxie is a great addition to your security toolbox. Remember, there is no silver bullet security solution, and how often you clean out your sandbox depends on your level of paranoia.












April 14th, 2009 at
Safe Internet Browsing with SandBoxie…
Importance of Safe Internet Browsing
Internet is an interesting place. On one hand it is a treasure of information, where you get as much information as you have time, energy and patience, but on the other hand it is a complete jungle out there, where …
September 5th, 2009 at
All very well for a very competent & experienced user like yourself.
The facts are Sandboxie is a great concept very poorly executed in terms of easy or intuitive use.
I get really annoyed at reviews like yours that are hardly relevant to an average user (you know what I mean here). How often do such reviews really point out poor interface design.
For God’s sake, why would anyone use a process description like “Recover files” – the files are not lost!
A simple question “Do you want to save outside the sandbox” would be much more helpful. That’s just an example.
The program is riddled with such hard to understand questions & labels, the designer even saw fit to post a 6 part “Getting Started” guide.
Did you read that?
NO …….. I thought so.
I gave up at part 5 & exited Sandboxie, trying to do so intuitively, so that the stuff inside would be “wiped clean” (that’s my description which you won’t find anywhere in Sandboxie).
I knew it would happen ……. YES the desktop icon that the guide set out to show would NOT remain was there plain as day.
Very disappointing, I can’t use what I can’t reasonably understand or feel sure about.
Now I give you full permission to post my “review”.
Peter Owens