Test Center: Sandbox security versus the evil Web
Five products strive to trap drive-by downloads and other threats in a virtual Web browsing space, with mixed results
I was keen to see how well programs prevented silent "drive-by" downloads and how well they protected the user even if the user intentionally installed them (as if provoked by social engineering). Some sandbox products only provide protection from silent downloads, which can be furnished by a fully patched system without additional software in most cases. Others provide protection no matter what the user does, which is even more important in today's world of sophisticated social engineering.
Concerns about the class
But before reading the individual product reviews, let's discuss sandbox software in general. Sandbox protection products haven't gained a tremendous amount of traction with customers over the years for a number of legitimate reasons.
The first concern is accuracy. Every product failed one or more tests to varying degrees. All of them failed the Adobe Flash clipboard hijack exploit test, and most failed to accurately clean up from the XP Antivirus malware program (see the sidebar, "Two tenacious exploits debunk vendor claims"). This was despite the fact that many sandbox vendors claimed to prevent all known and unknown attacks. You can see the results and failures in the many screen images and video files offered along with this review.
The question is, despite the dubious accuracy, do these products provide additional value? In most cases, the answer is yes. Most sandbox programs attempt to prevent any system modification and don't care whether a particular threat is "recognizable." But this causes a tremendous amount of false negatives, meaning real threats aren't identified as such, and leads to a second problem.
Inherent in many of the products is the idea that end-users must make a trust decision on whether to erase, save, or execute downloaded content. Taken to one extreme, if end-users erase all content after every session, how would their system, applications, or browsers receive upgrades or security patches? Taken to the other extreme, if users save or execute all content, they will end up infected or negate the need for the additional protection. Ultimately, with varying levels of assistance from the product, the end-user must make the key decision on whether or not to save and execute the data from each session.
Detecting what is and isn't malicious is becoming harder all the time. A large majority of malware is coming from innocent, legitimate Web sites (such as favorite news sites, online social portals, blogs, and so on) that are infected with harmful content, and the social engineering pitches to the end-user are getting more persuasive.
Gone are the days when phishing malware was easy to spot due to obvious grammar issues and misspellings. Today's crimeware poses as legitimate vendor patches, online malware removers ("You are infected and need to run this scanner!"), overdue bills, and legal notices. Because of these increasingly blurred distinctions, end-users can't always be sure which Web site content can be trusted and safely executed. And still users are forced to make a trust decision that twenty years of history shows they aren't adept at making. If users could make consistently correct trust decisions, would they need the protection that sandbox products provide in the first place?