Test Center: Sandbox security versus the evil Web
Five products strive to trap drive-by downloads and other threats in a virtual Web browsing space, with mixed results
Some of the products in this review, notably Sandboxie and SafeCentral, rarely made an attempt to inform the user whether a Web site or download was legitimate or malicious. The user had to make every trust decision. Other products attempted to tell the user which Web sites contained malware and which did not. Prevx did a fairly good job at this, while DefenseWall and ForceField were more hit than miss.
In many products, content downloaded during a browser session must be saved or discarded as a whole (in other words, everything or nothing), while other products, especially Sandboxie and DefenseWall, allow the user to pick and choose between individual objects. I enjoyed the detail Sandboxie showed, as it often allowed me to confirm whether or not something malicious had occurred (such as new files in System32), but it really is only useful for technical users.
Sandboxie and DefenseWall focused on protecting particular applications or sessions, while others fell into the more traditional role of a host intrusion prevention system (HIPS), protecting critical system areas regardless of the attack vector. I was impressed with Sandboxie's ability to ensure that additional child sessions were always launched in protected mode when instantiated by a protected parent process. This is important as the browser is becoming more of a launching point for the rest of our integrated applications. Malware writers are increasingly attacking the applications as operating systems and browsers get more secure.
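To make the two behaviours just described concrete (per-object review of what a session changed, and child processes inheriting the sandbox of their parent), here is a toy Python model of a sandbox overlay. It is an added illustration, not code from Sandboxie, DefenseWall or any other product in the review. The class and function names, the process ids, the file paths and the list of "protected" locations are all constructed for the example.

```python
"""Toy model of a browser sandbox overlay (illustration only).

Not code from Sandboxie, DefenseWall or any reviewed product. It models two
behaviours described in the review: writes from a sandboxed process are
redirected into an overlay the user can inspect object by object and commit
or discard selectively, and a child process spawned by a sandboxed parent is
itself sandboxed. All paths and process ids are constructed sample data.
"""

# Constructed list of locations treated as security-critical; the review's own
# example of a suspicious change is new files appearing in System32.
PROTECTED_PREFIXES = (
    r"C:\Windows\System32",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)


class SandboxOverlay:
    def __init__(self, host_state):
        # host_state: dict mapping a file path or registry key to its content
        self.host = dict(host_state)
        self.overlay = {}           # writes captured from sandboxed processes
        self.sandboxed_pids = set()
        self.parent = {}            # pid -> parent pid

    def start(self, pid, parent_pid=None, sandboxed=False):
        """Register a process. A child of a sandboxed parent is always
        sandboxed, whatever the caller asked for."""
        if parent_pid in self.sandboxed_pids:
            sandboxed = True
        if sandboxed:
            self.sandboxed_pids.add(pid)
        self.parent[pid] = parent_pid
        return pid in self.sandboxed_pids

    def write(self, pid, path, content):
        """Sandboxed processes never touch host state; writes go to the overlay."""
        target = self.overlay if pid in self.sandboxed_pids else self.host
        target[path] = content

    def read(self, pid, path):
        """A sandboxed process sees its own overlay first, then the host."""
        if pid in self.sandboxed_pids and path in self.overlay:
            return self.overlay[path]
        return self.host.get(path)

    def pending_changes(self):
        """Per-object view of what the session changed, flagging protected areas."""
        return [
            {"path": p, "protected": p.startswith(PROTECTED_PREFIXES)}
            for p in sorted(self.overlay)
        ]

    def commit(self, paths):
        """Keep only the chosen objects; every other change is discarded."""
        kept = {p: self.overlay[p] for p in paths if p in self.overlay}
        self.host.update(kept)
        self.overlay.clear()
        return sorted(kept)


def demo_session():
    """Constructed scenario: a sandboxed browser launches a helper process that
    drops a file into System32 and saves a document into Downloads."""
    sb = SandboxOverlay({r"C:\Windows\System32\kernel32.dll": "<system dll>"})
    sb.start(100, parent_pid=None, sandboxed=False)   # shell, unprotected
    sb.start(200, parent_pid=100, sandboxed=True)     # browser, protected
    helper_protected = sb.start(300, parent_pid=200)  # helper spawned by browser

    sb.write(300, r"C:\Windows\System32\updater.dll", "<unexpected binary>")
    sb.write(300, r"C:\Users\me\Downloads\report.pdf", "<document>")

    changes = sb.pending_changes()
    # The user keeps the wanted download and discards the System32 write.
    safe = [c["path"] for c in changes if not c["protected"]]
    kept = sb.commit(safe)
    return {
        "helper_inherited_sandbox": helper_protected,
        "flagged": [c["path"] for c in changes if c["protected"]],
        "kept": kept,
        "host_has_dropped_dll": r"C:\Windows\System32\updater.dll" in sb.host,
        "host_has_download": r"C:\Users\me\Downloads\report.pdf" in sb.host,
    }


if __name__ == "__main__":
    for key, value in demo_session().items():
        print(f"{key}: {value}")
```

Running the script prints the flagged System32 write, the single committed download, and confirms that the helper process was sandboxed purely because its parent was. A real product has to apply the same redirection to every namespace malware touches (files, registry, startup areas and so on), which is exactly the coverage question raised below; the short prefix list here stands in for that.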
Another important question is, how good is the emulation coverage? Sandbox protection products, by their very nature, don't emulate the entire operating system, as a full virtualization product such as VMware Workstation, Microsoft Virtual PC, or Parallels would. Malware programs are known to infect more than a hundred different Windows attributes, including registry locations, files, folders, startup areas, and more. How many Windows attributes and APIs are covered in the sandbox? The answer is never all. Does the product protect against remote and local buffer overflows, phishing attacks, alternative data stream techniques, file sharing avenues, and so on? Some did, most didn't.
Some of the products provided additional anti-buffer overflow, privacy, or phishing controls. The privacy and phishing controls are often already provided by other installed anti-malware programs, so their inclusion in this class of products may not be necessary (although additional layers of defense-in-depth never hurt).
Each product offered up differing levels of buffer overflow protection. For example, Sandboxie only prevented local buffer overflows if they happened against a protected process. Prevx protected the whole system against both local and remote buffer overflows, but only when they affected a critical system area being monitored.
Most of these products would not detect previously installed malware (Prevx being the exception) unless the malware made additional system modifications to the monitored areas after the products were installed. None of the products provided anti-DoS services, misconfiguration detection, missing patch analysis, or a host of other protections required to make a host system more fully secure.
Every product in this review worked only with Microsoft Windows. Some required Windows XP SP2 or later, although most worked with Windows 2000 and later versions. DefenseWall refused to defend Windows system processes. All worked with Internet Explorer and Firefox, although some of them would work with any program.