Test Center: Sandbox security versus the evil Web
Five products strive to trap drive-by downloads and other threats in a virtual Web browsing space, with mixed resultsFollow @infoworld
[ View the companion videos, "Sandboxie sandbox under attack," "Sandboxing programs in Sandboxie," and "Sandboxie configuration options." Download the QuickTime versions: "Attack," "Sandboxing," "Configuration." ]
Because of the number of things Sandboxie emulates, it successfully stopped almost everything I threw at it, including bots, worms, Trojans, viruses, rootkits, low-level disk editing, and malicious alternative data streams. The two exceptions were, as covered in the accompanying sidebar, two tenacious tricksters, the Adobe Flash clipboard hijack and the XP Antivirus malware program. Sandboxie didn't prevent the clipboard hijack, and it did not remove all remnants of the XP Antivirus malware program when I told it to delete everything.
Still, overall, I was more impressed with Sandboxie than I expected to be -- with three reservations. First, as comprehensive as the coverage appears, Sandboxie cannot virtualize system-level drivers, which can lead to installation and stability problems from both legitimate and malicious programs. Some of the low-level malware programs I tested caused "blue screen" errors and severe booting problems afterward. To be clear, at no time did I see a malware program installed in such a way that Sandboxie allowed it to run seamlessly outside of virtualization; however, Sandboxie allowed more browser and system crashes than most of the competitors.
Second, Sandboxie only protects one program or process at a time. When you use Sandboxie, you must choose which programs and processes to protect and when. You can create one or more virtual sandboxes, each with its own settings, but what goes into each sandbox is up to the user. Occasionally, I found myself accidentally running unprotected programs when I wasn't paying attention. Plus, it's just not possible to run every program and process virtualized all the time, for various reasons (consider remotely buffer overflowed system service, anti-virus software, tape backup software, and so on), which means they can be exploited. Other competitors in this review focused on protecting critical system areas against all threats and didn't rely on the user to choose which area to defend.
Third, all trust decisions are left up to the end-user. Sandboxie never makes a declaration of safe versus unsafe content. The nontechnical end-user usually doesn't have enough knowledge of malware to make successful trust decisions. For example, Sandboxie doesn't prevent against phishing, so if a user is sent an e-mail claiming to be a security patch from Microsoft, how many end-users would download and install the patch using an unprotected browser session? How many users might be tricked by the XP Antivirus malware program? Too many, I suspect.
Overall, I liked Sandboxie's coverage, user interface, level of protection, and wealth of configuration options, especially for the price. It's a solid utility for those who can make the right trust decisions.