As the saying goes, you can watch fire, water and the activity of programs isolated in a sandbox forever. Thanks to virtualization, one click sends the results of that activity, which is often unsafe, into oblivion.

Virtualization also serves research purposes: for example, you want to check the effect of a freshly compiled program on the system, run two different versions of an application at the same time, or create a standalone application that leaves no traces on the system. There are many uses for a sandbox. It is not the program that dictates its terms to the system: you show it the way and allocate the resources.

If the slowness of the process does not suit you, the ThinApp Converter tool lets you put virtualization on a conveyor belt: installers are created according to the config you specify.

In general, the developers advise performing all these preparations under sterile conditions, on a freshly installed operating system, so that every nuance of the installation is captured. A virtual machine can be used for this, but that, of course, takes its toll on speed: VMware ThinApp is already heavy on system resources, and not only in scan mode. Still, as they say, slow but sure.

BufferZone

  • Website: www.trustware.com
  • Developer: Trustware
  • License: freeware

BufferZone controls the Internet and software activity of applications using a virtual zone, coming close to what firewalls do. In other words, it is rules-driven virtualization. BufferZone works seamlessly with browsers, instant messengers, email and P2P clients.

At the time of writing, the developers warned about possible problems with Windows 8: the program can break the system, after which it has to be removed from safe mode. The cause is the BufferZone drivers, which conflict seriously with the OS.

What falls under the BufferZone radar can be tracked in the main Summary section. You decide how many applications to restrict: the Programs to run inside BufferZone list is there for this, and it already includes potentially unsafe applications such as browsers and mail clients. A red border appears around the window of a captured application, giving you confidence to surf safely. If you want to run a program outside the zone, no problem: the control can be bypassed through the context menu.

In addition to the virtual zone there is a private zone, to which you can add sites that require the strictest confidentiality. Note right away that this function only works in older versions of Internet Explorer; more modern browsers have built-in means of ensuring anonymity.

In the Policy section you configure the policy for installers and updates, as well as for programs launched from devices and network sources. Additional security policy options (Advanced Policy) are found under Configurations. There are six levels of control, which determine how BufferZone treats programs: no protection (1), automatic (2) and semi-automatic (3), notification on launch of all programs (4) or of unsigned programs only (5), maximum protection (6).

As you can see, the value of BufferZone lies in total Internet control. If you need more flexible rules, any firewall will serve you better. BufferZone has one too, but more for show: it lets you block applications, network addresses and ports, but in practice it is inconvenient if you need frequent access to the settings.

Evalaze

  • Website: www.evalaze.de/en/evalaze-oxid/
  • Developer: Dogel GmbH
  • License: freeware / commercial (€2142)

The main feature of Evalaze is the flexibility of virtualized applications: they can be run from removable media or from a network share. The program creates completely standalone distributions that operate in an emulated file system and registry environment.

Another strength of Evalaze is a user-friendly wizard that is understandable without reading the manual. First you take an image of the OS before installing the program, then you install it, do a test run and configure it. Next, following the Evalaze wizard, you analyze the changes. The principle is very similar to that of uninstallers (for example, Soft Organizer).

Virtualized applications can work in two modes: in the first, write operations are redirected to the sandbox; in the second, the program can read and write files in the real system. Whether the program cleans up the traces of its activity is up to you: the Delete Old Sandbox Automatic option is at your service.

Many interesting features are available only in the commercial version of Evalaze. Among them are editing environment elements (such as files and registry keys), importing projects and setting the read mode. However, the license costs more than two thousand euros, which, you will agree, is somewhat above the psychological price barrier. An online virtualization service is offered at a similarly prohibitive price. As a consolation, the developer's site has ready-made sample virtual applications.

Cameyo

  • Website: www.cameyo.com
  • Developer: Cameyo
  • License: freeware

A cursory look at Cameyo suggests that its functions are similar to Evalaze: you can put together a distribution package with a virtualized application in three clicks. The packager takes a snapshot of the system, compares it with the changes after installing the software, and creates an environment to run it in.

The most important difference from Evalaze is that the program is completely free and does not lock any options. The settings are conveniently grouped: switching the virtualization method (saving to disk or in memory) and choosing the isolation mode (saving documents to specified directories, prohibiting writes, or full access). In addition, you can customize the virtual environment using the file and registry key editor. Each folder also has one of three isolation levels, which can easily be overridden.

You can specify how to clean up the sandbox after the standalone application exits: remove traces, no cleanup, or write registry changes to a file. Integration with Explorer and the ability to bind to specific file types in the system are also available, something not even Cameyo's paid counterparts offer.

However, the most interesting part of Cameyo is not the local component but the online packager and public virtual applications. It is enough to specify a URL or upload an MSI or EXE installer to the server, specifying the bitness of the system, and you get a standalone package at the output. From then on it is available in your cloud account.

Summary

Sandboxie is the best choice for sandbox experiments. It is the most informative of the tools listed, it has a monitoring function, a wide range of settings, and good options for managing a group of applications.

It has no unique features, but it is very simple and trouble-free. An interesting fact: this article was written inside this “sandbox”, and due to an unfortunate mistake all changes went into the “shadow” (read: the astral plane). If not for Dropbox, a completely different text would have been published on this page, most likely by a different author.

Evalaze offers not an integrated but an individual approach to virtualization: you control the launch of a specific application by creating an artificial habitat for it. This has its advantages and disadvantages. However, given the limitations of the free version of Evalaze, its merits will fade in your eyes.

Cameyo has a certain “cloudy” flavor: an application can be downloaded from the site and put on a USB flash drive or in Dropbox, which is convenient in many cases. True, it brings to mind fast food: you cannot vouch for the quality of the content or that it matches its description.

But if you prefer to cook by the recipe, VMware ThinApp is your option. This is a solution for experts who care about every nuance. A set of unique features is complemented by the capabilities of the console: you can convert apps from the command line using configs and scripts, individually or in batch mode.

BufferZone is a sandbox with a firewall function. This hybrid is far from perfect and its settings are dated, but you can use BufferZone to control Internet and application activity and to protect against viruses and other threats.

There are two main ways to safely run a suspicious executable: in a virtual machine or in a so-called “sandbox”. Moreover, the latter can be adapted in an elegant way for file analysis without resorting to specialized utilities or online services, and without consuming a lot of resources, as a virtual machine does. That is what I want to tell you about.

WARNING

Incorrect use of the described technique can harm the system and lead to infection! Be attentive and careful.

"Sandbox" for analysis

People who deal with computer security are well familiar with the concept of a "sandbox". In short, a sandbox is a test environment in which a certain program is executed. The work is organized so that all of the program's actions are monitored and all changed files and settings are saved, but nothing happens in the real system. In general, you can run any file in full confidence that it will not affect the operation of the system in any way. Such tools can be used not only for security, but also to analyze the actions malware performs after it is launched. After all, if there is a snapshot of the system taken before the program starts and a picture of what happened in the "sandbox", you can easily track all the changes.

Of course, there are a lot of ready-made online services on the Web that offer file analysis: Anubis, CAMAS, ThreatExpert, ThreatTrack. Such services use different approaches and have their own advantages and disadvantages, but common main disadvantages can be identified:

  • You must have access to the Internet.
  • You have to wait in a queue for processing (in free versions).
  • Typically, files created or modified during execution are not provided.
  • Execution options cannot be controlled (in free versions).
  • It is impossible to interfere with the running process (for example, to click buttons in the windows that appear).
  • It is generally not possible to provide specific libraries needed to run the sample (in free versions).
  • As a rule, only executable PE files are analyzed.

Such services are most often built on virtual machines with installed tools, up to and including kernel debuggers. They can also be set up at home. However, such systems are quite demanding on resources and take up a lot of hard disk space, and analyzing debugger logs takes a lot of time. This means they are very effective for in-depth study of particular samples, but are unlikely to be useful in routine work, when there is no way to load the system and waste time on analysis. Using a "sandbox" for analysis avoids huge resource costs.

A couple of warnings

Today we will try to make our own sandbox-based analyzer, namely from the Sandboxie utility. This program is available as shareware on the author's website www.sandboxie.com. For our study the limited free version is enough. The program runs applications in an isolated environment so that they do not make malicious changes to the real system. But there are two nuances here:

  1. Sandboxie only allows you to track programs at the user-mode level. All activity of malicious code in kernel mode is not tracked. Therefore, the most that can be learned when studying rootkits is how the malware gets itself installed into the system; unfortunately, its behavior at the kernel-mode level cannot be analyzed.
  2. Depending on the settings, Sandboxie can block network access, allow full access, or allow access only for certain programs. Clearly, if the malware needs Internet access to launch normally, it must be provided. On the other hand, if you have a Pinch sample lying around on your flash drive which, once started, collects all the passwords in the system and sends them by FTP to an attacker, then Sandboxie with open Internet access will not protect you from the loss of confidential information! This is very important and should be remembered.

Initial Sandbox setup

Sandboxie is a great tool with lots of customization options. I will mention only those of them that are necessary for our tasks.

After installing Sandboxie, one sandbox is created automatically. You can add a few more "sandboxes" for different tasks. Sandbox settings are accessed via the context menu. As a rule, all parameters that can be changed come with a sufficiently detailed description (in Russian). The options in the Recovery, Delete and Restrictions sections are especially important to us. So:

  1. Make sure that nothing is listed in the "Recovery" section.
  2. In the "Delete" section there should be no checked boxes and no added folders or programs. If the parameters in the sections named in points 1 and 2 are set incorrectly, malicious code may infect the system, or all the data for analysis may be destroyed.
  3. In the "Restrictions" section, select the settings that correspond to your tasks. It is almost always necessary to restrict low-level access and hardware usage for all running programs, to prevent rootkits from infecting the system. On the contrary, you should not restrict launching and execution, or drop rights, otherwise the suspicious code will execute in a non-standard environment. However, everything, including Internet access, depends on the task.
  4. For clarity and convenience, in the "Behavior" section, it is recommended to enable the "Show border around the window" option and select a color to highlight programs running in a restricted environment.

We connect plugins

In a few clicks we got an excellent isolated environment for safely executing code, but not yet a tool for analyzing its behavior. Fortunately, the author of Sandboxie has provided for plug-ins. The concept is quite interesting: add-ons are dynamic libraries that are injected into a sandboxed process and log or modify its execution in a certain way.

We will need a few plugins, which are listed below.

  1. SBIExtra. This plugin intercepts a number of functions for a program running in the sandbox in order to block the following:
    • enumeration of running processes and threads;
    • access to processes outside the sandbox;
    • calls to the BlockInput function (blocking keyboard and mouse input);
    • reading the titles of active windows.
  2. Antidel. The add-on intercepts the functions responsible for deleting files, so all temporary files that the program's own code tries to delete remain in place.

How do we integrate them into the sandbox? Since the Sandboxie interface does not provide for this, the configuration file has to be edited by hand. Create a Plugins folder and unpack all the prepared plugins into it. Now pay attention: Buster Sandbox Analyzer includes several libraries with the common name LOG_API*.dll that can be injected into a process. There are two kinds: Verbose and Standard. The first logs practically the full list of API calls made by the program, including file and registry accesses; the second logs a shortened list. The shortened list speeds up the work and reduces the log that later has to be analyzed. Personally, I am not afraid of large logs, but I am afraid that some necessary information will be carefully "reduced", so I choose Verbose. This is the library we will inject. To keep the malware from detecting the injected library by its name, we apply the simplest precaution: rename LOG_API_VERBOSE.dll to something else, for example LAPD.dll.


Now in the main window of Sandboxie, select "Configure -> Edit Configuration". A text config will open with all the program settings. Pay attention to the following lines:

  • The FileRootPath parameter specifies the common path to the sandbox folder, that is, the folder where all sandbox files will reside. For me this parameter looks like FileRootPath=C:\Sandbox\%SANDBOX%; it may differ for you.
  • The next section does not interest us; skip it and scroll further.
  • Then comes a section whose name is the same as the name of the sandbox (let it be BSA). We add the plugins here:

    InjectDll=C:\Program Files\Sandboxie\Plugins\sbiextra.dll
    InjectDll=C:\Program Files\Sandboxie\Plugins\antidel.dll
    InjectDll=C:\Program Files\Sandboxie\Plugins\LAPD.dll
    OpenWinClass=TFormBSA
    Enabled=y
    ConfigLevel=7
    BoxNameTitle=n
    BorderColor=#0000FF
    NotifyInternetAccessDenied=y
    Template=BlockPorts

The paths, of course, may differ. But the order of injected libraries must be exactly that! This requirement is due to the fact that the interception of functions must be carried out in the specified order, otherwise the plugins will not work. To apply the changes, select in the main Sandboxie window: "Configure -> Reload Configuration".

Now let's configure the Buster Sandbox Analyzer plugin itself.

  1. Run the plugin manually using the bsa.exe file from the Plugins folder.
  2. Select "Options -> Analysis mode -> Manual" and then "Options -> Program Options -> Windows Shell Integration -> Add right-click action "Run BSA"".

Now everything is ready for work: our "sandbox" is integrated into the system.

Portable version of the sandbox

Of course, many will not like the fact that something has to be installed, configured, and so on. Since none of this appeals to me either, I made a portable version of the tool that can be run without installation or configuration, directly from a USB flash drive. You can download this version here: tools.safezone.cc/gjf/Sandboxie-portable.zip . To start the sandbox, just execute the start.cmd script, and at the end of the session do not forget to execute the stop.cmd script, which completely unloads the driver and all components from memory and also saves the changes made during the session back into the portable package.

There are not many settings for the portablizer itself: its work is based mainly on manipulating the Sandboxie.ini.template file in the Templates folder. This file is in fact a Sandboxie settings file that is processed appropriately and handed to the program, and, when the program finishes, is written back to Templates. If you open this file in Notepad you are unlikely to find anything interesting, but do pay attention to the $(InstallDrive) pattern repeated in a number of path parameters. We are especially interested in the FileRootPath parameter. If it looks like this:

FileRootPath=$(InstallDrive)\Sandbox\%SANDBOX%

then sandboxes will be created on the drive where the portable Sandboxie is located. If, for example, the parameter looks like this:

FileRootPath=C:\Sandbox\%SANDBOX%

that is, it names a specific local drive, then sandboxes will be created on that drive.

Personally, I recommend always creating sandboxes on local drives. This speeds up the tool, and when launched from a USB flash drive it speeds things up by orders of magnitude. If you are so paranoid that you want to run and analyze everything on your favorite media that you carry close to your heart, you can change the parameter, but then at least use a portable hard drive so that everything does not slow to a crawl.
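As an added example (not code from Sandboxie, Buster Sandbox Analyzer or the portable package), the following Python script parses a Sandboxie.ini, checks that the analysis box from the previous section has its three InjectDll lines in the required order, is enabled, and carries no recovery or auto-delete settings, and resolves FileRootPath the way the portable launcher does by substituting $(InstallDrive). The [Wrong] box, the E: drive, and the RecoverFolder/AutoRecover/AutoDelete key names are assumptions.

```python
"""Sanity-check a Sandboxie.ini box for the BSA setup (added example)."""
import ntpath

# Injection order the text requires (basenames, compared case-insensitively).
EXPECTED_INJECT_ORDER = ["sbiextra.dll", "antidel.dll", "lapd.dll"]

# Keys behind Sandboxie's Recovery and Delete sections (assumed names taken
# from the program's documented settings; adjust for your version). None of
# them may appear in an analysis box, or data is copied out or wiped.
RECOVERY_OR_DELETE_KEYS = {"recoverfolder", "autorecover", "autodelete"}

# Section names that are not sandboxes.
NON_BOX_PREFIXES = ("GlobalSettings", "UserSettings_")


def parse_sandboxie_ini(text):
    """Return {section: [(key, value), ...]}, keeping order and repeated keys.

    Sandboxie.ini repeats keys such as InjectDll and their order matters,
    so a plain dict per section would lose what we need to check.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def box_names(sections):
    """Names of all sandbox sections in the parsed file."""
    return [s for s in sections if not s.startswith(NON_BOX_PREFIXES)]


def resolve_root(sections, box, install_drive):
    """Expanded FileRootPath for a box: a box-level value wins over the global.

    $(InstallDrive) is what the portable launcher substitutes; %SANDBOX% is
    replaced by Sandboxie itself with the box name.
    """
    candidates = [sections.get(box, [])]
    candidates += [v for k, v in sections.items() if k.startswith(NON_BOX_PREFIXES)]
    for entries in candidates:
        for key, value in entries:
            if key.lower() == "filerootpath":
                return value.replace("$(InstallDrive)", install_drive).replace("%SANDBOX%", box)
    return None


def check_box(sections, box):
    """Return a list of problems for one box; an empty list means it is fine."""
    if box not in sections:
        return [f"no [{box}] section found"]
    problems, inject, enabled = [], [], False
    for key, value in sections[box]:
        k = key.lower()
        if k == "injectdll":
            # ntpath handles backslash paths even when this runs on Linux.
            inject.append(ntpath.basename(value).lower())
        elif k == "enabled":
            enabled = value.lower() == "y"
        elif k in RECOVERY_OR_DELETE_KEYS:
            problems.append(f"{key}={value} would copy out or delete analysis data")
    if not enabled:
        problems.append("box is not enabled (Enabled=y missing)")
    if inject != EXPECTED_INJECT_ORDER:
        problems.append(f"InjectDll order is {inject}, expected {EXPECTED_INJECT_ORDER}")
    return problems


# Constructed sample: [BSA] as the text describes it, [Wrong] misconfigured.
SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=$(InstallDrive)\Sandbox\%SANDBOX%

[BSA]
Enabled=y
ConfigLevel=7
InjectDll=C:\Program Files\Sandboxie\Plugins\sbiextra.dll
InjectDll=C:\Program Files\Sandboxie\Plugins\antidel.dll
InjectDll=C:\Program Files\Sandboxie\Plugins\LAPD.dll
BorderColor=#0000FF
NotifyInternetAccessDenied=y
Template=BlockPorts

[Wrong]
Enabled=y
InjectDll=C:\Program Files\Sandboxie\Plugins\LAPD.dll
InjectDll=C:\Program Files\Sandboxie\Plugins\sbiextra.dll
AutoDelete=y
FileRootPath=C:\Sandbox\%SANDBOX%
"""

if __name__ == "__main__":
    cfg = parse_sandboxie_ini(SAMPLE_INI)
    for name in box_names(cfg):
        print(name, resolve_root(cfg, name, "E:"), check_box(cfg, name) or "OK")
```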

Practical use

Let's try our tool on a real threat. So that nobody can accuse me of rigging, I did a simple thing: I went to www.malwaredomainlist.com and downloaded the latest sample that had appeared there at the time of writing. It turned out to be a nice pp.exe file from some infected site. The name alone inspires great hopes, and besides, my antivirus immediately yelled at this file. By the way, all our manipulations are best done with the antivirus turned off, otherwise we risk it blocking or deleting something we are researching.

How to study the behavior of the binary? Just right-click the file and select Run BSA from the menu. The Buster Sandbox Analyzer window opens. Look carefully at the Sandbox folder to check line. All parameters must match those specified when setting up Sandboxie: if the sandbox was named BSA and FileRootPath=C:\Sandbox\%SANDBOX% was set as the folder path, everything should look as in the screenshot. If you went your own way and named the sandbox differently, or set FileRootPath to a different drive or folder, you need to change it accordingly; otherwise Buster Sandbox Analyzer will not know where to look for new files and registry changes.


BSA includes a lot of settings for analyzing and studying the process of binary execution, up to the interception of network packets. Feel free to press the Start Analysis button. The window will switch to analysis mode. If the sandbox selected for analysis for some reason contains the results of a previous study, the utility will offer to clear it first. Everything is ready to launch the file under investigation.

Ready? Then right-click on the file under study and select "Run in sandbox" in the menu that opens, then specify the "sandbox" to which we attached the BSA.

Immediately after that, API calls start scrolling in the analyzer window and are recorded to log files. Note that Buster Sandbox Analyzer itself does not know when the analysis of the process is complete; your click on the Finish Analysis button serves as the signal to finish. How do you know when the time has come? There are two options.

  1. No running process is shown in the Sandboxie window. This means the program has clearly terminated.
  2. Nothing new appears in the list of API calls for a long time, or, conversely, the same thing is displayed in a cyclic sequence, while something is still running in the Sandboxie window. This happens if the program is designed to run resident or has simply hung. In this case it must first be terminated manually, by right-clicking the corresponding sandbox in the Sandboxie window and selecting End Programs. By the way, exactly this happened when analyzing my pp.exe.

After that, you can safely select Finish Analysis in the Buster Sandbox Analyzer window.


Behavior Analysis

By clicking the Malware Analyzer button we immediately get summary information about the results of the study. In my case the maliciousness of the file was quite obvious: during execution the file C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe was created, launched and added to autorun (by the way, this was the process that refused to terminate), a connection was made to 190.9.35.199, and the hosts file was modified. At the same time, only five anti-virus engines on VirusTotal detected the file, as can be seen both from the logs and on the VirusTotal website.


All information about the analysis results can be accessed directly from the Viewer menu in the Buster Sandbox Analyzer window. The API call log is also kept here, which will certainly be useful for detailed research. All results are stored as text files in the Reports subfolder of the Buster Sandbox Analyzer folder. Of particular interest is the Report.txt report (opened via View Report), which provides extended information on all files. It is from there that we learn that the temporary files were actually executables, that the connection went to http://190.9.35.199/view.php?rnd=787714, that the malware created a specific mutex G4FGEXWkb1VANr, and so on. You can not only view reports but also extract all files created during execution. To do this, right-click the "sandbox" in the Sandboxie window and select "View Contents". An Explorer window opens with the entire contents of our sandbox: the drive folder contains files the "sandboxed" program created on physical disks, and the user folder contains files created in the profile of the active user (%userprofile%). Here I found dplaysvr.exe with the dplayx.dll library, temporary tmp files, and the modified hosts file, to which the following lines turned out to have been added:

94.63.240.117 www.google.com
94.63.240.118 www.bing.com
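As an added example (not part of Buster Sandbox Analyzer or the original text), the following Python script parses a hosts file, including one whose mappings have been run together on a single line, and flags watched names redirected to public addresses, while ignoring loopback sinkholes and private-network overrides. The watched-name list and the sample hosts content are constructed; the two redirected entries in the sample are the ones found above.

```python
"""Flag hosts-file entries that send well-known names to public addresses."""
import ipaddress

# Names whose redirection to a public address is suspicious (assumed list;
# extend it with the domains your environment relies on).
WATCHED_NAMES = {"www.google.com", "www.bing.com", "www.microsoft.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Comments ('#' to end of line) and blank lines are skipped. Any token
    that parses as an address starts a new mapping, so both the normal
    one-mapping-per-line layout and several mappings run together on one
    line (as in the extracted text above) are handled.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        current_ip = None
        for token in raw.split("#", 1)[0].split():
            try:
                current_ip = ipaddress.ip_address(token)
                continue
            except ValueError:
                pass
            if current_ip is not None:
                yield current_ip, token.lower(), line_no


def classify(ip):
    """'sinkhole' (loopback/unspecified), 'private', or 'public'."""
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"      # ad-block style entries: nothing to reach
    if ip.is_private or ip.is_link_local:
        return "private"       # intranet overrides, usually legitimate
    return "public"


def find_hijacks(text, watched=WATCHED_NAMES):
    """Return [(hostname, ip, line_no)] for watched names mapped to public IPs.

    A watched name pointed at a public address is the classic hosts-file
    hijack: traffic for the real site silently goes to an attacker's host.
    """
    return [(name, str(ip), line_no)
            for ip, name, line_no in parse_hosts(text)
            if name in watched and classify(ip) == "public"]


# Constructed sample modelled on the modified hosts file described above.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
0.0.0.0         ads.example.net        # sinkhole entry, not a hijack
192.168.1.10    www.microsoft.com      # private address, not flagged here
94.63.240.117 www.google.com
94.63.240.118 www.bing.com
"""

if __name__ == "__main__":
    for name, ip, line_no in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```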

Keep in mind that infected files lie around in the sandbox. If you accidentally launch them by double-clicking, nothing will happen (they launch in the sandbox), but if you copy them somewhere and then execute them... hmm, well, you get the idea. In the same folder you can find a dump of the registry changed during the run, in the form of a RegHive file. This file is easily converted into a more readable .reg file with the following command script:

REM Mount the sandbox's RegHive under a temporary key, export it, then unmount it
REG LOAD HKLM\uuusandboxuuu RegHive
REG EXPORT HKLM\uuusandboxuuu sandbox.reg
REG UNLOAD HKLM\uuusandboxuuu
notepad sandbox.reg

What the instrument can and cannot do

The resulting tool can:

  • Track API calls of a running application.
  • Monitor newly created files and registry settings.
  • Capture network traffic when the application is running.
  • Perform basic analysis of files and their behavior (built-in behavioral analyzer, analysis on VirusTotal by hashes, analysis using PEiD, ExeInfo and ssdeep, etc.).
  • Get some additional information by running auxiliary programs (for example, Process Monitor) in the "sandbox" alongside the analyzed one.

This tool cannot:

  • Analyze malware running in kernel mode (requiring driver installation). However, it is possible to identify the driver installation mechanism (before it is actually implemented into the system).
  • Analyze malware that monitors execution in Sandboxie. However, the Buster Sandbox Analyzer includes a number of mechanisms to prevent such tracking.

The result is sandbox.reg, which contains the entries the malware added during its execution. After the analysis, select Cancel analysis from the Options menu to restore everything as it was. Note that after this operation all analysis logs are deleted, but the contents of the sandbox remain in place; however, the next time the program starts it will offer to delete everything.

So we decided to briefly touch on this topic.

In essence, a sandbox is an isolated software environment with strictly limited resources in which program code is run (simply put, in which programs are launched). In a way, the "sandbox" is a kind of stripped-down environment designed to isolate dubious processes for security purposes.

Some good antiviruses and firewalls (although, as a rule, in their paid versions) use this method without your knowledge; some let you manage this functionality (since it does create extra resource consumption); and there are also programs that let you implement similar functionality yourself.

We will talk about one of those today.

Unfortunately, it is shareware, but the free period will help you get to know this type of tool better, which may push you to study in more detail the tools that, for the most part, exist free of charge and provide more features.

You can download Sandboxie from or, say, . Installation is almost elementary, except for the moment when you need to install the driver (see screenshot below).

At this stage it is better to disable any protection elements (that is, the same antiviruses and firewalls); otherwise, if this step fails and the computer freezes, reboots or the like, you may need to boot into safe mode and remove the program without the possibility of using it further.

After installation, in fact, the program must be launched. It is possible that you will encounter the notification shown above. There is nothing wrong with it, just click "OK".

Next, you will be offered to take a short course on working with the program, or rather, they will tell you a little about how it works. Go through all six stages, preferably by carefully reading what is written in the instructions provided to you.

In short, you can run any program within an isolated environment. If you did read the instructions, they give a good metaphor: the sandbox is a sheet of transparent paper placed between the program and the computer, and deleting the contents of the sandbox is like throwing away a used sheet of paper together with what is on it and, logically, replacing it with a new one.

How to set up and use the sandbox program

Now let's try to understand how to work with it. For a start, you can try running, say, a browser in the sandbox. To do this, either use the shortcut that appeared on your desktop, or use the menu items in the main program window: "DefaultBox - Run in Sandbox - Launch Web Browser"; or, if you want to launch a browser that is not the default browser in the system, use "Run any program" and specify the path to the browser (or program).

After that, the browser is launched in the "sandbox" and you will see its processes in the Sandboxie window. From this moment on, everything that happens takes place, as has been said repeatedly, in an isolated environment, and, for example, a virus that uses the browser cache as a way to penetrate the system will not really be able to do anything, because when you finish working with the isolated environment you can clean it up, throwing away, as the metaphor goes, the written-on sheet and moving on to a new one (without touching the integrity of the computer as such).

To clear the contents of the sandbox (if you do not need it), use the "DefaultBox - Remove content" item in the main window of the program or in the tray (where the clock and other icons are).

Attention! Only what was written and worked in the isolated environment will be deleted; that is, for example, the browser itself will not be deleted from the computer, but, relatively speaking, the copy of its process that was transferred there, the cache it created, and the saved data (such as downloaded/created files) will be deleted if you do not save them.

To get a deeper understanding of the principle of operation, try running the browser and other software in the sandbox several times, downloading various files and deleting / saving the contents upon completion of work with this very sandbox, and then, for example, launching the same browser or program directly on the computer. Believe me, you will understand the essence in practice better than it can be explained in words.

By the way, by right-clicking a process in the process list of the Sandboxie window and selecting "Access to resources", you can control access to various kinds of computer resources bypassing the sandbox.

Roughly speaking, if you want to take a risk and give, for example, the same Google Chrome direct access to some folder on the computer, you can do so on the corresponding tab (File Access - Direct/Full Access) using the Add button.

Logically, the sandbox is intended not only, and not so much, for working with the browser and browsing all sorts of dubious sites, but also for launching applications that look suspicious to you (especially, for example, at work, where dubious files from mail or flash drives are often launched) and/or should not have access to the computer's main resources and/or leave unnecessary traces there.

By the way, the latter can be a good element for protection, i.e. for launching any application, the data of which must be completely isolated and deleted upon completion of work.

Of course, it is not necessary to delete data from the sandbox when you finish; you can also work with some programs only in an isolated environment (progress is remembered and quick recovery is possible), but whether to do so is up to you.

When you try to run some programs, you may encounter the problem shown above. Do not be afraid of it: for a start, it is enough to simply click "OK" and, in the future, open the sandbox settings via "DefaultBox - Sandbox settings" and, on the "File Transfer" tab, set a slightly larger size for the file transfer option.

We will not discuss the other settings now, but if they interest you, you can easily work them out yourself, since everything is in Russian and is extremely clear and accessible. Well, if you have any questions, you can ask them in the comments on this entry.

With that, perhaps, we can move on to the afterword.

Afterword

Oh yes, we almost forgot, of course, that the sandbox consumes an increased amount of machine resources, because it bites off (virtualizes) part of the capacity, which, of course, creates a load that is different from launching directly. But, logically, security and/or privacy might be worth it.

Incidentally, the use of sandboxing, chrooting, or virtualization is partly related to the antivirus-free security methodology that we .

With that, perhaps, that is all. As always, if you have any questions, thoughts, additions and so on, you are welcome to comment on this post.

It is a mistake to assume that the built-in protection of the operating system, an antivirus or a firewall will completely protect against malware. And the harm may not be as obvious as in the case of viruses: some applications can slow down Windows and lead to various kinds of anomalies. Over time, the consequences of uncontrolled processes on the part of "amateur" software make themselves felt, and uninstallation, deletion of registry keys and other cleaning methods no longer help.

In such situations, the sandbox programs to which this review is dedicated can be of great service. The principle of operation of sandboxes is partly comparable to virtual machines (Oracle VM VirtualBox, VMware and others). Thanks to virtualization, all processes initiated by the program are executed in a sandbox: an isolated environment with strict control of system resources.

This method of code isolation is quite actively used in anti-virus software (KIS 2013, avast!), in programs such as Google Chrome (Flash works in the sandbox). However, one should not conclude that sandbox programs are a complete guarantee of security. This is just one of the effective additional means to protect the OS (file system, registry) from external influences.

The site has already published an overview of a program for creating a virtual environment - . Today, other applications are considered in a broader sense: not only desktop solutions, but also cloud services that improve not only security but also anonymity, making it possible to run applications from removable media or from another computer.

Sandboxie

Developer Ronen Tzur compares the action of the Sandboxie program to an invisible layer applied on top of paper: you can put any inscriptions on it; when the protection is removed, the sheet will remain intact.

There are 4 main ways to use sandboxes in Sandboxie:

  • Secure internet surfing
  • Privacy Improvement
  • Secure Email Correspondence
  • Keeping the OS in its original state

The last point implies that you can install and run any client applications in the sandbox - browsers, IM messengers, games - without affecting the system. Sandboxie controls access to files, disk devices, registry keys, processes, drivers, ports, and other potentially insecure sources.

First of all, Sandboxie is useful in that it allows the user to flexibly configure sandboxes and privileges using the Sandboxie Control shell. Here, through the context and main menus, the main operations are available:

  • Starting and stopping programs controlled by Sandboxie
  • Viewing files inside a sandbox
  • Restoring the files you need from the sandbox
  • Deleting all work or selected files
  • Creating, deleting, and configuring sandboxes

To run a program in the sandbox, just drag the executable file into the Sandboxie Control window, into the sandbox created by default. There are other ways as well, for example the Windows Explorer context menu or the notification area. The window of a program running in the emulated environment will have a yellow border and a hash mark (#) in the title.

If, while working with a sandboxed program, you need to save results to disk, you can specify any location you like: the files will actually be placed in the sandbox folder, not at the specified address outside the sandbox. To "really" transfer files out of the sandbox, use the recovery option. There are two kinds, quick and immediate; in both cases, before starting the program in the sandbox, you need to configure the folders for recovery ("Sandbox Settings - Recovery").

More detailed access settings are located in the "Restrictions" and "Access to resources" sections. They may be required if the application cannot run without certain privileges (requires a certain system library, driver, etc.). In "Restrictions", in relation to programs or groups, access to the Internet, to hardware, IPC objects, as well as low-level access is configured. In "Access to resources" - the appropriate settings for files, directories, the registry and other system resources.

Also in the Sandboxie settings there is an important section "Applications", which contains groups of programs for which access to the specified resources is granted. Initially, all list items are disabled; to apply changes for a specific application, you need to mark it in the list and click the "Add" button.
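The "Recovery", "Restrictions", "Access to resources" and "Applications" settings described above, as well as the "File Transfer" size limit and the "File Access - Direct/Full Access" option mentioned earlier on this page, are all stored by Sandboxie Control in its Sandboxie.ini file. What follows is an added example of such a box section, written for this review; it is not taken from the original text or from Sandboxie's own documentation. The box name "ReviewBox", the group name "<Browsers>", the program names and the folder paths are assumptions chosen for illustration, while the setting names are standard Sandboxie.ini keys.

```ini
# Added example of a Sandboxie.ini box section (not from the original article).
# Box name, group name, program names and paths are illustrative assumptions.
[ReviewBox]
Enabled=y

# "Delete" tab: discard the box contents automatically when the last program in
# it exits, so nothing written by sandboxed programs survives the session.
AutoDelete=y

# "Recovery" tab: folders whose files are offered for immediate recovery.
# Recovery is the only way to move a file "for real" out of the sandbox.
AutoRecover=y
RecoverFolder=%Desktop%
RecoverFolder=%Personal%

# "File Transfer" tab: files larger than this limit (in KB) are refused with the
# warning discussed earlier; raise it only as far as you actually need.
CopyLimitKb=49152
CopyLimitSilent=n

# "Applications" section: a program group that the rules below can refer to.
ProcessGroup=<Browsers>,chrome.exe,firefox.exe

# "Restrictions - Internet Access": only the browser group may reach the network;
# every other program started in the box is cut off from the network devices.
ClosedFilePath=!<Browsers>,InternetAccessDevices

# "Restrictions - Drop Rights": sandboxed programs run without administrator rights.
DropAdminRights=y

# "Access to resources - File Access - Direct/Full Access": the single folder the
# browser group may write to directly, bypassing the sandbox (the "take a risk"
# option). The folder name is an assumption.
OpenFilePath=<Browsers>,%Personal%\SandboxDownloads\

# "Access to resources - File Access - Blocked Access": a private folder that no
# sandboxed program may read or write at all. The folder name is an assumption.
ClosedFilePath=%Personal%\Private\
```

Sandboxie Control rewrites this file from its dialogs, so you rarely edit it by hand; the value of reading it is that the `OpenFilePath` lines are the only ones that let sandboxed writes reach the real file system, so they are the lines to review when checking what a box can actually touch, and `ClosedFilePath` is what keeps a sandboxed program from even reading data it should never see.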

Thus, it is possible to create sandboxes with different parameters. You can also clone the configuration of an existing sandbox: when creating a new one, select from the drop-down list the environment whose settings you want to copy.

Summary

With the Sandboxie application, you can create virtual environments of any configuration, without user restrictions. Sandboxie provides a large number of settings for both individual applications and sandboxes.

[+] Flexible configuration of each sandbox
[+] Creating rules for a group of applications
[-] You can't create distributions
[-] No setup wizard

Evalaze

It is symbolic that Evalaze originates from the Thinstall 2007 program, which now belongs to VMware.

Evalaze is not as well-known as Sandboxie among sandboxing programs, but it has a number of interesting features that distinguish it from a number of similar solutions. Thanks to virtualization, applications can be run in a standalone environment from any computer, regardless of the availability of drivers, libraries, or newer versions of the application being launched. This does not require any presetting, nor additional configuration files or libraries or registry keys.

Evalaze does not require installation, with one caveat: you need Microsoft .NET Framework version 2.0 or higher. In the free version, as in the professional edition, a virtualization setup wizard and an unlimited number of virtual applications are available. You can download a trial version from the developers' site only upon request (see the developers' email on the site).

The resulting configuration can be saved to a project. From start to finish, the virtual application setup process takes longer than, say, Sandboxie, but is more consistent and straightforward.

Two additional Evalaze features are worth noting, probably of interest to software developers and testers: working with a virtual file system and a virtual registry. These standalone Evalaze environments can be edited at your discretion by adding the files, directories and keys necessary for a particular virtual program to function.

Also in Evalaze, you can set up associations out of the box: the virtual application will immediately create the necessary associations with files in the OS upon startup.

Summary

A program with which you can create stand-alone applications that are convenient to use in all sorts of situations, which in general facilitates migration, compatibility, security. Alas, the free version is practically useless, it is only interesting for a very superficial study of the functions of Evalaze.

[-] Poorly functional trial version
[-] High price of the Pro version
[+] There is a setup wizard
[+] Virtual file system and registry

Enigma Virtual Box

The Enigma Virtual Box program is designed to run applications in an isolated virtual environment. The list of supported formats includes dll, ocx (libraries), avi, mp3 (multimedia), txt, doc (documents), etc.

Enigma Virtual Box models the virtual environment around the application as follows. Before starting the application, the Virtual Box loader is triggered, which reads the information that is necessary for the program to work: libraries and other components - and provides them to the application instead of the system ones. As a result, the program works autonomously with respect to the OS.

It usually takes about 5 minutes to configure Sandboxie or Evalaze sandboxes. At first glance, Virtual Box also does not involve lengthy configuration. In the documentation, the use of the program is actually contained in one sentence.

Only 4 tabs - "Files", "Registry", "Containers" and, in fact, "Options". You need to select an executable file, specify the location of the final result and start processing. But later it turns out that the virtual environment needs to be created independently. For this, the three adjacent sections "Files", "Registry" and "Containers" are intended, where the necessary data is manually added. After that, you can click processing, run the output file and check the program's performance.

Summary

Thus, in Enigma Virtual Box there is no OS analysis before and after installing the application, as is the case with Evalaze. The emphasis is shifted towards development - therefore, rather, Virtual Box is useful for testing, checking compatibility, creating artificial conditions for running a program. Virtualization of unknown applications will cause difficulties, since the user will be forced to specify all the program's links on his own.

[-] Lack of convenient setup
[+] The resources used by the program can be determined independently

Cameyo

Cameyo offers application virtualization in three areas: business, development, personal use. In the latter case, the sandbox can be used to keep the OS in a "clean" state, store and run applications on removable media and cloud services. In addition, several hundred already configured virtual applications are published on the cameyo.com portal, which also saves user time.

The steps for creating a virtual application are similar to Enigma Virtual Box: first, a snapshot of the system is created before installation, then after it. Changes between these states are taken into account when creating the sandbox. However, unlike Virtual Box, Cameyo syncs with a remote server and publishes the application to cloud storage. Thanks to this, applications can be run on any computer with access to the account.

Through the library (Library) you can download popular system applications (Public Virtual Apps) for subsequent launch: archivers, browsers, players, and even antiviruses. At startup, you are prompted to select an executable file and indicate whether it works stably or not (which, apparently, is somehow taken into account by the moderators of the Cameyo gallery).

Another interesting feature is the creation of a virtual application through . The installer can be uploaded from your computer, or you can specify a file URL.

The conversion process, according to statements, takes from 10 to 20 minutes, but often the waiting time is several times less. Upon completion, a notification is sent to the email with a link to the published package.

Email notification about distribution creation

With all the cloud conveniences, there are important points to note. First: each program is updated from time to time, and the library contains rather outdated copies. The second aspect is that applications added by users may violate the license of a particular program; this must be understood and taken into account when creating custom distributions. And thirdly, no one can guarantee that a virtual application posted in the gallery has not been modified by an attacker.

However, speaking of security, Cameyo has 4 application modes:

  • Data mode: the program can save files in the Documents folder and on the Desktop
  • Isolated: no ability to write to the file system or the registry
  • Full access: free access to the file system and registry
  • Customize this app: modifying the launch menu, choosing where to store the program, etc.

Summary

A convenient cloud service that can be connected to on any computer, allowing you to quickly create portable applications. Setting up sandboxes is minimized, not everything is transparent with virus scanning and security in general - however, in this situation, the advantages can compensate for the disadvantages.

[+] Network synchronization
[+] Access to custom applications
[+] Create virtual applications online
[-] Lack of sandbox settings

Spoon.net

Spoon Tools is a set of tools for creating virtual applications. In addition to being a professional environment, spoon.net deserves attention as a cloud service that integrates with the Desktop, allowing you to quickly create sandboxes.

To integrate with the Desktop, you need to register on the spoon.net server and install a special widget. After registration, the user gets the opportunity to download virtual applications from the server through a convenient shell.

Four features brought by the widget:

  • Create sandboxes for files and applications
  • Tidying up the desktop with shortcuts, quick launch menu
  • Safe testing of new applications, running legacy versions on top of new ones
  • Undo changes made by the sandbox

Quick access to the spoon.net widget is possible through the keyboard shortcut Alt + Win. The shell includes a search bar that doubles as a console; it searches for applications both on the computer and on the web service.

The organization of the desktop is very convenient: you can drag the required files onto the virtual desktop, and they will sync with spoon.net. New sandboxes can be created in just two clicks.

Of course, in terms of setting up sandboxes, Spoon cannot compete with Sandboxie or Evalaze, for the simple reason that such settings do not exist in Spoon. You cannot set restrictions or convert a "regular" application into a virtual one; the Spoon Studio suite is intended for these purposes.

Summary

Spoon is the "cloudiest" shell to work with virtual applications and, at the same time, the least customizable. This product will appeal to users who care not so much about the security of work through virtualization, but about the convenience of working with necessary programs everywhere.

[+] Widget integration with Desktop
[+] Quick creation of sandboxes
[-] Lack of settings to limit virtual programs

Summary table

Program/service   Sandboxie                Evalaze                       Enigma Virtual Box                     Cameyo     Spoon.net
Developer         Sandboxie Holdings LLC   Dogel GmbH                    The Enigma Protector Developers Team   Cameyo     Spoon.net
License           Shareware (€13+)         Freeware/Shareware (€69.95)   Freeware                               Freeware   Free (Basic account)

Adding applications to the sandbox: +
Personalization (shortcut creation, menu integration): + + + +
Setup wizard: + + +
Creation of new virtual applications: + + +
Online synchronization: + +
Setting sandbox privileges: + + + +
Analysis of changes when creating a sandbox: + + +

When working on a PC, we launch and download a lot of files: programs, books, articles. This is how malware and viruses get into the system; such files are found even on official resources. How can you protect yourself from this? Sandboxie will help. It is a good way to get rid of ads, toolbars and malicious software. Let's take a closer look at how to download Sandboxie to a PC and work with it.

What it is

Sandboxie is a specialized software that creates an environment on the PC where the application cannot access the PC settings. If a virus has entered the PC, it will not get access to the system files to change the information in them. When you exit the sandbox, all files will be deleted.

Important: Use Sandboxie to launch suspicious applications.

What it is used for

It creates a dedicated environment within the system. Changes related to the operation of the program occur only in a special isolated environment (the sandbox). It can be if necessary. You can run any application without fear of damaging the OS: for example, run a browser in the sandbox and browse sites without fear of catching a virus.

Sandboxie improves security when visiting sites, especially those with questionable content.

How to download

Sandboxie can be downloaded at: https://www.sandboxie.com/ . Click the "Click here" link. The application is shareware: after thirty days of use it will ask you to switch to the paid version. Despite this, most of the application's features will remain available for free; only the multi-isolation feature will be disabled. You can download Sandboxie for Windows 7 and older at: https://www.sandboxie.com/AllVersions.

To work on Windows 10, download Sandboxie v5 or later.

Sandbox for Windows 10

Run the installation "exe" file by double-clicking on it with the left mouse button. Installation will begin. To download Sandboxie in Russian, select the appropriate item in the window that appears.
Installation is simple, will not cause difficulties even for novice users. The application will become available from the "Start" - "Programs" menu. It will also be located in the system tray.
A shortcut will be added to the "Desktop", clicking on which will open the default browser.

Settings

Second way

Right-click on the application shortcut, then "Run".
The application will run in an isolated environment. When you hover the mouse over its window, a colored frame will appear.

Consider a practical example

Recovery

During operation, files are stored in the sandbox's directories. They are not visible outside it until you allow the application to transfer them; this is "Recovery". How to set it up was discussed earlier in the article. How do you recover files?

Immediate Recovery

I recommend using this method, as the function is called automatically while the files are being created. After saving, the "Immediate Recovery" window will appear.

Is there a Sandboxie equivalent? Alternatively, look into programs such as Shadow User and Shadow Defender. But if you need software to control applications, then I don’t see the point of replacing it.

Conclusion

Use Sandboxie to run programs in an isolated environment without harm to the system and to surf the Internet safely. Compared with an ordinary launch, a sandboxed application consumes more system resources, so loading takes longer, but the security is worth it: dangerous components that could harm its operation will not get into the system. Use Sandboxie to test and run questionable applications.