We often download free software without being sure whether it is safe to install on our operating system. Sandboxing comes to the rescue in such situations. It provides a tightly controlled virtual environment in which to run and check such software or programs. Sandboxes restrict software or programs containing suspicious code, giving them only the permissions they need and no extra permissions that could be abused.

A sandbox is a type of virtual software testing environment that enables the isolated execution of software or programs for independent evaluation, monitoring or testing. In simple words, any process or program run in a sandbox stays in the sandbox and does not affect the host OS.

Apart from testing software, sandboxing also helps to prevent damage from potential infection while browsing, checking dubious e-mails or visiting malicious websites (the most common ways of getting infected by malware). Opening a dubious e-mail or visiting a malicious website without isolating it in a sandbox can be as bad as installing malware or a virus.

Sandboxing also secures our online monetary transactions by preventing existing malware (if any is on the host machine) from stealing our login credentials or online transaction details.

In an implementation, a sandbox may also be known as a test server, development server or working directory. Many options are currently available for sandboxing; Microsoft Windows Sandbox, which comes with the Windows 10 Pro and Enterprise editions, is the best among them. We will look at it in detail, but first let's briefly check the other major sandboxing options:

Sandboxing in Browser:

Internet Explorer and Google Chrome run on the OS but don't have complete access to it. Instead, they run in a low-permission mode. Even if a potentially dangerous web page finds a security exposure and takes advantage of it, it would then have to escape the browser's sandbox to do real harm.

Every website or web application opened in the Chrome browser is a separate and independent process. If four different websites are open in four different browser tabs, each tab corresponds to a separate process. If one of the open tabs crashes, the browser and the other tabs are not affected, because sandboxing provides a layer of protection around each of these processes. Here sandboxing builds a restricted environment around the process of each individual tab. Similarly, if we inadvertently click a malicious link or open a malicious website designed to harm the PC, the malicious code is confined to the sandbox of that particular tab and cannot affect the other tabs. The tab can then simply be closed without affecting the PC or the other tabs.

Google Chrome has developed a sandbox to help thwart exploits in two of the most popular vectors of attack against browsers: HTML rendering and JavaScript execution. In the Chrome browser, all HTML rendering and JavaScript execution is isolated in its own class of processes: the renderers. Chrome also ported Flash from the Netscape Plug-in API (NPAPI) to the more secure Pepper Plug-in API (PPAPI).

Mozilla Firefox doesn't have such a feature.

Comodo Internet Security:

Comodo Internet Security is a free security suite for personal as well as business use. It not only has antivirus and firewall components but also features automatic and manual sandboxing.

Comodo Internet Security detects shady executable files and programs automatically and runs them in the virtual environment. A program can also be run manually within the sandbox.

The sandbox can also be used by right-clicking the program or a shortcut icon.

Avast offers only auto sandboxing in its free version while its paid versions offer both auto and manual sandboxing.

Programs/codes already Sandboxed:

  • Web Pages: Web browsers sandbox the web pages they load. These web pages can contain code to access the web camera or local files on the computer, but sandbox isolation denies such unwanted access.
  • Web browsers: As mentioned earlier, web browsers run in a restricted sandboxed environment to make sure that there wouldn't be much harm even if these browsers get compromised. (Firefox doesn't support this feature.)
  • Browser Plug-ins: Browser plug-ins like Adobe Flash or Microsoft Silverlight load content in a sandbox. Once the browser is closed, the content vanishes. It is therefore advisable to play a Flash game in the browser rather than installing it on the computer.
  • Documents: Microsoft Office has a sandbox mode to stop insecure macros from harming the computer.
  • Mobile Apps: All mobile platforms run their apps in a sandbox. Apps for iOS, Android and Windows run in a restricted sandboxed environment and are prevented from doing many things that are otherwise permissible to standard desktop applications. These apps have to declare permissions for almost every access they seek. They also can't trespass on each other because of the sandboxed environment.

How can we sandbox any program?

Desktop programs generally aren't sandboxed. So if we want to test a shady program or piece of software, we have the following options:

  • Sandboxie: Sophos finally made Sandboxie free and turned it into an open-source tool. It secures browsers from malicious software, viruses, ransomware, etc. It prevents internet websites and programs from modifying data, files or folders on the computer.
  • Virtual Machines: We can create a virtual machine on VMware. In it we can install and check the malicious software to analyze the harm it causes, just as on a standard computer. The entire OS in the virtual machine is completely sandboxed and doesn't have access to anything outside the virtual machine.
  • Windows Sandbox: Windows Sandbox is a new built-in feature available with the Windows 10 May 2019 Update, or version 1903. The feature is available in the Pro and Enterprise editions but not in the Home edition. It is a lightweight environment isolated from the main OS, in which shady applications can be run and checked. Once the check is complete and the Sandbox is closed, everything vanishes, and the next time we launch the Sandbox it runs a new, clean installation.

Details of Windows Sandbox are given on the next page of this post.
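
As an added illustration (not part of the original post), Windows Sandbox can be started from a `.wsb` configuration file that tightens the isolation described above before a shady program is run. The file name `triage.wsb` and the host folder `C:\Quarantine` are assumptions made for this example.

```xml
<!-- triage.wsb: constructed example; opening this file launches Windows Sandbox with these settings -->
<Configuration>
  <!-- No network inside the sandbox: the program under test cannot reach the internet or the LAN -->
  <Networking>Disable</Networking>
  <!-- Software rendering only, so the host GPU is not shared with the sandbox -->
  <VGpu>Disable</VGpu>
  <MappedFolders>
    <MappedFolder>
      <!-- Assumed host folder holding the downloaded installer; adjust to your machine -->
      <HostFolder>C:\Quarantine</HostFolder>
      <!-- Read-only: the sandbox can read the file but cannot write anything back to the host -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- The mapped folder appears on the sandbox desktop by default; open it at logon -->
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\Quarantine</Command>
  </LogonCommand>
</Configuration>
```

Without the `ReadOnly` setting, a mapped folder is writable from inside the sandbox, which would give the program under test a path back to files on the host.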
