Sandboxes

Sandboxes are sophisticated programs that monitor activity on your computer and prevent possible malicious activity. Essentially they allow you to limit a program to safe activity. Unfortunately this means that you must often authorize an activity before it can be performed. As the name suggests, each program is only allowed to play in its own sandbox and cannot access things outside of this defined area. Sandboxes are ultimately an extremely good security tool, but they may require a large amount of user intervention. Three sandboxes are reviewed. I have attempted to present the features and some evaluation of each. I do not have the time or facilities to test each against known attacks, so you must judge the effectiveness for yourself. As all software is a moving target, the current status of each product may be different now. If possible, download a trial version and see if the product meets your needs.

Esafe 3.0 by Aladdin Knowledge Systems is the first all-in-one suite with a combined sandbox, firewall, virus scanner, and internet content filter. It is now discontinued, but a free version is available on the web. The virus scanner has not received good reviews and the firewall is not a competitor for other programs. The internet content filter suffers from the usual problem that it cannot distinguish between sites with serious social or medical discussion and porno sites. The sandbox is a competent program with some unique features. The sandbox allows the user to set up hard drive access rules for each program. The user can create sandboxes and assign specific programs to those sandboxes. Each sandbox has a set of rules which allow programs to have access only to specific folders on your hard drives. Programs can be given or denied read, write, delete, and execute access to all the files in a specific folder. The access rules can be specified for specific users or groups of users. In addition, a variety of resources are monitored and cannot be changed without permission. These include Boot file, WIN.INI, SYSTEM.INI, startup batch file, file associations, task scheduler, VxD files, DLL files, internet settings, DLL added, MS Office macro protections, internet security, script runtime warnings, IE startup page, domain security, autorun settings, special software elements. It is possible to password protect Esafe so that other users cannot change the rules. Esafe is a general program which can be used to restrict any program on your system. It does set up a specific sandbox designed to restrict internet browsers. Any program which the browser downloads and attempts to execute has the same restrictions. If you use the default settings it is not very difficult to configure, but setting up a very restricted environment is fairly complicated. To simplify setup, Esafe has a learning mode available for a fixed period of time. The learning mode can be terminated for all programs by setting the protection to maximum. It has the annoying habit of sometimes losing its configuration. If you want to use just the sandbox features, you must still load the latest virus definitions, or it will bring up an annoying popup screen until you do so. Some restrictions are a subset of those available with the system policy editor. The system firewall in Esafe has one feature that most of the separate firewalls lack. It works properly for a multi-station PC which has more than one monitor, mouse and keyboard. Other firewalls do not properly protect users working on the secondary stations.

Finjan SurfinGuard Pro is a much more limited program, with tighter control over what it protects. It monitors a limited set of commonly used programs and blocks certain features which may be used by viruses and Trojans. It has a module which checks standalone scripts such as Visual Basic Script to see if they are potentially dangerous, but it does not check embedded scripts. This feature is also available in recent versions of Norton Antivirus and Script Sentry. SurfinGuard specifically blocks access to the Windows address book so that an E-mail virus cannot spread. This also provides a method for detecting viruses. SurfinGuard can be configured to have different restrictions on different URLs. The setup is not very complicated. It provides the largest number of predefined setups of the three reviewed products. It does not have any password protection, so it is not good to use in a multiuser environment. Finjan Software also sells a centrally managed product with password protection that can be used for multiple users. SurfinGuard Pro is free, so the price is right.

Tiny Trojan Trap (TT) from Tiny Software Systems was formerly produced by Secure4U and is now incorporated into their firewall. This shares some features with Esafe. TT can be configured to disallow access to specific files and folders on your hard drive. TT, unlike Esafe, allows the user to specify what portions of the registry may be accessed by a specific group of programs. A laundry list of various system functions can be restricted. Likewise, program access can be specified for specific IP ports and addresses, so it functions as a firewall. It includes an internet content filtering module which can filter URLs, E-mail, and cookies. It will configure some sandboxes for a few commonly used programs such as web browsers and Microsoft E-mail programs. Combined with the ability to restrict programs from spawning other processes, TT would appear to provide a high degree of security at the cost of extensive setup. Unlike Esafe, TT cannot have separate configurations for different users; however, it does have password protection so that other users cannot change the setup. TT has a learning mode to simplify setup. The user must use all of the desired features of a program during the learning phase. After the learning phase TT will only allow access to resources used during that phase. In all, TT probably provides the greatest possible security if configured properly. Tiny is currently extolling Trojan Trap as part of a suite which includes a virus scanner and a firewall. They are now selling a combined firewall/sandbox as Tiny Personal Firewall. I have seen a number of good reports about it, but my tests find that it is incompatible with Microsoft ICS.

None of the sandboxes have MD5 verification of the image identity. As a result it is possible for a Trojan to masquerade as a legitimate image. Since some of these programs may replace some Windows system files, they can interact with Windows in unpredictable ways. They may have severe conflicts with some other Windows features or programs. The monitoring may consume vital system resources so they may slow your machine considerably.

None of these sandboxes is ideal. Since the extra features such as a firewall, content filter, or virus scanner are generally not very good, they can be considered superfluous. The ideal sandbox should include MD5 signature checking to prevent masquerading. Like Trojan Trap, it should be highly configurable for the power user, but it should also include a good set of default settings for a large number of commonly used programs. Some special restrictions as in SurfinGuard should also be included to stop specific malicious attacks, such as sending E-mail to propagate viruses. I have not seen any good reviews and tests of the level of security that these sandboxes give your system. As a result I cannot recommend any according to security level. Probably the best sandbox for the average user would be SurfinGuard with its simple setup, but Trojan Trap would be ideal for the power user. Esafe would only be preferred if the ability to configure different restrictions for individual users is important, or the multisession firewall is important. One of the problems with sandboxes is that they can interfere with virus scanners and block automatic updates of virus signatures. From the point of view of making security easy, it would be ideal to have a sandbox which is integrated with a firewall and virus scanner. Up to this time a good integrated solution has not yet been achieved.
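The image-identity check that the two paragraphs above find missing can be sketched as follows; this is an added example, not code from any of the reviewed products. It binds a sandbox rule to the digest of the program file rather than to its path alone, and it defaults to SHA-256 instead of the MD5 named above because MD5 is no longer collision-resistant; `ImageRegistry`, the sandbox name and the file names are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile

def image_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash the program file in chunks so large images are not read whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

class ImageRegistry:
    """Hypothetical rule store: rules attach to (path, digest), not path alone."""
    def __init__(self, algorithm="sha256"):
        self.algorithm = algorithm
        self._pinned = {}  # real path -> (digest at enrollment, sandbox name)

    def enroll(self, path, sandbox):
        real = os.path.realpath(path)
        self._pinned[real] = (image_digest(real, self.algorithm), sandbox)

    def sandbox_for(self, path):
        """Return the sandbox whose rules apply, or None if identity is unconfirmed."""
        real = os.path.realpath(path)
        entry = self._pinned.get(real)
        if entry is None:
            return None  # never enrolled: caller applies its most restrictive rules
        expected, sandbox = entry
        try:
            actual = image_digest(real, self.algorithm)
        except OSError:
            return None  # image vanished or became unreadable since enrollment
        return sandbox if hmac.compare_digest(expected, actual) else None

def demo():  # constructed files stand in for a real program image
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")
        with open(browser, "wb") as f:
            f.write(b"constructed stand-in for the legitimate image")
        reg = ImageRegistry()
        reg.enroll(browser, "internet")
        before = reg.sandbox_for(browser)
        # Same path and name, different bytes: the masquerade described above.
        with open(browser, "wb") as f:
            f.write(b"constructed stand-in for a replaced image")
        after = reg.sandbox_for(browser)
        return before, after, reg.sandbox_for(os.path.join(d, "other.exe"))

if __name__ == "__main__":
    print(demo())
```

A path-only rule would have granted the replaced file the browser's permissions; with the digest pinned, the lookup returns no sandbox and the caller can deny or prompt. In a real product the check has to happen at load time on the same bytes that get executed, otherwise the file can be swapped between the hash and the launch.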
