The web is an inherently insecure environment. In many of our articles we have highlighted the growing tendency of malware authors to plant their creations not only on sites built for the purpose but also on legitimate and widely known Internet sites.
As we have already explained, for example, in a previous article, the techniques employed are extremely varied: e-mails containing links to malicious sites; fake security software published on the Net which, if run, actually performs harmful operations; XSS and SQL injection attacks against legitimate sites; and the registration and use of domain names that closely resemble those of famous websites but differ in a few characters (“typosquatting”, a form of cybersquatting).
The success that the various social networks are enjoying everywhere is also being exploited by malware authors, who have begun sending users registered with those services messages that link to harmful web pages.
To protect yourself from attacks, we have previously suggested several tools and methodologies:
- An analysis of present and future cyber threats
- Security: threats, defenses, and technical advice
This article focuses on security software that uses sandboxing to protect the user’s system. A “sandbox” is a protected, supervised area inside which, for example, suspicious or malicious applications can be run without actually touching the installed operating system.
Some more modern malware has become smart enough to recognize that it is being executed inside a virtual machine or, more generally, a sandbox; in those circumstances it avoids loading any harmful code, so that the analysis reveals nothing. A sample that does nothing inside the sandbox is therefore not proof that it is harmless.
It is also worth distinguishing sandboxing from full virtualization. Virtualization solutions such as VirtualBox, VMware Player and Workstation, Microsoft Virtual PC and Parallels aim to “emulate” a whole physical machine, running in a protected environment a complete operating system, even one different from the one installed on the “host”. Sandboxing techniques, by contrast, aim to protect only known areas of Windows (for example the registry and the system folders) from the programs running inside the sandbox.
One very compact program of this kind is Sandboxie. Compatible with all Windows versions from Windows 2000 onwards, it can run any application inside a sandbox: the web browser, the command prompt, or even the operating system shell itself.
When you run an application through Sandboxie, it is isolated from the rest of the system and cannot alter the configuration of your computer. If you run your web browser through Sandboxie, every change the browser makes to the file system and the registry is confined to the sandbox, and any file you download is kept inside the sandbox as well. Note what this does and does not cover: it protects the system from changes made by the sandboxed program, but by default that program can still read the files already on your disk, and the sandbox does nothing against, for example, a phishing page that asks for your password.
This means that a malicious application (“malware”) is no longer able to modify the “vital” parts of the operating system: by emptying the sandbox, the user can eliminate every trace of the unwelcome guest, certain that it has not damaged the Windows configuration.
Any program or process started by an untrusted program that is itself running in the sandbox through Sandboxie is also executed inside the protected area, so that its activity cannot affect the state of the operating system.
This approach has advantages and disadvantages. Among the advantages is that malware components cannot reach critical areas of the operating system; among the drawbacks, the most obvious is that any legitimate file downloaded, for example, through the sandboxed web browser is itself stored in the sandbox and has to be recovered explicitly before it can be used, as described further on.
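The redirection described above can be checked rather than taken on trust. The following PowerShell script is an added example, not code from the original article or from the Sandboxie project: it launches a sandboxed PowerShell that writes a probe file at a real path, then checks that the file is absent from the real system and present under the sandbox’s container folder. It assumes Sandboxie is installed in its default folder, that the sandbox is named DefaultBox, and that the container folder is the default C:\Sandbox\<user>\<box>; the /box: and /wait switches are Start.exe’s documented launcher switches, but check them against the version you install.

```powershell
# Added example (not from the article): verify Sandboxie's write redirection.
# Assumptions: Sandboxie installed in its default folder, a sandbox named
# DefaultBox, and the default container folder C:\Sandbox\<user>\<box>.
$SbieStart = 'C:\Program Files\Sandboxie\Start.exe'   # Sandboxie's launcher
$Box       = 'DefaultBox'
$Container = "C:\Sandbox\$env:USERNAME\$Box"          # where the box keeps its files

function Test-SandboxieRedirection {
    param([string]$RealPath, [string]$BoxedPath)

    # Run a sandboxed PowerShell (/wait blocks until it exits) that writes a
    # probe file at the *real* path. Single quotes inside the -Command string
    # keep the outer quoting simple even when the path contains spaces.
    & $SbieStart "/box:$Box" /wait powershell.exe -NoProfile -Command `
        "Set-Content -LiteralPath '$RealPath' -Value probe"

    $result = [pscustomobject]@{
        RealPath      = $RealPath
        OnRealSystem  = Test-Path -LiteralPath $RealPath    # expected: False
        InsideSandbox = Test-Path -LiteralPath $BoxedPath   # expected: True
    }
    # Remove the probe from the container so it does not linger in the box.
    Remove-Item -LiteralPath $BoxedPath -ErrorAction SilentlyContinue
    $result
}

# Inside the container the user profile maps to user\current and each drive
# to drive\<letter>; the Windows-folder probe covers the "system folders"
# case the article mentions.
$sysDrive = $env:SystemDrive.TrimEnd(':')
$winName  = Split-Path $env:windir -Leaf
$probes = @(
    @{ Real  = "$env:USERPROFILE\Documents\sbie_probe.txt"
       Boxed = "$Container\user\current\Documents\sbie_probe.txt" },
    @{ Real  = "$env:windir\sbie_probe.txt"
       Boxed = "$Container\drive\$sysDrive\$winName\sbie_probe.txt" }
)
foreach ($p in $probes) {
    Test-SandboxieRedirection -RealPath $p.Real -BoxedPath $p.Boxed
}
```

If a row shows OnRealSystem = True, the program was not actually sandboxed (wrong Start.exe path or box name), which is exactly the kind of silent failure worth catching before trusting the setup with real downloads.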
Before installing Sandboxie we suggest making a backup copy of the entire system with a disk-imaging tool. Sandboxie installs a kernel driver, which is the heart of the application. As the installer itself points out, it is strongly recommended that you temporarily disable any software on the system whose job is to monitor the behaviour of applications (for example the behavioural component of an antivirus), since it may interfere with the driver.
The Sandboxie Control window, which can also be opened at any time from the Start menu under Programs, lists all the processes running inside the sandbox. To check or change the folder on disk where the contents of the sandbox are saved, open the Virtual area menu (Sandbox, in the English interface) and choose Set storage folder.
It is advisable to point this at a removable drive (such as an external hard disk), taking care not to choose a drive letter that belongs to a CD/DVD drive. Right-clicking the Sandboxie icon in the notification area (usually at the bottom right, next to the clock), then clicking DefaultBox and finally Start a program…, lets you launch a program in the default sandbox. If several sandboxes have been created, pick the one you want instead of DefaultBox.
The tray icon can take two forms. When it is completely yellow, no application is currently running inside the sandbox; when a few red dots appear on it, Sandboxie is managing the execution of one or more programs.
From the same menu you can also start the default web browser, the e-mail program, or any application listed in the Windows Start menu. Sandboxie adds the marker [#] to the title bar of every program run inside the sandbox, so the software running in the protected area can be identified at a glance.
We started Firefox in protected mode using Sandboxie. The SandboxieRpcSs.exe and SandboxieDcomLaunch.exe processes that appear alongside it are Sandboxie’s own sandboxed versions of the RPC and DCOM launcher services; they are part of normal operation and require no user intervention. When the web browser runs inside the sandbox, every time you download a file Sandboxie shows an Immediate Recovery dialog.
What does “recovery” mean? As mentioned earlier, Sandboxie stores every file downloaded through a sandboxed browser inside its protected area.
Any newly downloaded item is therefore not placed on the system straight away but stays in the sandbox. Through the Immediate Recovery window you can tell Sandboxie whether the downloaded file should be saved on the real system immediately, either in the folder it was downloaded to or in a different location.
If you click Close instead, the file stays in the sandbox. For greater safety, to avoid copying potentially harmful files onto the system by mistake, the automatic prompt can be switched off: right-click the sandbox (DefaultBox) in the Sandboxie Control window, choose Virtual area settings (Sandbox Settings), Recovery, Immediate Recovery, and untick Enable Immediate Recovery. Files then remain in the sandbox until you recover them deliberately, as described next, and anything you do recover should be scanned with an up-to-date antivirus before it is opened outside the sandbox.
There are two ways to recover a file from the sandbox and copy it to the real system. The recommended one is to start Windows Explorer in sandboxed mode: right-click the Sandboxie icon, choose, for example, DefaultBox, then Start Explorer. Once you have located the previously downloaded files, you can copy them from the sandbox to the real system with a simple copy and paste.
Suppose that, with Internet Explorer or Firefox launched inside the sandbox, you have downloaded two files to the desktop. Those files are not visible on the real system until they are recovered from the protected area. Starting Explorer through Sandboxie, you will see the two downloaded files on the desktop. To extract them from the sandbox, drag them into any folder that is open outside the protected area.
Alternatively, the list of files downloaded inside the sandbox can be obtained from the Sandboxie Control window via the View menu, Files and folders. Right-clicking the files of interest and using Recover in the same folder or Recover in another folder starts the recovery.
Similarly, right-clicking the sandbox in the Sandboxie Control window and choosing Quick recovery shows a summary of all the files and folders created in the protected area that can be restored to the real system. Finally, the Delete contents command, also available from the menu of the tray icon, quickly removes everything in the protected area; this is the step that wipes any trace of malware that ran in the sandbox.
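The whole cycle just described (browse in the sandbox with Immediate Recovery off, recover the downloads you actually want, then empty the box) can also be scripted, which is useful when the same sandbox is reused many times. The script below is an added example, not code from the original article or from the Sandboxie project. It assumes the default install path, a sandbox named DefaultBox and the default container folder; the default_browser keyword, /listpids, /terminate and delete_sandbox_silent are Start.exe’s documented commands, but verify them against your version’s documentation. The recovery folder name, the CSV file name and the Copy-SandboxedFile function are choices made for this example, and Get-FileHash requires PowerShell 4 or later.

```powershell
# Added example (not from the article): the sandbox recovery workflow scripted.
# Assumptions: default install path, a sandbox named DefaultBox, default
# container folder C:\Sandbox\<user>\<box>, PowerShell 4+ for Get-FileHash.
$SbieStart = 'C:\Program Files\Sandboxie\Start.exe'
$Box       = 'DefaultBox'
$Container = "C:\Sandbox\$env:USERNAME\$Box"
$RecoverTo = Join-Path $env:USERPROFILE 'recovered-from-sandbox'   # example name

# Scripted equivalent of "Recover in another folder": copy every file from a
# folder inside the container to a folder on the real system and record a
# SHA-256 for each, so what came out of the box can be scanned and audited
# before anyone opens it.
function Copy-SandboxedFile {
    param([string]$BoxedFolder, [string]$Destination)
    if (-not (Test-Path -LiteralPath $BoxedFolder)) { return @() }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Get-ChildItem -LiteralPath $BoxedFolder -File | ForEach-Object {
        $target = Join-Path $Destination $_.Name
        Copy-Item -LiteralPath $_.FullName -Destination $target
        [pscustomobject]@{
            Name   = $_.Name
            Bytes  = $_.Length
            Sha256 = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        }
    }
}

# 1. Browse inside the sandbox. With Immediate Recovery switched off, every
#    download stays in the box until step 3.
& $SbieStart "/box:$Box" default_browser
Read-Host 'Download what you need, close the browser, then press Enter'

# 2. Show what is still running in the box, then terminate it all so no
#    sandboxed program is still writing while we copy.
& $SbieStart /listpids
& $SbieStart "/box:$Box" /terminate

# 3. Recover from the boxed Desktop and Downloads folders. Inside the
#    container the user profile is stored under user\current.
$recovered = foreach ($sub in 'Desktop', 'Downloads') {
    Copy-SandboxedFile -BoxedFolder (Join-Path $Container "user\current\$sub") `
                       -Destination $RecoverTo
}
if ($recovered) {
    $recovered | Format-Table -AutoSize
    $recovered | Export-Csv -LiteralPath (Join-Path $RecoverTo 'recovered.csv') `
                            -NoTypeInformation
}

# 4. Delete the sandbox contents: nothing the browser wrote survives this step.
& $SbieStart "/box:$Box" delete_sandbox_silent
```

Keeping the recovered files in a dedicated folder, with their hashes written next to them, makes it straightforward to scan the folder and to look up a hash later if one of the downloads turns out to have been malicious after all.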