This way you can launch applications in a safe sandbox



When you visit an (unknown) site or install some (free) tool, you always run a certain risk. For example, malware may secretly come along, or the application may turn out to be unstable. By running the software completely separate from the rest of your system, you limit or avoid those risks. This technique is called sandboxing.

To stay ahead of malware, such as viruses and ransomware, you naturally install a solid antivirus tool and keep it up to date. Unfortunately, such tools do not always manage to detect or block all malicious sites or software. Especially when you visit unknown sites or want to try out new software, you should therefore take extra security measures.

A proven technique is sandboxing, in which individual applications are isolated from the underlying OS and from other applications. They are, as it were, put in a sandbox from which they cannot (or at least should not) escape.

On a more technical level, this is also called application virtualization, because the applications run in a kind of virtual environment. To the software it seems as if it is operating in your real (Windows) environment, since it has no knowledge of being confined within the sandbox.

In this article we look at a number of techniques and tools to launch all kinds of applications in such a safe sandbox. If everything turns out to be in order, you can then use the software with confidence in your “real” environment, if you wish.

01 Browsers

It may surprise you, but many browsers already offer a certain amount of sandboxing as standard. This has been the case for some time for Google Chrome and also for Firefox from version 54 onwards. In principle, they start one or more new processes for each web page to execute (the scripts on) that page, which makes it more difficult for potential malware to manipulate browser tabs or files.

Even the good old Internet Explorer offers comparable functionality. You must first switch it on: go to Internet options / Advanced and check Enable Enhanced Protected Mode. Note that certain (incompatible) add-ons may then no longer function correctly.

Later in this article, other solutions are also discussed, such as starting Chrome or Edge within Windows Sandbox, or in combination with Windows Defender Application Guard.

01 Even Internet Explorer provides some sort of sandbox functionality.

02 Antivirus

Paid versions of antivirus software often have all kinds of extra security functions. The Internet Security suites of both Avast! and Kaspersky include a sandboxing function. With the latter, a sandboxed browser protects, among other things, your online financial transactions.

You will also find a sandbox in the free version of Comodo Antivirus. It not only uses a Chromium-based browser, including sandboxing technology, but also lets you launch any application in a sandbox. To do so, click Tasks and choose Containment tasks / Start Virtual / Choose and start. Point to an exe file and launch it: a green frame around the application window indicates that the program is running in a sandbox. You can reset the sandbox (container) at any time, along with the changes made by the applications you placed in it.

02 The free version of Comodo Antivirus also includes a sandbox function.

03 Defender Antivirus

Microsoft is also participating in application virtualization and sandboxing. From Windows 10 1703 onwards, it offers the possibility to run its own Windows Defender Antivirus in a sandbox. This antivirus tool runs with elevated permissions by default, which makes it a sought-after target for malware. You activate this function as follows. Right-click Windows PowerShell and choose Run as administrator. At the command prompt, run the following command:

setx /M MP_FORCE_USE_SANDBOX 1

Then restart Windows. If you afterwards open the Windows Task Manager (Ctrl + Shift + Esc) and click More details / Details, you should now also see MsMpEngCP.exe running there.

03 Extra security: Windows Defender Antivirus in a sandbox.

04 WDAG

Users of Windows 10 Pro 64-bit 1803 and higher can also activate the built-in Windows Defender Application Guard (WDAG) for use in Edge. You can find the exact system requirements here. Your browser is then locked into a restricted virtual machine with the help of Hyper-V. This machine has, for example, no access to the clipboard or external files. Open Windows PowerShell as administrator and execute the following command:

Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard

After restarting your PC, start Edge. Depending on your Edge version, you may first have to go to edge://flags in the address bar and switch on Microsoft Edge Application Guard. If all goes well, you now get access to an extra option via the … button: New Application Guard window.

To also use WDAG in Chrome, you need a browser extension that you can download here. If the extension also offers you a link to the WDAG Companion app in the Windows Store, you must install that as well. Then restart Windows.

04 You can activate the optional WDAG via PowerShell.

Configure the sandbox

To customize Windows Sandbox, you need to create a wsb configuration file and adjust the XML instructions manually. You can find more explanation about this here.

With Sandbox Configuration Manager it can be simpler. Extract the archive file and double-click the extracted file Windows Sandbox Editor v2.exe. Under Basic infos, enter the name of your sandbox, as well as the path where the wsb file should be saved. Indicate whether you want a network connection and whether the GPU should also be virtualized (at VGPU status). Go to Mapped Folders and click Browse folder to make a folder from the “real” Windows environment accessible from the sandbox. Through Startup commands you can have commands executed automatically when your sandbox starts. Confirm with Save existing sandbox. To start a sandbox, switch on the option Run Sandbox after change, point to your wsb file via Load existing Sandbox and confirm with Save existing sandbox.
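The options described above (network connection, vGPU, mapped folders, startup commands) correspond to elements of the wsb file. As an added example, not taken from the original article or from the tool, this PowerShell script writes a restrictive wsb file by hand, reads it back to flag settings that weaken the isolation, and only then starts the sandbox. The host folder C:\SandboxShare and the file name Restricted.wsb are assumptions.

```powershell
# Added example: write a restrictive .wsb file and check it before use.
# Assumed values: adjust the host folder and file name to your own system.
$hostFolder = 'C:\SandboxShare'
$wsbPath    = Join-Path $env:USERPROFILE 'Desktop\Restricted.wsb'
New-Item -ItemType Directory -Path $hostFolder -Force | Out-Null

# Without <SandboxFolder>, a mapped folder appears on the desktop of the
# sandbox user (WDAGUtilityAccount) under its own folder name.
$inSandbox = 'C:\Users\WDAGUtilityAccount\Desktop\' + (Split-Path $hostFolder -Leaf)

# VGpu/Networking "Disable": no GPU sharing and no network for untrusted software.
# ReadOnly "true": the sandbox can read the host folder but not modify it.
# LogonCommand: runs once the sandbox has started (here: open the mapped folder).
$config = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe $inSandbox</Command>
  </LogonCommand>
</Configuration>
"@
Set-Content -Path $wsbPath -Value $config

# Read the file back and collect every setting that loosens the isolation.
[xml]$wsb = Get-Content -Path $wsbPath -Raw
$findings = @()
if ($wsb.Configuration.Networking -ne 'Disable') { $findings += 'Networking is enabled' }
if ($wsb.Configuration.VGpu -ne 'Disable')       { $findings += 'vGPU is enabled' }
foreach ($m in $wsb.Configuration.MappedFolders.MappedFolder) {
    if ($m.ReadOnly -ne 'true') { $findings += "Writable mapped folder: $($m.HostFolder)" }
}

if ($findings.Count -eq 0) {
    Start-Process -FilePath $wsbPath   # opens Windows Sandbox with this configuration
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The same check works on a wsb file saved by a configuration tool: point $wsbPath at that file and skip the part that writes $config.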

The Sandbox Configuration Manager makes it easier to fine tune the Windows Sandbox.

05 Windows Sandbox

Microsoft stepped up its sandboxing efforts with the introduction of a real Sandbox tool in Windows 10 1903. This tool is in principle only available for users of Windows Pro and Enterprise (however, see the “Sandbox Home” box text). This technology also makes good use of Hyper-V: it provides a virtual Windows environment in which you can safely experiment with unknown sites and software. This “sandbox” is already very close to system virtualization (see the text box “System virtualization”).

You must also enable Windows Sandbox yourself. Press Windows key + R and enter optionalfeatures. Scroll to the option Windows Sandbox and place a check here. Confirm with OK and restart your system. Your system must meet certain requirements, such as having a 64-bit processor, virtualization activated in the BIOS (AMD-V or Intel VT) and a minimum of 4 GB of RAM.

If Sandbox has been successfully activated, you only need to start Windows Sandbox from the program list. A moment later a window pops up with a virtual Windows environment. Access to the underlying “real” Windows is automatically restricted: you notice that immediately when you open the Explorer here, for example. All changes also disappear once you close the virtual environment. Keep in mind that other virtualization software, such as VirtualBox, will no longer function until you switch off the Windows Sandbox function again!
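To verify the steps from sections 03, 04 and 05 after the restart, the following PowerShell check (an added example, not part of the original article) reports the Windows Sandbox requirements listed above together with the state of the Defender sandbox and the two optional features. Containers-DisposableClientVM is the optional-feature name of Windows Sandbox; run the script in a PowerShell window started as administrator.

```powershell
# Added example: pre-flight and status check for sections 03-05.
# Must run elevated, because Get-WindowsOptionalFeature -Online requires it.
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
$cs  = Get-CimInstance Win32_ComputerSystem

$report = [ordered]@{}

# Requirements from the text: 64-bit, virtualization switched on, at least 4 GB RAM.
# Once Hyper-V is active the firmware flag can read False, so HypervisorPresent
# is accepted as well. RAM is rounded because Windows reports slightly less than installed.
$report['64-bit Windows']         = [Environment]::Is64BitOperatingSystem
$report['Virtualization enabled'] = [bool]($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)
$report['RAM at least 4 GB']      = ([math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 4)

# 03: setx /M stores a machine-level variable; after the restart the sandboxed
# content process MsMpEngCP.exe should be running.
$report['MP_FORCE_USE_SANDBOX']  = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
$report['MsMpEngCP.exe running'] = [bool](Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue)

# 04 and 05: state of the optional features (WDAG and Windows Sandbox).
foreach ($name in 'Windows-Defender-ApplicationGuard', 'Containers-DisposableClientVM') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    $report[$name] = if ($f -and $f.State) { [string]$f.State } else { 'Not available on this edition' }
}

[pscustomobject]$report | Format-List
```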

05 You first have to switch on the Sandbox yourself.

Sandbox Home

Windows Sandbox is normally not available for Windows Home, but it can be added via a detour. Download the Sandbox Installer.zip file. After downloading and unpacking, right-click on the Sandbox Installer.bat file and choose Run as administrator. After the process completes, confirm with Y, after which your PC will restart. You should then find Windows Sandbox among the Windows components. On the same website you will also find a Sandbox UnInstaller.zip file, in case you want to get rid of it again.


06 Sandboxie: start up

An excellent alternative to Windows Sandbox is the freeware tool Sophos Sandboxie, which works under all versions of Windows 7 and higher, including Windows Home. After installation, at the first start-up you will find a sandbox named Sandbox Default, which is still empty. You can change the name from the context menu.

For example, you can run a browser within such a sandbox by right-clicking on your sandbox and choosing Run sandboxed / Start web browser. You can easily test the operation: download any file and place it on your desktop. You will notice that it does not end up on your regular desktop, but on the desktop of your sandbox.

06 This browser is running in a Sandboxie sandbox.

07 Sandboxie: operation

Immediately after this download, a window pops up with the name “Immediate Recovery”. If you still want the downloaded file from the protected environment on your real desktop, click the Recover button.

It is also possible to retrieve files from a sandbox afterwards. To do this, open the menu View / Files and folders in the Sandboxie main window. Then navigate to the desired file. From the context menu you can then transfer it to the desired location. Return to the Sandboxie window via the menu View / Programs.

To run other applications in your sandbox, right click on your sandbox and choose Run sandboxed / Run program or Run from start menu. You create a new sandbox via Sandbox / Create a new sandbox.

To have a program run exclusively in a sandbox, right-click on your sandbox and choose Sandbox settings. Open the section Start program and click Forced programs / Add program / Open / select files. Point to the program file and confirm your choice. To start the program quickly, you can right-click on it in the Explorer and choose Run sandboxed (does not work with all programs).

07 You can transfer files from the virtual environment to your real Windows.

08 Toolwiz Time Freeze

Toolwiz Time Freeze (suitable for Windows XP and higher) is also a sandboxing tool, but one that, as it were, puts your entire system in the sandbox. Literally all write operations, at least those to your Windows partition, are redirected to a cache file, and after a restart of your system that cache is automatically emptied again. During the installation, a few kernel drivers will be placed on your system, so make sure you first make a system backup.

You can leave the default settings intact during the installation. After restarting your PC, start the tool. Right-click on the program icon in the Windows system tray and choose Show Program, after which you press the Start Time Freeze button. All changes to your system partition will now automatically disappear after a restart. You can test this by, for example, adding or removing some files, or changing the appearance of your desktop.

You can also end a session at any time by clicking Stop Time Freeze. After your confirmation, Windows will restart automatically and all changes will be discarded.

We should also mention that, in the main window, Enable Folder Exclusion when Time Freeze is ON lets you keep files outside the protection of Toolwiz Time Freeze. It suffices to add them via the Add File or Add Folder buttons. This data is then retained after a restart.

08 Toolwiz Time Freeze puts your entire system in the sandbox.

System virtualization

In this article we focus on application virtualization, but a few tools clearly overlap with system virtualization, where not only certain applications but almost the entire system is virtualized – think of Windows Sandbox and partly also Toolwiz Time Freeze.

One of the most popular, free tools for system virtualization is Oracle VM VirtualBox. In a nutshell you get started with this as follows.

Download and install the tool. When you launch it, the “virtual machines” (VMs) window is still empty. To add such a VM, click New. Give your VM a name and indicate in which folder it should end up. Set the Type (for example MS Windows) and the accompanying Version. Press Next and provide a suitable amount of RAM for your VM (for example 2048 MB for Windows). Click Next / Create / Next / Next. Assign a suitable size to the virtual disk (for example 50 GB) and confirm with Create. Double-click on the new VM and click on the folder icon. Point to the disk image file (iso) of the intended system. As soon as you click Start, it is installed. Afterwards you can start and use the virtual system.

Oracle VirtualBox is a flexible manager for virtual machines.