Sandboxie (launched through Start.exe) and antivirus sandboxes. Introduction

Many users install software from third-party sources, and such software can, in theory, harm the computer. Unfortunately, modern antivirus software is not always able to identify malware immediately.

Still, you should not take the risk of running potentially dangerous software on your computer without any protection. For this case Sandboxie offers the ability to run programs in a special environment where you can observe how a program behaves.

How the program works

Sandboxie works by creating a limited area on the system disk that simulates the system. This area is closed off from the main system, so that changes made inside it are not carried outside it. When you finish working with files in the "sandbox", all of its contents are cleared, so there is no need to worry that a virus will remain somewhere on your computer, even in that closed area.

Sandboxie can run executable EXE files, installers and documents. There are some exceptions, but they are not critical for everyday work. You can view statistics on the operation and behaviour of particular files. Before closing the sandbox you can also configure which files will be deleted and which will be kept until the next launch. By default, closing the sandbox deletes all files and stops all processes.

Let's look at working with the program in more detail.

File menu

By default the Sandboxie interface is rather plain: the controls are located only in the top menu. Let's look at the "File" menu in more detail. Clicking it opens a drop-down with the following items:

  • "Terminate All Programs". Forcibly terminates all programs and processes opened in the sandbox. Useful if a malicious file has started acting and needs to be stopped urgently;
  • "Disable Forced Programs". Controls whether programs that are configured to open in the "sandbox" by default may instead be launched in normal, unsandboxed mode. By default such a program is allowed to run in normal mode for no more than 10 seconds, which should be enough to see how the software behaves outside the sandbox. The timing can be changed;
  • "Is Window Sandboxed". Lets you check whether a particular window belongs to a program running in the sandbox;
  • "Resource Access Monitor". Traces which computer resources a program launched in the "sandbox" accesses. Useful for spotting suspicious activity;
  • "Exit". Closes Sandboxie.


View menu

The "View" menu gives access to the items that control which elements are displayed in the program interface (the "Programs" and "Files and Folders" views).

The "View" menu also contains a "Recovery Log", which lists the files that were recovered from the sandbox, so that any file recovered by mistake can be found and removed.


Sandbox element

The program's main functionality is concentrated here; this menu is directly responsible for working with sandboxes. Its contents in more detail:

  1. "DefaultBox" is the sandbox in which all programs run by default. Hovering over this item opens a submenu from which you can launch a particular program into the sandbox: for example, Windows Explorer, the web browser, the mail client and so on. The following actions are also available:
    • "Terminate Programs". Closes all programs running in the sandbox;
    • "Quick Recovery". Lets you retrieve all or some of the files from the sandbox and move them to the regular disk space;
    • "Delete Contents". Closes all programs and removes all files and processes inside the isolated space;
    • "Explore Contents". Shows everything that is stored in the "sandbox";
    • "Sandbox Settings". Opens a window where you can choose the colour of the border drawn around sandboxed windows, configure recovery and/or deletion of data, set which programs are allowed to access the Internet, and so on;
    • "Rename Sandbox". Gives the sandbox a unique name made of Latin letters and Arabic numerals;
    • "Remove Sandbox". Removes the isolated disk space allocated to that sandbox together with everything in it.
  2. A new sandbox is created with the corresponding item. By default its settings are copied from an existing "sandbox", and you can then adjust them to your needs. The new isolated space also has to be given a name.
  3. The "Set Container Folder" item lets you choose where the isolated space is stored on disk. By default this is C:\Sandbox.
  4. You can also set the order in which sandboxes are displayed. The default order is alphabetical; to change it, use the "Set Layout and Groups" item.
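The settings listed above (border colour, auto-deletion, per-program Internet access, the container folder) are stored as plain keys in Sandboxie.ini, and the launcher named in the page title, Start.exe, can put a program into a box without the GUI. The script below, an added example that is not Sandboxie's own code and not code from the article, writes a locked-down box section and builds the Start.exe command lines for launching, terminating and wiping that box. The box name "Suspect", the installer path and the closed path are assumptions made for the demo; C:\Sandbox is the article's default container folder. The key names (Enabled, FileRootPath, BorderColor, AutoDelete, ClosedFilePath, ProcessGroup and the InternetAccessDevices alias) and the Start.exe switches (/box:, /terminate, /delete_sandbox) are those of classic Sandboxie as I know them; confirm them against the documentation of the version you run.

```python
"""Emit a hardened Sandboxie.ini box section and the Start.exe commands
for launching into, terminating and wiping that box.

Added example, not Sandboxie's own code. Box name, paths and the
installer below are constructed; key and switch names are the classic
Sandboxie ones as I know them and should be checked against your version.
"""
import os
import subprocess

START_EXE = r"C:\Program Files\Sandboxie\Start.exe"   # assumed install path


def box_section(name, *, internet_programs=(), auto_delete=True,
                border_color="#FF0000", closed_paths=(),
                container_root=r"C:\Sandbox"):
    """Return the text of a [name] section for Sandboxie.ini."""
    if not (name.isascii() and name.isalnum()):
        # Box names are limited to Latin letters and Arabic numerals.
        raise ValueError(f"bad box name: {name!r}")
    lines = [
        f"[{name}]",
        "Enabled=y",
        # %USER% and %SANDBOX% are expanded by Sandboxie at run time.
        f"FileRootPath={container_root}\\%USER%\\%SANDBOX%",
        f"BorderColor={border_color}",                # frame around boxed windows
        f"AutoDelete={'y' if auto_delete else 'n'}",  # wipe the box when it closes
    ]
    if internet_programs:
        # Put the allowed programs in a group; "!<group>" negates the closure
        # for them, so every other program in the box loses the network.
        lines.append("ProcessGroup=<InternetAccess>," + ",".join(internet_programs))
        lines.append("ClosedFilePath=!<InternetAccess>,InternetAccessDevices")
    else:
        lines.append("ClosedFilePath=InternetAccessDevices")   # no network at all
    for path in closed_paths:
        lines.append(f"ClosedFilePath={path}")   # invisible to boxed programs, even for reading
    return "\n".join(lines) + "\n"


def launch_command(box, program, args=(), start_exe=START_EXE):
    """argv that runs `program args...` inside `box` through Start.exe."""
    return [start_exe, f"/box:{box}", program, *args]


def cleanup_commands(box, start_exe=START_EXE):
    """argv lists equivalent to 'Terminate Programs' and 'Delete Contents'."""
    return [[start_exe, f"/box:{box}", "/terminate"],
            [start_exe, f"/box:{box}", "/delete_sandbox"]]


def run(argv):
    """Execute argv on a Windows host that has Sandboxie; elsewhere just echo it."""
    if os.name == "nt" and os.path.exists(argv[0]):
        return subprocess.run(argv, check=False).returncode
    print("would run:", subprocess.list2cmdline(argv))
    return None


if __name__ == "__main__":
    # Constructed demo: only firefox.exe may go online, Documents is hidden.
    print(box_section("Suspect", internet_programs=("firefox.exe",),
                      closed_paths=(r"C:\Users\me\Documents",)))
    run(launch_command("Suspect", r"C:\Users\me\Downloads\setup.exe", ["/S"]))
    for argv in cleanup_commands("Suspect"):
        run(argv)
```

Append the generated section to Sandboxie.ini (or paste it through Configure - Edit Configuration) and reload the configuration before launching; cutting the box off from the network by default, and opening it only for the one program that needs it, is the setting most worth getting right before running an unknown installer.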


The "Configure" item

As the name implies, this menu configures the program itself. It contains the following:

  • "Program Alerts". When one of the programs selected by the user is started, you receive a corresponding notification;
  • "Windows Shell Integration". Opens the settings for launching programs from the right-click context menu of a shortcut or executable file;
  • "Software Compatibility". Not every program is compatible with your operating system and/or with a sandbox environment. This item sets compatibility options that allow more programs to run;
  • A block of configuration controls. These are settings for more experienced users, some of which are set by editing the configuration file directly.


Advantages and disadvantages of the program

The program has its advantages, but it is not without drawbacks.

Advantages

  • The program has a good reputation and has proven itself well;
  • The settings are conveniently placed and clearly named, so even an inexperienced user can understand them;
  • You can create an unlimited number of "sandboxes", each configured for a particular kind of task;
  • The program is fully translated into Russian.

Disadvantages

  • The interface looks dated, although this has practically no effect on usability;
  • Programs that require the installation of additional drivers or other system components cannot be run in this sandbox. This limitation is not unique to Sandboxie.

How to run a program in a sandbox

Let's walk through the program's operation using the example of launching another program in its environment whose installer bundles unwanted software:


So you have learned the main features of Sandboxie and how to use it. This article did not cover every way of using the program, but this is enough to check a particular program for malware or unwanted software.

The Internet is teeming with viruses. They can be disguised as useful programs or even built into a working program you need (this is common in cracked programs, so treat them with suspicion, especially when downloaded from dubious sites). You install the program, and something else is put onto your computer as a "bonus": at best, programs for hidden surfing or miners, and at worst worms, backdoors, stealers and other nasty things.

There are two options if you do not trust a file:
- running the suspect file in a sandbox;
- using a virtual machine.

In this article we look at the first option: sandboxing on Windows.

A sandbox for Windows is a great way to work with suspicious files; let's look at how to start using one.
If you use antivirus software, a sandbox is often built into it. But I do not like those, and I think the best option is to download Sandboxie from its site, www.sandboxie.com.

The program runs a file in a specially designated area, designed so that malware cannot escape it and harm your computer.

The program can be downloaded for free. After two weeks of use, however, a prompt offering to buy a subscription appears at startup, and the program launches only after a delay of a few seconds. It remains fully functional. Installation is straightforward, and the interface itself is quite simple.

By default the program starts automatically when the computer is switched on. If it is running, an icon appears in the tray. If not, run it from Start - All Programs - Sandboxie - Sandboxie Control.
The easiest way to run a program in a sandbox is to right-click the executable or the program's shortcut and pick "Run Sandboxed" from the menu. Choose the sandbox profile to start it in and click OK. That's it: the program now works in a safe environment, and any malware stays inside the sandbox.


Attention: some infected programs refuse to run inside sandboxes and virtual machines and insist on being run directly. If you encounter such behaviour, it is best to delete the file; otherwise run it at your own risk.


If "Run Sandboxed" does not appear in the right-click context menu, open the program window, choose Configure - Windows Shell Integration, and tick the two items under "Actions - Run Sandboxed".

You can create several sandboxes. Choose Sandbox - Create New Sandbox and enter a name for the new one. Old sandboxes can be deleted in the same Sandbox menu (recommended).

There is nothing more to cover in the program. Finally, I want to say: protect your data and your computer! Until next time.


The so-called sandbox is a relatively new feature of the shareware antivirus packages Avast! Pro and Avast! Internet Security. It is a special security model that lets the user visit websites and run a variety of applications from inside a secure environment. The function helps avoid infection when you accidentally land on a potentially malicious resource: on reaching such a resource, the browser is automatically placed in a "sandbox", and so infection of the computer is prevented.
The free versions of Avast! have no sandbox.

You can also launch the function yourself when starting third-party programs that seem suspicious or unreliable to you. Run the program in the sandbox and you will find out whether it is really dangerous or whether your fears are unfounded; while the program is being checked, your system is protected by Avast. The "sandbox" is often used to check software downloaded from the Internet.

How to use the sandbox

To launch a questionable application or go online through the "sandbox", click "Run a virtualized process" and then select the program you need on your computer. The browser or application opens in a new window surrounded by a red frame, which indicates that it has been launched from the sandbox.
On the "Advanced settings" tab you can list applications that should not be virtualized, as well as those that should always be launched from the sandbox.

A characteristic feature of the "sandbox" is that it can be embedded in the context menu. To enable this, in the "Parameters" window tick the box "embed in the context menu opened by right-clicking". The option can be made available to all users or only to users with administrator rights. With it, any application can be run in the "sandbox" simply by right-clicking its shortcut and choosing "Run with".

Note that if you right-click an application that has been placed in the sandbox, the context menu offers commands to run it once outside the sandbox or to remove it from the sandbox.

Internet and computer technologies have completely captured the modern world. Almost everyone now has an electronic device with which they can find the information they need on the Internet or chat with friends at any time and anywhere. But do not forget that sometimes a hidden threat lurks behind this: viruses and malicious files created and released onto the global network to infect user data. In addition to standard antivirus software, sandbox programs have been created to help keep them off the computer.

Purpose and principle of the program

Sandbox programs are designed to keep the computer safe while surfing the Internet or running various programs. Put simply, such a program is a limited virtual space in which all of the user's actions take place. A program launched while the sandbox is active works only in that environment, and if it turns out to be malicious, its access to system files is blocked.

Pros of the "sandbox"

Perhaps the first advantage follows from the paragraph above: the sandbox restricts the access of malicious files to the system. Even if viruses such as Trojans or worms were picked up while surfing the Internet, as long as the user was working with the sandbox enabled they will not spread anywhere else, and when the sandbox is cleared they are removed from the computer without a trace. Such programs can also make the computer feel faster: since most "sandbox" use involves browsers (Google Chrome, Opera, Mozilla Firefox), each launch gives the user a completely clean, as-if-freshly-installed browser without the accumulated "cache" that slows it down.

Cons of the "sandbox"

There are some, and the most important is the loss of personal data, whether bookmarks, pages saved while working on the Internet, or browsing history. The program is not designed to recognise what exactly is harmful to the device, so when it is cleaned, absolutely all data in it is irretrievably deleted. The user has to keep this in mind and, if necessary, synchronise the bookmarks they need or use special applications designed to save such data.

There are many programs of this kind today; well-known ones include Sandboxie, Comodo Internet Security and others. Everyone chooses the one that is more convenient and understandable to them. In any case, keep the disadvantages of these programs in mind and use them with care.

So we decided to touch briefly on this topic.

Essentially, a sandbox is an isolated environment with tightly constrained resources within which program code is executed (simply put, programs are launched in it). In a way, the "sandbox" is a stripped-down environment designed to isolate questionable processes for security purposes.

Some good antivirus programs and firewalls (usually in the paid version) use this technique without your knowledge; some let you manage the functionality (because it does add resource consumption); and there are also standalone programs that implement it.

We will talk about one of them today.

Sandboxie - overview, setup and download

As you gathered from the title and subtitle, we will be talking about the program Sandboxie.

Unfortunately it is shareware, but even the free period will help you get to know this class of tools better, and it may later push you to a more detailed study of the area, where most tools are free and offer more possibilities.

Next you will be offered a short course on working with the program, or rather a brief explanation of how it works. Go through all six steps, preferably reading the instructions provided carefully.

In short, you can run any program inside an isolated environment. The instructions, if you have read them, give a good metaphor: a sandbox is a sheet of transparent paper placed between the program and the computer, and deleting the contents of the sandbox is like throwing away the used sheet together with its contents and, logically, replacing it with a new one.

How to set up and use a sandbox program

Now let's try to work out how to use it. To begin, try running, say, a browser in the sandbox. Either use the shortcut that appeared on your desktop, or use the menu in the main program window: "DefaultBox - Run Sandboxed - Run Web Browser". If you want to launch a browser that is not the system's default browser, use "Run Any Program" and specify the path to the browser (or other program).

The browser will then be launched in the "sandbox" and you will see its processes in the Sandboxie window. From that moment on, everything happens in the isolated environment, as has been said more than once: a virus that uses the browser cache as a foothold to penetrate the system, for example, will not really be able to do anything, because when you finish working with the isolated environment you can clear it, throwing away the used sheet (as the metaphor put it) and moving on to a new one, without affecting the integrity of the computer itself.

To clear the contents of the sandbox (if you do not need them), use "DefaultBox - Delete Contents" in the main window of the program or from the tray icon (next to the clock).

Attention! Only what was written and worked inside the isolated environment is removed. The browser itself, for example, will not be deleted from the computer; what is deleted is, roughly speaking, the copy of the process that was transferred into the sandbox, the cache it created and any saved data (downloaded or created files and the like), unless you save them first.

To understand more deeply how it works, try running the browser and other software in the sandbox several times, downloading various files and deleting or saving the contents when you finish with the sandbox, and then launching the same browser or program directly on the computer. Believe me, you will understand the idea better in practice than from any explanation in words.

By the way, right-clicking a process in the process list of the Sandboxie window and choosing "Resource Access" lets you control which computer resources that process may access bypassing the sandbox.

Roughly speaking, if you want to take the risk and give, say, Google Chrome direct access to some folder on your computer, you can do so on the corresponding tab (File Access - Direct/Full Access) using the "Add" button.

Logically, the sandbox is intended not only, and not so much, for working with the browser and visiting all sorts of dubious sites, but also for launching applications that seem suspicious to you (at work, for example, where dubious files from email or flash drives are often run) and/or that should not have access to the main resources of the computer and/or leave unnecessary traces on it.

Incidentally, the latter can be a good element of protection: launching an application whose data must be completely isolated and deleted once you finish working with it.

Of course, you do not have to delete the data from the sandbox when you finish, and some programs can be used only in the isolated environment (progress is remembered and quick recovery is available), but whether to do that is up to you.

When trying to launch some programs you may run into the problem shown above. Do not be afraid of it: to begin with, just click "OK", and later open the sandbox settings via "DefaultBox - Sandbox Settings" and, on the "File Migration" tab, set a slightly larger size for the file transfer limit.

We will not discuss the other settings now, but if you are interested you can easily work them out on your own, since everything is in Russian and extremely clear and accessible. And if you have questions, you can ask them in the comments on this post.

With that, we can move on to the afterword.

Afterword

Oh yes, we almost forgot: a sandbox, of course, consumes extra machine resources, because it bites off (virtualizes) part of the capacity, which creates a load different from running directly. But it makes sense that security and/or privacy may be worth it.

By the way, the use of sandboxes, chroot or virtualization is partly part of the antivirus security methodology that we stand for.

That is all for now. As always, if you have questions, thoughts, additions and so on, welcome to the comments on this post.

While publishing the last part of the series of articles "Lies, Big Lies and Antiviruses", it became clear that the Habr audience is catastrophically uninformed about antivirus sandboxes: what they are and how they work. The funny thing is that there are almost no reliable sources on this subject on the Internet, only a pile of marketing fluff and second-hand texts in the style of "one granny said". I'll have to fill in the blanks.

Definitions.

So, the sandbox. The term does not come from a children's sandbox, as some might think, but from the one used by firefighters: a box of sand in which you can safely handle flammable objects, or throw something already burning, without fear of setting anything else alight. Carrying this analogy over to software, a software sandbox can be defined as an environment with controlled rights. This is how a Java virtual machine sandbox works, for example, and so does any other sandbox, whatever its purpose.

Moving on to antivirus sandboxes, whose essence is to protect the main working system from potentially dangerous content, we can distinguish three basic models for isolating the sandbox space from the rest of the system.

1. Isolation based on full virtualization. Using a virtual machine as a protective layer, with a guest operating system in which the browser and other potentially dangerous programs (through which the user could get infected) are installed, gives a fairly high level of protection for the main working system.

The disadvantages of this approach, apart from the monstrous size of the distribution and heavy resource consumption, lie in the inconvenience of exchanging data between the main system and the sandbox. Moreover, the state of the file system and registry must constantly be returned to the original to remove an infection from the sandbox. If this is not done, then, for example, spambot agents will continue their work inside the sandbox as if nothing had happened; the sandbox has nothing to block them with. In addition, it is not clear what to do with removable media (flash drives, for example) or games downloaded from the Internet, which may contain malicious implants.

An example of this approach is Invincea.

2. Isolation based on partial virtualization of the file system and registry. There is no need to carry a virtual machine engine around: the processes in the sandbox can be handed duplicates of file system and registry objects, which places the application in a sandbox on the user's own working machine. An attempt to modify these objects changes only their copies inside the sandbox; the real data is not affected. Rights control prevents attacks on the host system from inside the sandbox through the operating system interfaces.

The disadvantages of this approach are also obvious: exchanging data between the virtual and real environments is difficult, and the virtualization containers have to be cleaned constantly to return the sandbox to its original, uninfected state. Breakouts from, or bypasses of, this kind of sandbox, with malicious code escaping into the main, unprotected system, are also possible.
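The copy-on-write behaviour described here (and in the first article's explanation of how Sandboxie keeps changes inside its container) is easiest to see in a toy model. The block below is an added illustration, not code from Sandboxie or from the article: a sandbox layer over a dictionary that stands in for the host file system and registry. Writes and deletions by the "sandboxed" process land only in the layer, reads fall through to the host, "Quick Recovery" copies one object out, and "Delete Contents" throws the layer away. All paths and contents are constructed sample data, and the final step shows the caveat from the paragraph above: once a file has been recovered to the host, clearing the sandbox no longer removes it.

```python
"""Toy model of partial virtualization: a copy-on-write layer over the host.

Added example, not Sandboxie's code. HostStore stands in for the real file
system and registry; all paths and contents below are constructed.
"""


class HostStore:
    """The real system: path -> bytes. Nothing here changes unless recovered."""

    def __init__(self, objects):
        self.objects = dict(objects)


class SandboxLayer:
    """Copy-on-write view over a HostStore, like Sandboxie's container
    folder laid over the real disk and registry."""

    def __init__(self, host):
        self.host = host
        self.layer = {}        # objects written inside the sandbox
        self.deleted = set()   # host objects "deleted" inside the sandbox

    def read(self, path):
        if path in self.deleted:
            raise FileNotFoundError(path)
        if path in self.layer:            # sandbox copy shadows the host copy
            return self.layer[path]
        return self.host.objects[path]    # read-through to the real object

    def write(self, path, data):
        # Modifying a host object only creates or changes its copy in the layer.
        self.layer[path] = data
        self.deleted.discard(path)

    def delete(self, path):
        self.layer.pop(path, None)
        if path in self.host.objects:
            self.deleted.add(path)        # host keeps it; hidden from the sandbox

    def recover(self, path):
        """"Quick Recovery": copy one sandboxed object out to the host."""
        self.host.objects[path] = self.layer[path]

    def delete_contents(self):
        """"Delete Contents": discard the layer; the host was never touched."""
        self.layer.clear()
        self.deleted.clear()


def demo():
    """Constructed scenario: a boxed process tampers with the system."""
    host = HostStore({r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n",
                      r"C:\Users\me\report.docx": b"<constructed document>"})
    box = SandboxLayer(host)
    box.write(r"C:\Windows\System32\drivers\etc\hosts", b"10.0.0.1 bank.example\n")
    box.write(r"C:\Users\me\payload.exe", b"MZ...")
    box.delete(r"C:\Users\me\report.docx")
    inside = box.read(r"C:\Windows\System32\drivers\etc\hosts")     # the process sees its edit
    outside = host.objects[r"C:\Windows\System32\drivers\etc\hosts"]  # real file intact
    box.recover(r"C:\Users\me\payload.exe")   # careless recovery of a dropped file...
    box.delete_contents()                     # ...and it survives the cleanup
    return inside, outside, dict(host.objects)


if __name__ == "__main__":
    seen_inside, real, host_after = demo()
    print("sandboxed view:", seen_inside)
    print("real hosts file:", real)
    print("host after cleanup:", sorted(host_after))
```

The model also shows why data exchange is the awkward part of this design: nothing leaves the layer except through an explicit recover step, and that step is exactly where a user can carry an infection out by hand.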

Examples of this approach: Sandboxie, BufferZone, ZoneAlarm ForceField, the Kaspersky Internet Security sandbox, the Comodo Internet Security sandbox, the Avast Internet Security sandbox.

3. Isolation based on rules. Attempts to modify file system and registry objects are not virtualized but are judged against a set of internal protection rules. The more complete and accurate this set is, the better the program protects the main system from infection. This approach is thus a compromise between convenient data exchange between processes inside the sandbox and the real system on the one hand, and the level of protection against malicious modifications on the other. Rights control prevents attacks on the host system from inside the sandbox through the operating system interfaces.

An advantage of this approach is that there is no need to constantly roll back the file system and registry to their original state.

The disadvantages are the software complexity of implementing a sufficiently accurate and complete set of rules, and the fact that changes made inside the sandbox can only be partially rolled back. As with any sandbox that operates on top of a production system, a breakout from or bypass of the protected environment, with malicious code escaping into the main, unprotected execution environment, is possible.

Examples of this approach: DefenseWall, Windows Software Restriction Policy, Limited User Account + ACL.
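For contrast with the copy-on-write model, here is the same kind of toy model for rule-based isolation, added as an illustration and not the code of DefenseWall, SRP or any other product. Writes from the "sandboxed" process are checked against an ordered list of glob rules (first match wins, anything unmatched is refused) and, if allowed, applied straight to the real system; a write journal gives the best-effort rollback the paragraph above calls partial. The rule syntax, the sample policy and every path are constructed for the example. The last attempt in the demo shows the trade-off the text describes: a location the policy opens for convenient data exchange is also a location where a dropper lands on the real disk.

```python
"""Toy model of rule-based isolation: no virtualization, every write is
judged by ordered rules and lands on the real system or is refused.

Added example, not any product's code. Rule syntax, policy and paths are
constructed for the demo.
"""
import fnmatch


class RuleSet:
    """Ordered (glob, verdict) pairs; first match wins, default deny."""

    def __init__(self, rules):
        self.rules = [(glob.lower(), verdict) for glob, verdict in rules]

    def verdict(self, path):
        path = path.lower()
        for glob, verdict in self.rules:
            if fnmatch.fnmatchcase(path, glob):
                return verdict
        return "deny"   # whatever the rule author forgot to list is refused


class RuleGuardedSystem:
    """The real file system and registry with a rule check in front of writes."""

    def __init__(self, objects, rules):
        self.objects = dict(objects)
        self.rules = RuleSet(rules)
        self.journal = []   # (path, previous value) for best-effort rollback

    def read(self, path):
        return self.objects[path]   # reads are not restricted in this model

    def write(self, path, data):
        if self.rules.verdict(path) != "allow":
            return False            # refused; the real object is untouched
        self.journal.append((path, self.objects.get(path)))
        self.objects[path] = data   # applied directly, no copy in between
        return True

    def rollback(self):
        """Undo journaled writes; only as complete as the journal is."""
        while self.journal:
            path, previous = self.journal.pop()
            if previous is None:
                self.objects.pop(path, None)
            else:
                self.objects[path] = previous


# Constructed sample policy for a boxed process.
POLICY = [
    (r"C:\Users\*\Downloads\*", "allow"),          # convenient data exchange...
    (r"C:\Users\*\AppData\Local\Temp\*", "allow"),
    (r"C:\Windows\*", "deny"),
    (r"HKLM\*", "deny"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\*", "deny"),
]


def demo():
    """Constructed scenario: three writes a malicious boxed process might try."""
    system = RuleGuardedSystem(
        {r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n"}, POLICY)
    attempts = {
        "hosts hijack": system.write(
            r"C:\Windows\System32\drivers\etc\hosts", b"10.0.0.1 bank.example\n"),
        "HKLM Run persistence": system.write(
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd", b"x.exe"),
        # ...but an allowed location is an allowed location: the dropper lands
        # on the real disk, the weakness this model trades for convenience.
        "dropper in Downloads": system.write(
            r"C:\Users\me\Downloads\invoice.pdf.exe", b"MZ..."),
    }
    return attempts, system


if __name__ == "__main__":
    results, sys_state = demo()
    for name, allowed in results.items():
        print(f"{name}: {'applied' if allowed else 'refused'}")
    sys_state.rollback()
    print("after rollback:", sorted(sys_state.objects))
```

Compare this with the copy-on-write model: there the dropper would have lived only in the container until someone recovered it; here it is on the real disk the moment the rule allows it, and only the journal (if it was kept) can take it back.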

There are also mixed approaches, combining rules and virtualization, to isolating sandboxed processes from the rest of the system. They inherit both the advantages and the disadvantages of both methods, and the disadvantages tend to prevail because of how users perceive them.

Examples of this approach: GeSWall, Windows User Account Control (UAC).

Methods for deciding what to place under protection.

Let's move on to the methods for deciding whether to place a process under the protection of a sandbox. There are three basic ones:

1. Based on rules. The decision-making module consults an internal rule base for launching particular applications or potentially dangerous files and, depending on the result, starts the process in the sandbox or outside it, on the main system.

The advantage of this approach is the highest level of protection: both malicious program files that arrived from potentially dangerous places through the sandbox and non-executable files containing malicious scripts are covered.

Disadvantages: there may be problems installing programs that arrived through the sandbox (although whitelists greatly ease this), and processes have to be started manually in the main, trusted zone to update programs that update themselves from within (for example, Mozilla Firefox, uTorrent or Opera).

Examples of programs with this approach: DefenseWall, Sandboxie, BufferZone, GeSWall.

2. Based on user rights. This is how Windows Limited User Accounts and SRP- and ACL-based protection work. When a new user is created, they are granted access to certain resources and denied access to others. If a program needs to work with resources forbidden to that user, you must either log in as a user with a suitable set of rights and run the program there, or run that one program as such a user without logging out the main working user (Fast User Switching).

The advantage of this approach is a relatively good level of overall system security.

The disadvantages are the non-trivial management of the protection and the possibility of infection through the resources that the user is allowed to modify, since the decision-making module does not track such changes.

3. Based on heuristics. Here the decision-making module "looks" at the executable file and tries to guess from indirect evidence whether to run it on the main system or in the sandbox. Examples: the Kaspersky Internet Security HIPS, the Comodo Internet Security sandbox.

The advantage of this approach is that it is more transparent to the user than the rule-based one, and easier for the vendor to implement and maintain.

Disadvantages: such protection is incomplete. Besides the fact that the decision module's heuristics can "miss" on an executable, such solutions show almost zero resistance to non-executable files containing malicious scripts. Plus a couple of other problems (for example, malicious extensions installed from within the browser itself, from the body of an exploit).

Separately, I would like to draw attention to using a sandbox as a heuristic tool, i.e. running a program in it for a certain period of time, then analysing its actions and making an overall verdict on whether it is malicious. This approach cannot be called a full-fledged antivirus sandbox: what kind of antivirus sandbox is it if the program is installed only for a short period and can then be completely removed?

Modes of using antivirus sandboxes.

There are only two main ones.

1. Permanent protection mode. When a process starts that could be a threat to the main system, it is automatically sandboxed.

2. Manual protection mode. The user decides on their own to launch an application inside the sandbox.

Sandboxes whose main mode of operation is "real-time protection" can also have a manual launch mode, and vice versa.

For sandboxes with rule-based isolation, real-time protection is typical, because the exchange of data between the main system and processes inside the sandbox is completely transparent.

For heuristic sandboxes, real-time protection mode is also typical, since data exchange between the main system and processes inside the sandbox is negligible or reduced to a minimum.

For non-heuristic sandboxes with isolation based on partial virtualization, manual protection mode is characteristic. This is due to the difficulty of exchanging data between processes inside the sandbox and the main working system.

Examples:

1. DefenseWall (a sandbox with rule-based isolation) has "always on, by rules" as its main mode of operation. Manual launch of applications inside the sandbox, as well as outside it, is also available.

2. Sandboxie (a sandbox with isolation based on partial virtualization) has "manual" as its main mode of operation. With a purchased licence, an "always on, by rules" mode can be enabled.

3. The Comodo Internet Security sandbox (a sandbox with isolation based on partial virtualization) has "always on, heuristic" as its main mode of operation. Manual launch of applications inside the sandbox, as well as outside it, is also available.

These are the basics that any self-respecting professional should know about antivirus sandboxes. Each individual program has its own implementation details, which you will have to find, understand and weigh up for yourself.