When you visit an (unknown) site or install some (free) tool, you always run a certain risk. For example, malware may secretly come along, or the application may turn out to be unstable. By running the software completely separate from the rest of your system, you mitigate or avoid those risks. This technique is called sandboxing.
To stay one step ahead of malware, such as viruses and ransomware, you naturally install a solid antivirus tool and keep it up-to-date. Unfortunately, such tools do not always detect or block all rogue sites or software. It is therefore a good idea to take extra security measures, especially when you visit unknown sites or want to try out new software.
A proven technique is sandboxing, which isolates individual applications from the underlying OS and from other applications. They are, as it were, put in a sandbox from which they cannot (or at least should not) escape.
On a more technical level, people also talk about application virtualization because those applications then run in a kind of virtual environment. To the software it seems as if it is operating in your real (Windows) environment, since it is not aware of the boundary that the sandbox draws around it.
In this article we look at a number of techniques and tools to start all kinds of applications in such a safe sandbox. If everything turns out to be kosher, then you can safely incorporate it into your 'real' environment afterwards, if you wish.
01 Browsers
It may surprise you, but many browsers already offer some degree of sandboxing by default. This has been the case for Google Chrome for some time, for example, and also for Firefox from version 54. In principle, they start one or more new processes for each web page to execute (the scripts on) that page, which makes it more difficult for potential malware to manipulate browser tabs or files.
Even good old Internet Explorer offers similar functionality. You must first enable it: go to Internet Options / Advanced and put a check next to Enable Enhanced Protected Mode. However, it cannot be ruled out that certain (incompatible) add-ons no longer function correctly.
Other solutions are also discussed later in this article, such as starting Chrome or Edge inside Windows Sandbox, or in combination with Windows Defender Application Guard.
02 Antivirus
Paid versions of antivirus software often have many additional security features. For example, the Internet Security suites of both Avast and Kaspersky provide a sandboxing function. With the latter, a sandboxed browser protects, among other things, your online financial transactions.
You will also find a sandbox in the free version of Comodo Antivirus. Not only does it include a Chromium-based browser with sandboxing technology, but it also allows you to launch any application in a sandbox. Click on Tasks and choose Containment tasks / Start Virtual / Choose and start. Point to an exe file and run it: a green frame around the application window indicates that the program is running in a sandbox. You can reset the sandbox (container) at any time, together with the changes made by the applications you have placed in it.
03 Defender Antivirus
Microsoft is also participating in application virtualization and sandboxing. As of Windows 10 1703, it offers the option to run the native Windows Defender Antivirus in a sandbox. This antivirus tool runs by default with elevated permissions, making it a popular target of malware. You activate this function as follows. Right click on Windows PowerShell and choose Run as administrator. At the command prompt, run the following command:
setx /M MP_FORCE_USE_SANDBOX 1
Then restart Windows.
If you then start the Windows Task Manager (Ctrl+Shift+Esc) and click More details / Details, you should see MsMpEngCP.exe running there.
04 WDAG
Users of Windows 10 Pro 64-bit 1803 and above can also activate the built-in Windows Defender Application Guard (WDAG) for use in Edge. Here are the exact system requirements. Your browser is then locked in a limited virtual machine using Hyper-V. For example, this machine cannot access the clipboard or external files. Start Windows PowerShell as administrator and run the following command:
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
After a restart of your PC, start Edge. Depending on your Edge version, you may need to type edge://flags in the address bar and switch on Microsoft Edge Application Guard. You should now have access to an extra option via the … button: New Application Guard window.
To also use WDAG in Chrome, you need a browser extension, which you can download here. If the extension also offers you a link to the WDAG Companion app in the Windows Store, you'll need to install that as well. Then restart Windows.
Configure sandbox
To customize the Windows sandbox you need to create a wsb configuration file and manually modify the xml instructions. More explanation about this can be found here.
The Sandbox Configuration Manager makes it easier. Extract the archive file and double-click the extracted file Windows Sandbox Editor v2.exe. Under Basic infos, enter the name of your sandbox, as well as the path in which the wsb file should end up. Indicate whether you want a network connection and whether the gpu also needs to be virtualized (for VGA status). Go to Mapped Folders and click Browse folder to make a folder from the 'real' Windows environment accessible from the sandbox. Through Startup commands you can have commands run automatically when you start your sandbox. Confirm with Save existing sandbox. To start a sandbox, switch on the option Run Sandbox after change, point to your wsb file via Load existing Sandbox and confirm with Save existing sandbox.
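As an added example (not part of the original article or of the Sandbox Configuration Manager), this PowerShell script writes a locked-down wsb file by hand: no network, no GPU sharing, one read-only mapped folder and one startup command. The folder C:\SandboxDrop and the file name analysis.wsb are placeholders chosen for illustration.

```powershell
# Added example: generate and start a restrictive Windows Sandbox configuration.
# $hostFolder and $wsbPath are placeholder values; adjust them to your system.
$hostFolder = 'C:\SandboxDrop'
$wsbPath    = Join-Path $env:USERPROFILE 'Desktop\analysis.wsb'

# Windows Sandbox expects the mapped host folder to exist before it starts.
if (-not (Test-Path -LiteralPath $hostFolder -PathType Container)) {
    New-Item -ItemType Directory -Path $hostFolder | Out-Null
}

# Without a SandboxFolder element, the mapped folder appears on the desktop
# of the sandbox user (WDAGUtilityAccount) under the host folder's own name.
$leaf = Split-Path -Path $hostFolder -Leaf

$config = @"
<Configuration>
  <!-- No network: software under test cannot reach the LAN or the internet -->
  <Networking>Disable</Networking>
  <!-- No GPU sharing: the sandbox renders in software instead -->
  <VGpu>Disable</VGpu>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <!-- Read-only: the sandbox can read the installer but cannot alter host files -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- Runs at sandbox logon: open the mapped folder in Explorer -->
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\$leaf</Command>
  </LogonCommand>
</Configuration>
"@

# The cast throws if the text is not well-formed XML, so a broken file is never written.
$null = [xml]$config

Set-Content -LiteralPath $wsbPath -Value $config
Invoke-Item -LiteralPath $wsbPath   # opens the wsb file with Windows Sandbox
```

Networking and vGPU are both enabled and mapped folders are writable unless the wsb file says otherwise, so every element above tightens a default.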
05 Windows Sandbox
Microsoft stepped up its sandboxing efforts with the introduction of a real Sandbox tool in Windows 10 1903. In principle, this tool is only available for users of Windows Pro and Enterprise (see also the text box 'Sandbox Home'). This technology also makes good use of Hyper-V: it provides a virtual Windows environment in which you can safely experiment with unknown sites and software. This 'sandbox' is indeed very close to system virtualization (see text box 'System virtualization').
You also have to enable the Windows Sandbox yourself. Press Windows Key+R and run optionalfeatures. Scroll to the option Windows Sandbox and put a check mark here. Confirm with OK and reboot your system. Your system must meet certain requirements, such as having a 64-bit processor, virtualization activated in the bios (AMD-V or Intel VT) and at least 4 GB of ram.
When Sandbox is successfully activated, you only need to start Windows Sandbox from the program list. A little later a window pops up with a virtual Windows environment. This automatically limits access to the underlying 'real' Windows: you will notice this immediately when you open the Explorer here, for example. All adjustments also disappear as soon as you close the virtual environment. Keep in mind that other virtualization software, such as VirtualBox, will no longer function until you disable the Windows Sandbox function again!
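To confirm that the steps from sections 03, 04 and 05 actually took effect, the following added example (not from the original article) reports the state of all three from an elevated PowerShell prompt. It only reads settings. Containers-DisposableClientVM is the optional-feature name Windows uses for Windows Sandbox; the function name Get-SandboxStatus is made up for this example.

```powershell
# Added example: read-only status check. Run as administrator, because
# Get-WindowsOptionalFeature -Online requires elevation.
function Get-SandboxStatus {
    # 03: Defender Antivirus sandbox = machine-level variable plus the MsMpEngCP process
    $mpVar  = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    $mpProc = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    if ($mpVar -eq '1' -and $mpProc) {
        $mpStatus = 'Active'
    }
    elseif ($mpVar -eq '1') {
        $mpStatus = 'Variable set, MsMpEngCP not running (restart pending?)'
    }
    else {
        $mpStatus = 'Not enabled'
    }
    [pscustomobject]@{ Check = 'Defender Antivirus sandbox'; Status = $mpStatus }

    # 04 and 05: optional Windows features
    $features = [ordered]@{
        'Application Guard' = 'Windows-Defender-ApplicationGuard'
        'Windows Sandbox'   = 'Containers-DisposableClientVM'
    }
    foreach ($name in $features.Keys) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $features[$name] `
                       -ErrorAction SilentlyContinue
        if ($feature) {
            $state = [string]$feature.State
        }
        else {
            # Nothing returned: the feature is not offered on this Windows edition
            $state = 'Not available'
        }
        [pscustomobject]@{ Check = $name; Status = $state }
    }
}

Get-SandboxStatus | Format-Table -AutoSize
```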
Sandbox Home
Windows Sandbox is not normally available for Windows Home, but it is available in a roundabout way. Here is the file Sandbox Installer.zip. After downloading and extracting, right click on the file Sandbox Installer.bat and choose Run as administrator. After completion of the process, confirm with Y, after which your PC will reboot. After that, you should find Windows Sandbox among the Windows components. On the same website you will also find a Sandbox UnInstaller.zip file, in case you want to get rid of it.
06 Sandboxie: getting started
An excellent alternative to the Windows Sandbox is the freeware tool Sophos Sandboxie, which works on all versions of Windows 7 and above, including Windows Home. After installation you will find a sandbox named Sandbox Default, but it will be empty. You can also change the name from the context menu.
For example, you can run a browser within such a sandbox by right-clicking on your sandbox and choosing Run Sandboxed / Launch Web Browser. You can easily test the operation: download any file and place it on your desktop. You will notice that it does not land on your regular desktop, but on the desktop of your sandbox.
07 Sandboxie: how it works
Immediately after this download, a window called “Immediate Recovery” pops up. If you still want the downloaded file from the protected environment on your real desktop, click the Recover button.
It is also possible to extract files from a sandbox afterwards. To do this, open the menu View / Files and Folders in the main Sandboxie window. Then navigate to the desired file. You can then transfer it to the desired location from the context menu. You return to the program view via the menu View / Programs.
To run other applications in your sandbox, right click on your sandbox and choose Run sandboxed / Run program or Run from start menu. You can make a new sandbox via Sandbox / Create new sandbox.
To force a program to always run in a sandbox, right-click on your sandbox and choose Sandbox Settings. Open the section Start program and click Forced Programs / Add Program / Open/Select Files. Refer to the program file and confirm your choice. To start a program in the sandbox quickly, you can right-click on it in the Explorer and choose Run sandboxed (doesn't work with all programs).
08 Toolwiz Time Freeze
Toolwiz Time Freeze (suitable for Windows XP and higher) is also a sandboxing tool, but one that puts your entire system in the sandbox, as it were. Literally all write operations, at least those of your Windows partition, are redirected to a cache file and after a reboot of your system that cache is automatically emptied again. A few kernel drivers will be added to your system during the installation, so make sure to make a system backup first.
You can leave the default settings untouched during the installation. After a restart of your PC, start the tool. Right click on the program icon in the Windows system tray and choose Show Program, after which you press the Start Time Freeze button. All changes to your system partition will now disappear automatically after a reboot. You can test this by, for example, adding or removing some files, or changing the look of your desktop.
You can also end a session at any time by clicking Stop Time Freeze. After your confirmation, Windows will restart automatically and all changes will be discarded.
Note that in the main window you can use Enable Folder Exclusion when Time Freeze is ON to keep files outside the protection of Toolwiz Time Freeze. Simply add them with the buttons Add File or Add Folder. This data is then retained after a reboot.
System Virtualization
In the article we focus on application virtualization, but a few tools clearly have common ground with system virtualization, virtualizing not only certain applications but just about the entire system – think of Windows Sandbox and partly also Toolwiz Time Freeze.
One of the most popular free system virtualization tools is Oracle VM VirtualBox. In a nutshell, this is how you get started.
Download and install the tool. When you start it up, the 'virtual machines' (VMs) window is still empty. To add such a VM, click New. Give a name to your VM and indicate in which folder it should go. Set the Type (for example MS Windows) and the accompanying Version. Press Next and provide an appropriate amount of ram for your VM (for example 2048 MB for Windows). Click on Next / Create / Next / Next. Assign an appropriate size to the virtual disk (for example 50 GB) and confirm with Create. Double click on the new VM and click on the folder icon. Point to the disk image (iso) file of the target system. As soon as you click Start, it will be installed. Afterwards you can boot and use the virtual system.