Sandbox security versus the evil Web

Five products strive to trap drive-by downloads and other threats in a virtual Web browsing space, with mixed results

Nobody's perfect

Another important question is, how good is the emulation coverage? Sandbox protection products, by their very nature, don't emulate the entire operating system, as a full virtualization product such as VMware Workstation, Microsoft Virtual PC, or Parallels would. Malware programs are known to infect more than a hundred different Windows attributes, including registry locations, files, folders, startup areas, and more. How many Windows attributes and APIs are covered in the sandbox? The answer is never all. Does the product protect against remote and local buffer overflows, phishing attacks, alternative data stream techniques, file sharing avenues, and so on? Some did, most didn't.

Some of the products provided additional anti-buffer overflow, privacy, or phishing controls. The privacy and phishing controls are often already provided by other installed anti-malware programs, so their inclusion in this class of products may not be necessary (although additional layers of defense-in-depth never hurt).

Each product offered up differing levels of buffer overflow protection. For example, Sandboxie only prevented local buffer overflows if they happened against a protected process. Prevx protected the whole system against both local and remote buffer overflows, but only when they affected a critical system area being monitored.

Most of these products would not detect previously installed malware (Prevx being the exception) unless the malware made additional system modifications to the monitored areas after the products were installed. None of the products provided anti-DoS services, misconfiguration detection, missing patch analysis, or a host of other protections required to make a host system more fully secure.

Every product in this review worked only with Microsoft Windows. Some required Windows XP SP2 or later, although most worked with Windows 2000 and later versions. DefenseWall refused to defend Windows system processes. All worked with Internet Explorer and Firefox, although some of them would work with any program.

All of the products worked by installing one or more monitoring executables and services. Each provided a main executable and a system tray icon. Some of the tray icons changed colors, like a traffic light, to indicate current status (green for everything's OK to red for malware detected). All products displayed an on-screen warning when maliciousness was detected and most created log files. Interfaces ranged from Prevx's all-user elegance to Sandboxie's technical-user sophistication. The install, interface, and alerting for all products was acceptable. Pricing was US$29.95 per copy or less.

Only Prevx had any enterprise capabilities, and even that was minimal. Most of the products were obviously intended for home or personal use. You won't find enterprise-wide reporting, logging, or alerting; or the capability to push out or monitor large-scale deployments. Sandbox defenses are first-generation products, sitting where anti-virus scanners were a decade ago.

Overall, this class of protection products does provide additional defense capabilities that could protect a user against unknown threats. In no case was using the vendor's product worthless, although some need to mature a bit to be ready for widespread use. The biggest question is if the additional protection value is worth the additional outlay of money and ongoing support. A fully patched system (OS and applications) where the user cannot install random programs would probably provide as much protection. How well your organization handles those two requirements will determine if sandbox products are worth investigating.

Tags software applicationsmalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Roger A. Grimes

InfoWorld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?