Sandbox security versus the evil Web

Five products strive to trap drive-by downloads and other threats in a virtual Web browsing space, with mixed results

Concerns about the class

But before reading the individual product reviews, let's discuss sandbox software in general. Sandbox protection products haven't gained a tremendous amount of traction with customers over the years for a number of legitimate reasons.

The first concern is accuracy. Every product failed one or more tests to varying degrees. All of them failed the Adobe Flash clipboard hijack exploit test, and most failed to accurately clean up from the XP Antivirus malware program. This was despite the fact that many sandbox vendors claimed to prevent all known and unknown attacks. You can see the results and failures in the many screen images and video files offered along with this review.

The question is, despite the dubious accuracy, do these products provide additional value? In most cases, the answer is yes. Most sandbox programs attempt to prevent any system modification and don't care whether a particular threat is "recognizable." But this causes a tremendous number of false negatives, meaning real threats aren't identified as such, and leads to a second problem.

Inherent in many of the products is the idea that end-users must make a trust decision on whether to erase, save, or execute downloaded content. Taken to one extreme, if end-users erase all content after every session, how would their system, applications, or browsers receive upgrades or security patches? Taken to the other extreme, if users save or execute all content, they will end up infected or negate the need for the additional protection. Ultimately, with varying levels of assistance from the product, the end-user must make the key decision on whether or not to save and execute the data from each session.

Detecting what is and isn't malicious is becoming harder all the time. A large majority of malware is coming from innocent, legitimate Web sites (such as favorite news sites, online social portals, blogs, and so on) that are infected with harmful content, and the social engineering pitches to the end-user are getting more persuasive.

Gone are the days when phishing malware was easy to spot due to obvious grammar issues and misspellings. Today's crimeware poses as legitimate vendor patches, online malware removers ("You are infected and need to run this scanner!"), overdue bills, and legal notices. Because of these increasingly blurred distinctions, end-users can't always be sure which Web site content can be trusted and safely executed. And still users are forced to make a trust decision that twenty years of history shows they aren't adept at making. If users could make consistently correct trust decisions, would they need the protection that sandbox products provide in the first place?

Some of the products in this review, notably Sandboxie and SafeCentral, rarely made an attempt to inform the user whether a Web site or download was legitimate or malicious. The user had to make every trust decision. Other products attempted to tell the user which Web sites contained malware and which did not. Prevx did a fairly good job at this, while DefenseWall and ForceField were more hit than miss.

In many products, content downloaded during a browser session must be saved or discarded as a whole (in other words, everything or nothing), while other products, especially Sandboxie and DefenseWall, allow the user to pick and choose between individual objects. I enjoyed the detail Sandboxie showed, as it often allowed me to confirm whether or not something malicious had occurred (such as new files in System32), but it really is only useful for technical users.
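As an added example (not part of the review or of any product it covers), a before/after snapshot of a directory tree is one way to put the per-session "keep or discard" decision on evidence rather than guesswork, the way Sandboxie's per-object view let the reviewer spot new files in System32. The directory layout and the files it "drops" are constructed for the demonstration.

```python
"""Snapshot a directory tree before and after a session and classify changes."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo(root: str) -> dict[str, list[str]]:
    """Constructed scenario: a session drops a DLL, rewrites a config and deletes a log."""
    base = Path(root)
    (base / "System32").mkdir(parents=True, exist_ok=True)
    (base / "System32" / "kernel32.dll").write_bytes(b"original")   # constructed
    (base / "app.cfg").write_text("safe=1")
    (base / "old.log").write_text("log")
    before = snapshot(root)
    # Simulated effects of the browsing session (constructed, not real malware).
    (base / "System32" / "helper.dll").write_bytes(b"dropped by session")
    (base / "app.cfg").write_text("safe=0")
    (base / "old.log").unlink()
    return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in demo(tmp).items():
            print(f"{kind}: {paths}")
```

Run against a real browser profile or a sandbox's redirected file store, the "added" and "modified" lists are what the user should inspect before choosing to keep a session's contents.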

Sandboxie and DefenseWall focused on protecting particular applications or sessions, while others fell into the more traditional role of a host intrusion prevention system (HIPS), protecting critical system areas regardless of the attack vector. I was impressed with Sandboxie's ability to ensure that additional child sessions were always launched in protected mode when instantiated by a protected parent process. This is important as the browser is becoming more of a launching point for the rest of our integrated applications. Malware writers are increasingly attacking the applications as operating systems and browsers get more secure.


Roger A. Grimes

InfoWorld