Sandbox security versus the evil Web

Five products strive to trap drive-by downloads and other threats in a virtual Web browsing space, with mixed results

Nobody's perfect

Another important question is how good the emulation coverage is. Sandbox protection products, by their very nature, don't emulate the entire operating system the way a full virtualization product such as VMware Workstation, Microsoft Virtual PC, or Parallels does. Malware is known to modify more than a hundred different Windows locations, including registry keys, files, folders, startup areas, and more. How many of those Windows attributes and APIs does the sandbox cover? Never all of them. Does the product protect against remote and local buffer overflows, phishing attacks, alternate data stream (ADS) tricks, file-sharing avenues, and so on? Some did; most didn't.

Some of the products provided additional anti-buffer overflow, privacy, or phishing controls. The privacy and phishing controls are often already provided by other installed anti-malware programs, so their inclusion in this class of products may not be necessary (although additional layers of defense-in-depth never hurt).

Each product offered up differing levels of buffer overflow protection. For example, Sandboxie only prevented local buffer overflows if they happened against a protected process. Prevx protected the whole system against both local and remote buffer overflows, but only when they affected a critical system area being monitored.

Most of these products would not detect previously installed malware (Prevx being the exception) unless the malware made additional system modifications to the monitored areas after the products were installed. None of the products provided anti-DoS services, misconfiguration detection, missing patch analysis, or a host of other protections required to make a host system more fully secure.
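The limitation just described follows directly from how a change-based monitor works: whatever is present when the baseline is taken becomes "normal", and only later modifications to the watched areas raise an alert. The following PowerShell script is an added illustration of that mechanism (it is not code from the review or from any of the products tested): it baselines a handful of Windows autostart locations, the kind of "monitored areas" these products watch, and on later runs reports additions, modifications and removals. The registry keys and startup folders are a tiny subset of the real autostart surface, and the baseline file location is an assumption chosen for the example.

```powershell
# Added example, not from the InfoWorld review or any reviewed product.
# Baselines a few Windows autostart locations and diffs them on later runs.
# Anything already present at baseline time (including pre-existing malware)
# is silently accepted; only changes made AFTER the baseline are reported.

# Assumption: baseline is kept in the user's TEMP directory.
$BaselinePath = Join-Path $env:TEMP 'autostart-baseline.json'

# Registry autostart keys (a small subset of the hundreds of real locations).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Per-user and all-users Startup folders.
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-AutostartSnapshot {
    # Returns a hashtable: "location\name" -> value (registry) or SHA256 (file).
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (Test-Path -Path $key) {
            $regKey = Get-Item -Path $key
            foreach ($name in $regKey.GetValueNames()) {
                $snap["${key}\$name"] = [string]$regKey.GetValue($name)
            }
        }
    }
    foreach ($dir in $StartupFolders) {
        if ($dir -and (Test-Path -Path $dir)) {
            Get-ChildItem -Path $dir -File | ForEach-Object {
                # Hash the content so a replaced file with the same name is still caught.
                $snap[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
    return $snap
}

function Compare-AutostartSnapshot {
    param([hashtable]$Old, [hashtable]$New)
    $changes = @()
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k)) {
            $changes += "ADDED    $k = $($New[$k])"
        } elseif ($Old[$k] -ne $New[$k]) {
            $changes += "MODIFIED $k : '$($Old[$k])' -> '$($New[$k])'"
        }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k)) {
            $changes += "REMOVED  $k"
        }
    }
    return $changes
}

$current = Get-AutostartSnapshot
if (-not (Test-Path -Path $BaselinePath)) {
    # First run: everything currently present, benign or not, becomes the baseline.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
} else {
    $old = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $old[$_.Name] = [string]$_.Value }
    $changes = Compare-AutostartSnapshot -Old $old -New $current
    if ($changes.Count -eq 0) {
        Write-Output 'No autostart changes since baseline.'
    } else {
        $changes | ForEach-Object { Write-Warning $_ }
    }
}
```

Run it once to write the baseline, then again after installing or running something; only the second run produces warnings. Deleting the baseline file and re-running "accepts" the current state, which is exactly the blind spot the paragraph above describes: a monitor of this kind cannot tell an entry that was already malicious at install time from a legitimate one.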

Every product in this review worked only with Microsoft Windows. Some required Windows XP SP2 or later, although most worked with Windows 2000 and later versions. DefenseWall refused to defend Windows system processes. All worked with Internet Explorer and Firefox, although some of them would work with any program.

All of the products worked by installing one or more monitoring executables and services. Each provided a main executable and a system tray icon. Some of the tray icons changed colors, like a traffic light, to indicate current status (green for everything is OK through red for malware detected). All products displayed an on-screen warning when maliciousness was detected, and most created log files. Interfaces ranged from Prevx's all-user elegance to Sandboxie's technical-user sophistication. The install, interface, and alerting for all products were acceptable. Pricing was US$29.95 per copy or less.

Only Prevx had any enterprise capabilities, and even that was minimal. Most of the products were obviously intended for home or personal use. You won't find enterprise-wide reporting, logging, or alerting; or the capability to push out or monitor large-scale deployments. Sandbox defenses are first-generation products, sitting where anti-virus scanners were a decade ago.

Overall, this class of protection products does provide additional defense capabilities that could protect a user against unknown threats. In no case was using the vendor's product worthless, although some need to mature a bit to be ready for widespread use. The biggest question is if the additional protection value is worth the additional outlay of money and ongoing support. A fully patched system (OS and applications) where the user cannot install random programs would probably provide as much protection. How well your organization handles those two requirements will determine if sandbox products are worth investigating.


Roger A. Grimes

InfoWorld