Sandbox & Virtualization & Lockdown Technology Used Personally to Capture Malware.
Sandbox, Virtualization, and Lockdown Technology

If you think of a sandbox as a "virtual workspace", the concept has been around for a long time. A RAM drive is a virtual workspace, since upon reboot nothing written to that drive remains.
One of the problems with the early RAM drives was the 32MB limit of the Windows ramdrv.sys driver. An interesting product that was used for some time was vRamDir, a virtual RAM drive that could be as big as your available free RAM. You could also remap directories to it. It was common to load temp and cache directories into RAM on startup. Running applications in RAM was really fast; this was in the days before fast CPUs. We didn't think of it so much for security as for speed. For example, I knew programmers who compiled in a RAM drive.
In more recent times the technology has been adopted as a security tool. A virtual PC is like a sandbox: any configuration changes made inside it have absolutely no effect on the host system, although it still runs on the host system's hardware.
A company called SoftGrid has its SystemGuard™ - "because applications bring their own set of configurations and run within a protective virtual run-time ‘sandbox,’ there is no dependency or effect on the configuration of the machine running them."
Windows Servers include this technology. From my WinServer2003 notes: "The new Software Restriction Policies (SRP) feature creates a virtual ‘sandbox’ that prevents unauthorized code execution."
Tiny Firewall uses sandbox technology.
Another group of programs use the 'sandbox' idea to protect the system. A sandbox here means a virtual container in which untrusted programs can be run safely.
Sandboxie is a true stand-alone sandbox program. Their site has a nice diagram of how it works.
ShadowUser works on a similar principle, where 'ShadowMode' creates a virtual volume.
RollBack Rx claims to write-protect the hard disk and create 'Scratch Space'.
The programs below use virtualization, a framework or methodology for dividing the resources of a computer into multiple execution environments by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.
Returnil uses a powerful virtualization technology that completely mirrors your actual computer setup and it can create a virtual storage disk within your PC where you can save documents, data, and files while using the System Protection feature.
BufferZone’s revolutionary virtualization technology creates an isolated zone on your PC, which separates your operating system and confidential data from unknown programs, downloads and files. Unlike anti-virus and anti-spyware software, BufferZone Free requires no signature updates at all, while protecting your PC against spyware, adware and viruses - even new and yet unknown ones downloaded using your P2P, Web browser or instant messaging software.
The programs below use lockdown. Lockdown refers to a state of containment or a restriction of progression; you could almost say that it freezes time.
Deep Freeze 'locks down' the system but doesn't use virtualization. Deep Freeze = locked volume content: changes revert on restart, and content can only be changed in a thawed state. Once changed in a thawed state, that is the content moving forward. Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte.
First Defense ISR = take system snapshots (akin to snapshots on a VM) and boot to any of them. Any snapshot can be used as a live system, and you can revert to any previous snapshot state. Think of it as keeping an online jukebox of system drives and being able to choose any one you want from a preboot menu. The downside is that the current program is being replaced by the only distributor of the product (Horizon Data Systems) with a version that retains a single snapshot only, for more mass-market potential. Also, the freeze option (similar to Deep Freeze) is gone in the current HDS release. I think they stop selling the full FD-ISR Workstation at the end of this month.
Both work. Deep Freeze is designed for a static system with forced restoration on any restart and takes minimal HDD space. FirstDefense-ISR is designed for immediate restoration of a dynamic system in which states are preserved across restarts but can be bumped by a forced snapshot change or restoration. Snapshots take a bit of space (a few to maybe 10 GB, depending on what your machine looks like and how you take a snapshot). Cost per seat is different as well.
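The two restore models just compared, as an added toy model that is not code from Deep Freeze or FirstDefense-ISR: a frozen volume whose scratch space a restart discards unless it was thawed, beside a jukebox of complete snapshots any of which can be booted. The `changes()` delta is what an untrusted program left behind, which is the material to harvest when capturing a sample before the restart wipes it; all paths and contents are constructed.

```python
# Added toy model (not code from Deep Freeze or FD-ISR) of the two lockdown styles.
import copy
from dataclasses import dataclass, field
DELETED = object()  # marker for "removed in scratch space"

@dataclass
class FrozenVolume:
    """Deep Freeze style: all writes land in scratch space; a restart throws the
    scratch space away unless the volume was thawed, in which case it commits."""
    baseline: dict
    scratch: dict = field(default_factory=dict)
    thawed: bool = False

    def write(self, path, data):
        self.scratch[path] = data

    def delete(self, path):
        self.scratch[path] = DELETED

    def read(self, path):
        data = self.scratch.get(path, self.baseline.get(path))
        return None if data is DELETED else data

    def changes(self):
        """Delta against the baseline: exactly what an untrusted program touched,
        the material to harvest before the scratch space is discarded."""
        return {p: d for p, d in self.scratch.items() if self.baseline.get(p) != d}

    def restart(self):
        if self.thawed:  # thawed: the changes become the new baseline
            for path, data in self.scratch.items():
                if data is DELETED:
                    self.baseline.pop(path, None)
                else:
                    self.baseline[path] = data
        self.scratch.clear()  # frozen: everything reverts to the baseline
        return dict(self.baseline)

class SnapshotJukebox:
    """FirstDefense-ISR style: keep several complete system states and boot into
    any of them; the live state persists across restarts until you switch."""
    def __init__(self, live):
        self.live, self.snapshots = live, {}

    def snapshot(self, name):
        self.snapshots[name] = copy.deepcopy(self.live)
    def boot(self, name):
        self.live = copy.deepcopy(self.snapshots[name])
        return self.live
```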
These types of programs are becoming popular as the foundation of a security system. Each program works on different principles and levels of restriction.
Some people admit that they run such a program plus a firewall and little else.
I personally use all three technologies to capture and detain malware, mostly sandbox, virtualization and lockdown, as insurance against unknown threats.