How to Keep Your PC Safe with Sandboxing

Setting up your PC to run important apps in a sandbox can help you avoid malware infections. Here's how to do it.

If viruses and malware are a regular problem for you, or if you're simply worried that your antivirus program isn't sufficient, you can add an extra layer of defense to your PC by setting up a sandboxing application. A properly sandboxed set of Windows programs can protect you from malware that your antivirus utilities miss, keeping your PC and your personal data more secure while you're shopping online, say, or visiting potentially dicey Web sites.

Sandboxing is a form of software virtualization that lets programs and processes run in its isolated virtual environment. Typically, programs running within the sandbox have limited access to your files and system, and they can make no permanent changes. That means that whatever happens in the sandbox stays in the sandbox.

You can find programs dedicated to sandboxing, but some antivirus programs also feature sandboxing; I'll explore both in this article. The exact sandboxing functionality varies between programs, but here are some of the common uses:

  • Automatically or manually run unknown programs in the sandbox in case they contain viruses, spyware, or other malware.
  • Run your Web browser within the sandbox to prevent damage from any infections you pick up while browsing, which is the most common origin of malware.
  • Run your browser within the sandbox to stop any existing malware on your computer from capturing your site login credentials or your online-shopping payment details.

Most sandboxing tools, such as the ones I'll discuss here, can run programs inside the sandbox right alongside your other programs in Windows. Generally speaking, programs running inside the sandbox will appear normal. But some tools load a separate environment, and have a different look and feel--and they may even require you to reboot the PC when you exit the sandbox.

Sandboxing in Comodo Internet Security

Comodo Internet Security is a free security suite for both personal and business use. In addition to antivirus and firewall components, it features automatic and manual sandboxing.

CIS automatically detects untrusted executable files and programs, and runs them in the virtual environment. You can also manually run any program within the sandbox; simply select a program to run via the main CIS application window (under the Defense+ tab).

Alternatively, you can right-click a program anywhere in Windows and select Run in COMODO Sandbox. However, the option doesn't appear when you right-click a shortcut icon; you must right-click the actual executable program file, which can be a pain.

The sandboxing functionality in CIS is best for automatic protection, or for the occasional manual running of suspicious downloads. If you'd like sandboxing for Web browsing, consider another utility such as Avast or Sandboxie, both of which I'll discuss on the next page.

Sandboxing in Avast Antivirus

Avast provides a free antivirus program for personal use, as well as premium versions with additional features or for commercial use. Avast Free Antivirus offers only auto sandboxing, while Avast Pro Antivirus and Avast Internet Security offer both auto and manual sandboxing.

Like CIS, each Avast product automatically runs suspicious programs in the virtual environment; by default, the utility will prompt you before doing so. Within the Avast settings, you can specify programs you want to exclude from being sandboxed automatically.

Manually running programs inside the sandbox with the Avast premium products is similar to using CIS. You can select a program to run via the main Avast program window (under the Additional Protection, Sandbox tab).

If you prefer, you can right-click a program anywhere in Windows and select Run in Sandbox or Always Run in Sandbox. Unlike CIS, Avast gives you the sandboxing options even when you right-click a shortcut rather than just the executable program file itself. Additionally, you can specify that a program always run sandboxed even when you open it normally. Avast also gives you more sandboxing settings to customize, such as limiting which sandboxed applications can access the Internet.

Avast Free Antivirus is great for automatic sandboxing, but if you want manual sandboxing or Web browsing protection, consider upgrading to the Avast paid products or using another utility. The premium editions of Avast are good for manual sandboxing, but you still might want to try another application, such as Sandboxie, for advanced customization and use.

Using Sandboxie

Sandboxie is a shareware utility offered free for personal use, though if you don't pay for it after 30 days you'll get nag screens. It allows you to open your Web browser, email client, and any other program inside customizable sandboxes.

Sandboxie lets you create multiple highly customizable sandboxes, each running in its own virtual environment and retaining its own data. For example, you might use one sandbox for running questionable programs and browsing on potentially dangerous sites, and another sandbox for performing sensitive activities such as online banking or shopping.

Sandboxie will create one default sandbox for you. To add more, you open Sandbox Control, click Sandbox, and select Create New Sandbox.

Unlike the sandboxing features of some antivirus programs, Sandboxie doesn't automatically sandbox unknown programs. But it does provide several ways to open programs within the sandbox.

  • Open your Web browser: Click the Sandboxed Web Browser shortcut on your desktop or Start menu to open your default browser within a sandbox.
  • Open any program via Sandboxie: Click Start, All Programs, Sandboxie, Run any program Sandboxed. Select the sandbox to launch in, and then browse for the program.
  • Open any program via Windows: Anywhere in Windows, right-click a program and select Run Sandboxed.
  • Open items from the Start menu: Click Start, All Programs, Sandboxie, Sandboxie Start Menu, and then select the sandbox to launch in. Choose a program from the Sandboxie list of your Start menu desktop shortcuts.

The registered version of Sandboxie also lets you specify any programs that should be sandboxed automatically, even when you open them normally: To set this up, open Sandboxie Control, right-click the desired sandbox, select Sandbox Settings, choose Program Start, and then select Forced Programs.

By default each sandbox retains any data associated with the programs you run inside the sandbox. For example, if you run a Web browser, it saves your browsing history and temporary Internet files. However, you can delete the sandbox data contents at any time: Open Sandboxie Control, right-click the desired sandbox, and select Delete Contents.

When you download files within a sandboxed browser or save files from any sandboxed program, Sandboxie prompts you to recover them. This action lets you save the items outside of the sandbox onto your regular drives. If you choose not to recover files when prompted, you can always view and recover them later: Open Sandboxie Control, right-click the desired sandbox, and select Quick Recovery.

Sandboxie is great if you plan on using sandboxing on a daily basis, or even just occasionally when you're Web browsing. But for automatic protection against possible malware, consider using an antivirus suite that includes sandboxing, such as Comodo Internet Security or Avast.

Eric Geier is a freelance tech writer; follow him on Twitter to keep up with his projects. He's also the founder of NoWiresSecurity, which helps homes and businesses easily protect their Wi-Fi networks with enterprise (802.1x) security.

Copyright © 2012 IDG Communications, Inc.

The 10 most powerful cybersecurity companies