
I'm looking for a sandbox for Windows. I've looked at Sandboxie but I don't know if it delivers what it promises. Is it actually safer to run programs inside Sandboxie?

I know a full-blown VM could solve the problem, but I was interested in a more lightweight solution.

Also, I have another question related to Wine. Is Wine also a sandbox in terms of security, or is it just an emulator?

If these are not viable from a security point of view, what else could I use? I'm basically interested in helping someone who keeps opening unsafe PowerPoint files and binaries on his Windows machine.

Thanks

  • Wine Is Not an Emulator (or a sandbox); it's an abstraction layer on top of the *nix system libraries which provides the Windows API to programs. – ratchet freak Feb 01 '13 at 09:00

3 Answers

2

Virtual machines are not always foolproof. Although I do agree that they are pretty useful, there have been cases whereby the "guest" VM can access its "host" machine. Read up.

As for Sandboxie, some malware will crash and emit an error message when you run it inside Sandboxie, but it won't when you run it in an environment without Sandboxie.

For someone who just wants to be totally secure, using another physical machine that has no internet access and on which no private or confidential information is stored would be deemed good (although there can be cases whereby malware spreads through thumb drives).

In your case, wanting to help your friend, I would recommend you try Windows SteadyState (freeware) if you are on Windows XP or Windows Vista, or you can try Deep Freeze (commercial). Basically, it creates a snapshot of your current system configuration, and you can do anything with your computer, but when you reboot, the system will revert to the previous snapshot, so your computer will be the same as before you did anything to it. Do note that your computer needs to be in a clean state before you create the snapshot that will be restored after each reboot. Otherwise, your computer will still be infected.

wcypierre
1

In terms of security, Sandboxie comes out on top.

To quote Wikipedia:

Sandboxie is a sandbox-based isolation program developed by Ronen Tzur, for 32- and 64-bit Windows NT-based operating systems. It creates a sandbox-like isolated operating environment in which applications can be run or installed without permanently modifying the local or mapped drive. An isolated virtual environment allows controlled testing of untrusted programs and web surfing.

Source: Wikipedia

Wine on the other hand:

Wine is a compatibility layer. It duplicates functions of Windows by providing alternative implementations of the DLLs that Windows programs call, and a process to substitute for the Windows NT kernel. This method of duplication differs from other methods that might also be considered emulation, where Windows programs run in a virtual machine.

Furthermore:

Because of Wine's ability to run Windows binary code, concerns have been raised over native Windows viruses and malware affecting Unix-like operating systems. Wine can run most malware, but programs running in Wine are confined to the current user's privileges, restricting some undesirable consequences. For this reason the developers of Wine recommend never running it as the superuser. Malware research software such as ZeroWine runs Wine on Linux in a virtual machine, to keep the malware completely isolated from the host system. Another security concern is when the implemented specifications are ill-designed and allow for security compromise. Because Wine implements these specs, it will also implement any security vulnerabilities they contain.

Source: Wikipedia

In summary, yes, Sandboxie is (theoretically anyway) safer than Wine. Additionally, Wine is not an emulator, even though it shares emulator characteristics.

Fun fact:

The name Wine initially was an acronym for WINdows Emulator. Its meaning later shifted to the recursive backronym "Wine Is Not an Emulator" in order to differentiate the software from other emulators.

Edit: It seems like the information regarding memory usage and the protections around it is lacking. Based on the following, which I've read on their FAQ:

The following classes of system objects are supervised by Sandboxie: Files, Disk Devices, Registry Keys, Process and Thread objects, Driver objects, and objects used for Inter-process communication: Named Pipes and Mailbox Objects, Events, Mutexes (Mutants in NT speak), Semaphores, Sections and LPC Ports. For some more information on this, see Sandbox Hierarchy.

Sandboxie also takes measures to prevent programs executing inside the sandbox from hijacking non-sandboxed programs and using them as a vehicle to operate outside the sandbox.

Sandboxie also prevents programs executing inside the sandbox from loading drivers directly. It also prevents programs from asking a central system component, known as the Service Control Manager, to load drivers on their behalf. In this way, drivers, and more importantly, rootkits, cannot be installed by a sandboxed program.

It appears that memory access is not restricted in any extraordinary way, and that programs execute and are given the ability to read most data on the system. You might not be able to install persistent malware on a system, but I believe malware could run from memory and perform malicious actions (for example, sending email from your browser, stealing cookies, etc.).

Hope that helps!

NULLZ
  • Thank you for the selected quotes. What is still unclear is: does Sandboxie isolate virtual memory as well, or just disk? –  Feb 01 '13 at 04:44
  • It does not appear to isolate virtual memory. See above changes to my post. – NULLZ Feb 02 '13 at 11:48
  • @jojo modjo what do you mean? Under a modern operating system, each process's memory is isolated anyway. The last version of Windows lacking proper memory protection was Windows ME. – Hugh Allen Feb 04 '13 at 00:29
1

Choose One:

A "lightweight" solution is lightweight because of reduced separation between the guest and host session.

tylerl