An analogue of a sandbox sandbox. Tools for running applications in a virtual environment

You can endlessly look at fire, water and the activity of programs isolated in the sandbox. Thanks to virtualization, you can send the results of this activity - often unsafe - into oblivion with one click.

However, virtualization is also used for research purposes: for example, you wanted to monitor the impact of a freshly compiled program on the system or run two different versions of an application at the same time. Or create a standalone application that won't leave traces on the system. There are many options for using the sandbox. It is not the program that dictates its conditions in the system, but you show it the way and allocate resources.

If you are not satisfied with the slowness of the process, you can stream virtualization using the ThinApp Converter tool. Installers will be created based on the config you specified.

In general, the developers advise to produce all the indicated preparations under sterile conditions, on a fresh OS, so that all the nuances of the installation are taken into account. For these purposes, you can use a virtual machine, but, of course, this will leave its mark on the speed of work. VMware ThinApp is already quite heavy on system resources, and not only in scan mode. However, as they say, slowly but surely.

BufferZone

• Site:www.trustware.com
• Developer: Trustware
• License: freeware

BufferZone monitors Internet and program activity of applications using a virtual zone, closely approaching firewalls. In other words, rule-driven virtualization is used here. BufferZone works easily in conjunction with browsers, instant messengers, email and P2P clients.

At the time of this writing, the developers have warned about possible problems when working with Windows 8. The program can kill the system, after which it will have to be removed through safe mode... This is due to the BufferZone drivers, which come into serious conflict with the OS.

What gets under the BufferZone radar can be tracked in the main Summary section. You determine the number of restricted applications yourself: the Programs to run inside BufferZone list is intended for this. It already includes potentially unsafe applications like browsers and mail clients... A red border appears around the window of the captured application, which gives confidence when surfing safely. If you want to run outside the zone - no problem, the control can be bypassed through the context menu.

In addition to the virtual zone, there is such a thing as a private zone. You can add sites that require the strictest privacy. It should be noted right away that the function works only in Internet Explorer retro versions. In more modern browsers there are built-in tools to ensure anonymity.

In the Policy section, the policy is configured in relation to installers and updates, as well as programs launched from devices and network sources. In Configurations also see additional options security policy (Advanced Policy). There are six levels of control, depending on which the BufferZone relationship to programs changes: no protection (1), automatic (2) and semi-automatic (3), notifications about the launch of all (4) and unsigned programs (5), maximum protection (6) ...

As you can see, the value of BufferZone lies in total internet control. If you need more flexible rules, then any firewall will help you. BufferZone also has it, but more for show: it allows you to block applications, network addresses and ports. From a practical point of view, it is not very convenient for active access to settings.

Evalaze

• Site: www.evalaze.de/en/evalaze-oxid/
• Developer: Dögel GmbH
• License: freeware / commercial (2142 euro)

The main feature of Evalaze lies in the flexibility of virtualized applications: they can be run from removable media or from a network environment. The program allows you to create completely stand-alone distributions that operate in an emulated file system and registry environment.

The main feature of Evalaze is a user-friendly wizard that is understandable without reading the manual. First, you make an OS image before installing the program, then you install it, make a test run, and configure it. Next, following the Evalaze wizard, you analyze the changes. It is very similar to the principle of work of uninstallers (for example, Soft Organizer).

Virtualized applications can operate in two modes: in the first case, write operations are redirected to the sandbox, in the second, the program will be able to write and read files on the real system. Whether the program will delete traces of its activities or not is up to you, the Delete Old Sandbox Automatic option is at your service.

Many interesting features are available only in the commercial version of Evalaze. Among them - editing environment elements (such as files and registry keys), importing projects, setting the reading mode. However, the license costs more than two thousand euros, which, you must agree, slightly exceeds the psychological price barrier. At a similarly unaffordable price, the use of an online virtualization service is offered. As a consolation, the developer's site has prepared virtual sample applications.

Cameyo

• Site: www.cameyo.com
• Developer: Cameyo
• License: freeware

A quick inspection of Cameyo suggests that the functions are similar to Evalaze, and in three clicks you can "blind" a distribution kit with a virtualized application. The packer takes a snapshot of the system, compares it to the changes after installing the software, and creates an ecosystem to run.

The most important difference from Evalaze is that the program is completely free and does not block any options. The settings are conveniently concentrated: switching the virtualization method with saving to disk or memory, choosing the isolation mode: saving documents to specified directories, prohibiting writing or full access... In addition, you can customize the virtual environment using the file and registry key editor. Each folder also has one of three isolation levels that can be easily overridden.

You can specify the sandbox cleaning mode after exiting the offline application: remove traces, without cleaning, and write registry changes to a file. Integration with Explorer and the ability to bind to specific file types in the system are also available, which is not even available in paid counterparts Cameyo.

However, the most interesting thing is not the local part of Cameyo, but the online packer and public virtual applications. It is enough to specify the URL or upload the MSI or EXE-installer to the server, indicating the bitness of the system, and at the output you get a stand-alone package. From now on, it is available under the roof of your cloud.

Summary

Sandboxie will be the best choice for sandbox experiments. The program is the most informative among the listed tools; the monitoring function is available in it. A wide range of settings and good options for managing a group of applications.

Doesn't have any unique features, but very simple and trouble-free. An interesting fact: the article was written inside this "sandbox", and by an unfortunate mistake all the changes went into the "shadow" (read: astral). If not for Dropbox, this page would have published a completely different text - most likely by a different author.

Evalaze offers not an integrated approach to virtualization, but an individual one: you control the launch of a specific application by creating artificial living conditions for this. There are advantages and disadvantages here. However, taking into account the cut-downs of the free version of Evalaze, and the dignity will fade in your eyes.

Cameyo carries a certain "cloudy" flavor: the application can be downloaded from the website, put on a USB flash drive or in Dropbox - this is convenient in many cases. True, it leads to associations with fast food: one cannot vouch for the quality and correspondence of the content to the description.

But if you prefer to cook according to the recipe, VMware ThinApp - your option. This is the solution for experts who care about every nuance. The set of unique features is complemented by the capabilities of the console. You can convert apps from command line, using configs, scripts - in individual and batch mode.

BufferZone is a sandbox with a firewall function. This hybrid is far from perfect and the settings are relevant, but you can use BufferZone to control Internet activity and applications, protect against viruses and other threats.

It is a mistake to believe that the built-in protection of the operating system, antivirus or firewall will completely protect against malware... However, the harm may not be as obvious as in the case of viruses: several applications can slow down windows work, entail anomalies of various kinds. Over time, the consequences of uncontrolled processes on the part of the "amateur" software make themselves felt, and uninstallation, deleting registry keys and other cleaning methods no longer help.

In such situations, the sandbox programs covered in this review can be a great service. The principle of operation of sandboxes is partly comparable to virtual machines (Oracle VM VirtualBox et al., VMware Virtualization). Thanks to virtualization, all processes initiated by the program are executed in a sandbox - an isolated environment with tight control of system resources.

This method of code isolation is quite actively used in antivirus software (KIS 2013, avast!), In programs such as Google chrome (Flash works in the sandbox). However, one should not assume that sandboxing programs are a complete guarantee of security. This is just one of the most effective additional funds to protect the OS (file system, registry) from external influences.

The site has already published a review of the program for creating a virtual environment -. Today we will consider other applications in a broader sense: these are not only desktop solutions, but also cloud services that improve not only security, but also anonymity, making it possible to run from removable media from another computer.

Sandboxie

Developer Ronen Tzur compares Sandboxie's action to an invisible layer on top of paper: you can write on it any way you want; when the protection is removed, the sheet will remain intact.

There are 4 main ways to use sandboxes in Sandboxie:

• Secure internet surfing
• Improving privacy
• Secure email communications
• Keeping the OS in its original state

The last point implies that in the sandbox you can install and run any client applications - browsers, IM-messengers, games - without affecting the system. Sandboxie controls access to files, disk devices, registry keys, processes, drivers, ports, and other potentially insecure sources.

First of all, SandboxIE is useful in that it allows the user to flexibly configure sandboxes and privileges using the Sandboxie Control shell. Here, through the context and main menus, basic operations are available:

• Start and stop programs controlled by Sandboxie
• Viewing files inside the sandbox
• Recovering the files you need from the sandbox
• Delete all work results or selected files
• Creating, deleting and configuring sandboxes

To run the program in the sandbox, just drag the executable file into the Sandboxie Control window, into the sandbox created by default. There are other ways - for example, the menu Windows Explorer or the notification area. The window of a program running in an emulated environment will be surrounded by a yellow border and a hash (#) in the title.

If, when working with a sandboxed program, you need to save the results to disk, any desired source is indicated - the files will be placed in the sandbox folder, while at the specified address, outside the sandbox, it will not. For "real" transferring files from the sandbox, you should use the restore option. There are two types of them - fast or immediate, in both cases, before starting the program in the sandbox, you need to configure the folders for recovery ("Sandbox Settings - Recovery").

More detailed access settings are located in the "Restrictions" and "Access to Resources" sections. They may be required if the application cannot run without certain privileges (requires a certain system library, driver, etc.). In "Restrictions", in relation to programs or groups, you can configure access to the Internet, to hardware, IPC objects, as well as low-level access. In the "Access to resources" - the appropriate settings for files, directories, registry and other system resources.

Also in the Sandboxie settings there is an important section "Applications", which contains groups of programs for which access to the specified resources is provided. Initially, all the elements of the list are deactivated, to apply changes for a specific application, select it in the list and click the Add button.

Thus, it is possible to create sandboxes with different parameters. It is allowed to clone the configuration of an existing sandbox, for this, when creating a new one, from the drop-down list, select the environment from which you want to transfer the settings.

Summary

With the Sandboxie application, you can create virtual environments of any configuration, without restrictions for the user. Sandboxie provides a large number of settings for both individual applications and sandboxes.

[+] Flexible customization every sandbox
[+] Creating rules for a group of programs
[-] Can't create distributions
[-] Lack of setup wizard

Evalaze

It is symbolic that Evalaze originates from Thinstall 2007, currently from VMware.

Evalaze is not as well known as Sandboxie among sandboxing programs, but it has a number of interesting features that set it apart from a number of similar solutions. Thanks to virtualization, applications can be launched in a stand-alone environment from any computer, regardless of the presence of drivers, libraries, newer versions of the launched application. This does not require either presettingnor additional configuration files or libraries or registry keys.

Evalaze does not require installation, one caveat: you need Microsoft to work. NET Framework version 2.0 or higher. The free version, as well as the professional edition, provides a virtualization setup wizard and an unlimited number of virtual applications. You can download the trial version from the developers 'website only upon request (see the developers' email on the website).

The resulting configuration can be saved to a project. From start to finish, the process of configuring a virtual application takes longer than, say, in Sandboxie, but it is more consistent and straightforward.

Two additional features Evalaze, which is likely to be of interest to software developers, testers: it is working with a virtual file system and a virtual registry. These stand-alone Evalaze environments can be edited at your discretion, adding files, directories, keys necessary for the functioning of a particular virtual program.

Also in Evalaze, you can set up associations out of the box: the virtual application will immediately create the necessary associations with files in the OS at startup.

Summary

A program with which you can create standalone applications that are convenient to use in all kinds of situations, which in general facilitates migration, compatibility, and security. Alas, free version practically useless, it is only interesting for a very cursory examination of the functions of Evalaze.

[-] Low-functional evaluation version
[-] High price of the Pro version
[+] There is a setup wizard
[+] Virtual file system and registry

Enigma virtual box

Enigma Virtual Box is designed to run applications in an isolated virtual environment. The list of supported formats includes dll, ocx (libraries), avi, mp3 (multimedia), txt, doc (documents), etc.

Enigma Virtual Box models the virtual environment around the application as follows. Before starting the application, the Virtual Box loader is triggered, which reads the information that is necessary for the program to work: libraries and other components - and provides them to the application instead of system components. As a result, the program works autonomously in relation to the OS.

The configuration of Sandboxie or Evalaze sandboxes, as a rule, takes about 5 minutes. At first glance, Virtual Box also does not involve lengthy configuration. In the documentation, the use of the program actually fits into one sentence.

There are 4 tabs in total - "Files", "Registry", "Containers" and, in fact, "Options". You need to select an executable file, specify the location of the final result and start processing. But later it turns out that the virtual environment needs to be created independently. For this, the three adjacent sections "Files", "Registry" and "Containers" are intended, where the necessary data is manually added. After that, you can click process, run the output file and check the program's performance.

Summary

Thus, in Enigma Virtual Box there is no OS analysis before installing the application and after, as is the case with Evalaze. The emphasis is shifted towards development - therefore, rather, Virtual Box is useful for testing, checking compatibility, creating artificial conditions for launching a program. Virtualization of unknown applications will cause difficulties, since the user will be forced to specify all program links on his own.

[-] Lack of convenient settings
[+] The resources used by the program can be determined independently

Cameyo

Cameyo offers application virtualization in three areas: business, personal development. In the latter case, the sandbox can be used to keep the OS in a "clean" state, store and run applications on removable media and in cloud services. In addition, several hundred already configured virtual applications are published on the cameyo.com portal, which also saves the user time.

The steps for creating a virtual application are similar to the Enigma Virtual Box: first, a snapshot of the system is taken before installation, then after it. Changes between these states are taken into account when creating the sandbox. However, unlike Virtual Box, Cameyo syncs with the remote server and publishes the app to cloud storage... Thanks to this, applications can be run on any computer with access to the account.

Through the Library, you can download popular system applications (Public Virtual Apps): archivers, browsers, players and even antiviruses. At startup, you are prompted to select an executable file and indicate whether it works stably or not (which, apparently, is somehow taken into account by the Cameyo gallery moderators).

Another interesting feature is creating a virtual application via. The installer can be downloaded from your computer or you can specify the URL of the file.

The conversion process, according to statements, takes from 10 to 20 minutes, but often the waiting time is several times less. Upon completion, a notification is sent to the email with a link to the published package.

Distribution creation email notification

For all the cloud-based conveniences, there are two important points to note. First: each program is updated from time to time, and the library contains outdated copies. The second aspect: applications added by users may conflict with the license of a particular program. This must be understood and taken into account when creating custom distributions. And thirdly, no one can guarantee that a virtual application posted in the gallery has not been modified by an attacker.

However, speaking of security, Cameyo has 4 application modes:

• Data mode: the program can save files in the Documents folder and on the Desktop
• Isolated: the ability to write to file system and the registry is missing
• Full access: free access to the file system and registry
• Customize this app: modifying the launch menu, choosing the program storage location, etc.

Summary

Comfortable cloud servicethat you can connect to on any computer, allowing you to quickly create portable applications. Setting up sandboxes is minimized, not everything is transparent with virus scanning and security in general - however, in this situation, advantages can compensate for disadvantages.

[+] Network sync
[+] Access to custom applications
[+] Creation of virtual applications online
[-] Lack of sandbox settings

Spoon.net

Spoon Tools is a suite of tools for creating virtual applications. In addition to the professional environment, spoon.net deserves attention as a cloud service that integrates with the Desktop, allowing you to quickly create sandboxes.

To integrate with the Desktop, you need to register on the spoon.net server and install a special widget. After registration, the user gets the opportunity to download virtual applications from the server through a convenient shell.

Four possibilities brought by the widget:

• Sandboxing files and applications
• Tidying up your desktop with shortcuts, quick launch menus
• Safe testing of new applications, launch outdated versions on top of new
• Undo changes made by the sandbox

Fast access to the spoon.net widget is possible by combining alt keys + Win. The shell includes a search string, concurrently - a console. It searches for applications on the computer and on the web service.

The organization of the desktop is very convenient: you can drag it to the virtual desktop required filesthat will sync with spool.net. New sandboxes can be created with just two clicks.

Of course, in terms of setting up sandboxes, Spoon cannot compete with Sandboxie or Evalaze for the reason that they are simply absent in Spoon. You cannot set restrictions, convert a "regular" application into a virtual one. For these purposes the Spoon Studio complex is intended.

Summary

Spoon is the "most cloudy" shell for working with virtual applications and, at the same time, the least customizable. This product will appeal to users who are interested not so much in the security of work through virtualization, as in the convenience of working with necessary programs everywhere.

[+] Integration of the widget with the Desktop
[+] Fast creation sandboxes
[-] Lack of settings to limit virtual programs

Pivot table

Lifetime licenses are offered again for home users! Old comment left here for reference.

As of October 9th 2013, the developer has changed Sandboxie from a purchase to a subscription model. You have to pay a recurring fee of currently € 15 yearly. The regular registration (perpetual / lifetime license) is no longer offered for sale.

I understand the reasoning behind it - continued work on the project needs to be supported somehow - but I personally think a subscription model is the worst way to go about this, and significantly lowers the value of the product for paying customers. Why not charge a fee if people want to upgrade to major new versions? By all means, sell an "update subscription" that goes at € 15 a year, so people have the choice. But remotely disabling a software that a customer has at one point paid for is just wrong and disrespectful. The customer "s continued use of an old version that" s no longer updated costs the developer nothing.

It seems a very crummy move to me, potentially inspired by Adobe, who have gotten a well-deserved and massive blow of criticism for doing the same thing to their entire product range (which I believe might yet spell their downfall after some 30 years as an industry leader).

I should add, though, that the free version of Sandboxie is very generous in its functionality. If the paid license expires, it will not break completely, but revert to the unlicensed version, lacking some handy features and displaying nag screens, but remaining functional. That "s generous of the deveoper, and at least the price of the subscription is fair. Still, the new subscription model makes it hard for me to unconditionally recommend the application to friends.

reply

I noticed that too, on my last visit to the site. It seems like they can "t decide what they want, changing licensing models like fashion trends.

On one hand I "m glad that I got my lifetime license while I could, but on the otherhand, using a software that is now only sold as a subscription service leaves a very bad aftertaste. I generally don" t want to support, in any way, developers who use such underhanded tactics.

Maybe their next change of mind is not far away. I would assume that the last time they decided to offer real licenses again, it was also based on customer complaints.