
We are making Sandboxie a free tool, with plans to transition it to open source - tech234a
https://www.sandboxie.com/
======
jpalomaki
May 2019 update of Windows 10 includes Microsoft's version of Sandbox [1].
Requires pro or enterprise version. This is based on the Hyper-V
virtualization.

They also have "Defender application guard" [2] which allows launching
websites to Edge running in Sandbox. There should be extensions available for
also Firefox and Chrome for launching the sandboxed browser, but the browser
running in the sandbox is anyways Edge.

[1] [https://techcommunity.microsoft.com/t5/Windows-Kernel-
Intern...](https://techcommunity.microsoft.com/t5/Windows-Kernel-
Internals/Windows-Sandbox/ba-p/301849)

[2] [https://docs.microsoft.com/en-us/windows/security/threat-
pro...](https://docs.microsoft.com/en-us/windows/security/threat-
protection/windows-defender-application-guard/wd-app-guard-overview)

~~~
stiray
Sandboxie is far better (or different - for its use case it is better). It
doesnt use virtualization but rather hooks the APIs and redirects them to "in
folder structure" where copy-on-write is used to keep local copy of registry,
file system,... Far better and much less resource consuming aproach, its
resource consumption is just a slight (I am talking about % or two) worse than
native software, doing trampoline hook overhead is not worth mentioning, games
will run at same speed. Imagine docker. You delete programs sandbox directory
and all its traces are gone. I was its user for years (untill I have switched
to linux due to some insane microsoft architectural decisions, like manifests
and com junk within kernel32.dll) and was installing all the software into
sandboxie, my base os was clean as "just installed". Give it a try, it is
worth it. And now it is free :)

(Disclaimer: 20+ years development in low level windows world, from DRM to
reversing malware and writting drivers. Dumped the windows completely and
continuing on linux (didnt switch due to linux beeing any better, just windows
got worse) and freebsd.)

~~~
stiray
This one is worth checking, sandboxie vs ransomware:
[https://www.youtube.com/watch?v=RVwflbmBd_A](https://www.youtube.com/watch?v=RVwflbmBd_A)

There are two pieces of software, that I consider a must on windows (and I
miss very much on linux), one is totalcommander and second is sandboxie.

------
cwyers
The website takes me back to a certain era of computing -- the explanation of
how sandboxing works is paired to a bunch of icons mostly of their time, and
the illustration itself looks inspired by the Windows disk defragmenter
utility.

~~~
userbinator
An era when websites were fast-loading, simple, information-dense and
distinctively-styled yet still very readable.

~~~
qwerty1234599
What? The webpage is filled with a useless wall of text, of which maybe 20% is
relevant.

The rest just makes it hard for average people to figure out what exactly the
software is and how to download it.

~~~
kick
"Download" is literally the eighth word on the page, and fourth word on the
navigation bar. If a person can't see that, they're destined for a Darwin
award.

~~~
greenhatman
The text is too small and spans most of the screen. Difficult to read on big
monitors. Reading that grey block on mobile is also really straining. I
actually just gave up and came to read the comments instead.

The word 'download' is exactly the same font as everything else. So it's hard
to find. Why not have a button that stands out? There are 2 links called
'click here'. So you have the read the surrounding text before knowing where
you want to click. I can't think of a good reason not to have a clear call to
action button that stands out from the rest of the page.

Compared to almost any modern site, this is really bad.

~~~
userbinator
_Why not have a button that stands out?_

I've been conditioned to almost subconsciously ignore "big green download
buttons", because the vast majority of them are fake.

~~~
greenhatman
Then you're probably on scammy sites too often.

The only sites I know of that does that are pirate sites.

------
pmoriarty
Are there any Linux equivalents to Sandboxie?

For example, I'd like an easy way to run Firefox in a sandbox under Linux,
without the overhead of running a full VM (which is just too resource
intensive on my old, slow laptop), I'd like to be able to pull out files that
Firefox downloads from the sandbox, and then delete the sandbox when I'm done.
Also, Sandboxie can force particular apps to start sandboxed. All that is
pretty easy to do from Sandboxie and is 99% of what I use Sandboxie for.

~~~
e12e
Firejail is probably what you want. I'd be wary of considering Docker as a
jail - it does some isolation, but I've yet to see any serious effort or
analysis of "safely run arbitrary code as root in docker and avoid escape"
(the scenario being at least a full compromise of the app, with potentially an
elevation to root in the container). Docker is "(shipping) container first"
not "(CIA black site) container first".

Firejail isn't perfect - but it's at least designed to be a jail/sandbox.

There's also the possibility to use lxc via lxd - if you're running xorg you
can forward x11 over ssh to the container (or vm). However access to xorg is
problematic (eg shared clipboard, window/screen access).

Wayland supposedly does "everything x does" \- but I don't know how you
connect displays via the network.

But in the end (even though you requested "not vm") - I'd probably have a look
at qubes os: [https://www.qubes-os.org/](https://www.qubes-os.org/)

Afaik it mitigates the "shared xorg server" via using x-in-x nested servers
(eg xephyr).

Also came across this, which appears to be a little better than "just" docker
- but I'd probably still go with firejail or qubes os:

[https://github.com/mviereck/x11docker/blob/master/README.md](https://github.com/mviereck/x11docker/blob/master/README.md)

~~~
technofiend
CentOS / RHEL has UID and GID mapping backported from the 4.x Linux kernel
which podman supports. You can run as root in the container and still be
remapped to a non-root user outside of it. If you want a locked desktop
combine that with Guacamole docker images.

------
DvdGiessen
As a long time user of Sandboxie, I'm excited to see this announcement and am
looking forward to the open source release and what the community might be
able to do with it.

Sandboxie's technology works extremely well for securely isolating all kinds
of interactive Windows GUI apps, and might thus be be an interesting
alternative to Microsoft's own Windows Container technology which is more
focussed on servers and can't really do GUI's.

I'd love to see some experiments using Sandboxie sandboxes as Docker-style
images/containers. Packaging a complete GUI app including dependencies and
making it easy to run on another Windows machine without polluting it, without
noticeable overhead, neatly integrating like you'd expect of a Windows app
with things like window management or the clipboard, and all that while being
securely isolated from the rest of the machine.

~~~
andai
In high school I used VMWare ThinApp to portably run windows applications
without admin privileges, I think it worked in a similar way.

~~~
_salmon
I miss ThinApp for making portable apps

------
GuB-42
I use it as a dev tool. Mostly to test installers.

For example: Start with a clean slate, install the software, check that it
works correctly, check what it actually installed and what it did to the
registry, uninstall, check that everything is gone. It something goes wrong,
scrap the sandbox and try again. Do it again with an older version installed
in another sandbox, etc...

Maybe I can do it with a VM, but Sandboxie is very convenient and lightweight.

------
retrobox
It’s great news that the source is being released, but I get the impression
this essentially means the company will end active development and put the
onus on the OS community for future updates.

~~~
jve
Which is much better than just declaring end of life and no further updates.

~~~
lamby
> Which is much better than just declaring end of life and no further updates.

Undoubtably true, although I would add that it hardly promotes free software
as a "generally good thing" if the landscape is full of zombie projects like
this, devoid of any community that makes open source what it is.

------
todotask
To think I have forgotten about this for so long, it is unique for web
browsing and web development. It's useful to run untrusted binaries files that
may create lots of garbage and easier to simply wipe temporary data in an
isolated environment.

------
chime
I have a few hundred Citrix VDI users, many of whom need to occasionally
download a WebExLongHash123.exe file. Is there any way to use Sandboxie to
auto-run these downloaded files in the sandbox so that if they are actual
malware, it won't affect the rest of the system?

------
abdj8
We used it at Yahoo! for detecting misbehaving ads . I remember it as a one
man shop, looks like they sold it to Sophos .

------
finchisko
Sandboxie is much better tool then Windows Sandbox. Great to hear it will be
open source.

------
coupdejarnac
Sandboxie seems to have been a good product with bad pricing and bad
marketing. I remember paying for Sandboxie around 2011 and not realizing it
was a yearly subscription. When the year ran out, that was the end of
Sandboxie for me- I didn't want to repay for the same functionality for a home
computer. For corporate use however, an annual fee makes more sense.

------
Endy
I remember when Sandboxie was free before Sophos got involved.

~~~
chipperyman573
I don't know how long ago that was but I used it about 10 years ago and I
remember having to wait 5(?) seconds to launch a program because you had to
pay to remove that restriction.

------
saagarjha
How does Sandboxie actually work?

~~~
ComodoHacker
It virtualizes file IO and registry API calls from running apps and redirects
them to a predefined location, a "sandbox".

~~~
saagarjha
How? Is it running in the kernel, or is it some sort of debugger trick where
any sort of system call gets trapped and handled by a sandboxing coprocess? Or
is it an in-process library? (!!)

~~~
lstamour
[https://community.sophos.com/products/sandboxie/f/forum/1153...](https://community.sophos.com/products/sandboxie/f/forum/115348/anyone-
seeing-occasional-ole-init-hook-failed-errors-from-sandboxie) suggests a
method... [https://vallejocc.files.wordpress.com/2014/12/sandboxie-
proc...](https://vallejocc.files.wordpress.com/2014/12/sandboxie-process-
isolation-with-kernel-hooks.pdf) has more details.

Also [https://malwaretips.com/threads/sandboxie-should-be-
avoided-...](https://malwaretips.com/threads/sandboxie-should-be-avoided-
in-2019-and-above.93426/) and [https://techcommunity.microsoft.com/t5/Windows-
Kernel-Intern...](https://techcommunity.microsoft.com/t5/Windows-Kernel-
Internals/Windows-Sandbox/ba-p/301849)

~~~
saagarjha
Thanks. Does Sandboxie use code patching to hook functions in statically-
linked binaries?

~~~
lstamour
Statically linked binaries aren’t exactly a “thing” on Windows...
[https://reverseengineering.stackexchange.com/questions/2070/...](https://reverseengineering.stackexchange.com/questions/2070/can-
i-statically-link-not-import-the-windows-system-dlls) It appears to patch the
SSDT table to intercept system calls to the kernel, and based on forum thread
titles, has been caught by PatchGuard in Windows before, but I haven’t
investigated myself.

From what I can tell, once a privileged process like a kernel driver, starts
messing with memory it doesn’t own, like SSDT tables and loaded user-land
DLLs, well, game’s over as far as system integrity’s concerned. PatchGuard
does integrity checking, but I presume given how common it is, there are known
ways to fool it or disable it, perhaps by poisoning whatever it uses to check
the SSDT memory.

Interesting variations on this technique might be
[https://github.com/tandasat/DdiMon](https://github.com/tandasat/DdiMon) and
[https://github.com/tandasat/SimpleSvmHook](https://github.com/tandasat/SimpleSvmHook)

In terms of defense, there’s
[https://github.com/IgorKorkin/MemoryRanger](https://github.com/IgorKorkin/MemoryRanger)

And for an organized list of far too many examples for me to feel safe,
there’s [https://github.com/ExpLife0011/awesome-windows-kernel-
securi...](https://github.com/ExpLife0011/awesome-windows-kernel-security-
development) (Note: over half of the links I clicked at random had Chinese
github commit text or readmes, presumably the list author is either searching
Github by function calls or understands Chinese...) Less organized for obvious
reasons, but this list of 199 starred projects might also be worth a look
[https://github.com/dmaynor?tab=stars](https://github.com/dmaynor?tab=stars)
which in turn pointed me to [https://github.com/Hack-with-Github/Awesome-
Hacking](https://github.com/Hack-with-Github/Awesome-Hacking)

And if you like this, you’ll probably also like:
[https://news.ycombinator.com/item?id=21481598](https://news.ycombinator.com/item?id=21481598)

------
m1sta_
Can this be used to install applications that require admin access, when you
don't have admin access (eg. Corporate devices)?

~~~
emayljames
I would err on the side of no. These sandboxes are not a system in a system,
like a virtual machine.

------
thih9
Is there a comparable mac os product?

Alternatively, are there plans for a mac os version?

------
vardump
I'm really curious how Sandboxie defends against simply bypassing all DLLs
altogether (including ntdll.dll), and performing direct Windows kernel
syscalls?

------
ww520
This is great. Sandboxie is a fantastic sandboxing product.

------
badrabbit
I tried appguard for Edge,it works ok but virtualbox stopped working as a
result due to hyper-v being active. Is this the case with sandboxie?

------
gabia
When I opened the site, my S8 reported that Firefox had been detected using
the camera permissions. No idea why.

------
narnianal
Is there something a linux user should take note of? Or is it Sandboxie an
attempt to reproduce features like kvm/qemu to windows world? Looks like a
cool tool but currently not sure what I would do with it besides of what I do
with Linux already.

------
erikpukinskis
How neat is that!

------
wiradikusuma
Does it work for Windows 10?

~~~
arthurfm
Yes.

