Sandboxie VS Light virtualization for internet browsing

Discussion in 'sandboxing & virtualization' started by Zapco_force, Nov 16, 2016.

  1. Zapco_force

    Zapco_force, Registered Member. Joined: May 17, 2013. Posts: 88. Location: Italy.

    Good evening everyone, I have a question for security experts:
    For internet browsing, is it better to run the browser in a sandbox or in a light virtualization environment?
    In other words, is it best to use software like Shadow Defender or Sandboxie? Which method is more secure, and why?
     
  2. marzametal

    marzametal, Registered Member. Joined: Mar 19, 2014. Posts: 766.

    Sandboxie - app level
    Shadow Defender - system level

    SD + SBIE can work... but:
    1) SBIE - recover files that you want to keep before deleting sandbox
    2) SD - commit recovered files, provided they have been included in exclusion list, which raises another point (sorta...)
    a) recovered/excluded sections of directories will need protection... BUT, since everything is reverted back to previous after reboot because of SD, it isn't an issue about infection... it is an issue about penetration and acquisition, which can & cannot be covered by these two apps (eg: theft of personal data etc...)
     
  3. Peter2150

    Peter2150, Global Moderator. Joined: Sep 20, 2003. Posts: 20,590.

    I always run SBIE. Even when I do run SD, I also run SBIE.
     
  4. Duotone

    Duotone, Registered Member. Joined: Jul 9, 2016. Posts: 142. Location: Philippines.

    For browsing purposes Sandboxie;
    For Testing purposes ShadowDefender;

    as @marzametal says
    This is true with regard to Sandboxie: it isolates the app, so with a few tweaks you can set some restrictions on what can run or access the internet.
     
  5. bo elam

    bo elam, Registered Member. Joined: Jun 15, 2010. Posts: 6,196. Location: Nicaragua.

    I think both ways are very secure but you are a few notches more secure with Sandboxie. For one, Sandboxie doesn't allow programs or installers that run in the sandbox to install drivers or services. That alone keeps a lot of potential problems that you might encounter while browsing away from infecting the PC or the sandboxed environment. Two, enabling Drop Rights in Sandbox settings keeps programs that download in the sandbox and run automatically from installing. They will not install.

    Three, if you only allow a few programs to run in the sandbox, only these programs will run. Nothing else. Malware that gets downloaded into the sandbox won't even start or run. Four, Sandboxie is not a firewall but you can set it up so only a few programs have internet access while running sandboxed. These two settings can keep keyloggers from running or phoning home. Five, you can block programs that run in the sandbox from having access to your personal and sensitive files and folders. This helps to keep these files from being stolen.

    Bo
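
An added example (not part of the original thread, and not Sandboxie's own tooling): a small Python audit that checks each sandbox section of a Sandboxie.ini for the restrictions bo elam lists above, namely Drop Rights, Start/Run restrictions, Internet access restrictions and blocked file paths. The sample configuration, box names, paths and check names are constructed; the setting strings are matched in the form Sandboxie Control writes them, which is an assumption to verify against your own file.

```python
# Added example. SAMPLE_INI is constructed; check names are hypothetical labels.
SAMPLE_INI = """
[BrowserBox]
Enabled=y
DropAdminRights=y
ProcessGroup=<StartRunAccess>,firefox.exe,plugin-container.exe
ClosedIpcPath=!<StartRunAccess>,*
ProcessGroup=<InternetAccess>,firefox.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedFilePath=C:\\Users\\alice\\Documents\\Finance

[DefaultBox]
Enabled=y
ClosedFilePath=C:\\Users\\alice\\Documents\\Finance
"""

def parse_ini(text):
    """Parse Sandboxie-style INI text; a key may repeat within a section,
    so every key maps to a list of values (configparser would keep one)."""
    boxes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = boxes.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return boxes

def audit_box(settings):
    """Return the names of the restrictions missing from one sandbox."""
    closed_files = settings.get("ClosedFilePath", [])
    closed_ipc = settings.get("ClosedIpcPath", [])
    checks = {
        "drop_rights": "y" in [v.lower() for v in settings.get("DropAdminRights", [])],
        "start_run_restricted": "!<StartRunAccess>,*" in closed_ipc,
        "internet_restricted": "!<InternetAccess>,InternetAccessDevices" in closed_files,
        # Any ClosedFilePath not scoped to a process group blocks a real path.
        "private_paths_blocked": any(not v.startswith("!") for v in closed_files),
    }
    return sorted(name for name, ok in checks.items() if not ok)

def audit(text):
    """Audit every sandbox section, skipping global and per-user sections."""
    return {name: audit_box(s) for name, s in parse_ini(text).items()
            if name != "GlobalSettings" and not name.startswith("UserSettings_")}
```

The audit only confirms that each restriction is switched on; which programs are listed in the `ProcessGroup` lines still needs a manual review.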
     
  6. guest

    guest Guest

    Just a minor tweak to what he said:

    1- use SD as first choice to browse/work/test/etc., and eventually Sbie inside SD if you worry about data stealing.
    2- create the excluded folders (you won't want to lose your work after rebooting)
    3- THEN, use Sandboxie (paid) to "force isolate" those folders on the real system; so if ransomware or something else manages to get into the exclusion folders, it would be isolated by Sbie.

    Sandboxie blocks data stealing if you take care to tweak it a bit in the settings.
     
  7. ichito

    ichito, Registered Member. Joined: Jan 14, 2011. Posts: 1,998. Location: Poland - Cracow.

    It's hard to say what is better... in my thinking the purposes of using one of them are quite different:
    - Sbie is used to run one or sometimes a few apps at the same time and no other part of the system/data disks is protected... so each app that is running outside the sandbox can damage the rest of the system or data on another disk
    - SD can't limit the rights of launched apps or control them in any way... but the whole system is isolated by default - or if you want, each one of the detected disks including removable - and in this way protected against unwanted changes.
     
  8. Mr.X

    Mr.X, Registered Member. Joined: Aug 10, 2013. Posts: 5,258. Location: .

    I always, and I really mean always, use both on every session in my main computer, period.
    Why? Already elaborated by others' posts above.
     
  9. guest

    guest Guest

    They complement each other, so why not.

    SD + Sbie was one of my old-days combos.
     
  10. Rasheed187

    Rasheed187, Registered Member. Joined: Jul 10, 2004. Posts: 18,178. Location: The Netherlands.

    SBIE should already keep the system clean, so I don't see the need for SD. For protection against exploits, SBIE is more secure because most malware will not be able to run correctly inside the virtual sandbox. A tool like Shadow Defender won't interfere with malicious actions if I'm correct, so until you reboot, malware can still do damage.
     
  11. Mr.X

    Mr.X, Registered Member. Joined: Aug 10, 2013. Posts: 5,258. Location: .

    I do. Especially for system drive virtualization cause I like to have my PC in pristine conditions after every restart, independently of malware protection.
     
  12. Rasheed187

    Rasheed187, Registered Member. Joined: Jul 10, 2004. Posts: 18,178. Location: The Netherlands.

    I meant as protection against exploits. SBIE is clearly the better choice. For other purposes like software testing, SD might come in handy.
     
  13. Peter2150

    Peter2150, Global Moderator. Joined: Sep 20, 2003. Posts: 20,590.

    There is to me a huge reason to use both. I have 3 internal drives. SBIE can protect the C to a large extent, but does nothing for the other 2. When I shadow I protect all 3.
     
  14. bo elam

    bo elam, Registered Member. Joined: Jun 15, 2010. Posts: 6,196. Location: Nicaragua.

    You can protect those drives with Sandboxie. You could block all sandboxed programs from having access to those 2 drives. You could also, for convenience, if you save files to those drives with your browser, set it up so only the browser can create files there; the rest of the programs running in the sandbox won't have access to the drives.
     
  15. Osaban

    Osaban, Registered Member. Joined: Apr 11, 2005. Posts: 5,648. Location: Milan and Seoul.

    I like them both. I always run Chrome, which already has its own sandbox, with Sandboxie, and with restrictions it becomes a good anti-executable. I also use SD on demand to test software and when I want extra security (e.g. third party flash drives). Pros: SB is a complete security system. Cons: It needs frequent updates as a consequence of Windows updates and upgrades (although Invincea is offering excellent support). SD pros: Very low learning curve, stable, reliable, and excellent for testing software. Cons: It will not stop key-loggers or data theft. It goes without saying that using both simultaneously will provide arguably 100% security...
     
  16. Peter2150

    Peter2150, Global Moderator. Joined: Sep 20, 2003. Posts: 20,590.

    Hi Bo

    Usually when I use SD it's because I am playing on the dark side. It's not just sandboxed programs, I don't want anything touching those drives.

    Pete
     
  17. guest

    guest Guest

    So SD is your best bet.
     
  18. bo elam

    bo elam, Registered Member. Joined: Jun 15, 2010. Posts: 6,196. Location: Nicaragua.

    Hi Pete. Too bad you are not sandboxing all programs you run, because the Resource access restriction gives exactly what you want (nothing running under Sandboxie's supervision touching those drives).

    In my personal case, no matter what activity I am doing with the computer, I am always running under Sandboxie. The only time I don't use SBIE is when the computer is off or idle or I am updating something. I am not sure what you mean by the dark side, but if you are running the browser or any other application, there's no reason you cannot use SBIE.

    I treat all activities in the computer the same way. I don't care what I am doing, if something is going to run in my computer, it's going to run sandboxed no matter what it is.

    Bo
     
  19. Peter2150

    Peter2150, Global Moderator. Joined: Sep 20, 2003. Posts: 20,590.

    Bo, there isn't a snowball's chance of ever getting everything running in Sandboxie. You can do it, but you don't run MS Office interacting with Quickbooks and its scanning software plus Microsoft maps interacting with Outlook. It's just too complex to get it all working in SBIE.
     
  20. ichito

    ichito, Registered Member. Joined: Jan 14, 2011. Posts: 1,998. Location: Poland - Cracow.

    Yeah..."all sandboxed" means only sandboxed and not all...at all :rolleyes:
     
  21. bo elam

    bo elam, Registered Member. Joined: Jun 15, 2010. Posts: 6,196. Location: Nicaragua.

    That's right, all sandboxed means only sandboxed. That's why I said and have always said that "I treat all activities in the computer the same way. I don't care what I am doing, if something is going to run in my computer, it's going to run sandboxed no matter what it is." And, "The only time I don't use SBIE is when the computer is off or idle or I am updating something."

    In other words Ichito, whenever I am using the computer, I am using Sandboxie. In my use case, "All sandboxed" means every program that runs in my computer. That's what you do with SBIE when you want to get every drop of juice out of it. Sandboxie's motto is "Trust no program"; I am following what that means when I run all programs (untrusted) in a sandbox, no exceptions.
     
  22. Overkill

    Overkill, Registered Member. Joined: Mar 16, 2012. Posts: 2,348. Location: USA.

    So 100% of anything in windows is in the sandbox?
     
  23. bo elam

    bo elam, Registered Member. Joined: Jun 15, 2010. Posts: 6,196. Location: Nicaragua.

    Programs and files, Overkill, not Windows. We can say that (with extremely rare exceptions) 100% of the time when programs and files run in my computer, they run sandboxed every time. In the case of files, they run sandboxed during their entire lifetime in the PC, from the day they get created until they get deleted.

    It's all done automatically. I click on any file, the file and program run sandboxed automatically in a sandbox. The only question really is in which sandbox they'll run as that depends on the location of the file in the PC. When I run files, it feels exactly the same running them sandboxed as if they ran unsandboxed. Since there is no lag or inconvenience of any kind, in my personal case I see no reason running anything unsandboxed. Especially so since I depend on SBIE.

    I combine using the forced programs and forced folders features together with the sandboxed Windows explorer to get the job done. In the case of Windows, you don't want to force Windows as it can create problems but you can use the sandboxed explorer to sandbox Windows for a lot of things. I specifically use the sandboxed Windows explorer for navigating to files that I download that I am not 100% sure what they are and for pictures. I also use it for testing changes in the system to see what the effect of those changes would be in the real system.

    The idea is if I sandbox all programs that run in the PC, the only time I am vulnerable is when I run something unsandboxed which pretty much never happens.

    Bo
     
  24. Elwe Singollo

    Elwe Singollo, Registered Member. Joined: Oct 30, 2015. Posts: 114.

    You can virtualise all you like but you need restriction to provide the best protection. SBIE gives you that.

    SD, while preventing persistence, will never prevent an in-session infection stealing data for example. SBIE can if set up properly.

    SBIE allows safe changes to be made to the real system without reboot while restricting the behaviour of threatgates. SD does not.

    SD can be really useful for testing software or preventing Windows permanently storing the multitude of telemetry data and tracking (DNS cache and various tracking data collected) for later transmission (providing you reboot regularly) while SBIE only virtualises that which is generated by the sandboxed app rather than the OS as a whole and is limited in terms of software testing.

    Bottom line: both are different and compatible. If you have the financial wherewithal to use both I'd suggest to the OP he does just that.

    Cheers
     
  25. Overkill

    Overkill, Registered Member. Joined: Mar 16, 2012. Posts: 2,348. Location: USA.

    So if a program doesn't work well or at all sandboxed, you don't keep it installed (I'm assuming)?
     