Sandboxie Basics - the virtual environment

Discussion in 'sandboxing & virtualization' started by Sully, Oct 4, 2012.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Sandboxie has often been termed as “Light Virtualization”. Understanding this term could be very beneficial for those who use Sandboxie.

    In the world of computers, virtualization is creating or using something “as if” it were real and physical. It creates a “fake” version of something that appears to be real. There are two types of virtualization that many will be familiar with.

    The first type relates to hardware on the live system. By creating an “image” of a cd or dvd and storing that on your hard drive, it is possible to use software that “mounts” that image onto a virtual optical drive. The OS displays the new drive, and shows the contents as if the cd/dvd were actually in a real drive even though it is virtual.

    The second type of virtualization would be a virtual computer, often generically called a “virtual machine”. The virtual machine software displays what looks like a computer. There is a BIOS and boot screens just like a real computer. You install an operating system within this virtual machine, just like a real computer. Other than the fact that this computer runs within the confines of an application on your computer, it behaves exactly like a completely separate computer.

    The word “environment” is rather important when you speak of things that are virtualized. In this case, you have a real, live, physical environment and a virtual environment. Virtual environments behave like real live environments, but they have limitations or boundaries. A virtual drive can be accessed by the real system, but you cannot perform functions like burning that you could on a real optical drive for example. A virtual machine seems to be like a real computer, but it is a separate entity from the real live machine it runs on. Usually the live system and the virtual machine don’t co-exist together. That is, they each believe they are the only live system. They each have a c: drive, and neither can access the other's files/folders without some settings specifically allowing this. For all intents and purposes, they are two physically separate machines.

    It is this virtual environment that makes virtualization so attractive. In a virtual environment you can try things out, and see (typically) what would happen on the live machine, without ever actually touching the live machine. It allows testing and experimentation without the mess because the virtual environment behaves as the real live environment would. Because the two don’t interact together, what happens in virtual vegas stays in virtual vegas.

    Who knows where the term “Light Virtualization” came from. It doesn’t matter. In fact, there are likely many definitions of what this really means. For our purpose though, we can assume that Sandboxie uses light virtualization for two reasons.

    First, it is light in the sense that it uses less resources. In order to run a virtual OS within a live OS, it takes a good amount of horsepower. Light virtualization is much “lighter” in this respect.

    Secondly, it is light in the sense that the virtualized sandbox environment is able to see the live system. Normally the separation of a virtual OS from a live OS is well defined. If a virtual OS wants to access the live OS, settings must be changed to allow this. Most of the live OS is just not available to the virtual OS. The same is true of the live OS - it knows nothing of the virtual OS. Sandboxie does not have such strict separations.

    When any given sandbox is virtualized, the only thing being virtualized or “faked” are the changes that would have been made to the live system. The processes running within the sandbox are allowed to read from the live system. One could say that the Sandboxie environment is actually two environments: the live environment and the sandboxed environment.

    When you start an application in an empty sandbox, most of the live environment is used. The application, running within a sandbox, can see and access the live system without limitation usually. If you start Firefox in the sandbox, many files are read and accessed that Firefox needs to run normally. If you use the DropRights feature of Sandboxie, then any area that Firefox accesses that is restricted in the real system will also be restricted in the sandboxed environment.

    If you close Firefox, and nothing was modified, then nothing is saved to the sandbox. That means nothing was virtualized and nothing was saved in the c:\Sandbox directory.

    If however you had modified a preference or something that would normally be saved, then those things that were modified become virtualized. Suppose you open Firefox and then modify your home page and save it. Sandboxie will do its job, which is to keep the real system from being affected. It will create whatever file or setting that would have been made to the real system, and it will place it in the c:\Sandbox directory. It virtualizes this change by NOT changing the live system.

    Here is where the “environment” comes into play. If we have started Firefox in a sandbox, and then change the home page, save it and close Firefox, we understand that the live system was not modified, but only the sandbox. If you start Firefox outside of the sandbox, your home page has not changed. Everything about Firefox is the same, as if you had never run it sandboxed.

    However, if you start Firefox again in the same sandbox, the modified home page will show up. What is happening is that when Firefox is opened in the sandbox, Sandboxie looks at everything Firefox needs to run. If there is a “home page file” in the live system somewhere that states what the home page is, Firefox would normally read that and use it. However, if there is a “home page file” in the c:\Sandbox directory that is a virtualized version of the real live “home page file”, then Sandboxie uses that instead. This way, as you use an application within a sandbox, the sandboxed environment remains both segregated from the real system and remains useable to the sandboxed application.

    It is very important IMO to understand this concept for two reasons.

    First, as a form of security, you must understand that while running Firefox in a sandbox does keep the live system safe, any bug or exploit that is “taken in” while using Firefox stays within the virtualized environment. If you browse to a website that gives you a keylogger, the next time you start Firefox in that sandbox, that keylogger is still there. It doesn’t affect your real system, but it certainly can affect (i.e. can run in) the sandbox.

    This is why sandboxes are to be deleted. Sandboxie will prompt you after X number of days to clean it. Some people set it up so that it always deletes after use. This way you “clean out” any files that might be detrimental. This “persistent environment” can be useful though. Some people might have a sandbox for their media players and never delete its contents so that their settings never change. It is a case by case basis, but it is important to understand that it is a persistent environment and how that might impact your use of it.

    Secondly, understanding the sandboxed environment is useful for changing settings of the sandbox. This is a little more complicated, but very beneficial to understand.

    When you install Firefox to your real system, there are certain settings that are default. If you start Firefox for real, and modify these settings, they remain that way forever. If you then start Firefox in a sandbox, those same settings are used. As you use Firefox in the sandbox, and you modify settings, those settings are only realized within that sandbox and only until you delete the contents of that sandbox. Once you delete the contents, then any further use of Firefox in that sandbox will once again have the live settings.

    If you were to use Firefox in a sandbox, and modify the home page, then the real system would not be affected by that. But if you later decided to change the home page in the real system (ie. running Firefox NOT sandboxed), then when you start Firefox within the sandbox, those REAL CHANGES would not be seen.

    This is because the sandboxed files are used instead of the real files, if they exist. Although you did change the real file for the home page or something, Sandboxie sees it has a virtualized version of that file, and uses the virtualized version instead.

    This confuses some users. They forget that once Sandboxie virtualizes something, anything done to the original is ignored. If the live home page is changed, the only way to get that change to happen in the sandbox is to delete the virtualized file that the change exists in. Once the file is no longer virtualized, then the real live version will be used and that modified home page will show up when Firefox is run sandboxed. This usually means users delete the entire sandbox, although if you knew which file it was that held this setting, you could just delete that one file itself from the sandbox.

    Another seemingly common scenario is that a user will start Firefox in a sandbox all the time, and updates to Firefox or Flash will be automatically installed. Later the sandbox has issues, things don’t work correctly. The user then deletes the sandbox and starts over. However, they are frustrated that the version of Firefox is old, their preferences are different, and Flash pages don’t work because the version of Flash is too old. They forgot that when things were auto-updating, they only updated within the sandbox, not the real system. When they deleted the contents of the sandbox, all those updates were deleted too.

    It might be beneficial at that point to start Firefox outside of the sandbox, and do all the updates. Then when it is started in a clean sandbox, those updates are also evident in the sandbox. In fact, if you routinely delete the contents of a sandbox, it is a good idea to periodically run Firefox outside of the sandbox and let it auto-update. Alternately you might wish to keep Flash off your real system and only install it in a given sandbox, and you might not delete that sandbox very often.

    Virtualization and environments are important concepts to understand. While not overly complicated, they are foreign to many people. A little study on what they are and how they affect your use of Sandboxie can help you understand why certain things are happening which don’t seem to make sense.

    I used Firefox as an example because it is a common application and it is easy to type. You could insert any program in its place and the effect and meaning would be the same.

    I don’t pretend that I know everything about Sandboxie or computers. I am describing what I see. It may be incorrect in how it is technically applied. However, what I have described I have witnessed myself. Corrections gladly accepted.

    Sul.
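
The lookup behaviour described in the post above, as an added example that is not part of the original thread and is not Sandboxie's own code: a toy Python model in which reads prefer the sandboxed copy and writes never reach the live tree, plus a check that lists sandboxed files hiding a live file that has since changed. The class `OverlaySandbox`, the file `profile/homepage.txt` and its values are constructed for illustration.

```python
import shutil, tempfile
from pathlib import Path

class OverlaySandbox:
    """Toy model of the lookup described in the post (not Sandboxie's code)."""
    def __init__(self, live_root, box_root):
        self.live, self.box = Path(live_root), Path(box_root)

    def read(self, rel):
        boxed = self.box / rel
        # A virtualized copy, if present, is used instead of the live file.
        return (boxed if boxed.exists() else self.live / rel).read_text()

    def write(self, rel, data):
        target = self.box / rel                 # the live tree is never touched
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(data)

    def shadowed(self):
        """Sandboxed files that hide a live file whose content now differs."""
        hits = []
        for boxed in self.box.rglob("*"):
            rel = boxed.relative_to(self.box)
            live = self.live / rel
            if boxed.is_file() and live.is_file() and live.read_bytes() != boxed.read_bytes():
                hits.append(rel.as_posix())
        return sorted(hits)

def demo():
    root = Path(tempfile.mkdtemp())
    sb = OverlaySandbox(root / "live", root / "Sandbox")
    sb.box.mkdir()
    pref = "profile/homepage.txt"               # constructed "home page file"
    live_pref = sb.live / pref
    live_pref.parent.mkdir(parents=True)
    live_pref.write_text("live-A")
    seen = [sb.read(pref)]                      # empty sandbox: live value
    sb.write(pref, "boxed-B")
    seen += [sb.read(pref), live_pref.read_text()]   # sandbox changed, live did not
    live_pref.write_text("live-C")              # later change made unsandboxed
    seen.append(sb.read(pref))                  # still hidden by the sandboxed copy
    stale = sb.shadowed()
    shutil.rmtree(sb.box)                       # delete the sandbox contents
    seen.append(sb.read(pref))                  # live value visible again
    shutil.rmtree(root)
    return seen, stale
```

`demo()` returns the values the sandboxed program would read at each step, together with the list of stale sandboxed copies found just before the sandbox contents are deleted.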
     
  2. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Corrections gladly accepted

    ...but not required, I think. Another really helpful description :)

    philby
     
  3. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, to avoid Firefox problems you can use the Firefox Sync feature. This way important data will always be available to both the sandboxed and non-sandboxed browser. Granted, the program itself and plugins won't be synced, but that can easily be fixed by installing the new version. Browser data (bookmarks, passwords etc.) are synced.

    I use sandboxed Firefox for online shopping with very high restrictions using the Drop Rights setting and also limiting execution of files to only 3 executables from Firefox (browser EXE, plugin container EXE and Adobe Flash EXE). This way the chances of something going wrong in there are very small since stuff in the sandbox doesn't have many rights to access anything.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    There are many threads devoted to the many ways to configure security. This was not the purpose of this thread. It is only to try and explain things that are commonly asked by Sandboxie users. As I said, Firefox was used because it is easy to type and everyone has heard of it. I leave the details of what, why and how to configure Sandboxie or the system for another day.

    Sul.
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, the same applies to Chrome and Opera as well since they all use syncing features...
     
  6. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,024
    Location:
    USA
    Sul (or any other knowledgeable SBIE user),

    I've been running Sandboxie (free) for the past week and finding it has a major impact on my browser's performance (IE9). My home page (as well as most webpages) takes much longer to open than without Sandboxie! Is this typical? o_O

    Another annoying issue when using Sandboxie is that every so often (usually as soon as I close my sandboxed browser) I get a message box to the effect that IE9 has stopped working! :doubt:

    I would appreciate any suggestions...

    Cruise

    HP dv6t-7000:
    i7 Quad
    750GB HDD
    32GB mSSD (cache)
    8GB RAM
    Win7 SP1 x64
     
    Last edited: Oct 7, 2012
  7. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Hi Cruise

    I have 2 machines, both pretty bare 7 64bit set ups with current version of SB installed.

    I have no browser slow-loads at all on either machine (both IE9).

    However, I do get the IE crash on closing sandboxed IE9 on one of the two machines - but have just been living with it. It usually only happens if I've had IE9 open for over an hour though...

    There's nothing in Event Viewer's APP log and I haven't really had time to figure it out by looking elsewhere, or to report to Tzuk. I don't think SB has its own log that might shed light, but maybe it does and I've just not found it...?

    So, you're not alone with your second issue!

    philby

    EDIT Maybe this should have been a new thread, so as not to detract from Sully's work!
     
    Last edited: Oct 7, 2012
  8. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,024
    Location:
    USA
    Hi philby,

    I believe you're right insofar as starting a new thread - I'll do that...

    Cruise
     
  9. tomazyk

    tomazyk Guest

    Another nice thread Sully. New users can really benefit from these kinds of explanations. :thumb:
     