Excubits offers some free programs to run vulnerable programs in a memory and file sandbox. On our forum @WildByDesign has direct contact with the developers, so when you have questions about releases or features he is the one to ask (although mood and Online_Sword have also played with those programs intensively, so they are also good information sources). Here is some english information on them https://excubits.com/content/en/news.html You can download them from https://excubits.com/content/en/products_beta.html It are actually not programs but drivers, WildByDesign has explained how you install them in this post What is the idea of running programs in containers? Containers and sandboxes are often mixed. In a container a program is blocked access to (critical) parts of the system. By containing file access (PumperNickel) and memory access (MemProtect) of vulnarable programs, you mitigate the impact of infections by malware (including exploits). Those vulnerable programs are only allowed to mess with their own (installation) folders. This is not a tight mitigation but still reduces impact of infections and also reduces the need for rules configuration (so less rule tweaking and more ease of use). Since the ini files are limited in size in the free versions, needing less rules is a nice bonus. Trying it out in simulation mode [#Lethal] When you want to try these free (tiny) drivers, just copy the code below to the ini files of MemProtect and Pumpernickel. After having tested them (the logs are in the Windows directory), you can change the [#LETHAL] to [LETHAL]. Removing the # turns the program from simulation to protection mode. Pumpernickel is by design Default Allow, MemProtect is default allow because I entered [DEFAULTALLOW] in the ini file. Using the log files As you can see, exception rules can be copied from the log (just add and an ! before the C and remove the spaces for and after the >). Have a look at the example below (using log file to allow access to Windows Caache folder). Just use the log to add priority whitelist rules (starting with an !). When your are done, just add an # for logging [#LOGGING], then both drivers stop writing to the log. Pumpernickel This is a kernel level file (access) monitor. In the code example below, Office (Excel, Winword, PowerPoint, etc) and Chrome are not allowed (blacklisted) to change UAC protected folders (Windows and Program Files). So they effectively run with file privileges of a Standard User. I run 32 bit OS, so you have to add C:\Program Files (86) when you use an 64 bits OS. The prority whitelist (rules starting with !) overrule blacklist, so both Office and Chrome are allowed to change their own folder and the Windows cache and temp folders. Code: [#LETHAL] [LOGGING] [WHITELIST] !C:\Program Files\Office\*>C:\Program Files\Office\* !C:\Program Files\Google\Chrome\*>C:\Program Files\Google\Chrome\* !C:\Program Files\*>C:\Windows\Temp\* !C:\Program Files\*>C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\* [BLACKLIST] C:\Program Files\Office\*>C:\Windows\* C:\Program Files\Office\*>C:\Program Files\* C:\Program Files\Google\Chrome\*>C:\Windows\* C:\Program Files\Google\Chrome\*>C:\Program Files\* [EOF] MemProtect MemProtect is a kernel level memory (access) monitor using a Windows OS-feature (protected processes) available on Vista and higher, but best used on Windows 8.1 and higher. Same approach with the memory container as the file container. Both Office and Chrome are not allowed to modify the memory of other programs (Blacklist C:\Program FIles\Office\*>*) . I also allow them to print (whitelist access to SPLWOW64). You will recognize the rule patterns (see post #9 below). Code: [#LETHAL] [LOGGING] [DEFAULTALLOW] [WHITELIST] !C:\Program Files\Office\*>C:\Program Files\Office\* !C:\Program Files\Google\Chrome\*>C:\Program Files\Google\Chrome\* !C:\Program Files\*>C:\Windows\splwow64.exe [BLACKLIST] C:\Program Files\Office\*>* C:\Program Files\Google\Chrome\*>* [EOF] Bottem Line When you add an Anti-Executable to the mix (or simply use Smartscreen on the desktop on Windows 8 and higher), I can't imagine anything breaking these layers (File access container, Memory access container and Anti-execution). I run them with Software Restriction Policies (as basic user which allows install and update from user folders with "Run as Admin").