Sandbox, Virtualization, and Lockdown. Other Antimalware Methods

Sandbox, Virtualization, and Lockdown
If you think of a sandbox as a “virtual workspace”, the concept has been around a long time. A RAM drive is a virtual workspace, since upon reboot nothing written to that drive remains.

One of the problems with the early RAM drives was the 32MB limitation of the Windows ramdrv.sys. An interesting product that was used for some time was vRamDir, a virtual RAM drive that could be as big as your available free RAM. Also, you could remap directories to it. It was common to load temp and cache directories into RAM on startup. Running applications in RAM was really fast. This was in the days before fast CPUs. We didn’t think of it so much for security as for speed. For example, I knew programmers who compiled in a RAM drive.

In more recent times the technology has been incorporated as a security tool. A virtual PC is like a sandbox - any configuration changes on it have absolutely no effect on the host system, but are based on the host system’s hardware.

A company called SoftGrid has its SystemGuard™ - “because applications bring their own set of configurations and run within a protective virtual run-time ‘sandbox,’ there is no dependency or effect on the configuration of the machine running them.”

Windows Servers include this technology. From my WinServer2003 notes: “The new Software Restriction Policies (SRP) feature creates a virtual ‘sandbox’ that prevents unauthorized code execution.”

Tiny firewall uses sandbox technology.

Another group of programs uses the ‘sandbox’ idea to protect the system. A sandbox is the use of a virtual container in which untrusted programs can be safely run.

Sandboxie is a true stand-alone sandbox program. Their site diagrams nicely how it works:

ShadowUser works on a similar principle, where the ‘ShadowMode’ creates a virtual volume:

RollBack Rx claims to write-protect the HD and create ‘Scratch Space’.

The programs below use virtualization. Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.
Returnil uses a powerful virtualization technology that completely mirrors your actual computer setup and it can create a virtual storage disk within your PC where you can save documents, data, and files while using the System Protection feature.

BufferZone’s revolutionary virtualization technology creates an isolated zone on your PC, which separates your operating system and confidential data from unknown programs, downloads and files. Unlike anti-virus and anti-spyware software, BufferZone Free requires no signature updates at all, while protecting your PC against spyware, adware and viruses - even new and yet unknown ones downloaded using your P2P, Web browser or instant messaging software.

The programs below use lockdown. Lockdown pertains to a state of containment or a restriction of progression. You could almost say that it freezes time.

Deep Freeze - ‘locks down’ the system but doesn’t use virtualization. Deep Freeze = locked volume content; changes revert on restart; content can only be changed in a thawed state. Once changed in a thawed state, that’s the content moving forward. Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte.

First Defense ISR = Take system snapshots (akin to snapshots on a VM) and boot to any of them. Any snapshot can be used as a live system. Can revert to any previous snapshot state. Think of it as akin to keeping an online jukebox of system drives and being able to choose any one you want via a preboot menu. Downside is that the current program is being replaced by the only distributor of the product (Horizon Data Systems) with a version that allows retention of a single snapshot only. More mass market potential. Also, the freeze option (similar to Deep Freeze) is gone on the current HDS release. I think they stop selling the full FD-ISR Workstation at the end of this month.

Both work. Deep Freeze is designed for a static system with forced restoration on any restart and takes minimal HDD space. FirstDefense-ISR is designed for immediate restoration of a dynamic system in which states are preserved across restarts, but can be bumped by a forced snapshot change or restoration. Snapshots take a bit of space (a few to maybe 10 GB depending on what your machine looks like and how you take a snapshot). Cost per seat is different as well.

These types of programs are becoming popular as the foundation of a security system. Each program works on different principles and levels of restriction.
Some people admit that they run such a program + firewall and little else.

This evening in the AntiMalware by Trustware thread Eyal Dotan, the author & CTO of AntiMalware, wrote:

…what AntiMalware’s BufferZone does is virtualize untrusted processes’ “Write” access to FileSystem & Registry

For those who have experienced problems and conflicts with various ‘sandbox,’ ‘lock-down’ or ‘virtualization’ programs, most people using them (ShadowUser and Deep Freeze especially) stress starting with a clean system. I would uninstall all AV/AT etc programs, then install SU, AM, Sandboxie or whatever - use that as the foundation - and then add other programs to see at what point you have conflicts.

Immediate Recovery Softwares VS On Demand Scanners


  1. ISR-softwares is the collective name for all Immediate System Recovery softwares:
  • DeepFreeze
  • FirstDefense-ISR + clones
  • PowerShadow
  • Returnil
  • RollbackRx + clones
  • ShadowDefender
  • ShadowUser

  • Softwares like Sandboxie, DefenseWall, … don’t belong in this list because they don’t recover an entire system partition.

The main goal of ISR-softwares is to keep your system (partition) UNCHANGED, not your personal data.
Although they all use a different method to keep your system UNCHANGED, the final result is the same: they reset your system during reboot. Some do it even better than others.

  2. An On Demand scanner is any scanner that is used as a second scanner. MAIN scanners are not included in this thread.
    Personally, I consider MAIN scanners without a real-time shield also as ON DEMAND scanners. If you don’t agree with me, tell me why.

The main goal of ON DEMAND scanners is to detect/remove any malware, that wasn’t detected/removed by the MAIN scanner.
It doesn’t really matter if it’s an AV/AS/AT/…-scanner, because there is no clear distinction anymore, they all remove something bad, that doesn’t belong on your system and that is important.

To keep it pure, no other security softwares are involved than ISR-softwares and ON DEMAND scanners.
I won’t use the term ON DEMAND scanners anymore; I call them scanners for the rest of my post.

Vulnerable Period
ISR-softwares have a vulnerable period between two reboots.
Scanners have a vulnerable period between two scans.
Both allow installation and execution of any malware during that period. So there is no difference and that means it doesn’t matter.

Removal of Malware
ISR-softwares remove any CHANGE and that means a complete removal of all bad changes.
ISR-softwares don’t need signatures or heuristics to remove any malware, in other words they remove:

  • any known malware
  • any unknown/undiscovered malware
  • any malware created in the future.

Scanners remove only what they recognize as malware, using signatures, heuristics, packer & suspicious detection; anything else remains on your hard disk.
Each scanner has a different signature database, so only the different signatures make a scanner special.
This means that ONE scanner might not be enough. So how many scanners do you need? One, two, three, …?
This is a problem in theory. This problem is usually solved in practice by ignoring the theory and making a final choice, but that doesn’t mean the problem is solved.
The bottom line is that scanners and even MAIN scanners, don’t guarantee a complete removal of malware.

Removal Time
ISR-softwares remove malware on reboot, which is usually very short, in my case less than 2 minutes, and FDISR is certainly not the fastest one.

Scanners require a lot more than 2 minutes to do a full scan. The more scanners you have, the more time you need to run them.

Some users run scanners only one time a week. If this scanner finds a malware, it means that this malware has been on your system during a period of 1 up to 7 days. That is the same as leaving a burglar in your house for 1-7 days to steal whatever he wants or to destroy whatever he wants. So running a scanner one time a week is absurd and only proves that users want to save time, because there is no scanner of 2 minutes.

Since the reboot-time is so short, you can reboot more than one time a day, which means a shorter vulnerable period.

False Positives
ISR-softwares don’t have false positives at all.

Scanners do have false positives, not all the time, but when it happens, these false positives will be removed by less-knowledgeable users, damaging their own system this way. Kind of suicide.


  1. Regarding the vulnerable period, there is no difference.
  2. Regarding removal of any malware, ISR-softwares are clearly the winners.
  3. Regarding removal time, ISR-softwares are again clearly the winners.
  4. Regarding false positives, ISR-softwares are again clearly the winners.

So ISR-softwares are much better than ON DEMAND scanners. You can almost say that ISR-softwares put all malware into the “BERMUDA TRIANGLE”, literally.
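The two claims in the post above, that a reboot-to-restore product removes any CHANGE regardless of signatures while a scanner removes only what it recognises, and the caveat at the top that only the system partition is kept unchanged, not personal data, can be made concrete on a directory tree. The Python below is an added example written for this page, not code from Deep Freeze, FD-ISR or any product in the list: the two “partitions” are temporary directories, the dropped files and the one-entry signature database are constructed, and `take_baseline` / `reboot_restore` stand in for freeze and restart.

```python
"""Reboot-to-restore vs. an on-demand signature scanner, modelled on a
directory tree. Added example for this page; not the code of any product named
in the thread. 'C' is the protected system partition, 'D' an unprotected data
partition; the dropped files and signature database are constructed."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed signature database: the scanner "knows" exactly one sample.
SIGNATURES = {hashlib.sha256(b"known-trojan").hexdigest()}


def tree_hashes(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def signature_scan(root: Path) -> list[str]:
    """On-demand scanner: deletes only files whose hash it recognises."""
    removed = []
    for rel, digest in tree_hashes(root).items():
        if digest in SIGNATURES:
            (root / rel).unlink()
            removed.append(rel)
    return removed


def take_baseline(system: Path, store: Path) -> dict[str, str]:
    """'Freeze': copy the system partition aside and record its hashes."""
    if store.exists():
        shutil.rmtree(store)
    shutil.copytree(system, store)
    return tree_hashes(store)


def reboot_restore(system: Path, store: Path) -> list[str]:
    """'Restart': throw the live system partition away and reinstate the
    baseline. Returns every path that differed (added, modified or deleted)."""
    live, frozen = tree_hashes(system), tree_hashes(store)
    shutil.rmtree(system)
    shutil.copytree(store, system)
    return sorted(rel for rel in set(live) | set(frozen) if live.get(rel) != frozen.get(rel))


def infect(system: Path, data: Path) -> None:
    """Constructed 'infection': a known and an unknown binary dropped on the
    system partition, one system file modified, and one file left on the data
    partition, which the restart does not cover."""
    (system / "windows/system32/svch0st.exe").write_bytes(b"known-trojan")
    (system / "windows/system32/lsass2.dll").write_bytes(b"unknown-zero-day")
    (system / "windows/system32/hosts").write_text("127.0.0.1 update.example\n")
    (data / "Documents/invoice.pdf.exe").write_bytes(b"unknown-zero-day")


def run_demo() -> dict:
    root = Path(tempfile.mkdtemp())
    system, data, store = root / "C", root / "D", root / "frozen"
    (system / "windows/system32").mkdir(parents=True)
    (data / "Documents").mkdir(parents=True)
    (system / "windows/system32/hosts").write_text("127.0.0.1 localhost\n")
    (data / "Documents/thesis.docx").write_bytes(b"user data")
    system_baseline = take_baseline(system, store)
    data_before = tree_hashes(data)

    infect(system, data)
    caught = signature_scan(system) + signature_scan(data)   # only the known sample goes
    left_after_scan = sorted(rel for rel, h in tree_hashes(system).items()
                             if system_baseline.get(rel) != h)
    reverted = reboot_restore(system, store)                 # everything on C goes
    result = {
        "scanner_removed": caught,
        "left_after_scan": left_after_scan,
        "reverted_on_restart": reverted,
        "system_matches_baseline": tree_hashes(system) == system_baseline,
        "survived_on_data_partition": sorted(set(tree_hashes(data)) - set(data_before)),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The scanner deletes the one file it has a signature for and leaves the unknown DLL and the modified hosts file in place; the restart reverts all three without knowing what any of them is. The file dropped under `D:\Documents` survives the restart, which is the practical limit of this approach: anything the malware wrote outside the protected partition, and anything it sent off the machine during the window between reboots, is untouched.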

Very interesting post there.
Can I mention Altiris SVS which is an Application Virtualisation utility.

“Altiris® Software Virtualization Solution™ software is a revolutionary approach to software management. By placing applications and data into managed units called Virtual Software Packages, Software Virtualization Solution allows you to instantly activate, deactivate or reset applications and to completely avoid conflicts between applications, without altering the base Windows installation.”

Of course, the more info the better. I also want to learn more about the others. That’s what sharing knowledge is all about.

Thank you for taking the time to write this up, ultragunner. Lots of good info. I have been using Sandboxie for a couple of months with Vista and am mostly happy with it. After reading your post I have also decided to give Deep Freeze a try as well. I tried to find a download for First Defense but the link only goes to an info page and I could not find it for download. No worries, like I said, I’ll just give Deep Freeze a try instead.
On a side note, I have yet to have any compatibility problems between CFP V3 and any other program. I freely admit the problems I have had are mostly my mistakes.


This phrase sounds very familiar… Are you ErikAlbert, or did you copy his post?

The familiar thing, does it include the hidden words behind the red bar too? ;D

wooooohooooooooo

Hmmm, how do I make the white background?

Hmm, quite interesting. Also, newer antiviruses and HIPS are incorporating virtualization and sandbox concepts. The antivirus I found this most prevalent in is Trustport. Trustport’s multi-engine (up to 4 engines and one antispyware engine) uses sandbox technology for web and file defenses. NOD32 also uses this now with unpacking archives and running files (yay NOD ;) ).

As for HIPS, the new Prevx product, Prevx anti-malware, runs everything in a sandbox and scans it as it goes. (Prevx’s anti-malware is a new product, so forgive me if it’s not a HIPS.)

So this technology is quite useful. I’m looking into ZoneAlarm’s Forcefield, which is a virtualization product. Everything downloaded is run inside Forcefield’s little computer, and when you exit the browser everything in it (unless you want to keep it) is deleted.

In theory I could download and install Spyware Sheriff (a known rogue application) and when I exit Firefox, BAM, Spyware Sheriff is gone! What’s also great about Forcefield is that it has phishing protection, and when you download something Forcefield scans the file for viruses and spyware.

Here is the product page ZoneAlarm by Check Point

and hit ‘Learn about Forcefield’ to get the clear read-out.

Old news. Antiviruses have been using those for ages… (okay, only a few of them, but you know what I mean…)

AVs have been using emulation so that they can run suspected malware within this environment. Sandboxing, however, is similar but different in application, in that you are allowed to browse and all the changes are stored within this sandboxing environment. You are right though, they are similar in theory but different in technology and implementation. For example: emulators used by AVs emulate the CPU so that an executable file thinks it is executing within this emulator, getting naked for the AV to see; however, sandboxing doesn’t do that. Sandboxing works by redirecting any change requests to your files/registry etc. to a temp folder, storing it all there and then deleting it if you don’t like it.

hope this clarifies the difference.
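Eyal Dotan’s line quoted earlier in the thread (virtualizing untrusted processes’ write access to the file system and registry) and the description in the post above (change requests redirected to a temp folder, kept or deleted afterwards) are the same copy-on-write mechanism. The Python below is an added example written for this page, not Sandboxie’s, BufferZone’s or any vendor’s code: a `Sandbox` class sends writes and deletes into a box directory, reads fall through to the real tree, and the box can be discarded or selectively recovered. The directory names, the `.deleted` tombstone convention and the actions of the “untrusted program” are all assumptions; the registry side is not modelled.

```python
"""Write-redirection sandbox for files, as described in the thread: an
untrusted program's writes and deletes land in a box directory, reads fall
through to the real tree, and the box is discarded or selectively recovered.
Added example for this page; not Sandboxie's, BufferZone's or any vendor's
code. Directory names, the tombstone suffix and the 'program' are assumptions."""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

TOMBSTONE = ".deleted"  # assumed marker: "this real file was deleted inside the box"


class Sandbox:
    def __init__(self, real_root: Path, box_root: Path) -> None:
        self.real, self.box = real_root, box_root
        self.box.mkdir(parents=True, exist_ok=True)

    def _boxed(self, rel: str) -> Path:
        return self.box / rel

    def _tomb(self, rel: str) -> Path:
        return self.box / (rel + TOMBSTONE)

    def read(self, rel: str) -> bytes | None:
        """Read-through: a boxed copy shadows the real file; a tombstone hides it."""
        if self._tomb(rel).exists():
            return None
        for candidate in (self._boxed(rel), self.real / rel):
            if candidate.is_file():
                return candidate.read_bytes()
        return None

    def write(self, rel: str, data: bytes) -> Path:
        """Copy-on-write: the new content goes into the box, never to the real path."""
        target = self._boxed(rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        self._tomb(rel).unlink(missing_ok=True)   # re-creating undoes an in-box delete
        return target

    def append(self, rel: str, data: bytes) -> Path:
        """Appends start from the boxed copy if there is one, else from the real file."""
        return self.write(rel, (self.read(rel) or b"") + data)

    def delete(self, rel: str) -> None:
        """A delete drops only the boxed copy and leaves a tombstone; the real file stays."""
        self._boxed(rel).unlink(missing_ok=True)
        tomb = self._tomb(rel)
        tomb.parent.mkdir(parents=True, exist_ok=True)
        tomb.touch()

    def changes(self) -> dict[str, str]:
        """What the untrusted program believes it did to the system."""
        out = {}
        for p in sorted(self.box.rglob("*")):
            if not p.is_file():
                continue
            rel = p.relative_to(self.box).as_posix()
            if rel.endswith(TOMBSTONE):
                out[rel[: -len(TOMBSTONE)]] = "deleted"
            else:
                out[rel] = "modified" if (self.real / rel).exists() else "added"
        return out

    def recover(self, rel: str) -> Path:
        """Deliberately move one boxed file out into the real tree (the 'keep it' case)."""
        dst = self.real / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(self._boxed(rel)), str(dst))
        return dst

    def discard(self) -> None:
        """Close the sandbox: everything the program wrote or deleted is forgotten."""
        shutil.rmtree(self.box)
        self.box.mkdir()


def run_demo() -> dict:
    root = Path(tempfile.mkdtemp())
    real, box = root / "C", root / "Sandbox"
    (real / "Windows/System32/drivers/etc").mkdir(parents=True)
    (real / "Users/me/Documents").mkdir(parents=True)
    hosts = real / "Windows/System32/drivers/etc/hosts"
    hosts.write_bytes(b"127.0.0.1 localhost\n")
    (real / "Users/me/Documents/notes.txt").write_bytes(b"keep me\n")

    sb = Sandbox(real, box)
    # Constructed 'untrusted program': drops a binary, poisons hosts, deletes a document, saves a download.
    sb.write("Windows/System32/svch0st.exe", b"dropper")
    sb.append("Windows/System32/drivers/etc/hosts", b"127.0.0.1 update.example\n")
    sb.delete("Users/me/Documents/notes.txt")
    sb.write("Users/me/Downloads/report.pdf", b"%PDF-1.4 wanted\n")

    result = {
        "hosts_seen_inside_box": sb.read("Windows/System32/drivers/etc/hosts"),
        "hosts_on_real_disk": hosts.read_bytes(),
        "notes_seen_inside_box": sb.read("Users/me/Documents/notes.txt"),
        "changes": sb.changes(),
    }
    sb.recover("Users/me/Downloads/report.pdf")   # the one thing the user wants to keep
    sb.discard()
    result["recovered_download"] = (real / "Users/me/Downloads/report.pdf").read_bytes()
    result["dropper_after_discard"] = sb.read("Windows/System32/svch0st.exe")
    result["notes_after_discard"] = sb.read("Users/me/Documents/notes.txt")
    shutil.rmtree(root)
    return result
```

Inside the box the program sees its poisoned hosts file and a missing notes.txt; on the real disk neither changed. Discarding the box removes the dropper and brings notes.txt back, and the one download the user chose to keep was moved out first. The caveat a practitioner should keep in mind: this class only redirects callers that go through it. The products in the thread do the redirection below the application, in the kernel, precisely so that the untrusted program cannot opt out of it, and the same strength-of-enforcement question applies to any user-mode sandbox.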


Nope, as Melih said, we’re talking about two different things.

I’m not talking about emulation (that would be something closer to what ESET has).

I would recommend you check out Bitdefender’s BHAVE, or Norton’s sandbox; neither uses emulation. The former is actually true virtualization, described as similar to VirtualPC; the latter is sandboxing close to Sandboxie.