Using Software “Sandboxes” to Combat Malware
We’ve all noticed the trend: new malware is being written at an ever-increasing pace, and it seems that security professionals discover a new threat every day. Anti-malware products, however, do not appear able to keep up with the malware authors. So what can be done about this gap? Have you heard of software “sandboxes”? Read on and we’ll discuss some options available to help you fight the war against malware.
A recent study suggests that some anti-virus programs catch no more than 50% of malware. Studies of this kind are nothing new, but the numbers reported are staggering. The data reinforces the notion that in the battle of good versus evil, good is lagging behind: anti-malware vendors are failing to keep up with the constant stream of new or modified malware written every day.
So what can be done to keep malware from succeeding while anti-malware reliability deteriorates? There are several steps one can take to decrease the likelihood that malware will infect a PC. First, ask yourself: “Does everyone in your organization need access to the Internet?” More likely than not, a malware infection that arrives in an organization came directly from the Internet, either through someone visiting a malicious website or visiting a legitimate website that serves a compromised advertisement. Since cutting off Internet access for users may not be practical, another option to consider is to use “sandboxes.” No, I’m not talking about the fun-on-the-beach kind of sandbox, but rather software “sandboxes.”
The idea behind software sandboxes is simple: run programs in an environment separated from the operating system. In that sense, sandboxes resemble application virtualization: the changes a program makes while running inside a sandbox (files it writes, registry keys it creates, settings it alters) are never committed to the real operating system; instead they are captured inside the sandbox’s own container. Software sandboxes are nothing new, but they are now being considered more seriously because anti-malware software so often fails to catch new threats.
Let’s look at an example scenario. Say I visit a website with a browser that is running inside a sandbox, the website has been compromised, and it tries to install a malicious file that monitors keystrokes. When the file is downloaded and its installer runs, the installation never reaches the real system. That is not because the anti-malware software caught the file, but because anything spawned from the sandboxed browser is itself sandboxed: its writes land in the sandbox container, and it is not allowed to interface directly with the operating system, so the keylogger is gone as soon as the sandbox is emptied. Another nice feature is that if a website manages to compromise my browser while it is running inside a sandbox, I can delete the sandbox, or restore it to a previously saved point, and every action the website took on my browser is undone. One caveat: while the compromised browser session is still running, whatever I type into that browser is visible to it, so a sandbox limits how long an attacker’s foothold lasts and how far it reaches, not what happens inside the browser itself.
Software sandboxes can be used to sandbox any type of software, not just web browsers, but browsers are the kind of software that stands to benefit the most. As with any software that has advantages, there are disadvantages too. The main disadvantage of sandboxes is that they are disruptive and can impede legitimate use of software. In the browser example above, depending on which sandbox product is used, users may find it difficult to download legitimate files to their desktop. The reason is the same as above: because the browser is running inside the sandbox, the file it downloads is kept inside the sandbox rather than written directly to the desktop. Where the product offers a way to copy a file out of the sandbox, moving data from the sandbox to the real system becomes a deliberate user action, which is exactly the point, but it is also a step users have to learn.
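To make the redirect-and-rollback idea from the two paragraphs above concrete, here is an added Python model of how a sandbox treats the file system. It is an illustration written for this post, not code from Sandboxie, Virtual Sandbox, DefenseWall or any other product, and it leaves out what real products also handle (registry redirection, process isolation, deletions of real files). Every write from the “sandboxed” program is diverted into a container directory, reads fall through to the real directory unless the container holds its own copy, a `recover` step is the only way a file reaches the real disk, and deleting the container undoes everything. The file names, the `Startup` folder and the payload bytes are constructed sample data.

```python
"""Toy model of sandbox file-system redirection (added example, not a
real sandbox product). Writes are diverted into a container directory,
reads fall through to the real directory, and deleting the container
rolls back everything the sandboxed program did."""
import shutil
import tempfile
from pathlib import Path


class WriteRedirectSandbox:
    def __init__(self, base, container):
        self.base = Path(base)            # the real system's files
        self.container = Path(container)  # where sandboxed writes are stored
        self.container.mkdir(parents=True, exist_ok=True)

    def read(self, rel):
        """Sandboxed view: the container's copy wins, else the real file."""
        boxed = self.container / rel
        return (boxed if boxed.exists() else self.base / rel).read_bytes()

    def write(self, rel, data):
        """Sandboxed write: lands in the container, never on the real disk."""
        boxed = self.container / rel
        boxed.parent.mkdir(parents=True, exist_ok=True)
        boxed.write_bytes(data)
        return boxed

    def recover(self, rel):
        """Deliberate step copying one file out (e.g. a legitimate download)."""
        real = self.base / rel
        real.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(self.container / rel, real)
        return real

    def discard(self):
        """Delete the sandbox: every change the sandboxed program made is gone."""
        shutil.rmtree(self.container)
        self.container.mkdir()


def demo():
    """Walk through the post's scenario on constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="sandbox_demo_"))
    base, container = root / "real_system", root / "sandbox_container"
    (base / "Startup").mkdir(parents=True)
    (base / "Startup" / "readme.txt").write_bytes(b"real file")
    sb = WriteRedirectSandbox(base, container)

    # 1. A compromised page "installs" a persistence payload (constructed
    #    bytes, not real malware). Inside the sandbox it looks successful...
    sb.write("Startup/keylog.exe", b"MZ constructed payload")
    sandbox_view = sb.read("Startup/keylog.exe")
    # ...but the real Startup folder never received it.
    real_startup = sorted(p.name for p in (base / "Startup").iterdir())

    # 2. A legitimate download also stays in the box until explicitly recovered.
    sb.write("Downloads/report.pdf", b"%PDF-1.4 constructed")
    recovered = sb.recover("Downloads/report.pdf")

    # 3. Discarding the sandbox rolls the "infection" back; real files are intact.
    sb.discard()
    result = {
        "real_startup_after_drop": real_startup,
        "sandbox_saw_payload": sandbox_view == b"MZ constructed payload",
        "payload_gone_after_discard": not (container / "Startup/keylog.exe").exists(),
        "recovered_download_on_real_disk": recovered.exists(),
        "real_file_still_readable": sb.read("Startup/readme.txt") == b"real file",
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two sides of the trade-off in one pass: the dropped payload is visible only from inside the sandbox and vanishes on `discard()`, while the one file the user explicitly recovered is the only thing that ever touched the real directory.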
As with any new software, it is best to research and evaluate a sandbox thoroughly before deploying it on your network. Software sandboxes are great tools for denying malicious software unfettered access to a host system, but they are not without disadvantages. As we have said before, no single piece of software will ever secure your network 100%. Your best defense is still to apply patches regularly, keep anti-malware programs up to date, educate your users, and keep pursuing new technologies to help combat the growing threat of malware.
For your reference, here are a few sandbox utilities that we tested while writing this post:
- Sandboxie (http://www.sandboxie.com/)
- Virtual Sandbox (http://www.fortresgrand.com/products/vsb/vsb.htm)
- DefenseWall (http://www.softsphere.com/)