By Lincoln Spector
Every time you launch a new program, visit a website, or open a suspicious e-mail, something terrible could happen — even with honest software.
Even legitimate and malware-free software can insert itself where you don’t want it, dumping hundreds of entries into the Windows Registry — and malicious software will do much worse. Sandboxing can reduce your risk.
Isolating applications and files within Windows
A sandbox is an enclosed, controlled area of Windows in which a program can play without hurting anything outside the enclosure. Typically, a program you install inside a sandbox exists only there. It may proceed as if it were putting a file into a particular folder or changing the Registry, but those changes don’t exist outside the box.
You don’t have to confine your use of a sandbox to new, suspicious programs. You might reasonably trust your browser and your e-mail client but still find it prudent to run them in a sandbox occasionally. After all, you certainly can’t trust everything that comes through them.
Some antivirus programs, including Avast Antivirus and Comodo Internet Security, come with sandbox capabilities. But these features — especially in the free programs — are usually limited. For instance, the free version of Avast can automatically run new, untrusted programs in a sandbox, but you can’t run your existing browser or any other trusted program in one. I don’t recommend that you switch AV programs just to get an AV program’s sandboxing function.
Instead, I’ll tell you about the two best ways to sandbox programs. Neither of them completely passes the free-and-easy test. One costs money; the other takes time to set up.
Sandboxie: The best all-around sandbox tool
If you’re really serious about running programs in a safe environment, try Ronen Tzur’s Sandboxie (info). Designed solely for this purpose, it lets you create and run multiple sandboxes, launch any program within a sandbox, and control what happens to the files downloaded, saved, or created within a sandbox.