How reliable is Sandboxie, or similar programs, for verifying that something isn't going to rape your computer? Or at least, at keeping a log of what registry and file changes it makes.
Not sure what Sandboxie is, but a virtual machine is (should be) fine to use.
Well, I can't say I've used this particular software, but any security software makes your PC only as secure as the software itself. It sounds like they have the right IDEA, but it's hard to say if their sandboxing implementation is as secure as they say, because it's closed-source. Note that I'm not claiming that an open-source version would be automatically more secure or that theirs is necessarily insecure, just that you have to take their word about the security of their programming practices.
Specifically, there are a few issues with using something like Sandboxie as a security tool. For one, it DOES NOT restrict read access at all. Any sandboxed process can read any file on your PC, open network ports and send any data it'd like. In other words, it offers no protection against actual keylogger operation, just keylogger installation. If a keylogger is running from a sandboxed process, it'll still be able to record your keystrokes, take screenshots, search through other processes' memory for cached passwords, etc. It just won't survive a reboot or sandbox destruction. Note that this might not apply in Vista with UAC enabled; I don't have much experience with it.
For two, as I mentioned earlier, you're trusting their software to be free from security holes itself. It's not impossible to detect that you're sandboxed, and sufficiently smart programs may be able to exploit Sandboxie itself and gain root access. It's unlikely, but the possibility might go up if sandboxing becomes more widespread.
Lastly, it's just a bad idea to be running anything that you suspect may be insecure, no matter how much protection you think you have. Murphy's Law applies: the one thing that you don't have protection against will just happen to be the method that the malicious program uses. It's always safest to just shift-delete and find a more reliable source.
That all said, it's something that I'll definitely be playing with and possibly using in the future. Even if it's not a "silver bullet", it has its uses, and unless it's really a badly written piece of trash, you're probably more secure using it than not using it. Regarding logging, I really don't know what kind of facilities it has. However, I can recommend ProcMon (downloadable from MS Technet here), which has extremely detailed logging capabilities.
About VMs, they're more secure as they offer a barrier to reading as well as writing. However, the same potential security issues exist; there've been proof-of-concept attacks that let code "break out" of the VM and access the host system, although it's something that's extremely difficult to do in practice. The downside to VMs is that they take a lot of space and are time-intensive to set up. Once they're set up, they're pretty good, and the snapshot capabilities of something like VMware make rollbacks to a "clean state" very easy after you're done testing.
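On the logging question, a before/after snapshot diff is the simplest way to record what a tested program left behind on disk. The script below is an added example, not code from this thread or from Sandboxie; the directory tree and file changes in `demo()` are constructed to stand in for a real sandbox run, and the file names are made up.

```python
"""Snapshot a directory tree before and after running an untrusted program and
report what it created, modified or deleted.  Added example, not code from the
thread or from Sandboxie; files only (a registry diff would need winreg), and it
records end results, not each operation the way ProcMon does."""
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Sorted lists of paths that appeared, changed content, or vanished."""
    return {
        "created": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }


def write(root, rel, text):
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario standing in for a sandbox run: build a tree, take
    the 'before' snapshot, simulate the program's changes, then diff."""
    root = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(root, "sub"))
        write(root, "a.txt", "original")
        write(root, "sub/b.txt", "to be deleted")
        before = snapshot(root)
        write(root, "a.txt", "tampered")                   # modified
        os.remove(os.path.join(root, "sub", "b.txt"))      # deleted
        write(root, "c.txt", "dropped file")               # created
        return diff_snapshots(before, snapshot(root))
    finally:
        shutil.rmtree(root)
```

A file that is written and then restored between the two snapshots shows up as unchanged, which is exactly the gap a live monitor like ProcMon closes.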