How does it work? Without going into much detail a virtualization technique is used that emulates OS subsystems that allow virtualized applications to be run. These applications are run in sandboxes to avoid conflicts to the host system and other applications.

The virtualization technique is not limited to web browsers but can practically run any applications like video players, file sharing tools or Twitter clients. The available applications and web browsers can be started from virtually any modern web browser including Internet Explorer, Firefox or Opera. Firefox users will need to install a Firefox add-on that is provided on site before they can launch any applications.

A click on any web browser listed on the Xenocode website will launch the sandboxing process. This will start a Xenocode executable on the host system and the desired web browser. The core application uses about 25 Megabytes of computer memory and the applications launched in the sandbox use about 25-30 additional Megabytes.

It is a bit strange though that the core process will remain in memory even after closing down the sandboxed web browser. There is no obvious way to close the Xenocode application itself other than killing it in Windows Explorer. A fast computer system is definitely beneficial when running the sandboxed web browsers.

Xenocode provides an interesting way of test driving web browsers. The service could use some additional documentation and a close option for the core program though.

CW Sandbox is a web service with a similar looking frontend like all the other online virus scanners. What sets it apart is the remote secure environment that it uses to execute and analyze the files that get uploaded. It uses a sandbox to execute the file and will log all system activity that is connected to the file launch. The file analysis contains a summary but also detailed changes to the file system, the Windows Registry and network activity plus a technical summary with additional information.

Each report is divided into different categories. The File Changes for example contains categories that list newly created, opened and deleted files and a summary that lists all file operations in chronological order. The network activity analysis will detail connections that have been established including host names, IP addresses and if data has been posted to one of those addresses.

The submit form on the website of the project accepts files with a maximum size of 16 Megabytes. Zip files with up to 50 files can be uploaded to the service as well if the password is set to “infected”. A link to the file analysis will be send to the email address that the user enters when submitting the files.

CW Sandbox is an excellent online service that provides an in depth analysis of submitted files. The only drawbacks are the 16 Megabyte file size limit and that the reports are send to an email address with an undefined wait time. A ticket system on the website directly detailing the place in queue and the estimated wait time would be really helpful for users who are submitting files to the service.

Returnil Premium is a program that can emulate the operating system in a sandbox – a virtual environment – so that changes have no effect on the system itself but only to the sandboxed copy of it. It does not require lots of computer knowledge to run, the only thing that’s out of the ordinary is the (optional) creation of a virtual partition that will be used to store data when the sandbox is active. Here are the steps on how to use the security software:

• Installation: You get some options here most notable to run the system on the hard drive or computer memory. There is also the optional setting to create a virtual partition on the computer system to store data. An alternative would be to use online storage space.
• Running Returnil: You can start Returnil after a restart. Once Returnil is started it will redirected access to the virtual system so that the actual computer system will not be harmed. You can then use whatever application you like. Keep in mind that any changes that have been made to the computer system will be undone after a restart as they have only been made in the virtual system and not the actual one. Here is an example:

  If you bookmark a page while Returnil is running it will show up in the bookmark manager. It will however be gone after a restart of the system.

• Stopping Returnil: The only way to stop Returnil is to reboot the computer system.
• Saving Data: Two ways to save data. The first is to use the virtual partition to store the data on as it will not be erased after a reboot on that partition. The second is by utilizing online storage space. You can sync bookmarks online, save files there, edit Word documents and basically do most things online.

How does Returnil work?

It is obvious that Returnil cannot mirror dozens of Gigabytes of data in the sandboxed environment. There is actually no need to clone the whole system. All that needs to be done is to keep track of the changes to the system and act as a proxy between the computer system and the virtual system.

What are the differences between the free and the premium version of Returnil?

The premium version of Returnil adds quite a few features that make it interesting. The user can choose to cache data in the computer memory or on the hard drive, save sessions to continue working with them at a later point, relocate system folders, to browse and move files between the real hard drive and the virtual drive, shell integration and free customer support.

Returnil Premium adds much needed features to the virtualization software that are missing in the free version. The main benefit of both versions is the simplicity of usage. You only need to press one button to turn the protection on once it has been configured the way you want.

Remember, you can request your Returnil Premium key by following the link on top. Would be still nice to tell us what you think of it.

One small example. Downloading an infected file with your web browser or email client will have no negative impact on the core system. The virus will be executed in the virtual space and once that is purged, either manually or by logging off, it vanishes as if it never was executed in first place.

The software virtualization tool SafeSpace comes with a default set of applications that are always run in the sandbox and provides easy means to add additional applications. Besides that several directories, and their subdirectories, are automatically protected as well. This includes the Windows and Program Files directory among others.

SafeSpace protects the files and registry settings of the operating system by virtualizing any changes made by applications running inside SafeSpace. This means that applications can read the real data of Windows and any programs which are installed. But when applications attempt to make any changes to the real data, a virtual copy is created inside SafeSpace and the changes are made to the virtual data instead to prevent any changes from affecting the real data

SafeSpace provides a very clean and easy to use interface that is divided into a Privacy and Application tab basically. The application tab contains those applications that will run in the virtual environment while the Privacy tab contains folders and their status in the environment. Four statuses are available.

• Virtual: Files can be read normally but write processes are virtualized which ensures that the files remain unchanged
• Private: Applications running in the virtual environment can’t access those folders and files stored within.
• Read Only: Files can be read but no write process is allowed.
• Full Control: Gives virtual applications full control over the files in that folder.

When a software gets launched that is listed in the application list of SafeSpace it is specifically marked with a red border. This is a visual sign for the user that the application is running in a virtual environment.

Any file that gets downloaded from a virtual application will also be run in the virtual environment when it is executed even if it is saved in the “real” part of the hard drive.

The software virtualization application comes with another handy feature, a tool to prevent keyloggers for applications in the virtual environment.

Installation was not a problem at all. Just execute it like any other software and restart the computer at the end. Windows XP users need the Microsoft .net Framework 2.0 if they want to run the software virtualization application.

SafeSpace will have created the sandbox after the restart and applications like Firefox or Internet Explorer will automatically run in it.

All applications running on the system are divided into trusted and untrusted groups. Everything deemed untrustworthy is run in the virtual environment, this includes by default programs like Internet Explorer, Microsoft Outlook, Opera, Firefox, Safari and dozens more. The real beauty of the DefenseWall HIPS concept is that every process started by an untrusted application becomes untrusted as well.

This ensures a minimum amount of user interaction, i.e. popups that ask the user if he wants to trust the application or not. That’s one of the main reasons that those programs are highly unpopular because in their drive to protect the system they lay the burden of decision on the user, and the user, as we all know, is most of the time the biggest security threat of them all..

What is DefenseWall Hips protecting you against ? Basically against everything that is initiated by untrusted applications. It protects against Registry modifications, rootkits, keyloggers, trojans, worms and everything else that would be considered malware.

A new virus for instance downloaded by Internet Explorer can do no harm to the system because it is running in a sandbox. It can actually be terminated with one click of the mouse in the DefenseWall Hips interface. Protection itself is, mostly, policy-based. Thus, DW protects only the sensitive places of the registry as well as file system.

The only responsibility of the user is to add additional applications to the list of untrusted programs which is especially important for applications that have net access. Even if you are using a limited user account instead of an admin account on your computer you will increase the protection of your system because several attack vectors are known to work on this kind of accounts as well.

Folders can also be added to the untrusted group which can be helpful in certain situations. I’m thinking of ftp servers for instance or networks with shared directories.

DefenseWall HIPS runs on all Microsoft operating systems starting with Windows 2000 including Windows XP and Vista. The homepage links to several reviews and comparisons with other HIPS applications, good read if you want to find out more about it first.

As I said earlier ten readers will win a copy of DefenseWall HIPS with one year of free updates and priority support. All you need to do is comment on this article and let me know what you think of this product. Just post your opinion. I will draw the ten lucky ones in 48 hours. I do need to contact you on your email because I need your real name for program registration along with the email.

Sandboxie steps between the application and the system and allows only reads from the system itself but no writes. Writes are only allowed in the sandbox. This is great if you want to run applications without having to worry about system safety at all. It is still a good idea to be careful as usually when working with Sandboxie. If something bad slips through it is intercepted by Sandboxie.

It is a good idea to run applications that are used to attack computers with malware, spyware and viruses inside the sandbox to avoid that they reach your operating system. What can I say, it is a nice uncomplicated way to add an additional level of security to your system.