
Experimental Protection

Starting with version 4.02, Sandboxie is fully compatible with both 32-bit and 64-bit editions of Windows and provides full protection. The Experimental Protection setting is no longer needed and was removed.


The Experimental Protection feature is only available in versions of Sandboxie before 4.02.

To Enable Experimental Protection: Open Sandboxie Control > Configure Menu > Experimental Protection (64-bit)

The Problem

64-bit editions of Windows introduce a new security feature called Kernel Patch Protection. This feature aims to protect the core of Windows (the kernel) by regularly performing self-checks to detect changes.

The problem is that a stock Windows kernel does not provide all the facilities necessary to implement a security solution such as Sandboxie. On 32-bit Windows, Sandboxie can dynamically enhance the Windows kernel to provide the missing functionality. This was not initially possible on 64-bit Windows, due to the Kernel Patch Protection feature.

In simple terms, this means that Sandboxie was only able to partially monitor the use of some system objects that programs use to connect and communicate with each other. In principle, a malicious program running under the supervision of Sandboxie could communicate with a service running outside the sandbox, without Sandboxie noticing and blocking the communication.

Mitigation Through the Drop Rights Feature

It should be noted, however, that even with this disadvantage, the 64-bit edition of Sandboxie is still an adequate front line of defense against most types of malicious software.

Additionally, in order to compensate for this disadvantage, the 64-bit edition of Sandboxie enables the Drop Rights setting by default. This setting may need to be disabled before software can be installed into a sandbox.

The New Experimental Protection Feature

Version 3.56 of Sandboxie introduces the Experimental Protection feature, which can provide the missing kernel functionality through semi-official kernel interfaces. This is very similar to what the 32-bit edition of Sandboxie does, and does not circumvent Kernel Patch Protection or diminish its protection in any way.

However, because it uses kernel interfaces which are not fully documented or official, the feature is tagged as experimental. There is a small chance that a future update to the Windows kernel could render the feature inoperable and might even cause system crashes.

Note that system crashes related to Kernel Patch Protection do not generally occur immediately upon system start-up, but some minutes later.

You should generally enable the Experimental Protection mode, unless there is some reason not to do this.

To Enable Experimental Protection: Open Sandboxie Control > Configure Menu > Experimental Protection (64-bit)


Please note that the Experimental Protection feature is not offered in the 64-bit version of Windows 8.

Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings, LLC.  All rights reserved.