Sandboxes and virtual machines are two different technologies that share enough characteristics to make them easily confused.
Let’s look at the three scenarios: the default case without either, a sandbox, and a virtual machine.
Become a Patron of Ask Leo! and go ad-free!
First, a caveat for the knowledgeable: this is, of necessity, an over-simplification. I’m not trying to define exactly how these technologies work at a bits-and-bytes level. This is a high-level overview meant to convey the concepts for a basic understanding, nothing more.1
Windows on its own
Let’s start with a conceptual view on how Windows and Windows applications operate (at a very high level).
Applications running in Windows interact with the machine (and with you) through Windows.
Windows manages access to the files and on-disk resources; it also manages access to the hardware through the device drivers that are installed for your machine’s specific hardware configuration.
A sandbox under Windows
In a sense, a sandbox is a container placed around an application running within Windows.
One of the three applications in this example is drawn as being within a sandbox, including a portion of the “Files & Settings” used by that application.
Therein lies the magic.
When you run an application inside a sandbox, it continues to have access to everything that it would were it not sandboxed. The primary difference is that anything created or changed by the sandboxed application is:
- Not visible outside of the sandbox; other Windows applications don’t see it.
- Not saved when the sandboxed application exits.2
The best example is simply that any malware that might have been downloaded and “installed” by the sandboxed application is discarded when the application exits.
A virtual machine under Windows
A virtual machine, or VM, is an application running under Windows that creates an environment simulating a completely separate computer.
In this diagram, the application on the left is a VM running a completely separate copy of Windows. In a sense, it’s a “machine within a machine.” Windows running on the actual PC is often referred to as the “host” operating system, while any VMs running on it are referred to as “guest” operating systems.
Within a VM, applications continue to access the world around them through that VM’s copy of Windows. That “world” includes that VM’s own virtual hard disk, on which files and settings are stored.
The VM also includes its own set of virtual device drivers that behave as if they’re interfacing to actual hardware. In reality, they’re mimicking the presence of actual hardware and talking to the host copy of Windows to gain access to the real hardware.
Everything that happens in the VM stays within the VM. It behaves exactly as if it were a completely separate physical machine.
That implies that any downloads, changes, updates, installations created or saved within the virtual machine is only accessible from within the VM in some way.
And if you delete the VM, it’s like getting rid of a PC. Everything on the virtual hard disk is erased.
Multiple virtual machines
One of the best ways to demonstrate virtual machine technology is a scenario such as this one.
This illustrates a single PC running three virtual machines.
- The PC itself is running Windows 7
- One VM is running Windows XP, and would appear as a window within the host Windows 7 machine.
- One VM is running another copy of Windows 7, and would appear as a window within the host Windows 7 machine.
- One VM is running Ubuntu Linux, and would appear as a window within the host Windows 7 machine.
One physical machine runs three different virtual machines simultaneously.
Each virtual machine is completely separate — as if it was on completely separate hardware — except that it’s not.
This is actually more common than you might imagine. For example, so-called “cloud servers” are nothing more than virtual machines. As I write this, the Ask Leo! website is hosted on a modest virtual machine on a virtual hosting provider. I have no idea what the underlying hardware actually is; the virtual machine can’t look “out” to its host. My assumption is that it’s a fairly beefy piece of hardware on which several virtual machines are hosted.
Pros and Cons
Sandboxing doesn’t require much in the way of additional RAM or disk space, and is fairly easy to set up and use. I say “fairly” because there are complexities, most notably about how to preserve desired changes outside of the sandbox.
For example, if your browser is sandboxed (the most common scenario), getting a downloaded file that you want to use outside the sandbox may take a few extra steps. Other changes you might want to preserve while you’re in the sandbox can also be slightly complicated to retain.
Virtual machines can be resource hungry. Among other things, you’ll need to allocate disk space to the virtual hard drive and choose how much of your computer’s RAM to dedicate to the VM while it’s running.
When discussing the characteristics of a virtual machine, the phrase that keeps coming up is “just as if it were a separate physical machine”. And when looking at what a VM can and cannot do, and what it takes to set one up, that’s the best rule of thumb to remember.
Setting up a VM typically involves installing an OS from scratch. In the multiple-VM example above, each virtual machine would need to be set up — just as if they were separate physical machines.
A virtual machine and its host are effectively isolated from each other. A common way to copy files to and from the virtual machine is to set up network access on that machine — just as if it was separate physical machine.
As you can see, a VM is perfect if you want a completely isolated “virtual” second (or third, or fourth) machine. It’s also perfect if you want that machine to run a different operating system than its host. For example, I no longer have a physical machine that has Windows XP installed on it, but I have a virtual machine I can fire up at will on my primary desktop (currently running Windows 10) that provides me a copy of Windows XP to work with.
One of the most popular sandboxing tools is called “Sandboxie“. Originally developed as a Sandbox for IE (hence the name), it’s grown into a powerful and flexible general purpose sandboxing solution. Unfortunately, it’s not free.
These days I use VirtualBox, a free and open-source VM solution for both Windows and Mac. I have clean installs of Windows 10 Home, Pro, Windows 7, and as mentioned above, Windows XP, that I can run as needed on my primary machine (which itself runs Windows 10 pro).
For many years, I used Parallels Desktop to run many of those same incarnations of Windows on my Mac Pro.
Finally, VMWare is another popular VM provider. There are many pre-configured VMWare “appliances” you can download and run. For example, you can download a ready-to-run VMWare appliance that is Ubuntu Linux without having to go through the steps of setting up the operating system.
Microsoft confuses terminology — again
Some editions of Windows 10 now include a feature called a “sandbox”. Naturally, it’s not a sandbox as I’ve described above. While not a full-fledged virtual machine, it’s close. When you run the Windows 10 sandbox, you’re running a lightweight but separate instance of Windows itself.
It’s convenient, since other than enabling the feature in Windows and running the tool, there’s little to set up.3 It can be a quick way to set up a safe environment to test items in isolation from your primary operating system.
Full-blown virtual machines such as VirtualBox aren’t for everyone. However, if you know it’s what you need and you have the hardware to support it, it’s incredibly cool technology. I use it almost every day.
Sandboxing tools are easier to use, and many people swear by them. Particularly if your Windows 10 edition supports it and your computer meets the hardware requirements, the Windows 10 sandbox might be worth investigating as an additional tool in your security toolbox.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Footnotes & References
1: In other words, no nit-picking, please.
2: Specific sandbox implementations may provide mechanisms to transfer or save data out of the sandbox, but the important concept here is that, unless such steps are taken, any changes made by the sandboxed application are lost.
3: Unfortunately, it does seem to conflict with VirtualBox.