In fact, the Brothersoft link specifically states “Sandboxie 3.46 – Tested by 3 antivirus solutions; this software does not contain any kind of trojans, spyware or viruses.”

But, just curiosity’s sake, using a virtual machine with PC Armor (which tracks and can completely reverse ALL installs), I traveled to the Brothersoft link in question and downloaded Sandboxie 3.46. According to PC Armor, no drive-by install was attempted or succeeded. Then, I uploaded the Sandboxie file to VirusTotal.com, where it got a clean bill of health from all 42 anti-malware products. See link below:

http://www.virustotal.com/analisis/8e6cace5c716902733adc1508e5898cff36136709d3093089c2c6c5d52332ec6-1278837896

These improvements just have to filter out to the wider software community.

IL’s could also provide security by removing the ability to interact with important files or configuration items, by placing the browser at the lowest of integrity levels. I’ve only covered the basics here, because IL’s can go much further…

Microsoft is not promoting this technology to any degree, and as I hear, Firefox is a pain to make it work at low level.

Google is clearly attentive! Now if they can just get the hang of dealing w/ non-US govts!

It’s not. They’ve hacked it. Microsoft has literally hacked this thing into a hodge-podge of nothing but “we have security, but it’s optional” as is clearly the case.

The problem is that it’s too damn easy for someone to exploit a privileged account in Windows because it’s originally a single-user OS, not a multi-user OS.

It’s a target – a big red target. Nothing will ever change that until Microsoft takes the Windows design back to the drawing board and is open to risk breaking backwards compatibility with legacy applications by forcing them to secure themselves instead of making it an “option,” which is what it should do.

Look at what they did with my favorite games that only ran in XP or even 98 – can’t run Neverwinter Nights in Vista reliably, nor can I use the expansions.

It appears the priorities at MS are somewhat…backwards?

•“Opt-In” – In this mode of operation DEP is enabled only for processes that explicitly opt-in to DEP. This is the default configuration for client operating systems such as Windows XP and Windows Vista.
•“Opt-Out” – In this mode of operation DEP is enabled by default for all processes except those that explicitly opt-out of DEP. This is the default configuration for server operating systems such as Windows Server 2003 and Windows Server 2008.
•“Always On” – In this mode of operation DEP is always enabled for all processes regardless of whether the program is compatible with DEP or not.
•“Always Off” – In this mode of operation DEP is always disabled for all processes.

You cannot just turn on DEP for all programs (except by forcing Always On by changing the boot.ini). Each program has to be made compatible by its developer. What is really interesting is if you are brave enough to set DEP to Always On. I don’t know anyone who has been able to run XP for more than a few minutes with Hardware DEP set to Always On which means ALL processes always run with DEP applied. Plus, the only options for DEP in Performance Options in System Properties is either Opt In or Opt Out. You CANNOT turn on Always On there. You have to do it manually by altering the boot.ini file.