Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Application Isolation: Basics and Directions

Created: 03 Oct 2007 | 6 comments
Language Translations
R-Vijay's picture
0 0 Votes
Login to vote

Application Isolation is the process which ensures that the packages that we create won't interfere with each other by scanning them to determine if they are using only local resources and DLLs. Isolating an application with its support files ensures that your application always uses the version of shared files with which it was installed.

Why isolate an application?

  1. Application isolation is one solution to component versioning conflicts, or DLL hell.
  2. Isolation reduces versioning conflicts by modifying an application so it always loads the versions of components – such as DLLs – with which it was originally developed and tested.
  3. Application isolation provides increased stability and reliability for applications because they are unaffected by changes caused by installation and ongoing maintenance of other applications on the system.
  4. Resolve incompatibilities between different versions of shared components.
  5. Reduce the complexity of the installation by storing COM activation data in a manifest instead of the registry.
  6. Insulate the application from changes to shared components.

How to isolate an application.

Application isolation can be performed using one of these two methods.

  • Assemblies and manifests
  • MSI isolated components

Assemblies and Manifests:

Application isolation using assemblies and manifests is the recommended isolation method for Windows XP. Assemblies are DLLs or other portable executable files that applications require to function, and manifests are XML files that describe either an isolated application or an application's assemblies. These assemblies and manifests provide the same end result as Windows Installer isolated components, but keep all information outside of the registry and do not require the components to be installed in the same folder as the application. This reduces the chance of errors after isolation resulting from how the application was written.

MSI Isolated Components:

Application isolation using Windows Installer isolated components is best applicable for Windows 98 SE, Me, and 2000. It can also be used on Windows XP, but using assemblies and manifests is the better solution. The isolated component method copies shared files (typically DLLs) into an application's folder instead of a shared location. The application then uses these files instead of global ones, preventing modifications made by other applications from affecting the shared files. As a result, the application always uses the versions of these files with which it was deployed.

Application Isolation Using Admin Studio:

To isolate applications within a Windows Installer package (.MSI) or merge module (.MSM) using AdminStudio:

  1. Open AdminStudio and launch the Application Isolation Wizard.
  2. From the Welcome panel, click Next.
  3. From the Windows Installer File Selection panel, specify the Windows Installer package (.msi) or merge module (.MSM) containing applications you want to isolate. Click Next.
  4. From the Isolation Method panel, select the isolation method(s) (discussed above) you want to use.
  5. If you are using manifests, you can click Advanced to configure manifest properties and digital signature information (if required).
  6. Click Next.
  7. From the Summary Information panel, confirm the isolation selections. If you are using manifests, you can click Advanced to configure manifest properties and digital signature information (if required).
  8. If you want to manually configure isolation, click Modify.
  9. Click Isolate.
  10. From the Completing the Application Isolation Wizard panel, click Finish.

Depending on the isolation method used in the Application Isolation Wizard, you can partially or totally isolate an application.

Application Isolation Using Wise Package Studio:

The Application Isolation wizard in Wise Package Studio provides a quick and easy way to isolate applications with their shared .DLL or .OCX files (support files).

The below steps describe how to implement the process using WPS.

  1. Invoke the Application Isolation wizard from the side pane of Wise package studio as shown below.
  2. Browse the .WSI or .MSI file on which the isolation has to be performed.
  3. Choose on the isolation method and the isolation type. The next screens depend on the options selected here.
  4. Choose how the process of isolation has to be taken place.
  5. Isolation is ready to be performed.
  6. The updated Windows Installer file can be either the default MSI file appended with _isolated or a new MSI file or a MST file, as shown here.

Comments 6 CommentsJump to latest comment

robertser's picture

One problem to be aware of with Application Isolation. When patches to system dll's are released your isolated applications that use them are not patched. This means they they are still vulnerable and so even if your OS is patched your system may still be vulnerable giving you a flase sense of security. Now you not only have to patch the OS but every application that is isolated.

0
Login to vote
erikw's picture

I fully agree to this. Patching can be very hazardous when you use a lot of aplikation isolation.
If you have a problem with a software package and you need to choose, SVS is also a very good choice.

Regards
Erik
www.svs4u.nl

Regards Erik www.DinamiQs.com Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)

*************************************************************
If your issue has been solved, Please mark it as solved
***********

0
Login to vote
Richard Jeffrey's picture

When the SVS layer is active, if it has a file security vulnerability, then do you treat it any differently to an isolated locally installed application?

I presume you are saying you have to craft your own updating method to patch up the SVS layer directly to replace the vulnerable file. Otherwise I would presume the security vulnerability can still be leveraged from the SVS layer and is no different to the locally installed application.

0
Login to vote
R-Vijay's picture

Thanks for the Valuable input Robert.

I just tried to cover some basic information regarding application isolation in this article. Your piece of info will surely add-in to the packager, when he looks for Application Isolation. :)

Cheers'
Vijay Raj

Microsoft MVP [Setup-Deploy]
Weblog: www.msigeek.com

0
Login to vote
Kottadi's picture

Hi Robert, Thank you for your information. I have a small doubt in the step by step process in isolating a component using "Application Isolation Wizard" in AdminStudio. I have seleted the "MSI Isolation Component" option. Then there is a page which will disply all the dlls and in the left hand pane we can see all the exe's present in the application. For isolating a particular dll we have to select the dll, but what needs to be done with the exe's ? What exactly we need to do in this page ? Your reply is much appreciated. Thanks in advance.

Ajith.

0
Login to vote
Sainath K's picture

Hi Everyone,
 

After Isolation how can I check whether my applicaiton is using the isolated DLL or not?

 

Sai.

0
Login to vote