You can get rid of legacy OSes like Windows or Linux that cannot run applications in a sandbox and switch to those which can. In that case the malware only gets a sandbox and not the whole system.
If you work for a commercial company then you should not download code from random users on GitHub for free but from commercial, safe repositories where the code is inspected, tested and verified. Or from reputable large commercial companies that are unlikely to plant backdoors. Microsoft or Apple won't risk their reputation by backdooring an open-source library.
I don't get it, are there privilege escalation attacks for Windows? I haven't logged in as an administrator since 2005 or so.
We know we can hit the Windows key and type "sandbox"? (May need to "install" it from Windows Features.) Right?
There are software packages that let you snapshot the files and checksums, then compare again after you've run your test program / installer / whatever.
You can make this software "portable" so you don't have to install it every time. You can copy and paste into the sandbox from your Windows desktop and drives.
Obviously this isn't Sandboxie or nix or an immutable file system or anything, but let us not pretend it's 1996 and "GoBack.exe" hasn't been invented yet.
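As an added illustration of the snapshot-and-compare approach described in the comment above (this is example code written for this page, not a tool the commenter named): a small portable Python script that records a SHA-256 baseline of every regular file under a directory, saves it as JSON, and reports what was added, removed or modified after the untrusted installer has run. The demo() function builds a throwaway directory tree and a pretend "installer" that mutates it; those file names and actions are constructed for the demo only.

```python
import hashlib
import json
import os
import shutil
import sys
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative POSIX path -> content hash for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree is not followed
    and hashed as if it were local content. Content hashes, not mtimes, are
    used because timestamps are trivial for an installer to preserve or reset.
    """
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            try:
                result[rel] = hash_file(p)
            except OSError:
                # Locked or permission-denied files still show up in the diff
                result[rel] = "<unreadable>"
    return result


def diff_snapshots(before, after):
    """Classify differences between two snapshots into added/removed/modified lists."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_snapshot(snap, path):
    # Keep the baseline OUTSIDE the sandbox (e.g. on the host share); a
    # baseline stored next to the installer can be edited by the installer.
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: small tree, fake installer mutates it, return the diff."""
    tmp = Path(tempfile.mkdtemp(prefix="snapdemo-"))
    try:
        (tmp / "bin").mkdir()
        (tmp / "bin" / "app.exe").write_bytes(b"original binary")
        (tmp / "config.ini").write_text("debug=0\n")
        (tmp / "README.txt").write_text("hello\n")
        before = snapshot(tmp)
        # Pretend installer: patches a binary, drops a new file, deletes one.
        (tmp / "bin" / "app.exe").write_bytes(b"patched binary")
        (tmp / "bin" / "helper.dll").write_bytes(b"dropped payload")
        (tmp / "README.txt").unlink()
        after = snapshot(tmp)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    # Usage: snapshot.py baseline DIR OUT.json
    #        snapshot.py compare  DIR OUT.json
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        save_snapshot(snapshot(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        print(json.dumps(diff_snapshots(load_snapshot(sys.argv[3]), snapshot(sys.argv[2])), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would keep in mind: this only sees file contents under the directory you point it at, not the registry, services, scheduled tasks or ACL changes, so on Windows it is a supplement to a VM or Windows Sandbox snapshot rather than a replacement; and because the comparison runs as the same user that ran the installer, anything that has already escalated beyond that user can hide from it.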
They can - if you write the sandbox and adapt applications to it. What I meant is that the sandbox should be built into a distribution.
Also, I did some research and the sandbox is difficult to implement because you need to stub literally every facility (because Linux was not designed for sandboxing). For example, I had to write an emulation of /proc in Python using FUSE because many apps rely on reading files there but granting them full access leaks too much information about your system and is not secure. Now think how much time you need to stub every API, including undocumented APIs like /sys, ioctls and so on.