InvisVM

Run any application safely in an isolated sandbox

Contribute! InvisVM is an open-source application. Join us on GitHub to help improve it!
GitHub repository: https://github.com/nuetrino-quantam/InvisVM

What is InvisVM?

InvisVM is a security-focused Linux application that runs programs in isolated containers. It prevents malware from accessing your files, system, or network by creating a virtual wall around suspicious applications. Built using Firejail sandboxing technology and namespace isolation, InvisVM provides proactive protection—trapping threats before they can cause damage.

What can you do with it?

🔒 Sandbox Any Application
Launch files, apps, or downloads in complete isolation. Even if they're malicious, your system stays protected.
🔍 Search & Launch
Search all installed apps (Snap, Flatpak, AppImage, desktop apps) and launch them securely with one click.
📊 Real-Time Monitoring
Track all active sandboxes in real-time. See what's running, kill processes, and view detailed security logs.

How does it work?

Namespace Isolation

InvisVM uses Linux namespaces to create a virtual jail around applications. Sandboxed apps run in their own isolated environment with restricted access to your actual files, network, and system resources.

Firejail Integration

InvisVM is built on top of Firejail, a proven SUID sandbox program. We leverage its security features while providing an intuitive GUI for easy access. No command-line knowledge required.

Smart Access Control

Intelligent D-Bus filtering automatically detects which apps need system communication (like LibreOffice) and blocks it for others. Network, devices, and capabilities are controlled based on your chosen security policy.

Multi-Policy System

Choose from three security levels: Restrictive (maximum isolation), Standard (balanced protection), or Permissive (maximum compatibility). Tailor security to each application's needs.
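As an added illustration of the Smart Access Control and Multi-Policy System descriptions above (not InvisVM's own code), the sketch below shows how a GUI front end could turn a chosen policy into a Firejail command line. The per-policy flag sets, the D-Bus allowlist and the function names are assumptions made for this example; the flags themselves are existing Firejail options.

```python
import os

# Assumed flag sets per policy; the page names the three levels but not their
# flags, so this mapping is illustrative. Every flag is a real Firejail option.
POLICY_FLAGS = {
    "restrictive": ["--net=none", "--private", "--private-dev", "--private-tmp",
                    "--caps.drop=all", "--seccomp", "--nonewprivs", "--noroot"],
    "standard": ["--private-dev", "--private-tmp", "--caps.drop=all",
                 "--seccomp", "--nonewprivs", "--noroot"],
    "permissive": ["--caps.drop=all", "--nonewprivs"],
}

# Hypothetical allowlist of programs that keep D-Bus access.
DBUS_ALLOWLIST = {"libreoffice", "soffice"}


def dbus_flags(program):
    """Block session and system D-Bus unless the program is allowlisted."""
    if os.path.basename(program).lower() in DBUS_ALLOWLIST:
        return []
    return ["--dbus-user=none", "--dbus-system=none"]


def build_argv(policy, program, args=()):
    """Return the argv list (no shell involved) for `program` under `policy`."""
    key = policy.strip().lower()
    if key not in POLICY_FLAGS:
        # Fail closed: an unknown policy must never launch unsandboxed.
        raise ValueError(f"unknown policy: {policy!r}")
    # "--" ends Firejail option parsing, so a program path or file name that
    # starts with "-" cannot be interpreted as a sandbox option.
    return ["firejail", "--quiet", *POLICY_FLAGS[key], *dbus_flags(program),
            "--", program, *args]


if __name__ == "__main__":
    # Constructed sample inputs.
    for pol, prog, a in [("Restrictive", "/usr/bin/evince", ["-odd-name.pdf"]),
                         ("Standard", "/usr/bin/libreoffice", ["report.odt"])]:
        print(" ".join(build_argv(pol, prog, a)))
```

Passing the result to `subprocess.run` as a list keeps user-supplied file names out of any shell parsing.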

Research & Development

🔬 Cross-Platform Analysis
Explored both Windows kernel-level and Linux container-based sandboxing approaches to understand optimal isolation strategies.
Real-Time Detection
Developed robust process monitoring that detects sandboxed applications launched from any source—GUI or right-click menu.
🎯 Threat Protection
Testing against simulated malware behaviors—file access, network exfiltration, privilege escalation—to validate isolation effectiveness.
🧪 UI/UX Design
Creating an intuitive interface that makes advanced security accessible to non-technical users through visual feedback and simple controls.

Technical Overview

Core concepts powering InvisVM:

Container Isolation
Uses Linux namespaces to separate process trees, filesystems, and network stacks. Sandboxed applications cannot see or interact with the host system, creating a secure virtual environment.
Proactive Defense
Unlike antivirus software, which reacts after detecting threats, InvisVM prevents damage by isolating first. It works against zero-day attacks and unknown malware without needing signature updates.
State Management
Tracks all active sandboxes with shared state files. Processes launched from the right-click menu or the GUI are automatically detected and monitored in real time across sessions.
Note: InvisVM is designed for Pop!_OS and Ubuntu-based distributions. It leverages Firejail's proven security model while providing a user-friendly interface for everyday protection. Perfect for safely testing unknown software, opening suspicious files, or browsing with enhanced privacy.