About InvisVM

What is InvisVM?

InvisVM is a security-focused Linux application that provides proactive protection through sandboxing and isolation. Instead of relying on reactive antivirus detection, InvisVM prevents damage by creating virtual walls around applications—trapping potential threats before they can access your files, network, or system.

Built using Firejail sandboxing technology and Linux namespace isolation, InvisVM makes advanced security accessible to everyone. When you launch an application through InvisVM, it runs in a completely isolated container with controlled access to system resources—even if the application is malicious, your data remains safe.

The project originated as a research initiative exploring both Windows kernel-level and Linux container-based sandboxing approaches. Through extensive development and testing, InvisVM has evolved into a functional security tool for Pop!_OS and Ubuntu-based distributions.

The Core Philosophy

InvisVM is guided by principles of proactive security, transparency, and user empowerment. It's designed to make advanced protection accessible to everyone—not just security experts.

How InvisVM Works

InvisVM leverages Linux's powerful isolation features to create secure sandboxes around applications. The process is simple from the user's perspective but technically sophisticated underneath.

Namespace Isolation

When you launch an application through InvisVM, it creates separate namespaces for the process. This means the sandboxed application sees its own isolated filesystem, network stack, and process tree—completely separated from your actual system.

Smart Access Control

InvisVM intelligently determines what each application needs. For example, LibreOffice requires D-Bus communication to function properly, so InvisVM filters D-Bus access. Meanwhile, a suspicious downloaded file gets complete D-Bus blocking along with network and device restrictions.

Policy-Based Security

Choose your security level based on trust. Restrictive mode blocks network and devices entirely—perfect for untrusted files. Standard mode allows network but restricts file access. Permissive mode maximizes compatibility while maintaining core isolation.

Real-Time Monitoring

Every sandboxed application is tracked in real-time. See what's running, when it started, which policy is active, and terminate processes instantly if needed. Detailed logs show exactly what the application attempted to access and what was blocked.

Security & Protection Model

InvisVM provides multiple layers of protection that work together to create a comprehensive security solution.

Filesystem Protection

Sandboxed applications cannot access your documents, photos, or personal files. Even if ransomware executes, it finds no files to encrypt. System directories are read-only, preventing malware from modifying critical components or installing backdoors.

Network Control

In restrictive mode, network access is completely blocked—preventing data exfiltration and command-and-control server communication. Standard and permissive modes allow network but with monitoring, so you can see if suspicious applications attempt connections.

Device Isolation

Camera, microphone, and USB devices are blocked by default in strict modes. This prevents keyloggers, screen recorders, and hardware-based attacks from compromising your privacy.

Process Containment

Sandboxed processes cannot see or interact with other running programs. They can't kill system services, monitor other applications, or interfere with your workflow. When you close the sandbox, all traces disappear—no persistence, no backdoors.

Who Should Use InvisVM?

InvisVM is designed for anyone who values security and wants proactive protection without complexity.

Everyday Users

Open suspicious email attachments, test downloaded software, or browse risky websites safely. Right-click any file and launch it in a sandbox with one click—no technical knowledge required.

Security Researchers

Analyze malware behavior in a safe environment. InvisVM's detailed logs show exactly what the malicious application attempted, helping you understand attack patterns without risking your system.

Developers & Testers

Test untrusted code, debug applications in isolation, or run multiple instances of programs without interference. InvisVM's monitoring helps identify what your application is accessing.

Privacy-Conscious Users

Run browsers, communication apps, or any software in isolation to prevent tracking, data collection, or unwanted access to your personal files. Keep your digital life compartmentalized.

Current Status & Considerations

InvisVM is functional and ready for testing on Pop!_OS and Ubuntu-based systems, with ongoing improvements and feature additions.

Application Compatibility

Most applications work seamlessly in InvisVM's sandboxes. Smart D-Bus detection ensures apps like LibreOffice, Firefox, and file managers function properly while maintaining security. Snap, Flatpak, and AppImage formats are fully supported.

System Requirements

Requires Pop!_OS 20.04+ or Ubuntu 20.04+, Python 3.8+, PyQt5, and Firejail 0.9.64+. Installation is straightforward—simply run the main script after installing dependencies.

Performance Impact

InvisVM has minimal performance overhead. Sandboxed applications run at near-native speed since we use namespace isolation rather than full virtualization. The GUI itself uses negligible resources—only active when you're interacting with it.

Future Directions

InvisVM continues to evolve with new features, improved security, and broader compatibility.