Half app, half virtual machine, Windows Sandbox creates an isolated, temporary desktop environment in which “sandboxed” software can run separately from the host machine. Because the sandbox is temporary, all of its software, files and state are deleted when the sandbox is closed.
The environment is secured using hardware-based virtualization for kernel isolation, which relies on Microsoft’s hypervisor to run a separate kernel that isolates Windows Sandbox from the host. For optimal efficiency, Windows Sandbox uses an integrated kernel scheduler, smart memory management and a virtual GPU.
Windows Sandbox is useful when you need a clean installation of Windows but don’t want to set up a virtual machine. It’s also a handy tool to pull out of the box when you want to test some legitimate software but have concerns about its compatibility with your other applications.
Using a sandbox can protect your machine from malware. If you were to run a piece of ransomware in a sandbox, the files inside the sandbox would probably be encrypted but your primary operating system would remain untouched.
But while malware executed within the sandbox cannot directly access the drives of the primary operating system, it can still communicate with other devices on your network. Because of this, Windows Sandbox is unable to provide network-level isolation.
When correctly configured, Windows Sandbox on Windows 10 Pro or Windows 10 Enterprise (versions 19.04 or later) can be used to analyze malware, but only if CPU virtualization is enabled in your computer’s BIOS.
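One way to script that setup, as an added example that is not taken from the video or from Microsoft: it checks the virtualization prerequisite, enables the Windows Sandbox optional feature, and writes a `.wsb` profile that switches off the sandbox's network adapter and maps a samples folder read-only. The `C:\Analysis` paths are assumptions; run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: prerequisite check plus a locked-down .wsb profile for sample analysis.
$samples = 'C:\Analysis\Samples'        # assumed host folder holding the files to examine
$wsbPath = 'C:\Analysis\Analysis.wsb'   # assumed location for the generated profile

# 1. CPU virtualization must be enabled in firmware (BIOS/UEFI).
#    With a hypervisor already running, the firmware flag may read False,
#    so a present hypervisor is accepted as proof as well.
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not ($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)) {
    throw 'CPU virtualization is disabled; enable it in the BIOS/UEFI setup first.'
}

# 2. Windows Sandbox ships as the optional feature Containers-DisposableClientVM.
$name    = 'Containers-DisposableClientVM'
$feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
if (-not $feature -or -not "$($feature.State)") {
    throw 'Windows Sandbox is not available on this edition or build of Windows.'
}
$needsRestart = $false
if ("$($feature.State)" -eq 'Disabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart | Out-Null
    $needsRestart = $true
}

# 3. Write the profile. Networking=Disable removes the sandbox's network adapter,
#    VGpu=Disable keeps rendering in software instead of sharing the host GPU,
#    and ReadOnly=true stops the guest from modifying the host samples folder.
New-Item -ItemType Directory -Path $samples -Force | Out-Null
$wsb = @"
<Configuration>
  <Networking>Disable</Networking>
  <VGpu>Disable</VGpu>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$samples</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8

# 4. Launch the sandbox with this profile, unless the feature was only just enabled.
if ($needsRestart) {
    Write-Warning "Windows Sandbox was enabled; restart, then open $wsbPath."
} else {
    Start-Process -FilePath $wsbPath
}
```

The mapped folder appears on the sandbox desktop. Anything a sample writes inside the sandbox is discarded when the window is closed.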
Watch the full video to find out how to correctly install and configure Windows Sandbox.
Ready to take really advanced action? First, take the pentesting training with Paula J.