Microsoft has released a new sandbox that’s built into Windows 10 Pro and Enterprise versions and allows people to run suspicious or untrusted files without needing a virtual machine.
The Windows Sandbox gives enterprise users a simple integrated tool for executing and inspecting files that could be problematic. Each time a user starts the Windows Sandbox, it creates a clean, new image of Windows, and once the user closes the sandbox, that image and all of the files associated with it are deleted. There are no traces left behind.
“At its core Windows Sandbox is a lightweight virtual machine, so it needs an operating system image to boot from. One of the key enhancements we have made for Windows Sandbox is the ability to use a copy of the Windows 10 installed on your computer, instead of downloading a new VHD image as you would have to do with an ordinary virtual machine,” Hari Pulapaka, a group program manager for the Windows kernel at Microsoft, said in a post.
“We want to always present a clean environment, but the challenge is that some operating system files can change. Our solution is to construct what we refer to as ‘dynamic base image’: an operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host.”
Malware analysts, incident response and forensics professionals, and others in the security industry routinely use virtual machines to analyze suspicious or malicious files, and VMs are used in any number of other contexts, too. But they are often separate applications and can require a lot of computing resources. Pulapaka said Microsoft wanted to make the Windows Sandbox small, efficient and simple to use.
“Microsoft’s hypervisor allows a single physical machine to be carved up into multiple virtual machines which share the same physical hardware. While that approach works well for traditional server workloads, it isn't as well suited to running devices with more limited resources. We designed Windows Sandbox in such a way that the host can reclaim memory from the Sandbox if needed,” Pulapaka said.
“Additionally, since Windows Sandbox is basically running the same operating system image as the host, we also allow Windows Sandbox to use the same physical memory pages as the host for operating system binaries via a technology we refer to as ‘direct map’. In other words, the same executable pages of ntdll are mapped into the sandbox as that on the host. We take care to ensure this is done in a secure manner and no secrets are shared.”
The Windows Sandbox is integrated into Windows 10 Pro and Enterprise and can be run directly from the Windows Start menu once virtualization is enabled on the host machine.
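As an added illustration of the prerequisite the article mentions (this is not code from the article or from Microsoft), the following PowerShell script checks whether the host exposes the hardware virtualization support the sandbox's lightweight VM needs, enables the Windows Sandbox optional feature if it is not already on, and launches it. It assumes Windows 10 Pro or Enterprise, an elevated PowerShell session, and the standard feature name `Containers-DisposableClientVM` and executable `WindowsSandbox.exe`, which are part of the shipped product rather than anything stated on this page.

```powershell
# Added example, not from the article: verify virtualization prerequisites,
# enable the Windows Sandbox feature, and start a disposable session.
# Assumes Windows 10 Pro/Enterprise and an elevated (Administrator) shell.

$ErrorActionPreference = 'Stop'

# Get-ComputerInfo reports the Hyper-V requirement flags. When a hypervisor is
# already running (HyperVisorPresent = True) the individual flags come back
# empty, so that case is treated as satisfied.
$info = Get-ComputerInfo -Property HyperVisorPresent, HyperVRequirement*

if ($info.HyperVisorPresent) {
    Write-Host 'Hypervisor already present on this host; virtualization is available.'
}
else {
    $checks = [ordered]@{
        'Virtualization enabled in firmware'  = $info.HyperVRequirementVirtualizationFirmwareEnabled
        'Second Level Address Translation'    = $info.HyperVRequirementSecondLevelAddressTranslation
        'VM Monitor Mode Extensions'          = $info.HyperVRequirementVMMonitorModeExtensions
        'Data Execution Prevention available' = $info.HyperVRequirementDataExecutionPreventionAvailable
    }
    $missing = @()
    foreach ($name in $checks.Keys) {
        $ok = [bool]$checks[$name]
        Write-Host ('{0,-40} {1}' -f $name, $(if ($ok) { 'OK' } else { 'MISSING' }))
        if (-not $ok) { $missing += $name }
    }
    if ($missing.Count -gt 0) {
        throw "Windows Sandbox cannot run on this host; enable in firmware: $($missing -join ', ')"
    }
}

# Enable the optional feature that installs Windows Sandbox, if needed.
$featureName = 'Containers-DisposableClientVM'
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
if ($feature.State -ne 'Enabled') {
    Write-Host "Enabling $featureName (a reboot is required before first use)..."
    Enable-WindowsOptionalFeature -Online -FeatureName $featureName -All -NoRestart | Out-Null
    Write-Host 'Feature enabled. Restart the machine, then run this script again to launch the sandbox.'
    return
}

# Launch a fresh, disposable sandbox session. Everything inside it is discarded
# when the window is closed, which is what makes it suitable for detonating
# untrusted files without touching the host image.
Start-Process -FilePath 'WindowsSandbox.exe'
Write-Host 'Windows Sandbox started.'
```

Run the script from an elevated prompt; if the feature was just enabled, reboot and run it again to launch the sandbox. The prerequisite check is the part worth keeping in a host-provisioning script, since a machine with virtualization disabled in firmware will show the Start menu entry only after the feature is enabled but fail to boot the sandbox.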