DATAINSIDER

Digital Guardian's Blog

Microsoft Launches Windows Sandbox

by Dennis Fisher on Wednesday December 19, 2018


Microsoft unveiled a new sandbox for Windows this week that can allow users to run untrusted software without having to do so in a virtual machine.

Microsoft has released a new sandbox that’s built into Windows 10 Pro and Enterprise versions and allows people to run suspicious or untrusted files without needing a virtual machine.

The Windows Sandbox gives enterprise users a simple integrated tool for executing and inspecting files that could be problematic. Each time a user starts the Windows Sandbox, it creates a clean, new image of Windows, and once the user closes the sandbox, that image and all of the files associated with it are deleted. No traces are left behind.

“At its core Windows Sandbox is a lightweight virtual machine, so it needs an operating system image to boot from. One of the key enhancements we have made for Windows Sandbox is the ability to use a copy of the Windows 10 installed on your computer, instead of downloading a new VHD image as you would have to do with an ordinary virtual machine,” Hari Pulapaka, a group program manager for the Windows kernel at Microsoft, said in a post.

“We want to always present a clean environment, but the challenge is that some operating system files can change. Our solution is to construct what we refer to as ‘dynamic base image’: an operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host.”

Malware analysts, incident response and forensics professionals and others in the security industry routinely use virtual machines to analyze suspicious or malicious files, and VMs are used in any number of other contexts, too. But they’re often separate applications and can require a lot of computing resources. Pulapaka said Microsoft wanted to make the Windows Sandbox small, efficient and simple to use.

“Microsoft’s hypervisor allows a single physical machine to be carved up into multiple virtual machines which share the same physical hardware. While that approach works well for traditional server workloads, it isn't as well suited to running devices with more limited resources. We designed Windows Sandbox in such a way that the host can reclaim memory from the Sandbox if needed,” Pulapaka said.

“Additionally, since Windows Sandbox is basically running the same operating system image as the host, we also allow Windows Sandbox to use the same physical memory pages as the host for operating system binaries via a technology we refer to as ‘direct map’. In other words, the same executable pages of ntdll are mapped into the sandbox as on the host. We take care to ensure this is done in a secure manner and no secrets are shared.”

The Windows Sandbox is integrated with Windows 10 Pro and Enterprise and can be run directly from the Windows Start menu once virtualization is enabled on the host machine.
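Since the article only says virtualization has to be enabled before the Sandbox shows up in the Start menu, the following added example (not from the article or from Microsoft) checks those prerequisites from PowerShell and enables the optional feature. It assumes Windows 10 Pro/Enterprise, PowerShell 5.1 or later, an elevated session (the DISM cmdlets require one), and that the Sandbox ships as the optional component named Containers-DisposableClientVM.

```powershell
# Added example: preflight checks for Windows Sandbox and enabling of its
# optional feature. Both functions need an elevated PowerShell session
# because Get-/Enable-WindowsOptionalFeature -Online go through DISM.
$SandboxFeature = 'Containers-DisposableClientVM'   # assumed feature name

function Test-WindowsSandboxPrereqs {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1

    # The Sandbox is shipped with Pro/Enterprise/Education SKUs, not Home.
    $editionOk = $os.Caption -match 'Pro|Enterprise|Education'

    # Virtualization must be on in firmware. Once a hypervisor is already
    # running (e.g. Hyper-V), the firmware flag can read False even though
    # the machine is usable, so accept either condition.
    $virtOk = [bool]$cpu.VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent

    $state = (Get-WindowsOptionalFeature -Online -FeatureName $SandboxFeature).State

    [pscustomobject]@{
        Edition             = $os.Caption
        EditionSupported    = $editionOk
        VirtualizationReady = $virtOk
        FeatureState        = $state          # Enabled / Disabled
    }
}

function Enable-WindowsSandboxFeature {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

    $pre = Test-WindowsSandboxPrereqs
    if (-not $pre.EditionSupported)    { throw "Unsupported edition: $($pre.Edition)" }
    if (-not $pre.VirtualizationReady) { throw 'Enable virtualization in firmware first.' }
    if ($pre.FeatureState -eq 'Enabled') { return 'Windows Sandbox is already enabled.' }

    # -NoRestart lets the caller schedule the reboot; the Start menu entry
    # appears only after the restart completes.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $SandboxFeature -All -NoRestart
    if ($result.RestartNeeded) { 'Windows Sandbox enabled; restart required.' }
    else                       { 'Windows Sandbox enabled.' }
}

Test-WindowsSandboxPrereqs | Format-List
```

Run `Enable-WindowsSandboxFeature` after reviewing the preflight output; on a Home edition the feature is simply not available and the function stops before calling DISM.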

Tags: Cybersecurity


Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.