A way for computers to run programs in a controlled environment.

Do you want to check out and test new software programs and Windows features but don't want a potentially risky program or setting harming your current environment? You need a way to safely isolate such programs or changes so they can't interfere with the rest of your operating system. For that, you can turn to the Windows Sandbox, which is available in both Windows 10 and 11.

The Sandbox provides an isolated, temporary virtual environment through which you can download, install, and run unknown and untested apps. The version of Windows accessible in the Sandbox is the same version on your host environment, meaning Windows 10 or 11.

Beyond using the Sandbox to run unknown applications, you can use it to check out websites that seem suspicious, install unfamiliar browser extensions and add-ons, change key settings, and play with other items you might not want to run in your regular Windows environment. You can also use it to install trial software you don't want cluttering up your core Windows system.

If any malware or other dangerous content rears its head, it's restricted to the Sandbox, so the rest of Windows remains safe and protected. After you're done with the application, setting, or other change, simply close the Sandbox, and all is gone and forgotten with no lasting residue.

The Sandbox is lightweight; it uses only about 100MB of disk space. The main downside is that Microsoft supports it only on the Pro, Enterprise and Education editions of Windows 10 and 11, not on Home. Now, let's dig into the Sandbox.

System Requirements

First, ensure that your PC supports the virtualization required by Sandbox. In Windows 10, right-click the Taskbar and select Task Manager. In Windows 11, press Ctrl+Shift+Esc or click the Search icon, start typing Task Manager, and then select Task Manager from the results.

At the Task Manager window, click the link for More details if necessary. Select the Performance tab and make sure the entry for Virtualization says that it's enabled.
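The same prerequisite check, feature enablement and a locked-down first configuration, as an added PowerShell example that is not part of the original article. It must run from an elevated prompt; the `C:\Samples` folder, the `UntrustedInstaller.wsb` file name and the 4GB memory limit are assumptions for illustration, while the `.wsb` element names are those Windows Sandbox documents.

```powershell
# Added example (not from the PCMag article): check the Windows Sandbox
# prerequisites, enable the feature, and write a hardened .wsb configuration
# for examining an untrusted installer. Run from an elevated PowerShell prompt.
# Folder, file name and memory size below are assumptions for illustration.

$info = Get-ComputerInfo

# When a hypervisor (Hyper-V, WSL2, ...) is already running, Windows no longer
# reports the firmware capability fields, so they come back empty; in that case
# HyperVisorPresent is the signal that virtualization is available.
if ($info.HyperVisorPresent) {
    Write-Host "A hypervisor is already running; virtualization is available."
} elseif ($info.HyperVRequirementVirtualizationFirmwareEnabled -and
         $info.HyperVRequirementSecondLevelAddressTranslation -and
         $info.HyperVRequirementVMMonitorModeExtensions) {
    Write-Host "CPU virtualization is enabled in firmware."
} else {
    throw "Virtualization is disabled or unsupported; enable VT-x/AMD-V in UEFI first."
}

# Home editions cannot run Windows Sandbox at all.
$edition = (Get-CimInstance Win32_OperatingSystem).Caption
if ($edition -notmatch 'Pro|Enterprise|Education') {
    throw "Windows Sandbox is not available on '$edition'."
}

# Enable the optional feature; a reboot is required before first use.
Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart

# Hardened configuration: no network, no clipboard/printer/audio/video
# redirection, ProtectedClient on, and the sample reachable only through a
# read-only mapped folder so nothing written inside can land on the host.
$hostFolder = 'C:\Samples'   # assumed host folder holding the untrusted installer
New-Item -ItemType Directory -Path $hostFolder -Force | Out-Null

$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <ProtectedClient>Enable</ProtectedClient>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <SandboxFolder>C:\Samples</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Samples</Command>
  </LogonCommand>
</Configuration>
"@

$wsbPath = Join-Path $env:USERPROFILE 'Desktop\UntrustedInstaller.wsb'
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8
Write-Host "Wrote $wsbPath; after rebooting, open it (or run: Start-Process '$wsbPath')."
```

Opening the `.wsb` file starts a fresh Sandbox with exactly these settings, so the sample can be run without it ever touching the network or the host clipboard. Because clipboard redirection is off, the read-only mapped folder is the only way in, and because it is read-only, nothing the sample does inside can modify files on the host.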

I've been working for PCMag since early 2016 writing tutorials, how-to pieces, and other articles on consumer technology. Beyond PCMag, I've written news stories and tutorials for a variety of other websites and publications, including CNET, ZDNet, TechRepublic, Macworld, Popular Science, Time, Fortune, US News & World Report, and AARP Magazine. I spent seven years writing breaking news for CNET as one of the site’s East Coast reporters. I've also written two books for Wiley & Sons—Windows 8: Five Minutes at a Time and Teach Yourself Visually LinkedIn.


In the world of cybersecurity, a sandbox environment is an isolated environment, typically a virtual machine, in which potentially unsafe software code can execute without affecting network resources or local applications.

Cybersecurity researchers use sandboxes to run suspicious code from unknown attachments and URLs and observe its behavior. Telltale signs include whether the code replicates itself, tries to contact a command-and-control server, downloads additional software, encrypts sensitive data, and so on. Because the sandbox is an isolated environment with no access to the production network, data or other applications (at most a simulated or tightly filtered network so that outbound connection attempts can be observed), security teams can safely “detonate” the code to determine how it works and whether it is malicious.

Outside of cybersecurity, developers also use sandbox testing environments to run code before widespread deployment.

What is the Purpose of a Sandbox?

In a standard business production environment, a sandbox might be misunderstood or dismissed as a needless expense. But sandboxes are critical for several scenarios in development, cybersecurity and research. Making sure the sandbox is truly isolated and secure matters more in cybersecurity research than in software development, because malware actively scans whatever network it can reach for exploitable hosts.

In development

In development, a sandbox usually involves a development server and a staging server. The development server is separated from the production environment but may still require basic network access. Developers use this server to upload code and test it as the codebase changes.

The staging server is designed to be an exact replica of production. This server is where quality assurance (QA) tests code before deploying to production. Because the staging environment mirrors the production environment, code that runs without issues in staging should run without issues in production; any drift between the two weakens that guarantee. After code is tested, it’s deployed to production.

In cybersecurity research

Cybersecurity researchers and analysts use their sandbox environment in a similar way. But in this case, it’s much more critical to ensure that no network resources are available to malware. The sandbox environment has its own network and often no physical connection to production resources. The purpose of the sandbox is to execute malicious code and analyze it. Sometimes, this code could be a zero-day exploit where the malware’s effect and payload are unknown. Because of this, the sandbox must not have any access to critical infrastructure.

With a sandbox, cybersecurity researchers and analysts can understand how malware works and what can be done to stop it. It’s the first step in building the detections and antivirus signatures that keep the malware from spreading to other systems, and in working out how to remove it from systems that are already infected.

For complex attacks, readily available sandbox environments let researchers analyze malware quickly and stop it before it becomes a global issue. Ransomware, for example, can spread worldwide and take down critical government systems, which makes ready access to sandboxes important for the researchers trying to stop it.

How Does a Sandbox Work?

The way a sandbox functions depends on what is being tested. For instance, a sandbox environment used to test malware is set up and functions differently from a sandbox meant to test code for application updates. For research into potential malware and execution of malicious code, a sandbox requires isolation from production software.

Regardless of how a sandbox is used, every environment has a few basic features:

  • Emulation of an actual device. This could be a desktop or a mobile device. In either case, the code being analyzed must see the resources it would expect on a real machine, including CPU, memory and storage; otherwise it may behave differently than it would on a victim.
  • Emulation of the target operating system. The sample runs on the operating system it was written for, installed inside a virtual machine, so that it can make the same system calls and see the same files and settings it would on a real target.
  • Virtualized environment. The virtual machine isolates the sample from the physical hardware and the host operating system: it can reach only the virtualized hardware the hypervisor exposes to it.

Virtualization and emulation are not silver bullets. Some malware writers design code that stays under security researchers’ radar if it senses that it’s running in a sandbox.

Sandbox-detection measures might include looking for user interaction that isn’t consistent with real-world usage, such as no mouse movement, an empty list of recently opened documents, or a system that booted only minutes ago. Others read system settings and hardware details to look for common virtual machine configurations: hypervisor vendor strings in the BIOS, the MAC address prefixes of virtual network adapters, guest-additions drivers, or a small disk and little memory. If the malware decides it is being watched, it lies dormant so that it’s not flagged as malicious, activating only after it reaches a real-world target.

In some cases, the malware author might even use exploits against the hypervisor or analysis tooling to break out of a weakly secured sandbox.
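The checks described above, turned around and run by the analyst: an added PowerShell example (not from the original article) that audits an analysis VM for the artifacts sandbox-aware malware commonly looks for, so they can be removed or spoofed before detonation. The vendor strings, driver names and MAC prefixes are well-known hypervisor fingerprints; the size and count thresholds are assumptions chosen to mirror typical evasion heuristics.

```powershell
# Added example (not from the original article): audit an analysis VM for the
# artifacts that sandbox-aware malware checks. Thresholds are assumptions.

function Get-SandboxArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Hardware identity strings that name the hypervisor.
    $cs   = Get-CimInstance Win32_ComputerSystem
    $bios = Get-CimInstance Win32_BIOS
    foreach ($s in @($cs.Manufacturer, $cs.Model, $bios.Manufacturer,
                     $bios.SerialNumber, $bios.SMBIOSBIOSVersion)) {
        if ($s -match 'VirtualBox|innotek|VMware|QEMU|Xen|Virtual Machine|VBOX') {
            $findings.Add("Hypervisor string in SMBIOS: '$s'")
        }
    }

    # 2. MAC address OUIs registered to hypervisor vendors
    #    (VirtualBox, VMware, Hyper-V, Xen).
    $vmOuis = @('08-00-27', '00-05-69', '00-0C-29', '00-1C-14', '00-50-56', '00-15-5D', '00-16-3E')
    foreach ($nic in Get-NetAdapter -Physical -ErrorAction SilentlyContinue) {
        if ($nic.MacAddress.Length -ge 8) {
            $oui = ($nic.MacAddress -replace ':', '-').Substring(0, 8).ToUpper()
            if ($vmOuis -contains $oui) { $findings.Add("VM vendor MAC OUI $oui on $($nic.Name)") }
        }
    }

    # 3. Guest-additions drivers and processes left behind by the hypervisor tools.
    foreach ($d in @('VBoxGuest.sys', 'VBoxMouse.sys', 'VBoxSF.sys', 'vmhgfs.sys', 'vmmouse.sys', 'vm3dmp.sys')) {
        if (Test-Path (Join-Path $env:SystemRoot "System32\drivers\$d")) { $findings.Add("Guest driver present: $d") }
    }
    foreach ($p in @('VBoxService', 'VBoxTray', 'vmtoolsd', 'vmwaretray', 'vmwareuser')) {
        if (Get-Process -Name $p -ErrorAction SilentlyContinue) { $findings.Add("Guest process running: $p") }
    }

    # 4. Resources smaller than a real workstation would have (assumed thresholds).
    if ($cs.TotalPhysicalMemory -lt 4GB)     { $findings.Add("Only $([math]::Round($cs.TotalPhysicalMemory / 1GB, 1)) GB RAM") }
    if ($cs.NumberOfLogicalProcessors -lt 2) { $findings.Add("Single logical CPU") }
    $disk = Get-CimInstance Win32_DiskDrive | Sort-Object Size -Descending | Select-Object -First 1
    if ($disk -and $disk.Size -lt 80GB)      { $findings.Add("Largest disk only $([math]::Round($disk.Size / 1GB)) GB") }

    # 5. Signs that nobody uses this machine: short uptime and an empty Recent list.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    if (((Get-Date) - $boot).TotalMinutes -lt 10) { $findings.Add("Uptime under 10 minutes") }
    $recent = Join-Path $env:APPDATA 'Microsoft\Windows\Recent'
    $recentCount = (Get-ChildItem $recent -File -ErrorAction SilentlyContinue | Measure-Object).Count
    if ($recentCount -lt 10) { $findings.Add("Only $recentCount recently used files") }

    return $findings
}

$results = Get-SandboxArtifacts
if ($results.Count -eq 0) { Write-Host "No obvious sandbox artifacts found." }
else { $results | ForEach-Object { Write-Host "[!] $_" } }
```

Each finding is something a sample can query with a few API calls, so a clean run of this audit is a reasonable bar before trusting that a dormant sample is genuinely benign rather than waiting you out. Fixing the findings means changing SMBIOS strings and MAC addresses at the hypervisor, installing the guest tools only when you need them, sizing the VM like a workstation, and letting it accumulate some realistic use before you snapshot it.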

Operating-system-level sandboxes such as chroot and FreeBSD jails work without a full virtual machine: instead of emulating hardware, they restrict a process’s view of the file system and its network access. Sandboxes are also built into some applications and cloud hosts, where anything running within them is prevented from accessing certain aspects of the host machine.

Benefits of a Sandbox

Like a development testing environment, a sandbox can be used to run any application on a safe resource before deploying it to production or giving it access to production resources. A sandbox lets organizations run programs that could potentially cause issues, whether from malware or unintended software flaws, without bogging down or damaging business-critical resources.

A sandbox is often used as a quarantine for unknown email and attachments. Email filters flag potentially malicious messages and attachments, but an administrator needs a safe place to open them to weed out false positives. Malicious documents may contain macros that exploit flaws in popular productivity apps such as Microsoft Office. An administrator can use a sandbox virtual machine to open attachments and inspect the macros to see whether they’re safe.

For organizations that do not have specialized cybersecurity staff, a sandbox can be used by any employee to isolate suspicious programs. A sandbox can let workers run unknown code without exposing their systems to new threats.

Sandbox Examples

A sandbox can have both software and hardware components. On the hardware side, a sandbox can sit on its own physically separate network. For the strictest isolation, it can have its own Wi-Fi router and ISP connection, so that a malicious application has no path to the main network at all. Note that it can still reach the Internet over that link, so outbound traffic should be filtered and logged, or replaced with simulated services, to avoid feeding the attacker or harming third parties.

Several applications use sandboxes by default to protect the local operating system. Browsers sandbox the content they render so that malicious code on a web page cannot reach local machine resources. Languages such as Java had their own sandbox to protect local resources from untrusted code, the classic case being a Java applet running on a web page (applets have since been removed from both browsers and the JDK).

Windows 10 and 11 (Pro, Enterprise and Education editions) include Windows Sandbox, a disposable virtual desktop for running untrusted code. While this feature should not be used as a replacement for antivirus, firewall, and anti-malware programs, it adds a layer of isolation that older Windows operating systems do not have.

HTML5 gives iframes a sandbox attribute that restricts what the embedded document may do, such as running scripts, submitting forms or navigating the top-level page. The Linux operating system has several application sandboxes built on seccomp filters, namespaces and cgroups. Google’s Sandboxed API lets developers of C and C++ code run risky libraries in a separate sandboxed process before deploying them to the production environment.

How Do You Set Up a Sandbox Environment?

A sandbox’s purpose depends on the way you set it up. Many cloud platforms have their own sandbox to work with new programs and updates. For instance, if you decide to work with PayPal as a payment processor, the platform has a full sandbox where you can emulate the production environment. Any code using the sandbox is isolated from production, so errors and bugs do not affect the main platform.

If you need a sandbox to test code or potential malware, you can create your own sandbox by installing a virtual machine. VirtualBox is often used to host the virtual environment, also called a virtual machine; other hypervisors work the same way. Then you just need an installation image (ISO) to run the operating system within the virtual machine.

Before installing the operating system within the virtual machine, set the hardware resources that will be available to the environment, such as memory, CPU count, storage capacity, and network adapter. For malware work, give the network adapter no connection to your real network (none at all, or an internal network shared only with other lab VMs), and leave shared folders, clipboard sharing and drag-and-drop off. Programs running in the new environment see only this virtualized hardware and cannot share memory with the host operating system or anything outside the virtual machine. Once the guest is installed and your tools are in place, take a snapshot so you can roll back to a clean state after each sample.
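The VirtualBox setup just described, scripted end to end, as an added PowerShell example that is not part of the original article. It drives the VBoxManage command-line tool that ships with VirtualBox; the VM name, ISO path, disk size and the `malnet` internal network name are assumptions for illustration, and on Linux or macOS the `$VBoxManage` path is simply `VBoxManage`.

```powershell
# Added example (not from the original article): create a VirtualBox analysis
# VM whose only NIC is an internal network unreachable from the host LAN, with
# clipboard, drag-and-drop and remote display off, ready to be snapshotted.
# VM name, ISO path, sizes and network name are assumptions.

$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
$vmName   = 'malware-analysis'
$isoPath  = 'C:\ISO\Win10.iso'   # assumed installer image
$diskPath = "$env:USERPROFILE\VirtualBox VMs\$vmName\$vmName.vdi"

& $VBoxManage createvm --name $vmName --ostype Windows10_64 --register

# Hardware: realistic but bounded resources (sandbox-aware samples check these).
& $VBoxManage modifyvm $vmName --memory 4096 --cpus 2 --vram 64

# Isolation: a single NIC on an internal network (no NAT, bridged or host-only
# adapter, so the guest cannot reach the host or the LAN), no clipboard or
# drag-and-drop sharing with the host, no remote display. Shared folders are
# never added.
& $VBoxManage modifyvm $vmName --nic1 intnet --intnet1 'malnet' --nic2 none
& $VBoxManage modifyvm $vmName --clipboard-mode disabled --draganddrop disabled --vrde off

# Storage: a 60 GB disk (small disks are a sandbox tell) plus the installer ISO.
& $VBoxManage createmedium disk --filename $diskPath --size 61440 --format VDI
& $VBoxManage storagectl $vmName --name 'SATA' --add sata --controller IntelAhci
& $VBoxManage storageattach $vmName --storagectl 'SATA' --port 0 --device 0 --type hdd --medium $diskPath
& $VBoxManage storageattach $vmName --storagectl 'SATA' --port 1 --device 0 --type dvddrive --medium $isoPath

# After installing the OS and your tools, freeze the state you will roll back
# to between samples:
#   & $VBoxManage snapshot $vmName take 'clean' --description 'pre-detonation baseline'
# and after each detonation:
#   & $VBoxManage snapshot $vmName restore 'clean'
```

With `--nic1 intnet`, the sample can talk only to other VMs on `malnet`; if you want to watch it try to reach a command-and-control server, put a second VM on that network running simulated services (INetSim is the usual choice) rather than giving the sample a real route out. A guest-to-host escape remains possible, so the host itself should not be a production machine.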

Even though a sandbox should be a safe space, attackers always try to break sandbox security. Technology firms will often give large bounties to anyone who can find a flaw in the sandbox that can be exploited. Microsoft has offered up to $30,000 for a bypass of the Edge browser’s sandbox. Google paid $60,000 in 2012 to a researcher who was able to execute unsanctioned code on a fully patched machine through Chrome.

To do any security research or dive into malware analysis, a sandbox is a must. Configured correctly, it ensures that no production resources are reachable from the virtual machine, including network storage. With a sandbox, you can analyze code without the risk of destroying a production environment.
