
Windows Sandbox-How to Configure for Malware Analysis

Written by prodigitalweb

Want to try out new software and test it? A potentially risky program can endanger your device and its current Windows environment, which you never want. In that case you need to isolate programs so that they cannot interfere with other software on your system. That is why you need Windows Sandbox, which Microsoft introduced in the Windows 10 May 2019 Update.

It offers an isolated and temporary virtual environment where you can download, install, and run unknown apps. Along with running unknown apps, you can use it to check out suspicious sites, browser extensions, and add-ons that you would otherwise open in your regular Windows environment. It is also useful for installing trial software.

It is very lightweight and consumes a maximum of 100MB of storage space. The disadvantage is that it is only compatible with Windows 10 Professional and Enterprise. Windows 10 Home users can’t use it.

What is a Windows Sandbox?

Windows Sandbox is both an application and a virtual machine. It lets you spin up a clean virtual OS image from the current state of your system, so you can test files, documents, programs, etc., in a secure environment. As soon as the app is shut down, that state is discarded.

Are You Running the May 2019 Update?

So your first task should be to check whether you have the May 2019 Update. Head to Settings, go to System and then to About. Scroll the page down to the Windows Specifications section. If you find 1903 as the version number, you are set.

If you are not sure whether the Windows 10 May 2019 Update is available to you, you can check by navigating to Settings, then to Update & Security, then to Windows Update. Next, click the Check for Updates button.

As soon as the update is available for the PC, an entry appears offering the Feature Update to Windows 10, Version 1903.

Properties:

Part of Windows: It is available with Windows 10 Pro and Enterprise. You are not required to download a VHD.

Pristine: This feature is clean as a brand-new installation of Windows.

Disposable: Your System has nothing left. All the data is removed when you shut down the app.

Secure: It uses hardware-based Virtualization for kernel isolation. It relies on Microsoft’s hypervisor to run a separate kernel, and it is this kernel that isolates Windows Sandbox from the host.

Efficient: It uses an integrated kernel scheduler, smart memory management, and a virtual GPU.

Prerequisites to use:

  • Windows 10 Pro or Enterprise Insider build 18305 or later
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS.
  • At least 4GB of RAM (but we recommend using 8GB).
  • At least 1 GB of free disk space (an SSD is advisable).
  • At least 2 CPU cores (four cores with hyperthreading recommended).

How Do You Get Windows SandBox?

As mentioned before, it needs Windows 10 Professional or Enterprise and is not available to Windows 10 Home users.

Ensure Virtualization is Turned On:

Your first task is to ensure that Virtualization is enabled in your system’s BIOS. Usually it is enabled by default, but there is a simple way to check. Press Ctrl+Shift+Esc to fire up the Task Manager, then move to the “Performance” tab. Ensure that the “CPU” category is selected on the left side. On the right, it will say “Virtualization: Enabled.”

If Virtualization is not enabled, you have to enable it in your computer’s BIOS settings before you continue.

Power on Nested Virtualization:

If you have already tested out the Insider build of Windows in a virtual machine and want to test the app there, you need to turn on nested Virtualization.

In this case, open PowerShell and run the command:

Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true

This lets the Windows guest see the virtualization extensions so that the app can use them.

Turn on the Windows Sandbox Feature:

Once you have confirmed that Virtualization is enabled, you need to turn on the Windows Sandbox feature.

  • To do this, first open the Control Panel. Then go to Programs and then to Turn Windows Features On or Off.
  • In the Windows Features window, enable the “Windows Sandbox” checkbox.
  • Click “OK” and then allow your system to restart Windows.

Fire It Up:

The Windows Sandbox option is available in the Start Menu once Windows restarts. Type “Windows Sandbox” into the search bar, or dig through the menu. Then double-click the icon. If it asks, grant it administrative privileges.

A near replica of your current operating system then appears.

The virtual operating system is created dynamically from the main Windows OS, so it runs the same Windows 10 version you use and is always up to date. A traditional VM, by contrast, takes time to update its OS on its own.

How to Configure for Malware Analysis Windows SandBox?

Here is the process to use it. It is very simple; just follow the steps.

  • Open the Start menu.
  • Look for Windows Sandbox, right-click the top result and choose the Run as administrator option.
  • Now right-click the app installer on your device that you want to test and choose the Copy option.
  • Right-click the desktop inside the Windows Sandbox experience and choose the Paste option to transfer the executable.
  • Note that you cannot drag the installer and drop it into Windows Sandbox to transfer files. However, you can download the app files with Microsoft Edge inside the Sandbox.
  • Double-click the installer (.exe, .msi, etc.) to start installing.
  • Follow the directions on screen to finish the installation.
  • After completing the steps, use the untrusted application like any other app. If you want, you can use the Ctrl + Alt + Break (or Pause) keyboard shortcut to enter and exit full-screen mode. To use high contrast mode inside the virtualization experience, press the Shift + Alt + PrintScreen keyboard shortcut.
  • When you finish testing the app, click the X button in the top-right corner, then hit OK to shut it down. As soon as you terminate it, the virtual machine and its contents are permanently deleted from the device. This does not affect the device’s Windows 10 installation.

Open Windows Sandbox:

Now that the app is ready for use, you can open it. Hit the Start button, scroll down the list of apps and open Windows Accessories, or type ‘Sandbox’ into the search field. Then right-click the app and choose the Run as administrator option.

The app opens its window with a new environment. Only the default apps are available here, such as Mail, OneDrive, Microsoft Edge, Microsoft Store, and Photos.

Installing Windows Sandbox Using Control Panel:

If you want to install the app through the Control Panel, you have to enable a specific Windows feature.

  1. Open the Start menu and type appwiz.cpl. The appwiz.cpl option appears in the Start menu; click it to open Programs and Features.
  2. Click the Turn Windows Features on or off link in the menu on the left side of the window.
  3. Scroll the Windows Features dialog box down until you find Windows Sandbox. Select it and then click OK.

As soon as you enable the Windows Sandbox feature, a pop-up window appears. It locates the necessary files and installs them. The installation finishes after a few minutes.

When it is complete, click Restart to reboot the PC.

Installing Windows Sandbox With The Help of PowerShell:

You can also turn on Windows 10 sandbox mode through PowerShell, similarly to using the command line.

  • Open PowerShell as an administrator.
  • Then run the Enable-WindowsOptionalFeature cmdlet (given below) to enable the Windows Sandbox feature. The All parameter tells the cmdlet to install all parent features of the optional feature.

Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online

  • An overlay with a progress bar appears, indicating that the command you entered is running.
  • When prompted, press Enter to restart the PC and apply the changes.
  • You are prompted to restart the computer after enabling Windows Sandbox.
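The following script, added here as an example and not taken from the article, ties together the checks described above (version 1903, Pro/Enterprise edition, virtualization enabled in firmware, cores and RAM) and then runs the same Enable-WindowsOptionalFeature cmdlet. It reads the edition and build from the registry rather than from Settings, and uses build 18362 as the build number of version 1903. Run it from an elevated PowerShell prompt; the -NoRestart switch is an addition that lets you reboot when convenient.

```powershell
# Added example (not from the original article): verify the Windows Sandbox
# prerequisites described above and enable the feature if they are met.
# Run from an elevated PowerShell prompt.

# Edition and build from the registry (build 18362 = version 1903, May 2019 Update).
$ver     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$edition = $ver.EditionID            # e.g. Professional, Enterprise, Core (Home)
$build   = [int]$ver.CurrentBuild    # e.g. 18362

# Hardware: cores, RAM, and whether virtualization is enabled in firmware.
# Win32_Processor reports VirtualizationFirmwareEnabled = False once a hypervisor
# is already running, so also accept HypervisorPresent from Win32_ComputerSystem.
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
$cs  = Get-CimInstance Win32_ComputerSystem
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$virt  = ($cpu.VirtualizationFirmwareEnabled -eq $true) -or ($cs.HypervisorPresent -eq $true)

$checks = [ordered]@{
    'Pro/Enterprise edition'        = $edition -in @('Professional', 'Enterprise')
    'Version 1903 (build 18362)+'   = $build -ge 18362
    'Virtualization enabled (BIOS)' = $virt
    'At least 2 CPU cores'          = $cpu.NumberOfCores -ge 2
    'At least 4 GB RAM'             = $ramGB -ge 4
}

$ok = $true
foreach ($name in $checks.Keys) {
    $pass = $checks[$name]
    Write-Host ('{0,-32} {1}' -f $name, $(if ($pass) { 'OK' } else { 'MISSING' }))
    if (-not $pass) { $ok = $false }
}

if (-not $ok) {
    Write-Warning 'Prerequisites not met; Windows Sandbox cannot be enabled on this machine.'
    return
}

# Enable the optional feature (the cmdlet shown above). The feature is active
# only after the restart that Enable-WindowsOptionalFeature reports as needed.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
if ($feature.State -eq 'Enabled') {
    Write-Host 'Windows Sandbox is already enabled.'
} else {
    $result = Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart
    if ($result.RestartNeeded) { Write-Host 'Restart required to finish enabling Windows Sandbox.' }
}
```

The edition check is the one that matters most in practice: on Windows 10 Home the EditionID is Core and the feature is simply absent, so Enable-WindowsOptionalFeature fails rather than silently doing nothing.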

How Does Sandbox Work?

The Sandbox leverages multiple technologies to create isolated environments.

A dynamic Base Image:

Windows Sandbox creates a sandbox with the help of virtual machines, and each virtual machine needs an OS to work. Rather than requiring a fresh OS installation for every new VM, the app builds a dynamic base image from the host. Every Sandbox is therefore a clean copy of the real host OS, with a clean registry and file system comparable to a fresh OS installation.

Snapshots:

This makes the boot process quicker than booting a whole operating system. The app boots a sandbox only once; after that, it uses snapshots to save the memory and state of the system for subsequent use. The environment is then restored from the saved memory instead of going through another boot procedure.

Kernel-Based Memory Management:

The host can reclaim memory from the sandbox. A direct memory map lets the sandbox use the same memory pages that the host accesses.

Integrated Scheduler:

The host operating system treats the sandbox’s virtual processors like process threads. This means the host OS manages the sandbox like a process, not like a traditional VM.

Graphics:

The app uses hardware-accelerated rendering, but only for GPUs with WDDM version 2.6 and higher. This improves performance and the app’s responsiveness. The app also allocates graphics resources dynamically between the host and the sandbox environments.

Windows Sandbox Architecture:

Dynamically Generated Image:

Windows Sandbox does not use a separate copy of Windows when it boots. Instead, it dynamically creates pointers to the host OS image, so most files are shared with the sandbox environment. Some operating system files cannot be shared, however; for these the app generates clean copies.

The combination of shared (immutable) files and copied (mutable) files forms a complete image that can boot a sandbox environment. The image is packaged and stored as a compressed file before the environment is installed. After the environment is installed, the image consumes about 500 MB of disk space.

Memory Sharing:

As mentioned before, a “direct map” technology lets the host and the sandbox image share the same physical memory pages. This ensures they use less memory without compromising host secrets.

WDDM GPU Virtualization:

The app takes advantage of DirectX and the Windows Display Driver Model (WDDM). These let sandboxed programs compete with each other for GPU resources.

To use this feature, you need a GPU and graphics drivers compatible with WDDM 2.5+.

Battery Pass-Through:

The app is aware of the host operating system’s battery state, which lets it optimize power consumption. This matters mainly on laptops running on battery.

How to Configure:

The app offers simple configuration files that let you customize ten parameters of each sandbox environment. They are supported on Windows 10 build 18342 and newer.

The configuration file is formatted as XML. Files with the .wsb extension are Sandbox configuration files.

The ten customizations achieved with a configuration file are as follows:

Virtualized GPU (vGPU):

This lets you turn the vGPU on or off. Note that if you turn off vGPU, the app uses WARP (software rendering).

Networking:

This lets you turn network access on or off.

Mapped Folders:

Mapped folders let you share host folders with read or write permissions. Do this very carefully, because malware can perform unauthorized actions on any host directory you expose.

Logon command:

A command that is executed when the sandbox starts.

Audio Input:

This shares the host’s microphone input with the Sandbox.

Video Input:

This shares the host’s webcam input with the Sandbox.

Protected Client:

This applies extended security measures to the RDP (Remote Desktop Protocol) session.

Printer Redirection:

This shares host printers with the Sandbox.

Clipboard Redirection:

This shares the host clipboard, letting you paste text and files between the host and the Sandbox.

Memory in MB:

This sets the memory of each Sandbox, in megabytes.
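As an added example (not a configuration shipped with the article or with Windows), the script below generates a .wsb file that sets all ten parameters listed above the way a defender would for looking at a suspicious file: no network, no vGPU, no clipboard, audio, video or printer sharing, Protected Client on, and a single read-only mapped folder holding the sample. The host folder C:\Samples and the memory size are placeholders. The assumption that a mapped folder appears on the sandbox desktop under C:\Users\WDAGUtilityAccount\Desktop\<folder name> reflects the default mapping; adjust the logon command if your build places it elsewhere.

```powershell
# Added example (not from the original article): generate a locked-down .wsb
# configuration for examining a suspicious file, then launch it.
# Placeholders: the sample lives in C:\Samples on the host.

$hostSamples    = 'C:\Samples'                                    # host folder containing the file under test
$sandboxSamples = 'C:\Users\WDAGUtilityAccount\Desktop\Samples'   # assumed default location of the mapped folder inside the sandbox
$wsbPath        = Join-Path $env:USERPROFILE 'Desktop\MalwareAnalysis.wsb'

# Each element below is one of the ten settings described above.
$config = @"
<Configuration>
  <VGpu>Disable</VGpu>                      <!-- software rendering (WARP); smaller attack surface -->
  <Networking>Disable</Networking>          <!-- sample cannot reach the Internet or the LAN -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostSamples</HostFolder>
      <ReadOnly>true</ReadOnly>             <!-- sandbox cannot write back into the host folder -->
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe $sandboxSamples</Command>   <!-- only opens the folder; nothing runs automatically -->
  </LogonCommand>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <ProtectedClient>Enable</ProtectedClient>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ClipboardRedirection>Disable</ClipboardRedirection>   <!-- no accidental paste between sample and host -->
  <MemoryInMB>4096</MemoryInMB>
</Configuration>
"@

# Make sure the host folder exists before the sandbox tries to map it.
if (-not (Test-Path $hostSamples)) {
    New-Item -ItemType Directory -Path $hostSamples | Out-Null
}

# Write the file as UTF-8 without a byte-order mark.
[System.IO.File]::WriteAllText($wsbPath, $config, [System.Text.UTF8Encoding]::new($false))
Write-Host "Wrote $wsbPath"

# .wsb files are associated with Windows Sandbox; opening one starts the sandbox with this configuration.
Start-Process -FilePath $wsbPath
```

Keep the mapped folder read-only and copy the sample into the sandbox before running it: anything the sample creates then lives only in the disposable image, and the host copy of the folder cannot be altered or encrypted from inside the sandbox. Turning networking back on is the one change to weigh carefully, since a networked sandbox can still reach other machines on your LAN.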

How to Adapt Sandbox for Everyday Use:

It can work as a bonus layer of security for those who poke around the web. Windows 10 also includes a hidden secure browser, Windows Device Application Guard, but it only lets you download files into its own secure environment. Windows Sandbox lets you copy files between the Sandbox and the computer.

Note that browsers like Microsoft Edge and Google Chrome come with their own sandboxing to protect the computer. But some people are reluctant to open a particular site at all. They can use Edge inside the Sandbox, creating a sort of “sandbox within a Sandbox,” and then open the site.

The app has no access to what you view, but your internet provider still has a theoretical record of all the sites you visit, so a VPN can be useful here. When you destroy the Sandbox, all browsing records are deleted. Downloaded something you are not too sure about? Test it there to find out whether it is malicious.

How you use the Sandbox is entirely up to you. Note that third-party sandbox apps are also available, such as the free and paid versions of Sandboxie, ShadeSandbox, and BitBox (designed for browsing). Each app comes with its own benefits and drawbacks.

Sandbox Apps for Windows 10:

BitBox (Browser in the Box):

The app’s full name is “Browser in the Box.” It lets you use two different browsers, Chrome and Firefox. It is designed primarily for web browsing.

It is much like a VirtualBox instance of Linux designed specifically for browsing, which means it needs more memory than the other options on this list.

You can easily download files to the actual computer or laptop using the application; whether you set it up to allow that or prevent it is up to you. It can also disable your microphone and monitor all host-BitBox interactions.

BufferZone:

This one is an endpoint sandbox tool. If you are about to do something on the Internet that may be a bit dangerous to your computer’s security, or someone hands you a USB stick you don’t entirely trust (that happens to everyone, right?), it may be a good idea to run those through BufferZone.

You can add different programs to run through BufferZone, including every major web browser.

You don’t need much tinkering to get it up and running, which is one of the benefits of the tool. It keeps risky activities in a secure Virtual Zone, making it impossible for web-based malicious software to harm whatever computer or laptop you use. The app also lets you run in “read-only” mode.

Sandboxie:

It is a very popular app among Sandbox users. The tool is very lightweight and free to use. With it, you can install and run almost any Windows software. You can also run programs that are already installed inside the tool: choose Sandbox, select the Default Box option, then choose Run Sandboxed and then the Run Web browser option. To run another app, select “Run Any Program.”

When you run a program, a thick yellow border appears around its window. This border indicates that the program is running inside the sandbox environment. The app offers free and paid versions. The free version lacks some useful features such as forced programs and the ability to run multiple sandboxes. For a regular home user, however, the free version is sufficient.

SHADE Sandbox:

The app is well known and free to use, with an easy-to-use interface. If you are a beginner, the tool is a good choice.

You simply drag an app and drop it into the Shade Sandbox window. The next time you launch that app, it automatically runs there.

With this tool, all browsing history, temporary files, cookies, Windows registry changes, system files, etc., are isolated. Downloaded files are stored in the Virtual Downloads folder, which you can access from within the Shade interface. It is an ideal solution for people who want an app with an easier UI.

Toolwiz Time Freeze:

Toolwiz Time Freeze works entirely differently from the other apps. When you install it, it generates a copy of the entire system settings and files and saves the state of the system. When you use it for testing, you only need to reboot the system afterwards, and the saved state is restored automatically. If you want to test a program thoroughly with no limitations, it is a good option. But make sure that you don’t make any changes to the host OS.

Conclusion:

Windows 10 Sandbox mode is a built-in way to quickly bring up isolated Windows instances to test untrusted software. Users don’t need any additional software, which makes it simple to set up.

Frequently Asked Questions: 

  • Is Windows Sandbox safe?

It protects your device from malware. If you were to run a piece of ransomware in a sandbox, the files inside the Sandbox would probably be encrypted, but your Operating System would remain untouched.

  • Is there a Sandbox in Windows 10?

Microsoft introduced it with the Windows 10 May 2019 Update. It provides a virtual environment.

  • Can you download Windows sandbox?

There is a batch file that can be run on Windows 10 Home devices. It meets all the requirements needed to unlock the app on the system. You can download the file from the Deskmodder website, unpack the archive and double-click it.

About the author

prodigitalweb