CIO

Windows 10 new sandbox: soon you can safely run untrusted apps

  • Liam Tung (CSO Online)
  • 20 December, 2018 08:36

Microsoft has announced a new feature called Windows Sandbox, a small Windows environment dedicated to running potentially dodgy apps that can’t touch the host operating system or the kernel. 

The feature arrived in the just released Windows 10 Insider preview of 19H1, the next version of Windows 10 following the October 2018 Update, or version 1809. 

Windows Insiders in the Fast ring can try out the Windows Sandbox feature on certain hardware by installing 19H1 build 18305. 

Windows Sandbox has a simple but potentially very useful proposition: run any software without worrying about potential malware persisting on the device. The feature could be a time-saver since it obviates setting up a virtual machine to assess untrusted software.

“Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all of its files and state are permanently deleted,” Microsoft’s Dona Sarker and Brandon LeBlanc explained

Microsoft and Google have long used sandbox restrictions in their respective Edge and Chrome browsers to limit the ability of attackers to exploit vulnerabilities in other software, like Adobe Flash, to install malware on the host operating system. 

The new feature lowers the barrier to using hardware-based virtualization to test potential malware, leveraging Microsoft’s Hyper-V hypervisor to run a separate kernel that isolates Windows Sandbox from the host machine. 

However it’s still a feature for advanced users that requires the machine is based on AMD64 architecture and that virtualization capabilities have been enabled in BIOS. It also requires users have Windows 10 Pro or Enterprise editions of Windows 10. 

Microsoft describes Windows Sandbox as a “lightweight virtual machine” that needs an OS image to boot from. A key advantage of using it is that users don’t need to download a virtual hard disk normally required for a virtual machine. The setup relies on a copy of an installed version of Windows 10. 

On physical hardware, after enabling virtualization in BIOS, users will need some PowerShell commands to expose a Windows Sandbox and then check it. After this, the user will be able to see Windows Sandbox in the Start menu, run it and then copy the suspect executable files from the host machine. They’ll be able to run the executable in the sandbox to see what happens. After closing the Windows Sandbox contained application, the sandbox’s contents will vanish. 

Microsoft notes there are a few bugs in the current implementation, including "significant CPU and disk activity for a minute or so" after installation and every servicing event, slugging Start menu response times, a lack of support for installers that require reboot, and that it doesn't work so well with high resolution screens or multi-display setups.

To achieve a clean Windows environment that can handle some file changes, Microsoft built a “dynamic base image”, a build of Windows that has fresh copies of files that can change, but links to files in the operating system image that cannot change.   

“We want to always present a clean environment, but the challenge is that some operating system files can change. Our solution is to construct what we refer to as “dynamic base image”: an operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host. The majority of the files are links (immutable files) and that's why the small size (~100MB) for a full operating system. We call this instance the “base image” for Windows Sandbox, using Windows Container parlance,” explains Hari Pulapaka Microsoft