Can Microsoft’s Windows Sandbox feature be used to analyse malware?

Microsoft recently released a new feature of their Windows 10 operating system called “Windows Sandbox” as a preview to the Windows Insider program. Windows Sandbox allows users to launch a secure virtual instance of Windows 10 within their existing environment to visit websites, test new apps or work with files. Microsoft describes its newest feature as follows:

Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.

A malware analysis environment needs to meet the following requirements:

  • Non-persistence
    The environment needs to be in pristine condition at every launch. Changes need to be discarded after analysis has been completed.
  • Isolation
    Malware must not be able to escape the analysis environment.
  • Rich tool set
    Applications required by the malware analyst need to be pre-installed in the environment.
  • Disabled malware detection
    Active malware detection will hamper the analysis.

Non-persistence

A malware analysis environment based on Windows usually consists of a virtual machine running on a hypervisor such as Microsoft’s own Hyper-V or VirtualBox. The virtual machine contains an installation of Windows, along with a set of tools the analyst has installed previously. Before running any malware, a snapshot of the virtual machine is created. After analysis, the snapshot along with the malware is deleted. A drawback of this virtual-machine-based solution is that the guest operating system always needs to be kept up to date separately from the host operating system.
Windows Sandbox builds on Microsoft’s Windows Container technology. At its core, it is a 100 megabyte dynamic base image which, when launched, will expand to a full Windows 10 installation. The files required to run the virtual operating system exist only on the host but are linked into the sandbox. This way, the sandbox will always have the same version as the host operating system. If the host is kept up to date, so is the sandbox.

The dynamic image contains links to the host operating system. Credit: Microsoft.com

As soon as the sandbox is closed, it is immediately destroyed.

Isolation

Malware analysis needs to be conducted in an isolated environment. Most hypervisors can be configured in a way that disables any communication between the guest and the host or the network. Windows Sandbox uses configuration files to configure the environment. Options like network access and access to local folders on the host can be configured. It is even possible to configure access to local folders as read-only, as a way to transport files into the sandbox while preventing malware from writing to the same folder. Unfortunately, it is currently not possible to disable access to the clipboard, as this is the designated method of transporting files between the sandbox and the host. Malware might use this channel to escape the sandbox.

The following configuration file disables networking.
<Configuration>
 <Networking>Disable</Networking>
</Configuration>

Configuration files have a *.wsb file extension, which is assigned to the Windows Sandbox feature. When double-clicking a .wsb file, Windows Sandbox is started with the respective configuration, which is very handy when working with different configuration files.

Tool set

A malware analysis environment needs a rich set of tools that allow the analyst to dismantle the malware and inspect its components, or to observe the malware while it is running. Every analyst has his or her own favorite set of tools, and many recommendations exist in the blogosphere. To determine whether Windows Sandbox is a suitable malware analysis environment, however, all tools can be divided into two categories: tools which do not need to be installed (portable apps) and tools which need to be installed (installed apps).
Here is a very short list of examples from both categories:
Portable apps
Installable apps


Portable apps are easy to provide in the sandbox. Once downloaded to the host machine, the folder where the downloaded apps reside can be mounted as a read-only folder into the sandbox by adding the following lines to the configuration file:
<Configuration>
 <Networking>Disable</Networking>
 <MappedFolders>
  <MappedFolder>
   <HostFolder>C:\MalwareAnalysis</HostFolder>
   <ReadOnly>true</ReadOnly>
  </MappedFolder>
 </MappedFolders>
</Configuration>

A local folder is mounted into the sandbox and placed on the desktop.

Installable apps are more difficult to provide, as they need to be installed every time the sandbox is started. Thankfully, Windows Sandbox allows the use of logon commands in the configuration files. That way, even complex tasks can be automated. A PowerShell script residing in a read-only mapped folder does the job perfectly when configured as a logon command and launched when the sandbox starts.
The following PowerShell script will install Fiddler silently on a machine:
# Install Fiddler silently from the read-only mapped folder on the sandbox desktop
$program = "C:\Users\WDAGUtilityAccount\Desktop\MalwareAnalysis\Fiddler\FiddlerSetup.exe"
$arguments = "/S"
# -Wait keeps the script from finishing before the installer has completed
Start-Process -FilePath $program -ArgumentList $arguments -Wait
This addition to the configuration file will launch the PowerShell script within the sandbox:
<Configuration>
 <Networking>Disable</Networking>
 <MappedFolders>
  <MappedFolder>
   <HostFolder>C:\MalwareAnalysis</HostFolder>
   <ReadOnly>true</ReadOnly>
  </MappedFolder>
 </MappedFolders>
 <LogonCommand>
  <Command>powershell.exe -executionpolicy bypass -file "C:\Users\WDAGUtilityAccount\Desktop\MalwareAnalysis\install-tools.ps1"</Command>
 </LogonCommand>
</Configuration>

Fiddler was installed successfully.
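As an added example (not the post's own install-tools.ps1), the logon script can be extended to install several tools in sequence from the read-only mapped folder and record whether each installer succeeded. The Fiddler entry matches the post; the second tool entry and the log file path are assumed placeholders:

```powershell
# install-tools.ps1 (added example): runs inside Windows Sandbox as the logon
# command. Installs each tool listed below from the read-only mapped folder on
# the sandbox desktop, one after another, and writes one result line per tool
# to a log file on the sandbox desktop.

$toolRoot = "C:\Users\WDAGUtilityAccount\Desktop\MalwareAnalysis"
$log      = "C:\Users\WDAGUtilityAccount\Desktop\install-tools.log"   # assumed path

# Installer path relative to $toolRoot plus the silent-install switch it expects.
# "ExampleTool" is a placeholder; replace it with the installers you actually use.
$tools = @(
    @{ Name = "Fiddler";     File = "Fiddler\FiddlerSetup.exe"; Args = "/S" }
    @{ Name = "ExampleTool"; File = "ExampleTool\setup.exe";    Args = "/quiet" }   # placeholder
)

function Install-Tool {
    param([hashtable]$Tool)

    $path = Join-Path $toolRoot $Tool.File
    if (-not (Test-Path $path)) {
        return "MISSING  $($Tool.Name): $path not found"
    }

    # -Wait blocks until the installer exits, so installers run one at a time
    # and the exit code is available for checking via -PassThru.
    $proc = Start-Process -FilePath $path -ArgumentList $Tool.Args -Wait -PassThru
    if ($proc.ExitCode -eq 0) {
        return "OK       $($Tool.Name) (exit code 0)"
    }
    return "FAILED   $($Tool.Name) (exit code $($proc.ExitCode))"
}

$results = foreach ($tool in $tools) { Install-Tool -Tool $tool }

# The mapped folder is read-only, so the log is written to the sandbox desktop
# instead of into the MalwareAnalysis folder. It disappears with the sandbox.
$results | Set-Content -Path $log
```

Because the sandbox is destroyed on close, the log only exists while the sandbox is running; check it after logon to confirm every tool was installed before starting an analysis.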

Disabled malware protection

This one is a no-brainer. In Windows Sandbox, Windows Defender is turned off by default.

Windows Defender is turned off by default.

Closing thoughts

The answer to the titular question is definitively: it depends.

Windows Sandbox is indeed lightweight and free. When it comes out of preview, it will be part of the Professional and Enterprise editions of Windows 10. While it is not as feature-rich as professional sandboxes such as Cuckoo or Joe Sandbox, with a little effort towards automation using its scripting support, it can definitely do the job.

One thing to keep in mind is the preconfigured access to the clipboard. I do hope that access to the clipboard can be configured in the same manner that access to local folders can when it comes out of preview. This would give malware analysts complete freedom when deciding how to transport malware into the sandbox.
