Windows Sandbox: First Thoughts
Taking advantage of native virtualization in the form of Hyper-V, Microsoft added the Sandbox feature to Windows 10, which provides a mechanism to run software in an isolated environment.
This is a great way to test programs and configurations in a clean environment, but not a good way to determine whether an unknown file is safe, beyond "works" vs. "doesn't work".
That's the only real issue with Windows Sandbox: It's dangerous to advertise it as a security feature. It's a tool that can help with evaluations, but it's easy to fall into the trap of deeming something safe to run.
The announcement is on the Windows Kernel blog here.
What Is Windows Sandbox
Windows Sandbox creates a clean environment in which to test potentially harmful files: it has Internet access, but no access to the local network or to the host's files. According to Microsoft's announcement, Sandbox is
an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.
In testing, that's exactly the case. After installation, I copied a file to the Sandbox, ran it, then closed the Sandbox and noted that the Windows install reverted to a blank installation.
This image is taken from Microsoft's announcement on the kernel blog:
Use Case
The simplest use case is testing a program to see if it works as intended or installs correctly. It's a safe way to play with new software without risk to the programs you rely on to get work done.
But more frequently, I want to know whether an add-in is going to break the associated application or how a new program will interact with everything else that I have installed.
Unfortunately, existing programs aren't available inside of the Sandbox, so there's no way to try out that new application to see how it interacts with everything else.
Attachment Testing
This feature has the potential to create a false sense of security in the form of "I tested this PDF in the Sandbox and didn't see anything, it's OK to open it on my real desktop now".
The lack of applications is the first hurdle: there's no good way to see what really happens to the machine when you open that Word document or PDF, because the application that would open it isn't available when the Sandbox launches.
More importantly, "nothing visibly happened" isn't a guarantee that the download or attachment was safe. It might just mean nothing has happened yet, or that nothing is going to occur until six hours and two reboots from now.
Recommendations
Overall, this is a great addition to Windows. As the feature matures, I suspect it will gain the ability to persist state, or at least work with the applications installed in the primary OS partition. The challenge is to remember to discuss it in terms of value for testing and de-emphasize the "test a PDF that came into my mailbox" use case.
In summary:
Do
- Test new application installs to see what changes they make to Windows
- Try new applications to see if they work
Don't
- Rely on Sandbox as a security feature
- Consider applications or files safe after observing "no changes" inside of Sandbox
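The first "Do" item asks what an installer changes, and the "nothing visibly happened" caveat earlier is about changes that only take effect later. As an added example that is not part of the original post, the following PowerShell script snapshots the places a later action would have to be registered (Run keys, services, scheduled tasks) plus the usual program and profile folders, runs an installer, snapshots again and reports the difference. It assumes it is run inside Windows Sandbox under Windows PowerShell 5.1 with only built-in cmdlets; the script name, the installer path on the Sandbox desktop and the list of watched folders are assumptions, not anything from the post.

```powershell
# Added example, not from the original post: snapshot persistence-relevant
# state inside Windows Sandbox, run an installer, snapshot again, and diff.
# Run it inside the Sandbox, for example:
#   .\Compare-InstallState.ps1 -Installer 'C:\Users\WDAGUtilityAccount\Desktop\setup.exe'
# The script name, installer path and watched directories are assumptions.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$Installer,
    [string]$Arguments = '',
    [string[]]$WatchDirs = @(
        $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
        $env:LOCALAPPDATA, $env:APPDATA
    ),
    [string]$Report = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'install-diff.txt')
)

function Get-StateSnapshot {
    param([string[]]$Dirs)

    # Files under the watched roots: path, size and last write time, so a
    # modified file shows up as a change and not only a brand-new one.
    $files = foreach ($d in $Dirs) {
        if ($d -and (Test-Path -LiteralPath $d)) {
            Get-ChildItem -LiteralPath $d -Recurse -File -Force -ErrorAction SilentlyContinue |
                ForEach-Object { "FILE|$($_.FullName)|$($_.Length)|$($_.LastWriteTimeUtc.Ticks)" }
        }
    }

    # Common autostart locations in both hives.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $run = foreach ($k in $runKeys) {
        if (Test-Path -LiteralPath $k) {
            $props = Get-ItemProperty -LiteralPath $k
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
                if ($p.Name -notlike 'PS*') { "RUN|$k|$($p.Name)|$($p.Value)" }
            }
        }
    }

    # Services and scheduled tasks: name, start mode / state and binary path.
    $services = Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { "SVC|$($_.Name)|$($_.StartMode)|$($_.PathName)" }
    $tasks = Get-ScheduledTask |
        ForEach-Object { "TASK|$($_.TaskPath)$($_.TaskName)|$($_.State)" }

    return @($files) + @($run) + @($services) + @($tasks)
}

$before = Get-StateSnapshot -Dirs $WatchDirs

# Start-Process rejects an empty -ArgumentList, so only pass it when set.
$startArgs = @{ FilePath = $Installer; PassThru = $true; Wait = $true }
if ($Arguments) { $startArgs['ArgumentList'] = $Arguments }
$proc = Start-Process @startArgs
Write-Host "Installer exited with code $($proc.ExitCode)"

$after = Get-StateSnapshot -Dirs $WatchDirs

# Compare-Object marks lines only in $after with '=>' and only in $before
# with '<='. A modified file appears once on each side (old and new stamp).
$diff    = Compare-Object -ReferenceObject $before -DifferenceObject $after
$added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
$removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)

$lines = @()
foreach ($kind in 'RUN', 'SVC', 'TASK', 'FILE') {
    $hits = @($added | Where-Object { $_ -like "$kind|*" })
    if ($hits.Count -gt 0) {
        $lines += "[+] New or changed $kind entries ($($hits.Count)):"
        $lines += $hits | ForEach-Object { "    $_" }
    }
}
if ($removed.Count -gt 0) {
    $lines += "[-] Entries no longer present ($($removed.Count)):"
    $lines += $removed | ForEach-Object { "    $_" }
}
if ($lines.Count -eq 0) { $lines = @('No changes observed in the watched locations.') }

$lines | Set-Content -LiteralPath $Report -Encoding UTF8
$lines | Write-Host
Write-Host "`nReport written to $Report (copy it out before closing the Sandbox)."
```

The report is written to the Sandbox desktop because everything inside the Sandbox is discarded when it closes, so the text has to be copied out first. Run keys, services and scheduled tasks are listed before file changes because those are the locations where a "six hours and two reboots from now" action would have to be registered to survive a reboot; a file-only diff misses them. In line with the post's "Don't" list, an empty report means only that nothing changed in the watched locations during this run, not that the installer is safe.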
Test It Yourself
The feature is available in Insider build 18305.1000. If you're planning to test it, there's a current issue with KB4483214 that prevents Sandbox from opening. Until that's resolved, you'll need to remove that KB to use Sandbox.
Awesome article. Haven’t heard of this... going to be up all night playing in the sandbox!