Understanding Antivirus Sandbox limitations

The most advanced antiviruses fight against malware with different techniques, like signature-based detection and heuristic analysis. In case those two are bypassed by the malware, there is still the Sandbox environment which executes the malware in a safe environment in order to detect suspicious behaviours.

Let us now suppose that a malware in some way fools the AV Sandbox, avoiding running the malicious code.

At this stage, is the malware the winner by executing the malicious code in the system?

Is the AV capable of doing something outside the Sandbox, or is it impossible to detect the malware at this stage?

What’s the best way to present a sandbox world to your players?

In my sessions, I let my players play in a sand-box world. There is a main story that I always plan that they could follow, and I have no problems with them doing so.
However, I would like my players to fully realise this is a big, breathing world that they can fully explore however they like.

I have already shown them the map of the whole globe, given some standard lore about important places and told them that they can go wherever they like.
I’m hoping to be able to let go of the main story and let them wander around the world, but I’m afraid they’ll remain passive until I throw some encounters towards them, instead of them looking for adventure.

The party is currently level 6, and I would prefer it most if they would gradually expand their influence over the world.

What would be a good way to achieve this? How can I best present a sand-box world to my party, who’ve never done something similar before?

We’re playing D&D 3.5 if that changes anyone’s answer.

Is Windows Sandbox a viable alternative to conventional VM solutions considering its design?

The idea of having a fast, disposable VM at the palm of my hand appeals to me very much. It makes adding an extra layer of security to anything I want to do so easy – just launch the sandbox application in a matter of seconds and you’re done. Of course, that is considering the VM actually does the job it’s supposed to do…

A little disclaimer beforehand – I’ve read the article Beware the perils of Windows Sandbox at Magnitude8, describing how the Windows Sandbox comes with a NAT pre-enabled and thus any malware running on the guest would still get a direct access to your intranet, which is already a large problem. But for the purpose of this question, let us just consider the host-guest scenarios.

Windows Sandbox claims to “achieve a combination of security, density, and performance that isn’t available in traditional VMs”, by leveraging a different approach to memory and disk management. If I understand things correctly, everything that in theory can be safely shared between the host and the guest, gets shared. According to the official documentation, the Sandbox shares both the host’s immutable system files, as well as the physical memory pages.

Despite that, Microsoft seems to remain confident that their solution is secure, as implied by one of the bullet points mentioned in the Sandbox overview:

Secure: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.

This obviously raises a lot of questions, because at first glance, all this resource sharing should increase the attack surface greatly, leaving more space for exploits to be found. Also, even the most sophisticated technology, which changes only the implementation and not the design, does ultimately make the discovery of an exploit only more time and resource consuming, but not less possible, doesn’t it?

So, my question is

Would you consider Windows Sandbox to be a viable alternative to conventional VM solutions in terms of security, or do the shortcuts used to achieve the performance undermine the VM’s core principles too much? Or am I just not understanding the technology and all of what the Sandbox is doing is technically safe?

An extra question: Does the situation change when we’re talking about a web-based attack, such as opening a malicious site in a browser from within the Sandbox, or does it come down to the same situation as running an infected executable? (disregarding the extra layer of sandboxing done in the browser itself)
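
The pre-enabled networking and the host-guest sharing discussed in this question correspond to settings in a Windows Sandbox configuration (.wsb) file. The following is an added example, not part of the original post or of Microsoft's documentation; the host folder path is a placeholder.

```xml
<Configuration>
  <!-- Networking is on unless disabled here; Disable removes the guest's
       path to the host's network and intranet. -->
  <Networking>Disable</Networking>

  <!-- Do not share the host GPU with the guest; rendering falls back to
       software inside the sandbox. -->
  <VGpu>Disable</VGpu>

  <!-- Close the host-guest data channels that are not needed for the task. -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>

  <!-- Apply extra hardening to the session that connects host and sandbox. -->
  <ProtectedClient>Enable</ProtectedClient>

  <!-- Expose a single host folder, read-only, so the guest can read its
       input but cannot write back to the host (placeholder path). -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\SandboxInput</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Input</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
```

Opening the saved .wsb file launches the sandbox with these settings. They narrow the configurable sharing channels only; the shared system files and memory pages the question asks about are part of the design and are not controlled here.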

Should I activate Windows 10 and/or Office for a sandbox system?

I’m building a Windows 10 malware analysis sandbox. I’m debating activating Windows or not. I can think of arguments for both:

  • For activation: Malware might check the Windows activation status
  • Against activation: If I connect this system to a dedicated internet connection, I’ll need to disable the Windows Update services, which could also be a tell for malware

What approach do you recommend?

Why not sandbox websites instead of using Same-Origin-Policy?

Why do browsers implement a Same-Origin-Policy (SOP) to prevent open websites in the browser from executing scripts that may access / modify data of other open websites in the used browser?

Another more ‘usual’ approach would be to simply sandbox each open website, i.e. every website ‘thinks’ it is the only website in the browser. This approach is in my opinion more familiar to prevent an attack of e.g. evil.com accessing data from bank.com.

Is there any advantage in using SOP with respect to sandboxing?

What’s the safest tool for running not safe soft – VirtualBox vs Windows Sandbox vs Hyper-V

I’d want to ask what’s the safest environment to run potentially not safe software?

I’m aware that this question may be very tricky, because each of those may have its flaws, but generally speaking which of those 3 sounds like the safest option?

Hyper-V – Windows 10 as host & guest

Virtualbox – Windows 10 as host & guest

Windows Sandbox?

Ubuntu 19.10 – How to sandbox Chromium installed via SNAP

In Ubuntu 19.04, I’ve installed firejail, and I’ve also installed Chromium from the apt repository.

When I’m browsing the web, I see no reason for my web browser to have access to every file on my file system, so I run Chromium like this:

firejail chromium-browser 

Doing it this way, Chromium only has access to the Downloads folder.

In Ubuntu 19.10, Chromium is no longer being installed via the apt repository. Instead, it is installed from the snap repository.

Firejail cannot sandbox the Chromium browser if Chromium was installed via snap.

I was hoping that snap itself would allow me to install Chromium in a manner where I can control the degree of sandbox isolation. However, it appears that the developer of the snap package has total control of this, and I cannot override their decisions to increase the isolation-level.

How can I achieve the same level of sandboxing as before, when running Chromium via a snap installation?