Sandbox, advantages and limitations for detecting new malware

by Stephane

Sandboxing and how evading malware bypasses it

In recent years, viruses and malware have been appearing in exponential numbers. Every day, cybercriminals develop malware and new techniques to infiltrate servers, websites and e-mail accounts.

The history of malware is both rich and complex! Thanks to technological progress, the creation of a computer virus is now within everyone’s reach. What’s more, many of the IT tools long used to ensure cybersecurity are now being exploited by hackers to carry out mass attacks.

You’ve probably heard of sandboxes. The term is borrowed from the everyday word “sandbox”. In IT security it refers to a technique based on isolating software from the host operating system.

The aim of this technique is to detect cyber attacks. This procedure can also be used to create a secure environment for testing software behavior. The term “sandboxing” refers to the protection of software or operating systems from malicious software.

Despite considerable progress in computer security, cybercriminals have managed to create malware capable of detecting sandboxed environments and causing damage.

In concrete terms, what is sandboxing?

The term “sandboxing” is often used by IT security professionals to designate the creation of a secure environment for developing and testing software, usually in an automated fashion.

This environment is used by analysts and cybersecurity researchers to block malware.

The sandbox environment can also be used to test malware and anticipate risks by implementing a range of preventive actions. Potentially dangerous applications can be run safely via the sandbox and on a virtual machine. This process can be automated: execute a file in a virtual environment, then analyze its behavior and interactions with the outside world.

Some people also use the sandbox to surf the web safely. There are even antivirus products equipped with sandboxes to provide users with even greater computer security. In this case, the environment is isolated from the system.

The sandbox therefore adds an extra layer of security.

Despite the efficiency and advantages of the sandbox, cybercriminals have managed to create malware capable of evading this level of security. This is known as “sandbox-evading malware”.

What is sandbox-evading malware?

This malware is able to detect the nature of the environment used: real PC, sandbox or virtual machine. This type of malware executes its code only when outside a secure environment. The first malware capable of escaping the sandbox appeared in the late 1980s.

New malware has the ability to avoid detection by sandboxes. Some, such as “Dyre”, even count the number of processors present to guard against running in a sandbox. This malware is increasingly effective and uses new techniques to detect its environment.

Attacks via this type of malware have been on the increase in recent years. These include the 2016 attacks with Locky ransomware, also the 2018 attacks via RogueRobin and the 2019 attack with Hawkball.

What methods does malware use to escape a sandbox?

This malware uses different techniques to detect the nature of the environment in which it runs before attacking hardware, software or web information (passwords, e-mail, bank accounts, etc.).

This type of malware is capable of analyzing the nature of interactions between the user and the system (mouse clicks, scrolling, copy/paste, keyboard use, etc.) as well as the specifics of the environment in which it exists (processor characteristics, graphics card, number of CPU cores running, etc.). Once all the information has been collected, the malware decides whether or not to execute its code and cause damage.

How to detect sandbox-evading malware?

Detection of these malicious programs depends mainly on their mode of operation. Would you like to protect yourself against malware and enjoy optimum protection? As already mentioned, this malware is programmed to detect system specifics and thus distinguish between the sandbox, the virtual machine and the real system.
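One way an analyst can turn the “mode of operation” into a detection is to read the sandbox’s own API trace and look for the probing behaviour described above (CPU count, RAM, uptime, cursor polling, long sleeps) followed by an exit with no real activity. The script below is an added example and not code from the article or from Altospam; the trace format (“api -> result”, one call per line), the two traces and the thresholds are constructed for the illustration and would be tuned to a real sandbox’s report format.

```python
"""Spot sandbox-aware behaviour in a sandbox's API trace.

Added example, not part of the article. The trace format ("<api> -> <result>", one call
per line) and the two traces below are constructed; the thresholds are assumptions an
analyst would tune for their own sandbox.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed trace of a sample that probes the environment and then gives up.
EVASIVE_TRACE = """\
GetSystemInfo -> dwNumberOfProcessors=1
GlobalMemoryStatusEx -> ullTotalPhys=1073741824
GetTickCount -> 38000
GetCursorPos -> x=0,y=0
Sleep -> 300000
GetCursorPos -> x=0,y=0
ExitProcess -> 0
"""

# Constructed trace of a sample that simply does its job.
ORDINARY_TRACE = """\
GetSystemInfo -> dwNumberOfProcessors=8
CreateFileW -> C:\\Users\\user\\Documents\\report.docx
WriteFile -> 4096
ExitProcess -> 0
"""

LINE_RE = re.compile(r"^(?P<api>\w+)\s*->\s*(?P<result>.*)$")
# APIs that show the sample actually did something beyond looking around (assumed list).
ACTION_APIS = {"CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW", "connect", "InternetOpenUrlW"}

# Thresholds (assumptions): values a real user's machine would normally exceed.
MIN_CPUS, MIN_RAM_BYTES, MIN_UPTIME_MS, LONG_SLEEP_MS = 2, 2 * 1024**3, 5 * 60 * 1000, 60 * 1000


@dataclass
class TraceFinding:
    indicators: list[str] = field(default_factory=list)
    did_work: bool = False

    @property
    def verdict(self) -> str:
        if len(self.indicators) >= 2 and not self.did_work:
            return "likely sandbox-aware: probed the environment and exited without acting"
        if len(self.indicators) >= 2:
            return "probed the environment but still ran"
        return "no evasion indicators"


def _int_after(result: str, key: str) -> int | None:
    """Extract the integer following 'key=' in a result string, or None."""
    m = re.search(rf"{re.escape(key)}=(\d+)", result)
    return int(m.group(1)) if m else None


def analyze_trace(trace: str) -> TraceFinding:
    """Walk the trace once, collecting environment probes and signs of real activity."""
    finding = TraceFinding()
    cursor_reads: list[str] = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        api, result = m.group("api"), m.group("result").strip()
        if api == "GetSystemInfo":
            cpus = _int_after(result, "dwNumberOfProcessors")
            if cpus is not None and cpus < MIN_CPUS:
                finding.indicators.append(f"queried CPU count and saw {cpus}")
        elif api == "GlobalMemoryStatusEx":
            ram = _int_after(result, "ullTotalPhys")
            if ram is not None and ram < MIN_RAM_BYTES:
                finding.indicators.append(f"queried RAM and saw {ram // 1024**2} MiB")
        elif api == "GetTickCount" and result.isdigit() and int(result) < MIN_UPTIME_MS:
            finding.indicators.append(f"queried uptime and saw {int(result) // 1000} s")
        elif api == "GetCursorPos":
            cursor_reads.append(result)  # evaluated after the loop: did the cursor ever move?
        elif api == "Sleep" and result.isdigit() and int(result) >= LONG_SLEEP_MS:
            finding.indicators.append(f"stalled with a {int(result) // 1000} s sleep")
        elif api in ACTION_APIS:
            finding.did_work = True
    if len(cursor_reads) >= 2 and len(set(cursor_reads)) == 1:
        finding.indicators.append("polled the cursor repeatedly and saw no movement")
    return finding


if __name__ == "__main__":
    for label, trace in (("evasive", EVASIVE_TRACE), ("ordinary", ORDINARY_TRACE)):
        f = analyze_trace(trace)
        print(f"{label}: {f.verdict}")
        for ind in f.indicators:
            print("  -", ind)
```

A sample that exits after two or more such probes without touching a file, a registry key or the network is worth a second run on a hardened sandbox (more cores, more RAM, longer uptime, simulated user input), which is exactly where the indicators list tells the analyst what to change.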

Installing a sandbox-based antivirus is a good way of protecting yourself, but it must be used in conjunction with a signature-based system such as conventional antivirus software. As is often the case in IT security, it’s the complementarity of technologies that enables more detailed analysis and ensures greater security.

It is the combined action of different detection techniques (dictionaries, hashes, heuristic analysis, behavioral analysis, sandboxing, etc.), using various methods and data sources, that will ensure the greatest relevance of your antivirus protection.
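To make the complementarity concrete, the following added example (not code from the article or from Altospam) combines three of the techniques named above, a hash list, a static heuristic and the behaviours reported by a sandbox run, into one verdict. Every hash, rule, weight and sample file is constructed for the illustration; the point it shows is that a new sample missed by the hash list is still caught on behaviour, and a sample that stayed quiet in the sandbox is still caught on static heuristics.

```python
"""Layered verdict: hash list + static heuristics + sandbox behaviour.

Added example, not part of the article. Hashes, rules, weights and samples are constructed;
none of them is a real indicator of compromise.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Layer 1: signature/hash list. The entry is computed from a constructed byte string so the
# example carries no real hash.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}

# Layer 3: behaviours a sandbox report might list, with constructed weights.
BEHAVIOUR_WEIGHTS = {
    "writes_run_key": 2,
    "encrypts_user_documents": 4,
    "contacts_unlisted_host": 2,
    "deletes_shadow_copies": 4,
}
BLOCK_THRESHOLD = 4  # assumption: score at which a file is blocked outright


@dataclass
class Sample:
    name: str
    content: bytes
    behaviours: set[str] = field(default_factory=set)  # empty if the sample stayed quiet


def hash_layer(s: Sample) -> tuple[int, str | None]:
    """Exact match against the known-bad list: certain, but blind to new files."""
    if hashlib.sha256(s.content).hexdigest() in KNOWN_BAD_SHA256:
        return BLOCK_THRESHOLD, "sha256 on block list"
    return 0, None


def heuristic_layer(s: Sample) -> tuple[int, str | None]:
    """Static rules that need no execution, so sandbox evasion does not help the sample."""
    parts = s.name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in {"exe", "scr", "js"} and parts[-2] in {"pdf", "doc", "docx", "jpg"}:
        return 3, f"disguised executable ({s.name})"
    if parts[-1] in {"docm", "xlsm"}:
        return 1, "macro-enabled document"
    return 0, None


def behaviour_layer(s: Sample) -> tuple[int, str | None]:
    """Weighted sum of what the sandbox actually observed the sample doing."""
    hits = sorted(b for b in s.behaviours if b in BEHAVIOUR_WEIGHTS)
    score = sum(BEHAVIOUR_WEIGHTS[b] for b in hits)
    return score, ("sandbox: " + ", ".join(hits)) if hits else None


def classify(s: Sample) -> tuple[str, list[str]]:
    """Run every layer, add the scores and return (verdict, reasons)."""
    score, reasons = 0, []
    for layer in (hash_layer, heuristic_layer, behaviour_layer):
        points, why = layer(s)
        score += points
        if why:
            reasons.append(why)
    if score >= BLOCK_THRESHOLD:
        return "block", reasons
    if score > 0:
        return "quarantine", reasons
    return "allow", reasons


# Constructed samples, one per situation the article describes.
KNOWN = Sample("update.exe", b"constructed known-bad sample")                       # on the hash list
NEW = Sample("setup.exe", b"unseen payload", {"writes_run_key", "encrypts_user_documents"})  # unknown hash, loud in sandbox
EVADER = Sample("invoice.pdf.exe", b"quiet payload")                                # unknown hash, silent in sandbox
BENIGN = Sample("report.docx", b"quarterly figures")

if __name__ == "__main__":
    for s in (KNOWN, NEW, EVADER, BENIGN):
        verdict, reasons = classify(s)
        print(f"{s.name:18} -> {verdict:10} {reasons}")
```

The evader is the interesting row: with no sandbox observations its score comes only from the static layer, which is enough to quarantine it for a closer look rather than let it through because the sandbox saw nothing.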

Some useful tips for better malware detection

  • Regularly perform a thorough scan of all your files with your antivirus software;
  • Don’t hesitate to use a live CD from time to time to launch an antivirus program without disrupting the native OS;
  • Prefer antivirus software that uses both a signature-based system and sandboxing;
  • Only download files from reliable sources.

To a lesser extent, Windows is also equipped with a sandbox and virtualization technology. Updates are therefore necessary to keep the system stable and efficient in terms of detection.

Most web browsers use the Windows sandbox (Mozilla, Edge, Chrome…) to block malware. This is why these browsers run in multiple processes (a main process and sub-processes in the sandbox).

Hackers are constantly trying to develop their malware so that it is undetectable by systems and sandboxes. Some malware is more aggressive than others. Fighting new malware requires an optimal protection strategy.

Today’s malware has the ability to hide in harmless files and only execute its code under certain conditions. Contrary to popular belief, the sandbox is not 100% effective against malware. New malware is harder to detect and can lead to considerable financial and data losses. Ensuring IT security therefore requires a strategy based on a set of preventive actions and on security built from a combination of analysis technologies.

Test Altospam’s solutions!

Thousands of companies, CTOs, CIOs, CISOs and IT managers already trust us to protect their e-mail against phishing, spear phishing, ransomware, …