What is Sandboxing?

Sandboxing is the practice of isolating an application, a web browser, or a piece of code inside a safe environment. The goal of sandboxing is typically to increase security. Organizations leverage sandboxing for a wide variety of purposes, including application sandboxing, web browser sandboxing, and email security sandboxing.

An application sandbox lets you run untrusted software in a safe location and observe it to detect malicious components. A web browser sandbox lets you run browser applications in isolated environments, to block browser-based malware from spreading to the network. An email security sandbox lets you observe and analyze email-borne threats in an isolated and safe environment.

This is part of an extensive series of guides about hacking.

Sandbox Use Cases

There are three main use cases for running software in a sandbox environment:

  • Application sandbox—there are tools that allow users to run untrusted software in a sandbox, to prevent it from accessing personal data or damaging the device. The sandbox behaves like a complete computer system, so the software cannot detect that it is operating within an isolated virtual environment.
  • Web browser sandbox—you can run a trusted web browser in a sandbox. If a malicious website or file exploits vulnerabilities in the web browser, the damage is limited to the sandbox. The detonation process can also help discover new vulnerabilities and remediate them in real user browsers.
  • Security sandbox—Security solutions  use sandboxes to detect malicious code. Traditional sandboxes use behavior-based analysis which detonates files and links and analyzes the behavior. Next-gen sandboxes leverage advanced technologies which scan content for such threats at the CPU/memory level and detect threats in a deterministic manner.

Application Sandboxing

Application sandboxing isolates a specific application on an end user’s device. Most commonly, the goal is to protect system resources and other applications from malware and other threats that may affect the sandboxed application.

There are two technical approaches for application sandboxing:

  • Wrapping applications with a security policy – adding a management layer on the user’s endpoint that applies controls to the application and limits its communication with other applications.
  • Splitting the application into a container or virtual machine – this provides stronger isolation and improved security, by running the application in a completely separate environment from the rest of the endpoint.

All major operating system providers provide integrated application sandboxing capabilities. Here is how application sandboxing works in three common operating systems. Microsoft provides Windows Sandbox, which runs applications in a virtualized container, while Linux and Apple provide sandbox solutions that use the security policy approach.

Microsoft Windows: Windows Sandbox

Windows Sandbox is a sandbox environment that lets you run Windows applications in an isolated, lightweight desktop environment. It is based on Windows Containers and Hyper-V technologies. Other software on the host is not available to the sandbox environment, meaning that all supporting software must be installed again within the sandbox. The sandbox is non persistent – closing it deletes all software and files.

Linux: seccomp-BPF

seccomp-BPF is an open source Linux sandbox platform. It works by assigning a filter to a process – this allows or disallows system calls by that process. The BPF interpreter inspects system calls using predefined rules, and can kill the process if rules are violated. This enables a configurable level of isolation for processes running an application.

seccomp-BPF is not a full sandbox environment, but can be used to create Linux sandbox environments.

Apple: The Apple Sandbox

The Apple Sandbox provides library functions that initialize and configure a sandbox. It uses a kernel extension based on the TrustedBSD API, which enforces sandbox policies.

Apple Sandbox provides the sandbox_init function, which accepts human-readable policies, passes them to the kernel, and creates a sandbox based on the rules defined in the policies.

Browser Sandboxing

Browser isolation is a security model that physically isolates Internet users’ browsing activity from their local computers, networks, and infrastructure. There are two main browser isolation techniques:

  • Local browser isolation, which typically involves running the browser in a container or virtual machine.
  • Remote browser isolation, which works by running a browser on an organization-hosted or cloud-based server, allowing users to browse the web in a remote virtual environment.

Local Browser Isolation: Virtual Browser

Virtual browsers run in an isolated environment, which act as a protective barrier between web-based threats and end-user machines connected to the corporate network. If the user visits a malicious site or downloads a malicious file, these threats cannot reach the endpoint.

Virtual browsers can improve security, and allow organizations to leverage old, unsupported versions of browsers, which may be required for legacy applications. Their main downside is that it is difficult to synchronize two browsers running in parallel, in terms of browsing history, passwords, and cookies.

Remote Browser Isolation (RBI)

Remote browser isolation can be hosted by an organization, or offered by third-party providers over the cloud. When users need to browse the Internet, the remote server starts a browser in a container.

There are two ways to stream web content from remote browsers to users: pixel pushing, which transmits a visual stream to the user’s device, and DOM reconstruction, which filters out harmful content and reconstructs the page on the user’s browser.

Like local isolation, remote isolation is costly, because it requires allocating resources to run large numbers of containerized browsers, or paying for those resources allocated by an external provider. In addition, pixel pushing introduces high latency which provides a poor user experience, while DOM reconstruction has higher performance, but can break web pages and may not be able to eliminate all security threats.

Learn more in our detailed guide to remote browser isolation.

Security Sandbox

Security sandboxing protects the organization against known and unknown threats including APTs and zero-day attacks.  Email is the number one vector for threat attacks, and a sandbox provides an isolated environment that detects malicious code and malware including ransomware, trojans, spyware, and worms. A security sandbox can also scan files that are uploaded or streamed from applications.

An security sandbox is a secure virtual environment that can simulate the computing resources of the underlying system. Today, sophisticated malware has sandbox evasion capabilities, so next-gen sandboxes use anti-evasion techniques that  “trick” the malware into thinking it is running in a real production environment.

Security sandboxing process works as follows:

  1. Content  is automatically sent or manually uploaded to the sandbox
  2. The file is “detonated”, in an attempt to see its impact in a controlled environment
  3. If the file is deemed to be malicious, it is quarantined. If not, it is allowed for use by organizational users.


Traditional security sandboxing has many downsides as they are costly and resource-intensive. Additional limitations are listed below.

Delayed Execution: A sandbox  can take up to  7 to 20 minutes to analyze a file. In some cases, malware can be programmed to execute after time delay or on a specific date.

Hiding Malicious Code in Password-protected Attachments: The sandbox cannot open the file unless it knows the password.

Data Obfuscation and Encryption: Standard sandboxes do not know how to decipher encrypted traffic.

Remotely Called VBA or Javascript: In this case a  link in a file leads to the download of malicious code only after the file passes sandbox inspection.

Malware Detection of Sandboxes:  Hackers can create attacks that know if the file is being checked by a sandbox and if so, will remain inert.

Perception Point Next-Gen Security Sandbox 

Perception Point’s SaaS solution is powered by 7 layers of patented detection engines and provides a detection rate of more than 99.95%.Dynamically scanning 100% of content, including embedded files and URLs in just seconds, it eliminates security blind spots for the best protection across email, cloud collaboration apps, web apps and web browsers.

The platform recursively unpacks every piece of content and rapidly scans all text, ÿles and URLs with multiple advanced detection engines. The multiple engines leverage state of the art detection algorithms using computer vision, machine learning, and various dynamic and static methods, to intercept every type of threat, from commodity attacks to advanced threats.

One of these engines is the HAP – Hardware Assisted Platform which is a  next-gen sandbox that dynamically scans content at the CPU/memory level. It detects threats in a deterministic manner, at the exploit level, rather than the application level, finding low-level misusage patterns and anomalies – rather than looking for known behaviors that have been previously categorized as potentially malicious.

The HAP outperforms CDRs  and traditional sandboxes, with the following:

  1. Deterministic verdict – by looking at the CPU-level data, the solution provides  a single, clear verdict, without relying on statistical analysis, ensuring better detection and FP rates.
  2. Speed – the HAP’s short scanning time ensures minimal to negligible delay time and optimal user experience.
  3. File usability – Perception Point doesn’t tamper with the file, maintaining its usability
  4. Scale – Perception Point scans 100% of the traffic dynamically leaving no file unscanned and no room for malicious files to penetrate your organization.

Contact us for a demo of our Advanced Browser Security solution.