Bryan Lam

Level 3
Verified
It depends on the situation and the malware in question. There are certain crypters which are developed to bypass programs such as Sandboxie and VMware/VirtualBox. Most of these are obsolete or extremely rare, though. Non-executable archives won't 'leak' malware, although file name extensions being spoofed is certainly a possibility.

Atlas147

Level 30
Verified
Trusted
Content Creator
Hackers are writing new code every day and finding new ways to exploit the system. There have definitely been successful attempts at bypassing sandboxes and VMs, although with those methods, patches are often released by the sandbox and VM providers immediately.

But you never know if they've found a new way to exploit them until the malware lands in the hands of researchers or AV vendors. So tread carefully if you want to test malware, but if you are just browsing the web with a VM I doubt you'll be that unlucky to run into a malware that would be able to escape the sandbox or VM.
 
Exploits via memory or it gaining access to the network would be the two places you would want to watch and protect when executing and running malware inside a Virtual Machine.

This will also depend on how you set up your VM: whether it is fully isolated from the host by disabling drag and drop etc., whether you're running NAT, Bridged, or Host Only networking, whether you install the VM tools, etc.
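The VM setup points Atlas147 lists (drag and drop, clipboard, network mode, shared folders) can be checked before a sample is run. The script below is an added example, not code from the thread or from VirtualBox: it audits the text that `VBoxManage showvminfo <vm> --machinereadable` prints and counts the settings that weaken isolation. The key names (`clipboard`, `draganddrop`, `nicN`, `SharedFolderNameMachineMappingN`) are those of that output format; the two VM descriptions embedded below are constructed for the example rather than captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): audit VirtualBox isolation settings
# from `VBoxManage showvminfo --machinereadable` output.

# get_key TEXT KEY -> value of KEY="value" in TEXT (first match, unquoted)
get_key() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\(.*\)\"\$/\1/p" | head -n 1
}

# audit_vbox_isolation TEXT
# Reports each risky setting on stderr and prints the number of findings
# on stdout, so the caller can decide whether the VM is fit for detonation.
audit_vbox_isolation() {
    vminfo="$1"
    findings=0

    # Clipboard sharing gives the guest a channel to the host desktop.
    if [ "$(get_key "$vminfo" clipboard)" != "disabled" ]; then
        echo "clipboard sharing is enabled" >&2
        findings=$((findings + 1))
    fi

    # Drag and drop is another guest<->host file path.
    if [ "$(get_key "$vminfo" draganddrop)" != "disabled" ]; then
        echo "drag and drop is enabled" >&2
        findings=$((findings + 1))
    fi

    # A bridged NIC puts the guest directly on the host's LAN segment.
    for i in 1 2 3 4 5 6 7 8; do
        if [ "$(get_key "$vminfo" "nic$i")" = "bridged" ]; then
            echo "nic$i is bridged: guest is on the host LAN" >&2
            findings=$((findings + 1))
        fi
    done

    # Any shared folder exposes host files to the guest.
    if printf '%s\n' "$vminfo" | grep -q '^SharedFolderNameMachineMapping'; then
        echo "shared folders are configured" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# Constructed sample output: a carelessly configured analysis VM.
SAMPLE_RISKY='name="malware-lab"
clipboard="bidirectional"
draganddrop="hosttoguest"
nic1="bridged"
nic2="none"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/analyst/samples"'

# Constructed sample output: the same VM after hardening.
SAMPLE_SAFE='name="malware-lab"
clipboard="disabled"
draganddrop="disabled"
nic1="hostonly"
nic2="none"'

# Demo when run directly: prints 4 for the risky VM, 0 for the safe one.
audit_vbox_isolation "$SAMPLE_RISKY"
audit_vbox_isolation "$SAMPLE_SAFE"
```

To audit a real VM, pipe the live output in instead of the constructed sample: `audit_vbox_isolation "$(VBoxManage showvminfo "$vm" --machinereadable)"`. The findings map onto `VBoxManage modifyvm` options (drag and drop, clipboard mode, NIC mode) and `VBoxManage sharedfolder remove`; a host-only network with no route to the real LAN is the usual choice when the sample needs a network at all.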
 

Winter Soldier

Level 25
Mainly about sandbox leaks: I have seen little actual news of real impact (but this doesn't mean it has not happened). But if we consider drivers and applications, we know there are some ways to communicate with applications, services or drivers in the sandbox/host context.

Basically, drivers and applications should be crafted so that the application sends an output to the driver and the driver holds (pends) that request until it needs it. This makes it possible for a driver to send a request to an application even if the request is not really "driver initiated".

Of course this could be a very difficult task in a malware/sandboxing context because it would possibly require a lot of synchronization mechanisms to keep requests pending.