Running NetworkMiner in Windows Sandbox

NetworkMiner can be run in a highly efficient Windows Sandbox
in order to analyze malicious PCAP files in Windows
without accidentally infecting your Windows PC.
This blog post shows how to set up a Windows Sandbox
that always boots up a fresh install of Windows 10
with the latest version of NetworkMiner installed.

I generally recommend analyzing Windows malware in Linux,
or some other non-Windows environment, in order to avoid accidentally infecting yourself
(NetworkMiner runs fine in Linux btw).
Nevertheless, I still often find myself loading capture files containing
malicious network traffic into
CapLoader and
NetworkMiner under Windows.
I have previously demonstrated
that this can be a quick and crude way to perform an anti virus scan of files contained in a pcap file.

Windows Sandbox

If you want to analyze malicious traffic in Windows
with minimal risk of infecting yourself then you should definitely check out Microsoft’s
Windows Sandbox (available in Windows 10 Pro and Enterprise editions).
The Windows Sandbox is using
Windows containers,
so it’s very efficient compared to spinning up a full Windows VM.
It also provides features like kernel isolation,
so that the sandbox container doesn’t use the same kernel as the host,
and ensures that a new Windows environment is created every time the sandbox is run.
Windows Sandbox also doesn’t run any anti-virus, so it won’t interfere with the extraction of malicious contents from within the analyzed capture files.

Follow these steps to install Windows Sandbox:

  1. Run OptionalFeatures.exe (the “Turn Windows features on or off” window)
  2. Enable the “Windows Sandbox” feature (check the box)
  3. Reboot

Then create a sandbox config, which downloads and installs the latest version
of NetworkMiner every time the sandbox is started, by creating a file called “NetworkMinerSandbox.wsb”
with the following contents:

      <!– TODO replace path below with your PCAP dir –>
    <Command>cmd.exe /C “curl -L | tar -C C:\Users\WDAGUtilityAccount\Desktop\ -xf -“</Command>

Note: Replace “C:\Users\Erik\pcap” with whatever location your capture files are at

After starting NetworkMinerSandbox.wsb you’ll have a fresh Windows machine up and running within a couple of seconds.
The latest version of NetworkMiner and your PCAP dir are both accessible from the sandbox’s desktop.

Windows Sandbox

Image: NetworkMiner 2.6 installed in a clean Windows Sandbox environment

Moving files in or out of the sandbox is just a matter of copy and paste (Ctrl+C / Ctrl+V).

VirtualBox and Windows Sandbox

VirtualBox error message Cannot enable nested VT-x/AMD-V without nested-paging and unrestricted guest execution

Are you using VirtualBox to run virtual machines on your Windows host
and getting an error message saying
“Cannot enable nested VT-x/AMD-V without nested-paging and unrestricted guest execution”
after enabling Windows Sandbox?

Even though Windows Sandbox doesn’t need Hyper-V
it still requires a hypervisor,
which unfortunately conflicts with VirtualBox.
You can disable the hypervisor by running the following command
as administrator:

bcdedit.exe /set hypervisorlaunchtype off

…and then rebooting the computer before starting a VirtualBox VM
with “nested VT-x” enabled.
Turning off the hypervisor will unfortunately prevent Windows Sandbox from running,
giving an error message saying
“No hypervisor was found. Please enable hypervisor support.”

Windows Sandbox error message No hypervisor was found. Please enable hypervisor support.

To re-enable the hypervisor, in order to run Windows Sandbox again,
you’ll need to run

bcdedit.exe /set hypervisorlaunchtype auto

and reboot the host.

Facebook Share on Facebook  Twitter Tweet  Reddit Submit to

*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: