Heavily requested passthrough VM guide will be coming up next, subscribe if you're interested.
@langlade594 16 days ago
Done!
@wrexik 16 days ago
I just did GPU Hyper-V and man, it's amazing. I have friends playing on two VMs and I on the PC itself.
@maritime-anagram-diceware-mama 16 days ago
👏
@collincatmull 16 days ago
How did you get networking to work on Windows on QEMU? I cannot fix it for the life of me XD
@AndrewPCs 16 days ago
I cannot wait!
@redandpigradioshows 16 days ago
3:07 is a malware analyst two-sentence horror story: "I pressed Win + R in my VM. It executed on the host."
@EricParker 16 days ago
I was lucky that I was looking for the stealer in AppData, not running a command.
@Pogggs 16 days ago
Ones like VirtualBox capture your input, so that can't happen, thankfully 😅😅😅
@iamwitchergeraltofrivia9670 16 days ago
Firefox sandbox is better
@idk.-.d 14 days ago
@iamwitchergeraltofrivia9670 it has one?????
@PikkuKani 13 days ago
Can't wait for that passthrough video. Love learning about this stuff.
@SirMato 16 days ago
Imagine you're malware and you get downloaded onto a Windows machine; you're excited to finally steal data and fulfill your purpose until you hear "Hello everybody, my name is Eric."
@RokeJulianLockhart.s13ouq 15 days ago
:( sad malware noises
@Shivy57 15 days ago
funky fumo spotted
@plazmaguy13yago9 15 days ago
no worry it's the Albanian virus
@narayanbandodker5482 16 days ago
There is one drawback to using a Sandbox to test malicious files. People will test their sus programs in the Sandbox, but the program may have VM detection and not run the payload. The user may assume it is "safe" and execute it on their host, and boom, payloads galore.
@Adam814cool-retro 16 days ago
There really isn't a solution to that problem other than buying a cheap laptop from eBay.
@Rahee07 16 days ago
Can a stealth VM also be detected?
@narayanbandodker5482 16 days ago
@Rahee07 I assume it's like an arms race. VM improves detection prevention -> malware improves VM detection further, etc.
@Redstoneprojrjr 15 days ago
@Rahee07 Yes, advanced anti-VM.
@amynagtegaal6941 15 days ago
The right configuration of the right hypervisor will make it undetectable for most VM detection things in malware.
@AwesomePowerCat 16 days ago
I appreciate how your videos minimize fearmongering. When discussing topics like this, people often just give blanket warnings and skip over the technical detail. It's really annoying to try to find out the real risks when articles, videos, and professionals are so quick to fearmonger in hopes of scaring people away entirely. So many people echo the idea that viruses and malware are this magical thing that you can get by opening an email or visiting a site. But that's just wrong; it depends on what you download from the email, if the email client was exploited, what you clicked or downloaded on the site, what browser you are on, etc. So thank you for providing an objective answer while acknowledging the theoretical possibilities but still remaining grounded. It's nice to just have answers sometimes without feeling like people are talking down to you.
@menjolno 15 days ago
I dislike his videos because he is anti-map and auttp
@roykale9141 14 days ago
@menjolno The what now?
@roykale9141 14 days ago
My thoughts exactly!!
@menjolno 14 days ago
@roykale9141 In 1798, the Alien and Sedition Acts were passed, which many consider an infringement on the First Amendment. Now, if you reverse the middle two digits, you get 1978, the year the Protect the Children Act was enacted, being anti map.
@mu11668B 16 days ago
Some more recommendations on the user errors part:
1. Avoid storing samples on the host as much as you can. Should you be unable to avoid doing so, only store them in encrypted forms and remove the file extensions. Make it as hard and as complicated as possible to detonate a sample on your host. I have been saved by this specific guardrail many, MANY times.
2. Privilege separation, privilege separation, and more privilege separation. Always use low-privilege accounts on Windows when it's possible. On your host, this can be the last line of defense. Create a new local account instead of relying on UAC, as it's NOT a security boundary (said Microsoft themselves). I've never triggered this line of defense, but someone I know was once saved by this.
3. Don't detonate commands unattended. Run files only. If it's a command, produce a batch file. Most malicious commands are going to pull stuff from the Internet, which by design should not work at all in the default state of a lab VM. (Lab VMs should only connect to the Internet when it's manually enabled. VM NAT adapters are not safe to use.)
4. Make the UI in your VM drastically different from your host. Not just the light/dark modes. Change the desktop background, account names, start menu appearance, etc. Use a different system language in your VM if you speak more than one language. If you use Chrome on your host, maybe try using Edge in your VM. Avoid using VMs in fullscreen mode. It's an easy way to reduce your ability to distinguish your lab environments from your host. Just make the UIs easily recognizable.
5. Avoid installing analysis tools on your host. Just keep the basic ones you need, like the Sysinternals suite.
6. Good cyber hygiene helps a lot. I practice an extremely strict set of cyber hygiene rules on my host. Most actions I do on my host are whitelisted. (Yes, a WHITELIST, not a blacklist.)
Stay safe!
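The first recommendation above (samples on the host only in encrypted form, with the file extension removed, so that a stray double-click cannot detonate them) is easy to turn into a small guardrail script. The following is an added example written for this thread; it is not code from the video or from any commenter. It stores a sample under its SHA-256 with a neutral `.quar` suffix (an assumed suffix that no program is registered to open), writes a JSON sidecar with the original name, and replaces the runnable original on disk. Because the Python standard library ships no block cipher, the sealing uses HMAC-SHA256 in counter mode as a keystream plus an HMAC-SHA256 tag; that is a stdlib-only stand-in chosen so the example runs anywhere, and a real lab would swap in AES-GCM from a vetted library.

```python
"""Sample-storage guardrail: encrypted, extension-less, hash-named quarantine.

Added example for the "store samples encrypted and without extensions"
recommendation. Stdlib only: HMAC-SHA256 counter-mode keystream + HMAC tag
(replace with AES-GCM from a vetted library in a real lab).
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

SUFFIX = ".quar"  # assumed suffix with no registered handler on the host
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, data: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Raises ValueError on mismatch."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered quarantine file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def quarantine(sample: Path, store: Path, key: bytes) -> Path:
    """Seal `sample` into `store/<sha256>.quar`, write a sidecar, delete the original."""
    data = sample.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    store.mkdir(parents=True, exist_ok=True)
    target = store / (digest + SUFFIX)
    target.write_bytes(seal(key, data))
    sidecar = store / (digest + ".json")
    sidecar.write_text(json.dumps({"original_name": sample.name, "sha256": digest, "size": len(data)}))
    sample.unlink()  # the runnable original must not remain on the host
    return target


def restore(target: Path, key: bytes) -> bytes:
    """Decrypt a quarantined sample and check it still matches its hash name."""
    data = open_sealed(key, target.read_bytes())
    if hashlib.sha256(data).hexdigest() != target.name[: -len(SUFFIX)]:
        raise ValueError("content hash does not match the quarantine file name")
    return data


def demo() -> dict:
    """Round trip on a constructed, harmless byte string standing in for a sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = root / "invoice.exe"                 # constructed file name
        original = b"MZ\x90\x00constructed-sample-bytes-not-malware"
        sample.write_bytes(original)
        key = os.urandom(32)
        stored = quarantine(sample, root / "store", key)
        meta = json.loads(stored.with_suffix(".json").read_text())
        try:
            restore(stored, b"\x00" * 32)
            wrong_key_rejected = False
        except ValueError:
            wrong_key_rejected = True
        return {
            "original_removed": not sample.exists(),
            "stored_suffix": stored.suffix,
            "original_name_in_metadata": meta["original_name"],
            "roundtrip_ok": restore(stored, key) == original,
            "wrong_key_rejected": wrong_key_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The hash-as-filename doubles as an integrity check on restore, and the sidecar keeps the original name out of the file system path, so nothing in the quarantine directory is double-clickable or carries a telling extension.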
@crylune 16 days ago
Good luck telling the average user to not make their account an Administrator one. Why Winblows even makes your account an Admin account by default is beyond me.
@mu11668B 16 days ago
@crylune Average users probably wouldn't try to reverse engineer malware samples anyway. XD
@crylune 16 days ago
@mu11668B Not my point. Thanks to Microshaft's inane decisions users are way more susceptible to malware with their default Admin account setup. GNU/Linux distros all already have a least privilege model by default where there's a superuser account and your regular account is not as privileged. It wouldn't take anything for Micro$oft to program in the admin account to be on by default while the user has a standard account, and have the user input said account's password for admin tasks, instead of its current insecure setup.
@1KiloDepartment 16 days ago
Quick question: What is the reason for the 4th recommendation? Is it to avoid fingerprinting, to blend in with other users, or to look unique on purpose?
@tablettablete186 16 days ago
@1KiloDepartment My guess: the 4th one is to avoid getting confused about which Windows you are currently on (host or guest) and possibly avoid executing the payload on the host, thinking that you are in the guest.
@KillianTwew 16 days ago
Interestingly, Windows Sandbox does not have a TrustedInstaller. Not sure if this means they completely locked down anything TrustedInstaller would be able to do, or they just unrestrict those permissions so the basic sandbox admin can do literally anything TrustedInstaller could to your regular PC.
@LiEnby 16 days ago
Honeypot for when malware tries to edit system files
@Kwpolska 16 days ago
Unlike a normal VM, some parts are shared between the sandbox and the host OS. For example, third-party fonts installed on the host OS system-wide show up in the sandbox. I tried installing a font inside the sandbox and it did not get through to the host system, but perhaps there are more shared things, and perhaps one of them is mistakenly visible outside of the sandbox…
@vVearon 16 days ago
Imagine the locally saved passwords and browser cookies are shared
@LiEnby 16 days ago
This is true for literally every VM btw, they're using your real GPU and real CPU to run instructions, for example
@Kwpolska 16 days ago
@LiEnby I'm not talking about sharing the hardware, that is normal. I'm talking about some system *files* being shared between the two.
@JuanSucks 16 days ago
Fun fact: if you uninstall Edge from your host, it disappears in Windows Sandbox too, leaving you with no browser and only the command line to download one :)
@theairaccumulator7144 16 days ago
@LiEnby Not unless you use QEMU for emulation
@GrishTech 15 days ago
Finally someone speaks some sense about light mode. I have really sharp vision with glasses, but dark mode just makes the text look blurry!
@iamrandomhehe 16 days ago
I use it to run malware for fun. I love watching Eric Parker videos.
@mjdxp5688 16 days ago
Another potentially dangerous source of user error on a VM (probably not Windows Sandbox though) would be accidentally setting a shared folder to be writable. Usually on my VMs, if I need shared folders I will have a special "VM writable" folder that's specifically for getting files out from the VM. If you did something like make your home directory a writable shared folder and ran ransomware, your entire host's home folder would be encrypted.
@Antleredangelbun 16 days ago
Oh!! 😃
@patfre 16 days ago
I am glad you made this because I see so many KZbinrs that say "just install a VM on your computer and run it in there", "it's completely safe and if nothing happens you know it's not malware", like there's so many problems with those claims.
@lunareclipse363 15 days ago
Thank you for the mention of light themes being better for accessibility! I have fairly severe astigmatism and dark themes are significantly harder to read even with glasses. It's always annoying when websites or apps decide to only support a dark theme because reading them for a few minutes is bound to give me eye strain. This is especially annoying considering every OS and web browser has frameworks to let users set their preference nowadays.
@straightmaster 16 days ago
You know what's really really cool about Hyper-V? It runs its own kernel called the secure kernel and its own usermode called isolated usermode. This is a comment section so I can't go into detail, but it might be a fun idea to just make a video about Hyper-V and its internals.
@minidawnplayz 16 days ago
Windows Sandbox is basically a VM. It cannot escape, LOL. I forgot to mention that it was a temporary VM.
@lolen1000 16 days ago
It cannot escape as long as there aren't any critical security vulnerabilities
@tablettablete186 16 days ago
It cannot escape ❌️ It is unlikely to escape ✅️ VMs aren't perfect.
@Kusmov 16 days ago
I have astigmatism and I usually watch your videos in bed without my correction glasses, and man, is it easier to read. Thank you.
@Eyevou 16 days ago
>Can malware escape Windows Sandbox? Yes >Is it Safe? Never give anything you didn't write/audit yourself the benefit of the doubt. Always assume software is unsafe.
@crylune 16 days ago
Finally a sane comment. I trust Windows Sandbox as much as I trust M$ to not spy on me.
@LiEnby 16 days ago
@crylune It's probably fairly safe, but generally yes.
@crylune 16 days ago
@LiEnby Fairly safe is not safe enough.
@Eyevou 16 days ago
@crylune I looked at your profile and you're also a fan of Vinesauce and Mental Outlaw. Nice to meet you, Brother. Nice Senko avatar, btw. 😉
@crylune 16 days ago
@Eyevou thanks c:
@JRunnerE 16 days ago
Uploaded 1 minute ago while I'm binge watching the channel? I'm in.
@JRunnerE 16 days ago
Even crazier, I was just thinking abt doing some Virtual Machine research bc they sound cool.
@trainyourbrain7298 15 days ago
I can't get enough of this, your creativity is on another level!
@Ezukah 15 days ago
Eric, your reasoning for keeping the VM in light mode makes me feel like an idiot for not thinking of that sooner. I use different colors for the window accents and taskbar on the handful of computers I use, so I'm not sure why it never occurred to me to just use light mode. It's a shame that Windows considers dark/light mode a personalization option instead of an accessibility setting. I've had more close calls than I care to admit, but so far the worst command I've ever unintentionally executed on my host machine is a reboot. Unfortunately, the host machine was also running the software that let me call clients, so my call dropped too lmao.
@Occelot09 16 days ago
2:14 Using dark or light mode may even be an attribute for fingerprinting, although my opinion is that it is unlikely. There are more useful identifiers than dark or light mode, but it can contribute. I would assume most people utilise the defaults. At the end of the day, you would want to blend in more when doing analysis.
@jer1776 16 days ago
One thing I noticed with VMware is I could see all traffic heading to my host PC if I performed a packet capture from the VM with the network adapter set to bridged. That's something VMware should probably patch.
@6sicSIX 16 days ago
Please can you install an ad-blocker - the constant moving images are very distracting.
@samconnelly7630 16 days ago
Heh, there are links that lead to malware on the sides of his browser window.
@Theag393 16 days ago
@samconnelly7630 I think it is part of Eric's research 😂😅
@Pogggs 16 days ago
AFAIK he does it because while a download may be safe, X site can be full of malicious ads.
@Antleredangelbun 16 days ago
What are you, a cat???
@6sicSIX 16 days ago
@Antleredangelbun What, because I have peripheral vision? 😂
@kekitech 16 days ago
You know, I've been dropping things into VirusTotal, and looking at ANY.RUN for some schtuff, and every time I'm like "yeah you know, a few years ago some of this stuff being 'detected' would've totally freaked me out when it's perfectly normal behaviour." I wonder if there is a video in that, or if telling people "this is fine" is something you'd rather not touch because of the .1% chance that someone ignores something actually malicious. Like, "the most common false detections" for benign/harmless but unsigned stuff from GitHub or something. Idk. Could be an evergreen video but might take some work to make sure it's not recommending anything that could backfire.
@TotallyNotK0 16 days ago
I have been preaching the good name of Windows Sandbox to people for forever now. Great to see you looking into it and talking about its security, as I get asked that a lot myself. Good stuff. Also, I had video input enabled this whole time for some reason 😭
@s682art 16 days ago
2:22 I had no idea this was the case! It explains why I've always felt text was slightly blurred when I use dark mode. Making me consider the switch back to light on some applications.
@1993MAZDAMIATA 4 days ago
One problem I have is it seems Hyper-V, when enabled, is running in the background and greatly drops frames in games.
@savagetheunicorn4555 16 days ago
I have two astigmatisms and I've never even considered NOT using dark mode... you're opening my eyes, Eric, haha
@k419 16 days ago
Can you check if GoodbyeDPI is safe? I know that this is a random request, but I've never seen anybody do it with all the details and such, so if you could do it, it would be awesome.
@salazirko 15 days ago
GoodbyeDPI is safe; many Russians use this to bypass the YouTube slowdown from Roskomnadzor.
@liptonacer 16 days ago
Is Windows Update MiniTool safe? Can you analyse this, please?
@D.von.N 16 days ago
Do we need to see those pop-up ads in the videos?
@Kalphalus 16 days ago
I'm still nervous about VMs and Sandbox. How much risk is there if I set up another connection point on my browser that's not linked to my other devices and used a VM on an old PC I no longer use? (I'm just ultra paranoid, I have never gotten malware on a PC with anything important and I want to keep it that way.)
@XenozAEP 16 days ago
I love your videos so much, they are relaxing and entertaining and we all learn new things that we didn't know existed. Keep going, you're one of my fav youtubers ❤
@Thatoneroyalairforceguy 16 days ago
Guys, wake up, Eric posted!
@roykale9141 14 days ago
Thank you! Just the video I needed.
@mattilindstrom 16 days ago
I have a bad case of astigmatism, and it can mainly be corrected along one axis only, not mine though. My eyes are all wonky, but I find dark mode to offer me better contrast, go figure.
@Hugo-zg5kr 16 days ago
I need to download a large file (100 GB) in a controlled environment but need to use my full connection speed. What would you recommend using?
@idiotwidowmaker8932 16 days ago
I do the same with dark mode to tell the host from the guest for my unsafe browsing VM. Also, if you wanna be a real gangster wit it, you could use a window rule to add a red border on the VM like how Qubes does it. Linux only afaik though, and obviously you can't record videos like that. If you wanna be a bigger G then you do a poor Qubes imitation by using a set of VMs and an isolated VM network.
1. Router VM: NAT network + "LAB" (isolated) network. Runs pfSense or whatever, serves DHCP etc. and routes all traffic from LAB outbound via a VPN. Guests cannot connect to the host or any other LAN hosts since the router routes all traffic through a VPN. Provides a guaranteed killswitch and allows the host to connect to guests.
2. All other VMs: Connected to LAB.
3. Host: Connected to the router via WireGuard.
Then, create a guest VM, use waypipe or X forwarding if Linux or VNC/whatever if Windows, and create a window rule to mark the border as red. Iterate on that by making the host immutable and enabling SELinux and you've got a solid security posture without the compromises of Qubes.
@F_Around_and_find_out 16 days ago
I used it a few times. I can watch YouTube vids with it and that by itself is good performance, because older PCs can't even run YouTube smoothly. The MS Edge inside the Sandbox mirrors the Edge on the host, meaning to keep the Sandbox Edge up to date, update the host Edge first. Sharing files between the host and the sandbox is copy-paste, really. I think the only downside is you can only have 1 instance of Windows Sandbox. Imagine having multiple Sandboxes running; that's Qubes at that point.
@BlxdeWasTaken 21 hours ago
He sounds like the PC security guy
@7vix 16 days ago
Eric, can you make a video where you see if NL Hybrid is a virus or not?
@ThriveForBetter 16 days ago
I enjoy watching these as I find these educational, as I am just entering cybersecurity. Thank you very much, sir ❤
@hahayes1122 16 days ago
Let's go, VM escape is a very interesting topic. Thank you.
@Earths14 16 days ago
Make sure to activate those Windows!
@finoderi 16 days ago
Why do you need WireGuard?
@MaxiBini253 16 days ago
MITM proxy
@panda1171 16 days ago
Would like to see how it compares against Sandboxie-Plus.
@LiEnby 16 days ago
Very well, I'd imagine?
@tablettablete186 16 days ago
I would rank Sandboxie as less secure for the fact that it shares the kernel, so a VM would have better isolation. But usability and hardware usage would be better on Sandboxie.
@balintee 15 days ago
Hello. Can you check if the Roblox executor Solara is a malicious program?
@somethingelse4878 16 days ago
I run a sandbox in a VM, usually with loads of anti-malware and antivirus.
@notCAMD 16 days ago
Can malware escape from Windows to Linux? Edit: or vice versa
@TheSillyHaxor 16 days ago
No, unless the malware is designed to work on Linux, which is rare. So, to answer your question, no.
@luisfilipedeabreusubtil3205 16 days ago
Bro is filming this and adware is on the way
@-kekmacska-48 16 days ago
It can, but it is highly unlikely to ever happen
@XTheOneCat 16 days ago
tldr=yes?
@awesomeguysuncle 16 days ago
✨algorithm✨
@sourcerer_ 16 days ago
I know no one cares, but I personally use plain QEMU for a GPU passthrough VM. Mostly to have "gamer life" separated. Without libvirt there's no CPU pinning etc., but I prefer to learn plain QEMU first before I move forward. Can't wait to see something new in the next video.
@tablettablete186 16 days ago
Just a word of caution, device passthroughs are dangerous and can allow malware to infect the host.
@sourcerer_ 16 days ago
@tablettablete186 Well, my kernel doesn't include firmware for this GPU.
14 days ago
I used some malware on Windows Sandbox…
@beyonddark4229 16 days ago
Make a video about NL Hybrid please!
@savagetheunicorn4555 16 days ago
Just noticed I cannot enable notifications for your channel due to YouTube saying it's "Content made for Kids". If that's the case, how the hell am I leaving this comment?? (I tried 3 different devices and accounts...)
@fire_haven_wubbox 12 days ago
Short answer: yes, but not all.
@yusefaslam9675 15 days ago
I too enjoy DYONK mode.
@unfortuitousash 15 days ago
I am very light sensitive. Dark mode is better.
@Lukewalker103 16 days ago
Great video!
@musicthatneverdropped 16 days ago
Can you do an NL Hybrid Fortnite virus check?
@THE_TROLLS_WIN_BOY 16 days ago
Do Hyper-V and Sandboxie also
@ltpinecone 16 days ago
"As clean as a new install of Windows", so not clean at all? lol
@hakanahmed3086 16 days ago
Can you make a video about Minecraft TLauncher?
@EricParker 16 days ago
I did in 2021, it got taken down by KZbin because of "piracy". WWVzIGF0IGxlYXN0IGNpcmNhIDIwMjEgaXQgZGlkIGFwcGVhciB0byBiZSBzYWZlLCBJIGRvbid0IHJlY29tbWVuZCB0aG9zZSBraW5kIG9mIHRoaW5ncyB0aG91Z2guIA==
@dave7474 16 days ago
Please don't use TLauncher, just use Prism, it's perfect.
@hakanahmed3086 16 days ago
@EricParker What do you think about it? I have it and I don't know what to do. I don't think I will be safe just by deleting it, but I never had a problem with it?
@BlueSheep777 16 days ago
@dave7474 Yeah, especially since having cracked accounts in Prism is also very easy to do.
@crylune 16 days ago
No, it isn't. Most Winblows security features aren't.
@crylune 16 days ago
The best solution is to simply not download suspicious shit. Mind-boggling, I know.
@LiEnby 16 days ago
This is legitimately just misinformation
@crylune 16 days ago
@LiEnby Trying to please Satya or something? I work in cybersec and am pretty sure I know what I'm talking about.
@י̈ד 16 days ago
hi
@ExodusX1 16 days ago
Time to grab some snacks and binge another Eric Parker video
@gabriledyt 16 days ago
different PC + Linux + VM
@Mannard74 15 days ago
No adblock and using Edge 🥴 lol
@Pandacier 16 days ago
Is it just me or is the audio quality different?
@EricParker 16 days ago
Sounds roughly the same to me. All recorded the same way (SM7B into dbx 286s).
@Pandacier 16 days ago
@EricParker maybe I'm going crazy
@HappyArchipelago 14 days ago
Why are you pronouncing Dark mode as Dawenk mode? Is this a joke that I need explaining? AI generated speech? Baby talk? Boston accent? Content creator baiting engagement with low hanging fruit?
@replikvltyoutube3727 16 days ago
The most secure VM seems to be where as many things as possible are emulated, like QEMU (non-KVM). There's also another VM escape method: if it's connected to the internet, the attacker or virus can hack a wifi router and try to access the PC on the local network.
@EricParker 16 days ago
I'd say the opposite. Virtualization is near 100% secure, emulation is very easy to break out of because performant emulation requires JIT, and is usually written in memory unsafe languages.
@LiEnby 16 days ago
Can't VM escape? Just do an extremely complex exploit chain instead
@LiEnby 16 days ago
@EricParker Adding to this, emulators often are made with the focus of running software from one platform on another; whether that software is malicious is usually not a concern for the devs at all. Like, note how running Windows software in WINE, for instance, will still often mess up your Linux install because they share files between the two, or DOSBox, which gives you "mount (any folder)" as a command for easy file transfer.
@tablettablete186 16 days ago
Device emulators are the source of many QEMU VM escapes, lol. Prime example is VENOM (floppy disk emulation). And projects like Firecracker do as little emulation as possible.
@replikvltyoutube3727 15 days ago
Huh, could you send more examples of these escapes? I'm interested. I wasn't aware it is less secure.
@ARK_Leo1 16 days ago
Nice! New video
@shadowsalah1484 12 days ago
That's whaaaat I was searching for!
@hoteny 16 days ago
I remember this thing needing Hyper-V or something that I needed to disable for basically every other emulator / VM program, idk, I forgot the details but it was just annoying.
@MidnightShadow93 16 days ago
Hi!
@Il_panda 16 days ago
yes
@joeyeah8009 16 days ago
Eric discusses Windows Sandbox, a lightweight, isolated Hyper-V-based VM for safely running applications. It offers temporary environments without saving data and uses GPU virtualization for high resolution. While generally secure, it carries risks like user error and rare vulnerabilities. Best practices include disabling clipboard sharing, printers, webcams, and unnecessary networking. For malware analysis, Eric recommends separate non-Windows systems. Advanced GPU passthrough guides are forthcoming.
@EricParker 16 days ago
Gemini summary?
@maszwsobiediaba6182 16 days ago
@EricParker Seems like it
@musicalnishanth6531 16 days ago
here at 2 views
@musicalnishanth6531 16 days ago
1 min
@cpttrps5376 16 days ago
Still can't for the life of me hear your intro without some sort of mental distress. Hloebdyy Heluhbdy Hlebbddy What are you sayinggggg