Running NetworkMiner in Windows Sandbox
NetworkMiner can be run in a highly efficient Windows Sandbox in order to analyze malicious PCAP files in Windows without accidentally infecting your Windows PC. This blog post shows how to set up a Windows Sandbox that always boots up a fresh install of Windows 10 with the latest version of NetworkMiner installed.
I generally recommend analyzing Windows malware in Linux, or some other non-Windows environment, in order to avoid accidentally infecting yourself (NetworkMiner runs fine in Linux btw). Nevertheless, I still often find myself loading capture files containing malicious network traffic into CapLoader and NetworkMiner under Windows. I have previously demonstrated that this can be a quick and crude way to perform an anti virus scan of files contained in a pcap file.
Windows Sandbox
If you want to analyze malicious traffic in Windows with minimal risk of infecting yourself then you should definitely check out Microsoftâs Windows Sandbox (available in Windows 10 Pro and Enterprise editions). The Windows Sandbox is using Windows containers, so itâs very efficient compared to spinning up a full Windows VM. It also provides features like kernel isolation, so that the sandbox container doesnât use the same kernel as the host, and ensures that a new Windows environment is created every time the sandbox is run. Windows Sandbox also doesn't run any anti-virus, so it won't interfere with the extraction of malicious contents from within the analyzed capture files.
Follow these steps to install Windows Sandbox:
- Run OptionalFeatures.exe, aka âTurn Windows features on or offâ
- Enable the âWindows Sandboxâ feature (check the box)
- Reboot
Or run this PowerShell command as administrator and then reboot:
Then create a sandbox config, which downloads and installs the latest version of NetworkMiner every time the sandbox is started, by creating a file called âNetworkMinerSandbox.wsbâ with the following contents:
  <MappedFolders>
    <MappedFolder>
      <!-- Replace path below with your PCAP dir -->
      <HostFolder>C:\Users\Erik\pcap</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>cmd.exe /C "curl -L https://www.netresec.com/?download=NetworkMiner |
  </LogonCommand>
</Configuration>
Note: Replace âC:\Users\Erik\pcapâ with whatever location your capture files are at
After starting NetworkMinerSandbox.wsb youâll have a fresh Windows machine up and running within a couple of seconds. The latest version of NetworkMiner and your PCAP dir are both accessible from the sandboxâs desktop.

Image: NetworkMiner 2.6 installed in a clean Windows Sandbox environment
Moving files in or out of the sandbox is just a matter of copy and paste (Ctrl+C / Ctrl+V).
VirtualBox and Windows Sandbox

Are you using VirtualBox to run virtual machines on your Windows host and getting an error message saying âFailed to open a session for the virtual machineâ, with details such as âCannot enable nested VT-x/AMD-V without nested-paging and unrestricted guest executionâ or âFailed to get device handle and/or partition IDâ, after enabling Windows Sandbox?
Even though Windows Sandbox doesnât need Hyper-V it still requires a hypervisor, which unfortunately conflicts with VirtualBox. You can disable the hypervisor by running the following command as administrator:
...and then rebooting the computer before starting a VirtualBox VM with ânested VT-xâ enabled. Turning off the hypervisor will unfortunately prevent Windows Sandbox from running, giving an error message saying âNo hypervisor was found. Please enable hypervisor support.â (Error 0xc0351000)

To re-enable the hypervisor, in order to run Windows Sandbox again, youâll need to run
and reboot the host.
Update May 26, 2021
We have now uploaded a simple Windows Sandbox config to our website here:
https://www.netresec.com/?download=NetworkMinerSandbox
This script runs on any Windows Pro machine that has the Sandbox feature active.
Posted by Erik Hjelmvik on Tuesday, 11 May 2021 13:39:00 (UTC/GMT)
Tags: #Netresecâ #NetworkMinerâ #PCAPâ #Windowsâ #Sandboxâ #Windows Sandboxâ #Malwareâ