Sandbox Evasion
Techniques used by malware to detect when it is being analysed in a controlled security environment and to alter or suspend its behaviour to avoid detection.
Also known as: analysis evasion, virtualisation detection, anti-sandbox
Last reviewed: 1 June 2026
Security researchers and automated threat-analysis platforms often execute suspicious files inside a 'sandbox' — an isolated virtual environment instrumented to record every action the software takes. Malware authors counter this by building in sandbox evasion techniques that detect the analysis environment and either go dormant, perform benign-looking actions, or terminate before revealing their true payload.
Common evasion methods include checking for tell-tale signs of virtualisation (specific CPU features, the absence of mouse movement, very small disk sizes), delaying execution for several minutes or days to outlast short sandbox timeouts, checking whether a real user is present by monitoring keystrokes or mouse clicks, and inspecting system metadata such as username or installed applications for values typical of analyst machines.
Sandbox evasion means that even sophisticated security tools may clear a malicious file as safe if the malware successfully hides. It underscores the importance of layered defences — sandboxing is one tool among many, not a complete solution on its own.
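As an added illustration (not part of the original entry), a Python heuristic that a sandbox operator could run over a recorded API-call trace to flag the evasion patterns described above: long sleeps, repeated polling for user input, disk-size queries and metadata fingerprinting. The trace format, thresholds and sample trace are assumptions constructed for this example.

```python
# Sandbox-side heuristic that flags API-call patterns typical of evasion.
# Added illustration for this glossary entry, not code from any real product.
# The "api|argument" trace format is constructed; the Windows API names are real.
from collections import Counter

# Thresholds are assumptions chosen for illustration.
LONG_SLEEP_MS = 120_000          # a single sleep of two minutes or more
INPUT_POLL_MIN = 20              # repeated checks for user activity
SMALL_DISK_BYTES = 60 * 2**30    # disks under ~60 GB are unusual on real hosts

# APIs that read metadata often compared against values typical of analyst machines.
FINGERPRINT_APIS = {"GetUserNameW", "GetComputerNameW", "GetSystemFirmwareTable"}
# APIs that reveal whether a human is moving the mouse or typing.
INPUT_APIS = {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState"}


def parse_trace(lines):
    """Split constructed 'api|argument' trace lines into (api, arg) pairs."""
    calls = []
    for line in lines:
        api, _, arg = line.strip().partition("|")
        if api:
            calls.append((api, arg))
    return calls


def evasion_indicators(trace_lines):
    """Return the set of evasion categories observed in an API trace."""
    calls = parse_trace(trace_lines)
    counts = Counter(api for api, _ in calls)
    found = set()
    for api, arg in calls:
        value = int(arg) if arg.isdigit() else None
        # Delayed execution: one long sleep meant to outlast the sandbox timeout.
        if api == "Sleep" and value is not None and value >= LONG_SLEEP_MS:
            found.add("delay")
        # Virtualisation check: the total disk size reported back is implausibly small.
        if api == "GetDiskFreeSpaceExW" and value is not None and value < SMALL_DISK_BYTES:
            found.add("vm_check")
    # User-presence check: polling mouse/keyboard state many times over.
    if sum(counts[a] for a in INPUT_APIS) >= INPUT_POLL_MIN:
        found.add("user_presence")
    # Fingerprinting: reading username, hostname or firmware metadata.
    if counts.keys() & FINGERPRINT_APIS:
        found.add("fingerprint")
    return found


# Constructed sample trace: a 3-minute sleep, 25 cursor polls, a disk query whose
# recorded argument is the 40 GB total size returned, then a username lookup.
SAMPLE_TRACE = (["Sleep|180000"] + ["GetCursorPos|"] * 25
                + ["GetDiskFreeSpaceExW|42949672960", "GetUserNameW|", "CreateFileW|out.bin"])
```

Running `evasion_indicators(SAMPLE_TRACE)` flags all four categories, while a benign trace of ordinary file operations and short sleeps yields an empty set.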
Examples
- A malicious email attachment checks whether a real user has moved the mouse in the past two minutes before executing its payload, allowing it to pass automated sandbox scans undetected.