About Sandboxing Mode for Application Execution


EPM Windows provides a sandboxing mode, a security feature that allows users to run applications in an isolated space on the hard disk. This prevents applications from making changes to the operating system, other software, network, or user data. Sandboxing mode is always associated with the Access List type Isolate. When applications are launched from an Isolate list, they are always executed within a sandboxed environment.

Applicability

Sandboxing mode is designed to increase the security of application execution on endpoints, particularly when handling untrusted or potentially risky software. Its main uses include:

  • Running third-party or unknown applications with restricted access to the operating system and user data.
  • Preventing applications from accessing or modifying resources outside their sandbox.
  • Protecting the endpoint from malware, ransomware, and other malicious behaviors during application execution.

Functionality

When the Isolate Access List type is configured, all applications assigned to this list are executed in sandboxing mode by default. The feature is accessible through the Application module, where the option Execute in Isolated Mode is displayed.

EPM Windows also includes an automated malware analysis system. This system analyzes the behavior of every application executed within the sandbox. If suspicious activity is detected—for example, ransomware execution—the system immediately blocks the application and terminates its execution, even inside the isolated environment.

All executions in sandboxing mode are registered as Isolate actions. Administrators can review these events by navigating to EPM > Reports > Events.

Info

Isolated mode executions are tracked and can be audited through the event reporting system, helping administrators identify potentially malicious activity or non-compliant application use.

Use Case

A system administrator needs to allow users to run an application from an unverified vendor. Instead of granting unrestricted access, the administrator adds the application to an Isolate Access List. When a user starts the application, it runs in a sandboxed environment, with real-time behavioral analysis. If the application attempts unauthorized operations, such as encrypting files or accessing network resources, EPM Windows blocks and shuts down the process automatically. All activity is logged for further review.