
I'm by no means a cybersecurity expert but I'm very interested in security and privacy protection for my own good.

I use Windows 10 Pro and there's this cool feature called Hyper-V, which is a Windows native VM so that you can run a Windows 10 machine within Windows 10.

I use this Hyper-V VM a lot when I have to access some dubious sites or some sites that demand that I install bloatware in order to proceed. I'm basically expecting to keep them all in a single isolated sandbox so that something malicious in the VM can never affect my host PC that I really care about.

However, I noticed that I can easily download a file to my host PC's C:, which is weird because I thought they were supposed to be separated and unreachable.

So I think there are a few possible reasons for this:

  1. Hyper-V never actually isolates your environment and virus/malware can still penetrate through Hyper-V VM to your host PC.
  2. My Hyper-V setting is wrong.
  3. It's a bug.

I'm guessing that 1 is the most plausible scenario because 2. my settings are mostly default and 3. Microsoft has maintained Hyper-V for like a decade.

Cybersecurity-wise, is it a bad idea to rely on a Hyper-V VM as a sandbox? I even bought an extra Windows 10 license for this.

1 Answer


It sounds like you are misunderstanding what exactly Hyper-V is and does.

Enabling Hyper-V does not convert your currently running system into a core "host" and safe "guest" system.

Hyper-V is a virtual machine platform, in the same way that VirtualBox and VMware Player are VM platforms. These programs and services provide the virtual "computer" that surrounds a virtualised CPU, including things like the network hardware, display, and other emulated I/O devices.

If all you did was "enable" Hyper-V then you have not done anything that would confer any kind of virtual machine protections on your system. You would have to configure a VM within the Hyper-V Manager, download a Windows ISO image, attach it to your VM and then install as you would any other computer. You would also need to purchase a Windows licence for that virtualised operating system; Windows licences do not grant unlimited VM use.

When you right click the running machine and select "connect" you should expect to have a window within your Windows system, something like this:


If you did not do that then you do not have any kind of "sandboxed" system. Any actions you perform in your computer outside of a specifically created VM are on your actual computer.

If you are wanting a throw-away sandbox style system without needing to buy additional Windows licences then you might want to look into the Windows Sandbox feature, which creates an incredibly streamlined copy of your existing Windows system inside a virtual machine that is completely discarded the moment you close the sandbox. It acts very much like any normal VM, but is much lower profile. It is not really "secure" though, as it has the same access to your network (and any shared devices) as your main machine, and malware could potentially scramble or encrypt devices on your network, though your local disk is not directly visible. I do not know what other security implications it may have. It requires Windows 10 Pro as a minimum.

When enabled (see the page I linked above) you will end up with a "Windows Sandbox" application that you run whenever you want a lightweight "computer" to mess about with things. Bear in mind that it is 100% volatile and the moment you close the Sandbox then everything you did within it is lost.

Mokubai
  • 95,412
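
The answer's caveat that Windows Sandbox shares the host's network and devices by default can be narrowed with a Windows Sandbox configuration file. The following is an added example, not part of the answer above; it assumes the Windows Sandbox feature is already enabled, and the file name `isolated.wsb` is made up for illustration.

```xml
<!-- isolated.wsb (hypothetical file name): double-click to start a sandbox
     with these settings instead of the defaults. -->
<Configuration>
  <!-- Default is Enable: the sandbox reaches the same network as the host.
       Disable removes the virtual network adapter, so nothing inside can
       touch shares or devices on the LAN (and nothing can be downloaded). -->
  <Networking>Disable</Networking>

  <!-- Default shares the host clipboard in both directions. -->
  <ClipboardRedirection>Disable</ClipboardRedirection>

  <!-- Do not expose host printers, microphone or camera to the sandbox. -->
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>

  <!-- Use software rendering instead of sharing the host GPU. -->
  <VGpu>Disable</VGpu>

  <!-- Extra hardening of the sandbox's remote-desktop session. -->
  <ProtectedClient>Enable</ProtectedClient>

  <!-- No MappedFolders element is present, so no host folder is visible
       inside the sandbox. -->
</Configuration>
```

With networking disabled, files to be examined have to be copied into the sandbox window by hand; if a site must be visited, leave `Networking` at its default and keep the other settings.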