Virtual Encapsulation (Sandbox, VM, Container, …)
The base protection of the isolation appliance is a hardened Linux operating system.
An additional core security mechanism is the use of nested virtual containers, where vulnerable applications (such as browsers or email clients) are executed within the innermost container. In the event of an attack, malicious code can only take effect within the container in which it was executed, for example by manipulating, encrypting, or deleting data there. However, these containers contain no critical company data. Once the user closes the vulnerable application, the container — including all its contents and any malware — is automatically deleted. The next time the user launches the application, a new virtual container with a clean version of the browser or email app is provided.
Files downloaded from the public internet are stored on the isolation appliance. If a user wants to open and view such a file, it is mounted into a container. Any malicious code hidden in the file can only execute within this isolated environment. After editing, the user can save the file back to the operating system level. When the user closes the application, the container is deleted.
This malware protection mechanism is effective against all types of attacks, including active content such as WASM and JavaScript as well as zero-day exploits.
Escape from Encapsulation
Malware escaping from a virtual container is possible — and not at all uncommon.
If malware breaks out of a virtual container, it still has only very limited permissions. It has read-only access to files outside the app box it escaped from, and therefore cannot cause any damage.
Even in the unlikely event of a breakout through multiple layers of virtual security, the malicious code has no way to cross the physical boundary of the isolation appliance — and thus cannot access the intranet or any company data.