A sandbox testing method, a sandbox system and a sandbox device. Said method comprises: initializing a virtual machine and saving an initial state of at least one from among a core file, a registry and a memory of the initialized virtual machine, wherein said core file is a file in a predetermined file set, and said memory comprises a processed module and a thread (310); running a sample program in said virtual machine (320); acquiring a current state of at least one from among the core file, the registry and the memory after running said sample program (330); obtaining a comparison result by means of comparing the initial state of at least one from among the core file, the registry and the memory and the current state of at least one from among the core file, the registry and the memory in the virtual machine, said comparison result indicating whether said core file, registry and memory are altered after running said sample program (340); according to said comparison result, determining whether said virtual machine is infected by said sample program (350); resetting said virtual machine if the virtual machine is infected by said sample program (360); omitting the step in which said virtual machine is reset if the virtual machine is not infected by said sample program, and running a next sample program by means of the virtual machine (370). The present method may increase the efficiency of sandbox testing.
展开▼