This document discusses building a transparent sandbox for malware analysis using virtual machines (VMs). It describes how malware can detect security utilities running in the same VM environment. The document proposes monitoring malware behavior from outside the VM using virtual machine introspection techniques on emulation-based and virtualization-based VMs. It also discusses using behavior comparison across multiple VM systems to detect malware that checks for virtual machine environments.