In his recent SecurityWeek column, Scott Simkin calls out the efficacy of malware analysis via sandboxing. Attackers have become acutely aware of the methods security teams use to analyze files for malicious activity, including scanning the environment for code used in known malware analysis tools or observing hardware size for amounts of memory typically found in virtual machines.

http://researchcenter.paloaltonetworks.com/2017/04/malware-cant-bear-traps-bare-metal-analysis/