The Redmond giant wanted only cryptographically signed executables, ideally those obtained from the official Windows application store, to run on its hardware.
He built the technology needed to take all executables off the wire, and essentially unpack and run them in a mini-cloud of virtual emulators on a hardware appliance.
They capture samples via honeypots and customer reports, unpack them, reverse engineer the executables so they can see the source code, and try to figure out what the malware is doing.
Their advanced sandbox technology, Deep Discovery, is available as an out-of-band gateway device (Deep Discovery Inspector) to scan all incoming traffic and as a standalone server (Deep Discovery Analyzer) to accept suspicious executables from email gateways and other sources.