Why do you need a malware sandbox?

Company: ANY.RUN

Malware sandboxes help solve the problem of identifying previously unknown malware samples: they are protection systems that evaluate the security of software by running it and analyzing its behavior in an isolated virtual environment. This article walks through what a sandbox is and why any organization needs this kind of service.

What is a malware sandbox?

The malware sandbox is an established class of security products. Its main tasks are to examine the objects submitted to it, collect the resulting events for further analysis, and process the collected data; each event is checked against the configured policies. In other words, a sandbox is an isolated environment into which an object, such as a suspicious file, is sent for analysis. It gathers as much telemetry and context as possible from the sensors pre-configured in the network. A sensor can be any existing device or application: a mail gateway, agents on workstations, or a firewall that forwards files to the sandbox for inspection. A malware analyst can also upload a file or submit a link manually for further research.

It is important to test malware under different circumstances, so sandboxes support the common operating systems and configurations in order to reveal malware behavior on the platform it targets. A customized sandbox is already a tool against targeted attacks; what to customize, as always, depends on the user's priorities.

Why do you need a malware sandbox?

Static analysis cannot always detect malicious code. A sandbox lets you detonate a sample and examine its operation and behavior dynamically. This helps build protection against every kind of malicious object: backdoors, downloaders, bankers, ransomware and so on, across a service landscape (websites, applications, operating systems) that is huge. The sandbox is often deployed in the DMZ segment, between the perimeter firewall and the core network.

What is the difference between a sandbox and an antivirus?

A malware sandbox dynamically analyzes objects in an isolated network environment with no connection to the company's network, and it lets the object reveal as much of itself as possible. Host-based antivirus works the other way around: it aims to block malware and its actions. Antivirus or EDR is the next tier of protection; most importantly, the malicious object should not reach the workstation at all.

What types of objects are handled by the sandbox?

Links, binaries, Word and Excel files, images and any custom object types. It is worth noting that there is little sense in analyzing files larger than 300 MB; separate, specialized solutions exist for large files, and that need is very rare. Malicious objects reach the sandbox from several sources, such as firewalls, mail gateways and WAFs, and many standard protocols are supported for the exchange: Syslog, ICAP, SMTP, NFS. Because the sandbox can be integrated via an API into almost any environment, all kinds of organizations can benefit from the tool.

Does the sandbox help protect against an APT attack?

Yes. A sandbox helps defend against advanced persistent threats because it allows events to be analyzed in depth. A malicious object can carry different signatures and bypass the antivirus, but its behavior stays roughly the same, and that is what the sandbox exposes. One of the main goals is to make the sandbox as attractive as possible to the malware so that it exposes itself fully in a controlled, secure environment. For example, the interactive approach of the ANY.RUN sandbox triggers malware that requires direct human actions: drag the mouse, press keys, create specific files and folders, open documents, and do whatever else it takes to trick the malware.

Of course, you can build your own isolated environment for malware analysis from scratch, but that takes a lot of effort and preparation time.
And even then there is a chance that your sandbox will not be secure enough, will not be invisible to the malware, or will not provide the information you need. To speed up the process we recommend using ready-made solutions like ANY.RUN. It is an online service, so you can run a sample from anywhere and get results right away.
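The section on object types mentions that sensors (firewalls, mail gateways, WAFs, an API) feed objects to the sandbox and that files above 300 MB are not worth submitting. What the article does not show is the gate a sensor runs before handing an object over: classify it by content rather than by extension, enforce the size cap, and skip objects already analyzed. The following Python is an added example written for this page, not ANY.RUN's code and not a call to any vendor API; the 300 MB ceiling is the article's figure, while the type list, the priority set, the function names and the in-memory sample objects are assumptions of the example.

```python
import hashlib
import io
import zipfile
from typing import Optional

# The 300 MB ceiling is the article's figure; everything else in this file is an
# assumption of this example (no sandbox API is called).
MAX_SIZE = 300 * 1024 * 1024
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt and .msi


def sniff_type(data: bytes) -> str:
    """Classify an object by its content, never by its extension: attackers
    rename freely, and a .docm is a zip container whatever its name says."""
    head = data[:8]
    if head[:2] == b"MZ":
        return "pe"
    if head[:4] == b"\x7fELF":
        return "elf"
    if head[:5] == b"%PDF-":
        return "pdf"
    if head == OLE_MAGIC:
        return "ole"
    if head == b"\x89PNG\r\n\x1a\n":
        return "png"
    if head[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if head[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = {n.lower() for n in z.namelist()}
        except zipfile.BadZipFile:
            return "unknown"
        if "[content_types].xml" in names:
            # Office Open XML; a VBA container inside it deserves priority
            has_macro = any(n.endswith("vbaproject.bin") for n in names)
            return "ooxml_macro" if has_macro else "ooxml"
        return "zip"
    return "unknown"


SUPPORTED = {"pe", "elf", "pdf", "ole", "png", "jpeg", "ooxml", "ooxml_macro", "zip"}
HIGH_PRIORITY = {"pe", "elf", "ole", "ooxml_macro"}


def triage(name: str, data: bytes, seen: set, size: Optional[int] = None) -> dict:
    """Decide whether a sensor should hand this object to the sandbox.
    `seen` is the caller's cache of SHA-256 digests already analyzed; `size`
    lets a streaming sensor reject oversized objects before buffering them."""
    size = len(data) if size is None else size
    result = {"name": name, "size": size, "sha256": None, "type": None,
              "priority": "normal", "decision": None}
    if size > MAX_SIZE:
        result["decision"] = "skip:too_large"
        return result
    digest = hashlib.sha256(data).hexdigest()
    kind = sniff_type(data)
    result.update(sha256=digest, type=kind)
    if digest in seen:
        result["decision"] = "skip:already_analyzed"
    elif kind not in SUPPORTED:
        result["decision"] = "skip:unsupported"
    else:
        result["decision"] = "submit"
        result["priority"] = "high" if kind in HIGH_PRIORITY else "normal"
        seen.add(digest)
    return result


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Office Open XML container used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    cache = set()
    samples = [                                     # all constructed in memory
        ("invoice.pdf.exe", b"MZ" + b"\x00" * 62),  # PE stub hiding behind a double extension
        ("report.docx", make_ooxml(with_macro=False)),
        ("report.docm", make_ooxml(with_macro=True)),
        ("invoice.pdf.exe", b"MZ" + b"\x00" * 62),  # duplicate of the first object
        ("notes.txt", b"plain text, nothing to detonate"),
    ]
    for name, blob in samples:
        r = triage(name, blob, cache)
        print(f"{name:18} {str(r['type']):12} {r['priority']:7} {r['decision']}")
    print(triage("huge.iso", b"", cache, size=MAX_SIZE + 1)["decision"])
```

The digest cache is what keeps a busy mail gateway from resubmitting the same attachment hundreds of times; the content sniffing is what makes sure a renamed executable still goes to the sandbox while a text file does not consume an analysis slot.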