Not All Sandboxes Are Created Equal

Sandbox environments are a common feature of many cybersecurity solutions in their fight against advanced malware. Firewalls, endpoint protection, and even next-generation machine learning systems use sandboxes as one of their lines of defense. However, not all sandboxes are created equal.

Sandboxes can take different approaches towards malware analysis and detection, and some of these approaches are clearly more effective than others. New strains of malware are designed to evade the detection techniques used by older sandboxes, rendering them largely ineffective. In this post, we’ll discuss the different types of sandboxes, their techniques, and their limitations.

How Malware Analysis Sandboxes Differ

In simple terms, a sandbox is a secure, isolated environment in which applications are run or files opened. With such a broad definition, individual sandboxes can be very different from each other. There are four principal ways in which sandboxes may differ: the type of emulation used, version limitations, emulation speed, and the specific technique used to detect malicious files.

Operating System Emulation vs. Full System Emulation

Older sandbox environments generally only replicate the application and operating system layers. This is known as O/S system emulation. There was a time when this was enough to determine if a file could be malicious. The file being analyzed would detect the operating system, determine that it had arrived at a target host, attempt to take malicious actions, and be detected.

Unfortunately, this is no longer an effective method of sandboxing. Modern threats can detect when they are in an O/S system emulation. To defeat these threats, a sandbox solution needs full system emulation. If it does not have it, it’s a lot like being in a staged house with no windows: eventually, the malicious program is going to try to look behind the curtains.

O/S and Application Version Limitations

Some sandboxes (Read more...)