Here at Cybergate Defense, we use the latest technology in the Cyber Security industry to help secure IT infrastructure for businesses across the UAE.
Sandboxes are very good at detecting malware. However, some sandbox architectures are significantly more effective than others when it comes to identifying the more advanced strains of malware.
The idea behind a sandbox is simple—it’s an isolated, secure environment in which a file is opened and classified as benign or malicious by monitoring and analyzing its behavior. The sandbox lets the program execute and perform all of its operations while recording each one. After a set period of time, the sandbox stops the program and analyzes the recorded behavior for malicious activities and patterns.
Since sandboxes do not rely on signatures, it is even possible to detect zero-day or highly targeted malware that security researchers and AV tools have not yet seen or evaluated.
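As an added illustration of the monitor-then-analyze pipeline described above (example code, not Cybergate Defense's or any vendor's sandbox), the toy engine below scores a recorded operation trace against behaviour rules within a fixed time budget and never consults a file signature. The event format, rule names, weights and the sample trace are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: float      # seconds since the sample started executing
    op: str       # operation category recorded by the monitor
    target: str   # file path, registry key, remote host or process name

# Constructed behaviour rules; each sees the whole trace, so it can match a sequence.
def drops_and_runs_executable(trace):
    """Sample writes an executable to disk and then launches it."""
    written = {e.target for e in trace
               if e.op == "file_write" and e.target.lower().endswith(".exe")}
    return any(e.op == "process_create" and e.target in written for e in trace)

def sets_run_key(trace):
    """Sample persists through the per-user Run registry key."""
    return any(e.op == "reg_set" and "\\CurrentVersion\\Run\\" in e.target
               for e in trace)

def contacts_network_after_drop(trace):
    """Outbound connection that follows the first file drop in time order."""
    drops = [e.t for e in trace if e.op == "file_write"]
    return bool(drops) and any(e.op == "net_connect" and e.t > min(drops)
                               for e in trace)

RULES = [(drops_and_runs_executable, 50), (sets_run_key, 30),
         (contacts_network_after_drop, 20)]   # weights are constructed
MALICIOUS_THRESHOLD = 60

def analyze(trace, time_budget=60.0):
    """Keep only events inside the sandbox's execution window, then score the
    behaviour. Returns (verdict, score, names of matched rules)."""
    observed = sorted((e for e in trace if e.t <= time_budget), key=lambda e: e.t)
    matched = [(rule.__name__, w) for rule, w in RULES if rule(observed)]
    score = sum(w for _, w in matched)
    verdict = "malicious" if score >= MALICIOUS_THRESHOLD else "benign"
    return verdict, score, [name for name, _ in matched]

# Constructed trace of a document that drops and runs a payload, persists and
# then beacons out. No file hash is consulted, which is why a sample nobody
# has seen before can still be classified.
SAMPLE_TRACE = [
    Event(0.4, "file_read", r"C:\Users\user\invoice.docm"),
    Event(2.1, "file_write", r"C:\Users\user\AppData\Local\Temp\upd.exe"),
    Event(2.3, "process_create", r"C:\Users\user\AppData\Local\Temp\upd.exe"),
    Event(3.0, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event(5.5, "net_connect", "203.0.113.10:443"),
]
```

Because `analyze` only sees events inside `time_budget`, the same trace evaluated with a budget that expires before the drop produces a benign verdict, which is the limitation the fixed execution window introduces.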
Not all sandboxes are created equal, however. When developing a sandbox, vendors use one of three architecture types: virtualization, operating system (OS) emulation, and hardware (full system) emulation. Here’s a quick look at each.
VIRTUALIZATION
Most sandbox products use virtualization. These products typically run on virtual machines to optimize the volume of files a single piece of hardware can analyze, using a “hypervisor” to control the execution of different virtual environments. During the timeframe when the hypervisor relinquishes control to the malware for execution, the malware and operating system run directly on the system hardware. Performance is essentially the same as though it were executed on a prospective victim’s machine.
OPERATING SYSTEM EMULATION
Some sandboxes emulate the operating system. The idea is that by emulating the operating system, the sandbox has greater visibility into what the malware is doing. This provides a number of advantages over the limited view of virtualization-based technologies. So, in theory, this seems like a sound approach.
HARDWARE OR FULL SYSTEM EMULATION
The third and most advanced sandboxing approach emulates the entire hardware system, including the CPU, memory, and I/O devices. Because this method doesn’t introduce any artifacts, it is much harder to detect than either virtualization or OS emulation. It’s also the only approach that provides Deep Content Inspection, which allows the sandbox to view everything that the malware does, including its use of the CPU, memory, and I/O devices.