
How the Sandbox Works

Attachment Sandboxing uses a combination of rules and actions to send mail attachments to a sandbox for analysis. This article explains how the sandbox inspects files to arrive at an end result of No Risk Found, Suspect, or Malicious.

What is a sandbox, exactly?

VIPRE’s sandbox is an automated and dynamic malware analysis tool. It tracks system activity — including changed files, registry keys, and network activity — to provide a comprehensive determination from within a secure and monitored environment.

By combining this real-time execution and analysis of never-seen-before (unknown) files with a vast back catalog of threat intelligence, a VIPRE sandbox can quickly make smart determinations regarding a file’s malicious or benign nature.

How does the sandbox inspect attachments?

Files are hashed to check for previous encounters

The first thing a sandbox does is confirm if it has seen a file before. Does it know what it is? Has it been encountered in the wild, and tested before?

By using unique identifiers (MD5 hashing), a sandbox can immediately identify if a file attachment has been seen before. In simpler terms, a hash is just a record number. A hash does not contain any personally identifiable information or file content.

Using the hash lookup, the sandbox can cross-reference years and years of malware samples to see if a file has been analyzed before, and what the outcome was. These hashes are shared with our other security products (such as antivirus). Therefore, a file identified as malicious by the sandbox is already flagged as malicious when a different security product encounters it later on.

New files are fully analyzed

If the file is indeed unique, the sandbox then goes to work, performing its robust testing process to determine the nature of the file.

When a file needs to be tested, a brand new VM is deployed. This VM is configured to match common Windows configurations in their "most vulnerable" and unpatched state, including many frequently used applications and settings.

The file is loaded into the sandbox, and an associated application or system process executes or opens the file. The resulting behavior is logged and analyzed.

The sandbox activity reveals how malicious code might act in actual Windows systems. The analysis data that is generated provides a storyline of the activities performed when the file is executed or opened. Using advanced intelligence and the VIPRE determination engine, the file's activity and end result are classified as Malicious, Suspect, or No Risk Found. The details of the analysis are sent to the Sandbox Logs.

A full reset after each test

When a sandbox has completed its analysis and report generation, the contents of the sandbox are automatically destroyed and the VM is reverted to a clean state, ready for the next test. Because of this, all traces of each file attachment (and any personal information in those files) are also deleted.
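The whole flow described above (hash lookup against a shared verdict catalog first, behavioural classification only for a never-seen file, and the verdict written back so later lookups find it), as an added Python example that is not VIPRE's code; the event format, the scoring weights and the thresholds are assumptions made for this illustration, not the real determination engine.

```python
import hashlib

NO_RISK, SUSPECT, MALICIOUS = "No Risk Found", "Suspect", "Malicious"

# Stand-in for the shared verdict catalog (MD5 hex digest -> verdict); constructed, starts empty.
verdict_cache = {}

# Illustrative heuristics and weights: an assumption for this example, not VIPRE's engine.
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe")

def md5_hex(data: bytes) -> str:
    """The file's 'record number': the MD5 digest of its bytes, as the article describes."""
    return hashlib.md5(data).hexdigest()

def classify_activity(events) -> str:
    """Score a logged activity storyline (registry, file, process, network events) into a verdict."""
    score = 0
    for ev in events:
        kind = ev["kind"]
        if kind == "registry_write" and ev["key"].lower().endswith(AUTORUN_KEYS):
            score += 2  # persistence through an autostart key
        elif kind == "file_write" and ev["path"].lower().startswith("c:\\windows\\"):
            score += 2  # writes into the system directory
        elif kind == "process_start" and ev["image"].lower() in SCRIPT_HOSTS:
            score += 2  # an opened attachment spawning a script host
        elif kind == "network_connect" and not ev["host"].startswith(("127.", "10.", "192.168.")):
            score += 1  # outbound connection to an external host
    if score >= 4:
        return MALICIOUS
    return SUSPECT if score >= 2 else NO_RISK

def analyze_attachment(data: bytes, run_sandbox):
    """Hash lookup first; only a never-seen file goes to the detonation step.

    run_sandbox(data) returns the file's activity log; here the caller passes constructed
    events and nothing is executed. Returns (verdict, served_from_cache).
    """
    digest = md5_hex(data)
    if digest in verdict_cache:
        return verdict_cache[digest], True
    verdict = classify_activity(run_sandbox(data))
    verdict_cache[digest] = verdict  # now visible to every later lookup of this hash
    return verdict, False

# Constructed sample: a document that spawns PowerShell, sets an autorun key and calls out.
SAMPLE_FILE = b"%PDF-1.4 constructed sample attachment\n"
SAMPLE_EVENTS = [{"kind": "process_start", "image": "powershell.exe"},
                 {"kind": "registry_write", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
                 {"kind": "network_connect", "host": "203.0.113.7"}]
```

Calling analyze_attachment twice with the same bytes shows the point of the hash step: the second call is answered from the catalog without the sandbox callable ever running.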

Carlos Rios