Sandboxing: Advanced Malware Analysis


Antivirus protection isn’t enough to protect against today’s advanced threats. To fill this gap and aid in the analysis, detection, and testing of malware, sandboxing is widely used to give organizations the setting, isolation, and security tools needed to preserve the integrity of the host network.

In 2021, sandboxes are now a fundamental part of an organization’s cybersecurity architecture. We look at what a sandbox is, why sandboxing is important, and what to consider for implementation or purchase of sandbox software.

While sandboxing can help isolate threats before they do damage, it’s best to harden devices to minimize those threats in the first place. Kolide — this article’s sponsor — works with Okta to ensure that only secure devices can access company resources, guiding users to make their own fixes and updates. The end result is more secure devices and fewer threats to company resources without creating more work for IT.

Also Read: 3 Facts about Sandbox-based Gateway Appliances

What is a sandbox?

A sandbox is an isolated environment where users can safely run and test suspicious code without risk to the device or network. Sandboxes are also described as automated malware analysis solutions, and they are a widely employed method of threat and breach detection.

Sandboxes most often come in the form of a software application, though hardware alternatives do exist. Methods for implementation include third-party software, virtual machines, embedded software, or browser plug-ins. A number of computer manufacturers and cloud service providers have deployed sandboxes for regular use by clients.

As cybersecurity vendors consolidate tools into comprehensive solutions for SMB and enterprise organizations of the future, sandboxing isn’t missing the party. Naturally, some of the most reputable sandboxes today are built into endpoint detection and response (EDR) platforms.

Also Read: Top Endpoint Detection & Response (EDR) Solutions

Sandbox Features

Sandbox solutions today are compared by the set of features they offer to aid advanced malware analysis. Most include common capabilities like:

  • Threat analysis
  • Pre-filtering
  • Time to detection
  • Reporting
  • Automation
  • Roadmap

Also Read: 2021’s Best Vulnerability Scanning Tools

Sandboxes vs. Virtual Machines (VMs)

Virtual machines (VMs) have been a critical development for advanced computing and often get mentioned as similar environments for anti-malware analysis and testing. The truth is that the line between them grows thin, but one critical difference remains.

VMs: Vulnerability to host

Virtual machines are emulated computers that can be installed within a host computer system like any other application. This is the starkest difference between VMs and sandboxes, because virtual machines aren’t inherently designed for malware analysis. Depending on the security features of the VM and hypervisor, a malicious program executed in a VM could communicate within the VM’s OS and beyond it to the host’s hard disk.

Sandboxing: Designed to be isolated

Sandboxes, by comparison, are designed to be completely isolated from the host. A sandbox should resemble a user’s OS and applications, but only as far as needed to bypass the malware’s potential anti-analysis capabilities.

Also Read: How VMI Can Improve Cloud Security

Why should you use sandboxing?

Sandboxing can detect the newest and most critical threats, foster collaboration, minimize risks, and facilitate IT governance.

Malware isn’t going away, and even advanced monitoring and antivirus software can’t always predict what a malicious program will do when executed. Antivirus software is notable for its ability to scan programs being transferred, downloaded, and stored. However, a scan of a program’s binary only tells so much. By executing programs in a sandbox environment, we fill the security gap that existing solutions miss.
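The gap described above, shown as an added example that is not part of the original article and does not describe any vendor's product: a signature scan only sees the bytes on disk, so a repacked variant with no known hash passes as clean, while a handful of rules over the behavior a sandbox records during detonation still flag it. The hash list, report layout, rule weights and sample reports are all constructed for the illustration.

```python
"""Static signature check beside a behavior-based sandbox verdict.

Added illustration for this article: the hash list, the report layout,
the rules and the sample reports are all constructed here and do not
describe any vendor's product or format.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed signature database: hashes of samples seen before.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-old-trojan-bytes").hexdigest()}


def static_verdict(sample: bytes) -> str:
    """What a signature scan sees: only the bytes on disk, matched by hash."""
    digest = hashlib.sha256(sample).hexdigest()
    return "malicious" if digest in KNOWN_BAD_SHA256 else "clean"


@dataclass
class SandboxReport:
    """Behavior observed while the sample ran (constructed report shape)."""
    files_written: List[str] = field(default_factory=list)
    registry_set: List[str] = field(default_factory=list)
    connections: List[Tuple[str, int]] = field(default_factory=list)
    child_processes: List[str] = field(default_factory=list)


SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
COMMON_PORTS = {80, 443}

# Each rule: (name, weight, predicate over the report). Weights are arbitrary
# values chosen for this example, not a published scoring scheme.
RULES: List[Tuple[str, int, Callable[[SandboxReport], bool]]] = [
    ("persistence_run_key", 40,
     lambda r: any("currentversion\\run" in k.lower() for k in r.registry_set)),
    ("executable_dropped_in_temp", 20,
     lambda r: any("\\temp\\" in f.lower() and f.lower().endswith(".exe")
                   for f in r.files_written)),
    ("spawns_script_host", 15,
     lambda r: any(p.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS
                   for p in r.child_processes)),
    ("outbound_nonstandard_port", 25,
     lambda r: any(port not in COMMON_PORTS for _, port in r.connections)),
]


def dynamic_verdict(report: SandboxReport) -> Tuple[int, List[str]]:
    """Score the behavior report; returns (score, names of rules that fired)."""
    fired = [name for name, _, check in RULES if check(report)]
    score = sum(weight for name, weight, _ in RULES if name in fired)
    return score, fired


def classify(score: int) -> str:
    """Map a score to a verdict label (thresholds chosen for this example)."""
    if score >= 50:
        return "malicious"
    if score >= 20:
        return "suspicious"
    return "clean"


# Constructed sample: a repacked variant the signature database has never seen...
UNKNOWN_VARIANT = b"constructed-repacked-variant-bytes"
# ...and the behavior the sandbox records when it is detonated.
VARIANT_REPORT = SandboxReport(
    files_written=[r"C:\Users\analyst\AppData\Local\Temp\svchosts.exe"],
    registry_set=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
    connections=[("198.51.100.7", 4444)],  # constructed TEST-NET-2 address
    child_processes=[],
)
# Constructed benign report for comparison: a document editor saving a file.
BENIGN_REPORT = SandboxReport(
    files_written=[r"C:\Users\analyst\Documents\notes.docx"],
    connections=[("203.0.113.10", 443)],
)

if __name__ == "__main__":
    print("static scan:", static_verdict(UNKNOWN_VARIANT))
    score, fired = dynamic_verdict(VARIANT_REPORT)
    print("sandbox:", classify(score), score, fired)
    print("benign sample:", classify(dynamic_verdict(BENIGN_REPORT)[0]))
```

The point of the pairing is the two verdicts on the same sample: `static_verdict` returns "clean" for the unknown variant because no hash matches, while `dynamic_verdict` scores the run-key persistence, the dropped executable and the outbound connection that only appear once the sample actually runs.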

Also Read: Types of Malware & Best Malware Protection Practices

Antivirus Coverage Isn’t Enough

Malware today is so advanced that security precautions taken just a few years ago won’t be enough. One reason sandboxing is a needed tool is that antivirus solutions have proven ineffective against advanced malware strains.

Depending on the antivirus software, and particularly in the case of a zero-day threat, the malware can pass every scan and appear like any other file. Even when the user never executes the malware, its lingering presence can be a detriment to the device or network.

Anti-Analysis Features Grow

Advanced malware can now detect whether it’s being analyzed in a sandbox environment. Luckily, this anti-analysis behavior can be countered by ensuring the sandbox environment resembles a typical computer system. This means configuring the sandbox to contain faux programs and files that won’t be missed if corrupted in the process.

Also Read: Advanced Threat Detection Buying Guide

Sandbox use cases

Sandboxes are especially important to cybersecurity and software development. Sandboxing is a critical technique for analyzing suspicious code wherever it comes from. Not testing software before downloading, executing, and deploying it is a recipe for disaster. Generally, re-testing existing software from time to time to analyze potential changes is also a prudent decision.

Sandbox                 Description
Development             Simplest environment for testing implementations
Project integration     Environment for collaboration between developers
Demo                    Environment for stakeholders to test the software
Testing environment     Simulates the production environment and tests the software
Production environment  The actual system where the program will be deployed

Policy control for sandboxing

When personnel rely on sandbox technology for security, collaboration, and more, there need to be appropriate policies surrounding its use. For its own sandbox environments, AWS encourages organizations to cover five areas of usage:

  1. Data classification: What data classifications are allowed in sandbox environments?
  2. Network connectivity: Can the sandbox connect with other network environments?
  3. Access control: Who has access to the sandbox environment?
  4. Tagging policy: Are you tagging resources for automated identification and allocation?
  5. Resource lifecycle policy: How long can a resource stay in a sandbox environment?
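The five policy areas above, turned into a check that can run against an inventory of sandbox resources. This is an added example written for this article, not AWS's own schema, service or API: the record layout, tag names, classification labels and thresholds are constructed, and nothing here talks to a cloud provider.

```python
"""Audit sandbox resources against the five policy areas listed above.

Added illustration for this article: the record layout, tag names and
thresholds are constructed for the example; they are not AWS's own
schema, service or API, and nothing here calls a cloud provider.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Policy settings (constructed values).
ALLOWED_CLASSIFICATIONS = {"public", "internal"}   # never PII or confidential data
ALLOWED_NETWORKS = {"isolated"}                     # no route to corporate or production
REQUIRED_TAGS = {"owner", "expires"}
MAX_AGE = timedelta(days=30)


def audit_resource(res: Dict, now: datetime) -> List[str]:
    """Return the names of the policy areas the resource violates, in policy order."""
    findings: List[str] = []
    tags = res.get("tags", {})

    # 1. Data classification: only approved classes may land in a sandbox.
    if res.get("classification") not in ALLOWED_CLASSIFICATIONS:
        findings.append("data-classification")

    # 2. Network connectivity: the sandbox must not reach other environments.
    if res.get("network") not in ALLOWED_NETWORKS:
        findings.append("network-connectivity")

    # 3. Access control: someone must be explicitly allowed in; an empty list
    #    means nobody owns the decision, which in practice means anyone can reach it.
    if not res.get("allowed_principals"):
        findings.append("access-control")

    # 4. Tagging: required tags drive automated identification and cost allocation.
    if REQUIRED_TAGS - set(tags):
        findings.append("tagging")

    # 5. Resource lifecycle: enforce both a hard age cap and the declared expiry.
    expired = now - res["created"] > MAX_AGE
    if "expires" in tags and datetime.fromisoformat(tags["expires"]) < now:
        expired = True
    if expired:
        findings.append("resource-lifecycle")

    return findings


def audit_all(resources: List[Dict], now: datetime) -> Dict[str, List[str]]:
    """Map resource id -> findings, listing only non-compliant resources."""
    report: Dict[str, List[str]] = {}
    for res in resources:
        findings = audit_resource(res, now)
        if findings:
            report[res["id"]] = findings
    return report


# Constructed inventory, audited at a constructed point in time.
NOW = datetime(2021, 6, 1)
RESOURCES = [
    {   # compliant sandbox instance
        "id": "sbx-analysis-01", "classification": "internal", "network": "isolated",
        "allowed_principals": ["malware-analysts"], "created": datetime(2021, 5, 20),
        "tags": {"owner": "secops", "expires": "2021-06-15"},
    },
    {   # instance spun up with production data, peered to the corporate network, and forgotten
        "id": "sbx-legacy-07", "classification": "confidential", "network": "corp-peered",
        "allowed_principals": [], "created": datetime(2021, 1, 10), "tags": {},
    },
    {   # tagged and isolated, but past its declared expiry
        "id": "sbx-demo-03", "classification": "public", "network": "isolated",
        "allowed_principals": ["sales-demo"], "created": datetime(2021, 5, 25),
        "tags": {"owner": "sales", "expires": "2021-05-31"},
    },
]

if __name__ == "__main__":
    for rid, findings in audit_all(RESOURCES, NOW).items():
        print(rid, "->", ", ".join(findings))
```

The lifecycle check deliberately combines two signals, the hard age cap and the `expires` tag the owner declared, because a sandbox that is still young but already past its promised expiry is exactly the kind of resource that otherwise lingers with stale data in it.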

When employed for cybersecurity, sandbox management is yet another segment of the organization that needs checks and balances. The risk of leaking malware onto the organization’s own network, or placing PII in a sandbox by accident, is too great to play loose.

Network sandboxing market

According to MarketWatch, the global network sandbox market is expected to grow at a CAGR of 14.4%, jumping from $2.97B in 2019 to near $5.1B by 2025. As malware adapts to more robust security, sandbox technology for anti-malware analysis will only become more important.

Also Read: BigID Wins RSA Innovation Sandbox 2018 Contest

Sandbox Vendors

Enterprise sandbox solutions

Vendor              Product                     Established
Crowdstrike         Falcon Sandbox              2011
FireEye             Malware Analysis            2004
Fortinet            FortiSandbox Cloud          2000
McAfee              Advanced Threat Defense     1987
Palo Alto Networks  WildFire                    2016
Proofpoint          Targeted Attack Prevention  2002
Trend Micro         Deep Discovery Analyzer     1988
Zscaler             Cloud Sandbox               2007

Also Read: 10 Vendors Set to Innovate at RSA Conference 2019

Free sandbox solutions

There are also a number of free sandbox solutions that may not offer all the features and integration of an enterprise solution.

  • Avast Internet Security
  • Cameyo
  • Comodo Internet Security
  • Evalaze
  • Malwarebytes
  • Sandboxie
  • Shade Sandbox
  • Time Freeze
  • VMWare or VirtualBox

Sandboxing: Malware’s Worst Enemy

Cybersecurity is a constant cat-and-mouse game between threat actors attempting to break in and security staff and solutions ensuring they stay out. Over the years, identified malware and system vulnerabilities have informed the industry’s cybersecurity brain trust on how best to defend against future attacks, but how do we guard against advanced and unknown threats?

There is no easy fix, and a holistic approach to cybersecurity, including the use of a sandbox solution, remains the most reliable path to staying protected. Sandboxes offer the necessary tools and isolation to give suspicious programs the attention they deserve before they are deployed to the production environment. By testing potential malware in a pseudo-production environment, network analysts obtain more visibility into how a program can operate and can rest assured knowing how it will impact the network and other applications.

Sam Ingalls
