Skip to content ↓ | Skip to navigation ↓

Sandbox environments are a common feature of many cybersecurity solutions in their fight against advanced malware. Firewalls, endpoint protection, and even next-generation machine learning systems use sandboxes as one of their lines of defense. However, not all sandboxes are created equal.

Sandboxes can take different approaches towards malware analysis and detection, and some of these approaches are clearly more effective than others. New strains of malware are designed to evade the detection techniques used by older sandboxes, rendering them largely ineffective. In this post, we’ll discuss the different types of sandboxes, their techniques, and their limitations.

How Malware Analysis Sandboxes Differ

In simple terms, a sandbox is a secure, isolated environment in which applications are run or files opened. With such a broad definition, individual sandboxes can be very different from each other. There are four principal ways in which sandboxes may differ: the type of emulation used, version limitations, emulation speed, and the specific technique used to detect malicious files.

Operating System Emulation vs. Full System Emulation

Older sandbox environments generally only replicate the application and operating system layers. This is known as O/S system emulation. There was a time when this was enough to determine if a file could be malicious. The file being analyzed would detect the operating system, determine that it had arrived at a target host, attempt to take malicious actions, and be detected.

Unfortunately, this is no longer an effective method of sandboxing. Modern threats can detect when they are in an O/S system emulation. To defeat these threats, a sandbox solution needs full system emulation. If it does not have it, it’s a lot like being in a staged house with no windows: eventually, the malicious program is going to try to look behind the curtains.

O/S and Application Version Limitations

Some sandboxes can only be effective for a specific version of O/S or application. They may only be able to emulate these solutions or may be only attuned to identify threats for these platforms. If your organization is running a specific version of O/S that the sandbox is tuned to, this may not be an issue. If, however, your organization eventually needs to upgrade or change its infrastructure, this could quickly become a problem. O/S and app version limitations also can limit the usefulness of a sandbox solution across a larger, sprawling network that may have multiple solutions and platforms installed.

Ideally, you want a solution that is able to create sandbox environments without any specific operating system or application version limitations.

Emulation Speed

As emulation becomes more complex, emulation speed becomes more of a factor. Some sandboxes may be able to emulate quite quickly, while others may be quite slow. Some are optimized to consume very minimal resources; others are poorly optimized and may begin to eat up processing time and memory. In order to be effective, a sandbox needs to be run across the entirety of the network. Any issues related to emulation speed are quickly going to compound, potentially slowing down the network as a whole and interfering with productivity.

Next-generation sandbox solutions put a premium on optimization as well as effectiveness, with the knowledge that a network needs to be both secure and functional. Organizations will suffer less from substantial resource usage and overhead when utilizing one of these more advanced platforms.

Signature-based vs. Behavior-based

Once a solution is running in your sandbox, how is malware detected? There are two primary methods of detection: signature-based and behavior-based analysis.

Signature-based detection looks at the program and determines whether it has been identified before. Signature-based solutions maintain large dictionaries of unique identifiers (signatures) created for every malware program or sample. They quickly can identify files that are already known to be malicious by matching the new file’s signature with a signature in their library of known malicious files. Unfortunately, if the file changes at all, the signature will change and the signature-based solution won’t recognize it.

Behavior-based detection looks at the actions that the program is attempting to take. If the sample is trying to do things that appear to be malicious, the behavior-based detection solution will trigger and either the user will be prompted with a notice or the item will be automatically quarantined. Behavior-based sandboxes can detect malware that is programmed to implement minor changes in order to generate a new signature, thereby avoid detection by signature-based systems, as well as detect completely new types of malicious programs that have not been seen before.

Selecting a Malware Sandbox

Advanced malware is smart enough to know when it’s in a sandbox. If it detects that it’s running in a sandbox, it won’t take any malicious action until it’s released into the network. The only way to defeat this type of malicious program is to use a technologically advanced sandbox solution. It’s only by emulating an entire host environment – from memory up through the application layer – that a sandbox can outsmart advanced malware.

Emulating an entire environment creates a sandbox that is essentially identical to a real environment, making it impossible for the malicious program to evade detection. Next-generation malware detection solutions can emulate all aspects of an environment, not only the application and operating system levels.

But here is the problem: malware analysis sandboxes are generally included as a part of other cybersecurity solution, such as firewalls or endpoint protection systems. As a result, sandboxes are seen as line items for a solution, something that you get “for free” without much thought given to it. Since not all sandbox environments are created equal, however, simply having a malware sandbox may not be enough to protect your data from advanced threats.

When selecting any enterprise security solution, be sure to give special consideration to the sandbox. Does it provide full system emulation? Does it look at behavior instead of just relying on signatures? Is it able to replicate any type of O/S or application, regardless of the version? If it doesn’t meet these criteria, you may need to supplement the purchase with a sandbox with sufficient capabilities to detect today’s sophisticated, evasive malware.

A sandbox is an essential component of an effective cybersecurity solution, and if it isn’t able to properly contain a malware strain, then the solution itself is ineffective. If you’re interested in upgrading your malware detection solution – or want to learn more about malware detection ­– it’s time to learn more about Tripwire Malware Detection. Click here for more information.


Bert Rankin About the Author: Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.