Limited Visibility of a Conventional Sandbox
One of the common misconceptions regarding a conventional sandbox is how much it can actually observe when evaluating an object for malicious behavior.
Because a conventional sandbox runs in an isolated virtual machine environment, an object can safely execute without risk of infecting a real machine. That is a strong advantage.
However, a conventional sandbox has very limited visibility into the actions of the object it is evaluating. It hooks the boundary between the program and the operating system (the API and system calls the program makes), and that boundary is all it observes.
A legacy sandbox can see operating system calls to open or close a file, execute or download another program, connect to a specific host or IP address, and other requests made to the operating system. These calls are the evidence it uses to judge the behavior of the program under evaluation: unauthorized or suspicious operating system requests indicate the program may be malicious, and the sandbox reports it as such.
However, a traditional sandbox cannot see what the malware does internally, between those calls, nor what the kernel actually does once a call is made. This limited visibility greatly hampers a traditional sandbox's capacity to identify today's advanced malware.
A conventional sandbox can’t monitor or detect:
- Any malicious code or behavior that has not executed yet (a dormant code path is never inspected)
- Any malicious code that executes without calling the operating system, since only calls that cross the hooked boundary are recorded
- Any malicious code executed by a rootkit inside the operating system, below the level where the hooks sit
- Stalling evasions that do not use the normal sleep functions (for example, CPU-bound loops that burn through the analysis window, which the sandbox cannot accelerate the way it accelerates Sleep calls)
- Evasive code that waits for human action (mouse movement, clicks, scrolling) before proceeding
- Any evasive code that waits until after the analysis window to call command-and-control servers, inject code into other applications, or move laterally within the network
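To make the visibility gap concrete, here is an added toy model of a call-hooking sandbox. It is illustration written for this page, not code from the original article or from Lastline or any other product. It assumes a sandbox that records only the OS calls a sample makes, patches Sleep to return immediately, and gives up after a fixed analysis budget (120 seconds, an assumed value); the API names, the detection rules and the four sample traces are all constructed for the example. The "full visibility" verdict is simply the same rules run with no time limit and a user present, standing in for ground truth; it does not model how any product achieves that.

```python
"""Toy model of what a call-hooking sandbox can and cannot see.

Constructed illustration (not the page's or any product's code). The
sandbox modelled here observes only hooked OS/API calls, accelerates
Sleep(), and stops analysing after a fixed wall-clock budget.
"""
from dataclasses import dataclass, field
import math

ANALYSIS_BUDGET_SECONDS = 120.0  # assumed analysis window; real products vary


def _is_indicator(ev):
    """Illustrative rules keyed only on what a hook at the OS boundary sees."""
    call = ev["call"]
    if call == "connect" and not ev["host"].startswith("127."):
        return "outbound connection to %s:%d" % (ev["host"], ev["port"])
    if call == "CreateFile" and ev.get("access") == "write" \
            and ev["path"].lower().startswith("c:\\windows\\"):
        return "write under system directory: " + ev["path"]
    if call == "CreateProcess" and ev["image"].lower().startswith("c:\\users\\"):
        return "executes file from a user-writable path: " + ev["image"]
    return None


@dataclass
class Report:
    verdict: str
    elapsed: float                                 # wall-clock seconds consumed
    observed: list = field(default_factory=list)   # calls the hooks recorded
    indicators: list = field(default_factory=list)
    unobserved: int = 0                            # events after the sandbox gave up


def run_sandbox(trace, budget=ANALYSIS_BUDGET_SECONDS, user_present=False):
    """Replay a sample's trace through the hooks and return the sandbox's view."""
    rpt = Report(verdict="benign", elapsed=0.0)
    for ev in trace:
        if rpt.elapsed >= budget:
            rpt.unobserved += 1          # analysis is over; nothing is recorded
            continue
        if "internal" in ev:
            # Pure computation: no OS call, so the hooks see nothing,
            # but real time still passes (this is the CPU-bound stall).
            rpt.elapsed += ev["seconds"]
            continue
        call = ev["call"]
        rpt.observed.append(call)
        if call == "Sleep":
            continue                     # hook patched: returns immediately
        if call == "GetCursorPos" and ev.get("poll_until_moved"):
            # The sample loops until the cursor moves. With no human present
            # it spins, making only benign-looking calls, until the budget ends.
            rpt.elapsed = rpt.elapsed + 1.0 if user_present else budget
            continue
        hit = _is_indicator(ev)
        if hit:
            rpt.indicators.append(hit)
    if rpt.indicators:
        rpt.verdict = "malicious"
    return rpt


def full_visibility_verdict(trace):
    """Same rules with no time limit and a user present: the ground truth."""
    return run_sandbox(trace, budget=math.inf, user_present=True).verdict


# Constructed traces. Every sample carries the same payload; they differ only
# in how they delay it. Host 198.51.100.23 is a documentation address.
PAYLOAD = [
    {"call": "connect", "host": "198.51.100.23", "port": 443},
    {"call": "CreateFile", "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe",
     "access": "write"},
    {"call": "CreateProcess", "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe"},
]
OVERT = PAYLOAD                                                   # no evasion
SLEEP_STALLER = [{"call": "Sleep", "ms": 600_000}] + PAYLOAD      # defeated by the hook
CPU_STALLER = [{"internal": "hash_loop", "seconds": 300.0}] + PAYLOAD  # no sleep call
HUMAN_GATED = [{"call": "GetCursorPos", "poll_until_moved": True}] + PAYLOAD

if __name__ == "__main__":
    for name, trace in [("overt", OVERT), ("sleep-staller", SLEEP_STALLER),
                        ("cpu-staller", CPU_STALLER), ("human-gated", HUMAN_GATED)]:
        r = run_sandbox(trace)
        print(f"{name:14s} sandbox={r.verdict:9s} truth={full_visibility_verdict(trace):9s}"
              f" observed={len(r.observed)} missed={r.unobserved} elapsed={r.elapsed:.0f}s")
```

Running it shows the sleep-based staller being caught because the hook accelerates Sleep, while the CPU-bound staller and the mouse-gated sample both come back "benign": the sandbox recorded either nothing at all or a single harmless GetCursorPos, and the three payload calls happened after it had stopped watching. Every one of the four is malicious under full visibility.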
Lastline takes a different approach to sandboxing, one designed to observe everything an object does rather than only its calls to the operating system. This enables it to detect malicious objects that conventional sandbox technology will miss.