Next-Generation Sandbox Offers Comprehensive Detection of Advanced Malware

Next-Generation Sandbox Offers Comprehensive Detection of Advanced Malware

High-Resolution Security Analysis

Advanced malware and advanced persistent threats (APT) are frequently used as terms to describe malicious code that bypasses traditional security systems, such as signature-based detectors (anti-virus engines and intrusion detection systems). To counter such advanced threats, a new class of security vendors has introduced sandboxing technology. Sandboxing works by running code inside a tightly controlled environment, in which one can monitor and analyze the code’s behavior. Since it is not necessary to have seen a specific threat before, sandboxing offers the promise to identify advanced malware and zero-day threats.

But don’t be fooled, not all sandbox technologies provide the same level of detection capabilities.  Let’s take a look.


Virtualization: VM (virtual machine) based sandboxing can look at suspicious programs that are contained within virtual machines. This approach provides the lowest level of visibility into relevant malware behaviors, but it is harder for sophisticated malware to evade detection.

OS Emulation of the operating system provides a high level of visibility into malware behaviors. Unfortunately, this approach is the easiest for advanced malware to detect and evade.

Full System Emulation, where the emulator simulates the physical hardware (including CPU and memory), provides the deepest level of visibility into malware behavior, and it is also the hardest for advanced malware to evade.

For a more detailed technical explanation of Lastline’s high-resolution sandbox, which uses full system emulation, please read How To Build An Effective Sandbox.