What is Sandboxing?

New ways to steal data or install malware appear every day. Criminals can gain access to a network with the use of fake URLs, attachments, and files in phishing emails, or with misleading links. All these methods have one thing in common: they gain their illicit access deceitfully, by appearing harmless or by stealth. Once inside, a malicious application, link, or download can potentially reach a network's data and do astounding damage. Enter Sandboxing: a method of exposing and isolating these unsavory, uninvited parcels in a safe environment where they can't harm anything.

Now, many vendors have sandboxing products. Sophos calls theirs Sandstorm, Fortinet's is FortiSandbox, Check Point has SandBlast, and so on. And they all operate on the same basic principle.

Shall I compare sandboxing to…

Basically, a sandbox is a replica of a computer's operating area, only without access to the rest of the network: an imitation of your entire system. It accepts a program and executes it to understand its purpose. If the program turns out to be suspicious, you can keep examining it inside the sandbox. Because of the separation, it never gets the chance to harm your real system or anything else on the network.

In more technical terms, a sandbox is an isolated environment into which a suspicious, potentially harmful file is uploaded in order to be ‘detonated.’ Its behavior is then analyzed to decide whether it contains malware. So these unknown guests are opened in isolation, without endangering the device they arrived on.

What sort of things might end up in the Sandbox?

EXE files and MSIs are two major examples of the kinds of files that get sandboxed.

An executable file (EXE) is a type of computer file that runs a program when it is opened. In other words, it executes code, a series of instructions held in the file. We've all experienced these any time we install or update anything. And, since they run code when opened, you should not open unknown EXE files, especially when they come as email attachments.

An MSI is similar. It's a Windows Installer package: rather than running directly, it is handed to the Windows Installer service, which carries out the installation steps the package describes. The end result is the same, something gets installed on your computer when you double-click it; it just gets there a different way. Of course, both of these kinds of files have legitimate uses.

So anyway, these and other sometimes-dodgy characters get installed, ZIP files are extracted, executables are executed, and so on. Only it's all done in the safe environment of a sandbox rather than on your PC's hard drive.

How about another word picture?

It’s sort of like getting a box delivered to your home via FedEx and noticing it's ticking. You might decide to take it out and open it in a safe, remote area rather than on your kitchen table (actually, you’d probably call the cops, but that’s beside the point).

One important thing to understand about sandboxing is that it is behavior-based rather than signature-based. Signature-based malware detection looks at the suspicious critter and compares it against a comprehensive (hopefully up-to-date) list of known malware. Behavioral analysis detonates the little sucker to see what it does. A signature can only catch something that has been seen and catalogued before; behavior can catch a brand-new sample nobody has a signature for yet. The catch is that malware authors know about sandboxes too: a sample may check whether it is running inside a virtual machine, or simply sleep for a long time, and behave innocently until it believes the analysis is over. So sandboxing extends malware detection from pure signature matching to behavioral analysis, and a good sandbox has to notice that kind of stalling rather than wave the file through.
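To make the difference concrete, here is a toy analyzer written for this article (it is example code, not any vendor's product): it first checks a sample's hash against a constructed signature list, then scores a constructed sandbox event trace against a handful of behavior rules, and flags a trace that does nothing but probe for a VM and sleep as evasive rather than benign. The event format, the rules, the thresholds, the hashes, and the three traces are all hypothetical.

```python
import hashlib

# Constructed stand-in for a signature database: SHA-256 of samples already
# known to be bad. The "novel" sample below is deliberately absent from it.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed old ransomware build").hexdigest(),
}

# Hypothetical behaviour rules over a hypothetical event schema. A real
# sandbox report has its own field names; these are made up for the example.
def _sets_run_key(ev):
    return "\\CurrentVersion\\Run" in ev.get("key", "")

def _deletes_shadow_copies(ev):
    cmd = ev.get("cmdline", "").lower()
    return "vssadmin" in cmd and "delete shadows" in cmd

def _ransom_extension(ev):
    return ev.get("path", "").lower().endswith(".encrypted")

def _external_host(ev):
    return not ev.get("host", "").endswith(".internal")

def _vm_or_debugger_check(ev):
    return ev.get("api") in {"IsDebuggerPresent", "cpuid_hypervisor_bit"}

def _long_sleep(ev):
    return ev.get("ms", 0) >= 300_000  # five minutes: classic analysis stalling

# (event kind, predicate, points per matching event, reason shown to the analyst)
RULES = [
    ("registry_set",    _sets_run_key,           40, "persistence via Run key"),
    ("process_create",  _deletes_shadow_copies,  50, "shadow copy deletion"),
    ("file_write",      _ransom_extension,       10, "file written with ransom extension"),
    ("network_connect", _external_host,          15, "outbound connection to external host"),
    ("api_call",        _vm_or_debugger_check,   20, "sandbox/VM detection attempt"),
    ("sleep",           _long_sleep,             20, "long sleep (analysis stalling)"),
]
EVASION_REASONS = {"sandbox/VM detection attempt", "long sleep (analysis stalling)"}
MALICIOUS_AT, SUSPICIOUS_AT = 60, 20

def signature_verdict(sample_bytes):
    """Signature-based check: hash the sample and look it up. Cheap, but blind to anything new."""
    return hashlib.sha256(sample_bytes).hexdigest() in KNOWN_BAD_SHA256

def behaviour_verdict(events):
    """Score a sandbox event trace against RULES; returns (verdict, score, reasons).

    Points are awarded per matching event, so many individually harmless
    actions (hundreds of renamed files) add up to a clear verdict.
    """
    score, reasons = 0, []
    for ev in events:
        for kind, matches, points, why in RULES:
            if ev["kind"] == kind and matches(ev):
                score += points
                if why not in reasons:
                    reasons.append(why)
    if score >= MALICIOUS_AT:
        verdict = "malicious"
    elif score >= SUSPICIOUS_AT:
        verdict = "suspicious"
    else:
        verdict = "benign"
    # Evasion caveat: if the only thing observed was VM probing and sleeping,
    # the payload never ran, so the trace proves nothing. Flag it for a longer
    # or bare-metal run instead of letting it pass as merely suspicious.
    if reasons and all(r in EVASION_REASONS for r in reasons):
        verdict = "evasive"
    return verdict, score, reasons

def analyze(sample_bytes, events):
    """Signatures first (fast path for the already-known), behaviour second (the unknown)."""
    if signature_verdict(sample_bytes):
        return "malicious", ["matched known-bad hash"]
    verdict, _score, reasons = behaviour_verdict(events)
    return verdict, reasons

# Constructed traces standing in for what a sandbox would record.
NOVEL_RANSOMWARE = b"constructed never-before-seen build"
NOVEL_RANSOMWARE_TRACE = [
    {"kind": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"kind": "process_create", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    *[{"kind": "file_write", "path": f"C:\\Users\\u\\Documents\\doc{i}.docx.encrypted"} for i in range(5)],
    {"kind": "network_connect", "host": "c2.example.net"},
]
EVASIVE_TRACE = [
    {"kind": "api_call", "api": "IsDebuggerPresent"},
    {"kind": "sleep", "ms": 600_000},
]
BENIGN_INSTALLER_TRACE = [
    {"kind": "file_write", "path": "C:\\Program Files\\App\\app.dll"},
    {"kind": "registry_set", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\App"},
    {"kind": "network_connect", "host": "updates.example.com"},
]

if __name__ == "__main__":
    for name, sample, trace in [
        ("novel ransomware", NOVEL_RANSOMWARE, NOVEL_RANSOMWARE_TRACE),
        ("evasive sample", b"constructed stalling sample", EVASIVE_TRACE),
        ("benign installer", b"constructed setup.msi", BENIGN_INSTALLER_TRACE),
    ]:
        print(name, analyze(sample, trace))
```

The novel ransomware has no signature, so the hash lookup misses it entirely, yet its trace (Run-key persistence, shadow copy deletion, a burst of renamed files, an outbound connection) scores well past the malicious threshold. The evasive sample would otherwise land in the suspicious bucket on points alone; treating "only evasion observed" as its own verdict is the sort of rule that decides whether a sandbox is worth its price.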

And of course, in sandboxing the quality of the system emulation and analysis is hugely important: the more convincingly the sandbox resembles a real user's machine, the harder it is for malware to tell the difference and play dead. Corporate Armor has a number of different such options to choose from, and we would love a chance to talk to you more about them. So please email us, or call Corporate Armor at 877-449-0458. Thanks for reading!