Automated malware analysis systems (or sandboxes) are one of the latest weapons in the arsenal of security vendors. Such systems execute an unknown malware program in an instrumented environment and monitor its execution. While malware analysis sandbox systems have been used as part of the manual analysis process for a while, they are increasingly used as the core of automated detection processes. For a high-level overview of this topic, please read Next-Generation Sandbox Offers Comprehensive Detection of Advanced Malware.

The advantage of the approach is clear: it is possible to identify previously unseen (zero-day) malware, as the observed activity in the sandbox is used as the basis for detection.

Goals of a dynamic analysis system (sandbox)

A good malware analysis sandbox has to achieve three goals: visibility, resistance to detection, and scalability.

First, a sandbox has to see as much as possible of the execution of a program. Otherwise, it might miss relevant activity and cannot make solid deductions about the presence or absence of malicious behaviors.

Second, a sandbox has to perform monitoring in a fashion that makes it difficult to detect.
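The detection stage that sits behind a sandbox, and the effect of limited visibility on it, can be shown with a small worked example. The code below is added here for illustration and is not code from the original article or from the sandbox product it describes. It assumes a constructed trace format of one "api|argument" event per line, a constructed sample trace, and a constructed rule set; a real engine would consume its own instrumentation's event stream and a far larger behaviour catalogue. The `filter_visible` helper simulates a sandbox whose instrumentation only hooks some APIs, which is what the visibility goal above is about: the fewer events the monitor sees, the weaker the deduction it can make from the same execution.

```python
"""Toy behaviour-based verdict over a sandbox event trace (illustrative only)."""

# Constructed sample trace, "api|argument" per line. This is an assumed format
# for the example, not the output of any real sandbox.
SAMPLE_TRACE = """\
CreateFile|C:\\Users\\victim\\Documents\\a.docx
WriteFile|C:\\Users\\victim\\Documents\\a.docx
WriteFile|C:\\Users\\victim\\Documents\\b.xlsx
WriteFile|C:\\Users\\victim\\Pictures\\c.jpg
RegSetValue|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
Sleep|600000
"""

# Constructed rule weights; a real engine carries a much larger catalogue.
BEHAVIOUR_WEIGHTS = {
    "mass-modification-of-user-files": 60,
    "persistence-via-run-key": 30,
    "long-sleep-stalling": 20,
}


def parse_trace(text):
    """Turn the raw trace into a list of (api, argument) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        api, _, arg = line.partition("|")
        events.append((api, arg))
    return events


def filter_visible(events, hooked_apis):
    """Simulate a sandbox whose instrumentation only observes some APIs."""
    return [e for e in events if e[0] in hooked_apis]


def deduce_behaviours(events):
    """Lift low-level events to the higher-level behaviours a verdict is based on."""
    found = set()
    # Many distinct files under the user profile rewritten in one run.
    user_writes = {
        arg for api, arg in events
        if api == "WriteFile" and arg.lower().startswith("c:\\users\\")
    }
    if len(user_writes) >= 3:
        found.add("mass-modification-of-user-files")
    for api, arg in events:
        # Autostart entry written under the per-user Run key.
        if api == "RegSetValue" and "\\currentversion\\run\\" in arg.lower():
            found.add("persistence-via-run-key")
        # A very long sleep (milliseconds) is a classic way to wait out a sandbox.
        if api == "Sleep" and arg.isdigit() and int(arg) >= 300_000:
            found.add("long-sleep-stalling")
    return found


def verdict(behaviours):
    """Score the behaviour set and map it to a label (thresholds are constructed)."""
    score = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in behaviours)
    if score >= 70:
        return score, "malicious"
    if score >= 30:
        return score, "suspicious"
    return score, "benign"


def analyze(trace_text, hooked_apis=None):
    """Full pipeline: parse, optionally restrict visibility, deduce, score."""
    events = parse_trace(trace_text)
    if hooked_apis is not None:
        events = filter_visible(events, hooked_apis)
    behaviours = deduce_behaviours(events)
    score, label = verdict(behaviours)
    return behaviours, score, label


if __name__ == "__main__":
    # Full visibility versus a sandbox that only hooks file I/O.
    print(analyze(SAMPLE_TRACE))
    print(analyze(SAMPLE_TRACE, hooked_apis={"CreateFile", "WriteFile"}))
```

Run with full visibility the same trace yields three behaviours and a "malicious" verdict; restricted to file APIs only, the registry and stalling events are never seen, and the verdict drops to "suspicious" on the single remaining behaviour.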