How Sandboxes Detonate-to-Detect Malware and How Malware Evades Sandboxes

Webinar Registration

Sandboxes are a very cool concept: catch files traversing your network boundary and open them up in a carefully isolated sandbox. Watch what the file does, if anything. Does it act like a normal, harmless document, spreadsheet or picture? Or does it miraculously spin up threads, run arbitrary code, open network connections, access the file system or other things that innocent files just don't do?

It's not just a cool concept. Sandbox technology can be extremely effective at catching zero-day attacks because you are observing behavior instead of looking for known-bad signatures.

But security is always an arms race. The bad guys never stand still. They are now building sandbox evasion technology into their malware using very imaginative methods.

One of the simplest ways to evade detection in a sandbox is to simply lie dormant long enough for the sandbox to give up. A sandbox appliance trying to analyze every file traversing an organization's network can only spend so much time observing a suspect file. So some bad guys program their malware to wait 15 minutes before really waking up and pursuing their target.

Of course, the good guys have taken notice of this, and one way they respond is to time travel: set the clock ahead inside the virtual environment of the sandbox to make the malware think enough time has gone by for it to safely wake up.
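A small model of the two sides described above, added here as an illustration and not taken from the webinar or from any sandbox vendor's code: a sandbox-side clock that either charges a sample's waits against a fixed observation budget or skips them outright ("time travel"), run against a constructed sleeper that only shows its real behaviour after 15 minutes. Patching Python's `time` module stands in for the hypervisor-level clock control a real sandbox would use; the sample, budget and event strings are all constructed.

```python
import time


class BudgetExceeded(Exception):
    """Raised when the sample is still idle after the observation budget is spent."""


class SandboxClock:
    """Clock the sandbox exposes to the sample. With time_travel=True, sleep()
    advances the guest's view of time instantly; without it, every second of
    sleep is charged against the analyst's real observation budget."""

    def __init__(self, budget_seconds, time_travel):
        self.now = 1_700_000_000.0      # constructed epoch start seen by the guest
        self.budget = budget_seconds
        self.time_travel = time_travel
        self.spent = 0.0                # real wall-clock consumed by waiting

    def sleep(self, seconds):
        if not self.time_travel:
            self.spent += seconds
            if self.spent > self.budget:
                raise BudgetExceeded()
        self.now += seconds             # either way the guest believes time passed

    def time(self):
        return self.now


def detonate(sample, budget_seconds=300, time_travel=False):
    """Run `sample` with time.sleep/time.time replaced by the sandbox clock.
    Returns (verdict, events); a verdict of "malicious" needs an observed event."""
    clock = SandboxClock(budget_seconds, time_travel)
    events = []
    real_sleep, real_time = time.sleep, time.time
    time.sleep, time.time = clock.sleep, clock.time
    try:
        sample(events.append)
    except BudgetExceeded:
        events.append("analysis budget exhausted while sample was idle")
    finally:
        time.sleep, time.time = real_sleep, real_time
    suspicious = any(e.startswith("SUSPICIOUS") for e in events)
    return ("malicious" if suspicious else "no verdict"), events


def dormant_sample(report):
    """Constructed stand-in for the 15-minute sleeper described in the text."""
    report("opened like a normal document")
    t0 = time.time()
    time.sleep(15 * 60)                 # lie dormant, hoping the sandbox gives up
    if time.time() - t0 >= 15 * 60:     # only then act like something a document never does
        report("SUSPICIOUS: spawned thread and opened network connection")
```

With a 5-minute budget and no clock manipulation the run ends with the sample still asleep and no verdict; with time travel the same sample exposes itself immediately.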

That's not easy to detect, so instead the bad guys try to detect whether they are running inside a VM in the first place by looking for tell-tale signs, such as certain services that run inside virtual machines to enable management by the hypervisor. And the list goes on.

In this real training for free ™ webinar we will explore the fascinating world of sandbox technology and discuss the back-and-forth war between the good guys who make sandboxes and the bad guys who try to evade them. Different sandboxes use different techniques, and they tend to take turns in who currently has the lead.

SonicWALL is my sponsor and they are a great fit because their sandbox platform is uniquely architected to be nimble in this war by making it possible to leverage multiple sandbox technologies in order to provide the most up-to-date and comprehensive protection.

Don't miss this real training for free ™ event. Please register now.
