Attachment Sandboxing uses a combination of rules and actions to send mail attachments to a sandbox for analysis. This article explains more about how the sandbox inspects files to provide an end result of No Risk Found, Suspect, or Malicious.
What is a sandbox, exactly?
VIPRE’s Attachment Sandboxing is an automated and dynamic malware analysis tool. It tracks system activity — including changed files, registry keys, and network activity — to provide a comprehensive determination from within a secure and monitored environment.
By combining this real-time execution and analysis of never-seen-before (unknown) files with a vast back catalog of threat intelligence, a VIPRE sandbox can quickly make smart determinations regarding a file’s malicious or benign nature.
How does the sandbox inspect attachments?
Files are hashed to check for previous encounters
The first thing a sandbox does is confirm if it has seen a file before. Does it know what it is? Has it already been encountered in the wild, and tested?
By using unique identifiers (MD5 hashing), a sandbox can immediately identify if a file attachment has been seen before. In simpler terms, a hash is just a record number. A hash does not contain any personally identifiable information or file content.
Using the hash lookup, the sandbox can cross-reference years and years of malware samples to see if a file has been analyzed before, and what the outcome was. These hashes are shared with our other security products (such as antivirus). Therefore, a file identified as malicious by the sandbox is already flagged as malicious when a different security product encounters it later on.
New files are fully analyzed
If the file is indeed unique, the sandbox then goes to work, performing its robust testing process to determine the nature of the file.
When a file needs to be tested, the sandbox deploys a brand new VM. This VM is configured to match common Windows configurations in their "most vulnerable" and unpatched state, including many frequently used applications and settings.
The sandbox loads the file into the VM, and an associated application or system process executes or opens the file. The resulting behavior is logged and analyzed.
The sandbox activity reveals how malicious code might act in actual Windows systems. The analysis data it generates provides a storyline of the activities performed when the application is executed or opened. Using advanced intelligence and the VIPRE determination engine, the file’s activity, and end result is classified as Malicious, Suspect, or No Risk Found. The details of the analysis are sent to the Sandbox Logs.
A full reset after each test
When a sandbox has completed its analysis and report generation, the contents of the sandbox are automatically destroyed and the VM is reverted to a clean state, ready for the next test. Because of this, all traces of each file attachment (and any personal information in those files) are also deleted.