What is Sandboxing?

Defining Sandboxing

Sandboxing is often used as a threat detection method to execute suspicious objects detected on the network or on a host machine, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or Operating System. By observing execution behaviors of suspicious objects, the Sandbox detects malware that is difficult to find using only static analysis. Sandboxing solutions can be implemented on-premise or in the cloud.

Why is Sandboxing Important?

With attacks coming from all angles, multiple detection methods are required for a sound defense. Sandboxing provides a key detection layer for malware that is difficult to identify through static analysis. By detonating suspicious objects in an isolated virtual environment, the user can determine if it is malicious and gain critical information on the code including IOCs that can be applied to other detection and prevention methods throughout the environment – all without risk.

Sandboxing, One of Many Methods for Threat Detection

Learn More

What are the Key Aspects of a Sandboxing Solution?

A sandboxing solution should be embedded within your threat detection capabilities and provide another layer of detection to:

  • Observe malware execution in mutex, registry, API call, file system access, network behavior and artifacts
  • Understand malware behavior by observing malware’s Internet access behavior in its full life cycle or simulating interaction with malware execution and recording the network behavior
  • Identify malware evasion behaviors such as delayed execution, environment diagnostics and checking human interaction
  • Share malware forensics with other security components for immediate prevention and used to protect against future attacks