Kaspersky Anti Targeted Attack Platform
Proven advanced threat detection empowered by machine learning and HuMachine™ intelligence
A sandbox is a system for malware detection that runs a suspicious object in a virtual machine (VM) with a fully-featured OS and detects the object’s malicious activity by analyzing its behavior. If the object performs malicious actions in a VM, the sandbox detects it as malware. VMs are isolated from the real business infrastructure.
Sandboxes analyze the behavior of an object as it executes, which makes them effective against malware that escapes static analysis. At the same time, compared to other behavior analysis designs, a sandbox is safer as it doesn’t risk running a suspicious object in the real business infrastructure.
At Kaspersky Lab, we developed our own sandbox some years ago. In our infrastructure, it is one of the tools for malware analysis, research and creation of antiviral databases. A sandbox is also a part of the Kaspersky Anti-Targeted Attack Platform and the Kaspersky Lab Threat Intelligence platform. It helps to rate files and URLs as malicious or benign and provides information on their activity that is useful for creating detection rules and algorithms.
Sandbox features
Object types that can be executed
Artifacts collected by the sandbox
It is typical for today’s malware to try to detect and evade a sandbox. Once it knows it’s running in a sandbox, it may skip performing any malicious activity, erase itself from disks, terminate itself or use some other evasion technique.
Simpler sandbox monitoring designs (e.g. hooking API functions) leave traces that tell a suspicious process it is being watched. So we implemented other, non-intrusive monitoring techniques that leave no trace visible to the scanned object: the sandbox controls the CPU and RAM, but does not modify process execution, process memory, or system libraries on disk or in memory, so no monitoring artifacts are left behind.
We also keep track of emerging new evasion techniques and tune our sandbox to counteract them, for example:
Evasion A: The sandbox environment is typical of some known brand sandbox. The malware recognizes it and evades detection.
Counter evasion A: Our sandbox randomizes the VM environment before the VM starts.
Evasion B: The malware can detect the sandbox environment through a lack of user activity. For some malware to run, the user needs to enter a password from an email, click through a wizard or do other ‘human’ things. Many sandboxes do not emulate this and therefore do not see the malware detonate.
Counter evasion B: Our sandbox emulates user actions: moving the mouse, scrolling through the documents it opens, and many of the other things users do that malware waits for before activating.
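The following is an added illustration, not Kaspersky Lab's code, of the two ideas described above: a behavioral verdict derived from a trace of what a sample did inside the VM, and handling of the case where the sample bails out early or erases itself (a sign it may have recognized the sandbox, so the run should be repeated with a freshly randomized VM profile). The event format, the indicator rules, the canned-default values, the vendor prefixes and the three traces are all constructed for the example.

```python
"""Illustrative sandbox verdict logic: behavioral scoring plus evasion handling (constructed example)."""
import random
from dataclasses import dataclass


@dataclass
class Event:
    t_ms: int      # milliseconds since the sample was started
    kind: str      # "file_write", "file_delete", "reg_set", "net_connect", "process_exit"
    target: str    # file path, registry key, host:port, or exit code


# Values a canned VM image would expose if it were never randomized (constructed placeholders).
CANNED_DEFAULTS = {"hostname": "SANDBOX-PC", "username": "analyst", "mac_oui": "00:00:00"}


def fresh_profile(seed=None) -> dict:
    """Counter-evasion A: give the VM a fresh, plausible identity before it boots."""
    rng = random.Random(seed)
    name = rng.choice(["john", "maria", "alex", "chen", "olga"])
    return {
        "hostname": f"DESKTOP-{rng.randrange(0x100000, 0x1000000):06X}",
        "username": f"{name}{rng.randrange(10, 100)}",
        "mac_oui": rng.choice(["10:7B:44", "3C:52:82", "A4:BB:6D"]),  # constructed vendor prefixes
        "screen": rng.choice([(1920, 1080), (1366, 768), (2560, 1440)]),
        "uptime_min": rng.randrange(90, 6000),
    }


def profile_is_randomized(profile: dict) -> bool:
    """Sanity check before VM start: none of the canned defaults leaked into the profile."""
    return all(profile.get(k) != v for k, v in CANNED_DEFAULTS.items())


# Behavioral indicators scored against the trace; each takes (event, sample_path).
INDICATORS = {
    "persistence": lambda e, p: e.kind == "reg_set" and "\\currentversion\\run" in e.target.lower(),
    "drops_binary": lambda e, p: e.kind == "file_write" and e.target.lower().endswith((".exe", ".dll")),
    "self_delete": lambda e, p: e.kind == "file_delete" and e.target.lower() == p.lower(),
    "c2_traffic": lambda e, p: e.kind == "net_connect",
}

EARLY_EXIT_MS = 2000  # exiting this fast with no other activity suggests the sample bailed out


def analyze(trace: list, sample_path: str) -> dict:
    """Return a verdict for one VM run; 'suspected_evasion' means rerun with a new profile."""
    hits = sorted({n for e in trace for n, pred in INDICATORS.items() if pred(e, sample_path)})
    exits = [e for e in trace if e.kind == "process_exit"]
    early_exit = bool(exits) and exits[0].t_ms < EARLY_EXIT_MS
    activity = [h for h in hits if h != "self_delete"]   # self-deletion alone is not detonation
    if activity:
        verdict = "malicious"
    elif early_exit or "self_delete" in hits:
        verdict = "suspected_evasion"
    else:
        verdict = "no_malicious_behavior"
    return {"verdict": verdict, "indicators": hits, "early_exit": early_exit}


SAMPLE = r"C:\Users\john42\Downloads\invoice.exe"

# Constructed trace 1: the sample detonates, persists and beacons out.
DETONATED = [
    Event(120, "file_write", r"C:\Users\john42\AppData\Roaming\svchost.exe"),
    Event(340, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(5100, "net_connect", "203.0.113.7:443"),
]
# Constructed trace 2: the sample wipes itself from disk and exits almost immediately.
EVADED = [
    Event(400, "file_delete", SAMPLE),
    Event(450, "process_exit", "0"),
]
# Constructed trace 3: a benign program that writes a temp file and closes after a minute.
BENIGN = [
    Event(9000, "file_write", r"C:\Users\john42\AppData\Local\Temp\cache.tmp"),
    Event(60000, "process_exit", "0"),
]

if __name__ == "__main__":
    profile = fresh_profile()
    assert profile_is_randomized(profile)
    print("VM profile:", profile)
    for label, trace in (("detonated", DETONATED), ("evaded", EVADED), ("benign", BENIGN)):
        print(label, "->", analyze(trace, SAMPLE))
```

The point of separating "suspected_evasion" from "no_malicious_behavior" is operational: a sample that exits within two seconds, or erases itself without doing anything else, has not been cleared, and the sensible response is another run under a different randomized profile with user activity emulated, rather than a benign verdict.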
Examples of new waves of targeted attacks uncovered with the sandboxes in Kaspersky Lab products and infrastructure in 2016-2017: Sofacy (Oct 2017), Zero.T (Oct, Nov 2016, Apr 2017), Enfal (Sep, Oct, Nov 2016), Freakyshelly (Oct 2016), NetTraveller (Aug 2016), CobaltGoblin (Aug 2016), Microcin (Jun 2016) and others.
US 8978141 B2
EP 2819055 A1
US 9147069 B2
US 9230106 B2