A sandbox executes a suspicious file in an isolated virtual environment, records the actions the file performs, analyzes the recorded behavior, and decides whether the file is legitimate or malicious.
The Sandbox function of the system uses cloud sandbox technology. A suspicious file is uploaded to the cloud side, where the cloud sandbox records the actions of the file, analyzes the collected data, and decides whether the file is malicious. The verdict is returned to the system, which then handles a malicious file according to the actions configured on the system.
The Sandbox function consists of the following parts:
- Collect and upload the suspicious file: The Sandbox function parses the traffic and extracts suspicious files from it.
  - If the local database holds no analysis result for the file, the system uploads the file to the cloud intelligence server, which in turn passes it to the cloud sandbox for analysis.
  - If the local database of the Sandbox function already identifies the file as malicious, the system generates the corresponding threat logs and cloudsandbox logs.
  You can also specify which files count as suspicious by configuring a sandbox profile.
- Check the analysis result returned by the cloud sandbox and take action: The Sandbox function checks the result returned for the suspicious file, determines whether the file is malicious, and saves the result to the local database. If the file is identified as malicious, the system handles it according to the configured actions (reset the connection or report logs). Note the timing caveat: the first time a malicious file is seen, the cloud verdict is not yet available while the file is in transit, so the system can only record threat logs and cloud sandbox logs; it cannot stop that transfer. On later transfers of the same file, the cached verdict in the local database is matched inline, and the threat is actually stopped only if the configured action is to reset the connection; the log action alone lets the file through.
- Maintain the local database of the Sandbox function: Record information about uploaded files, including the upload time and the analysis result. The Sandbox function performs this part automatically.
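The following Python program is an added illustration of the three parts above (extract per profile, look up or upload, cache the verdict and act); it is not the product's code. The cloud sandbox is a mock that flags a constructed marker string, the profile fields (file_types, max_size) and the result keys are assumptions, and the sample files are constructed. What it shows beyond the text is the timing consequence: the first transfer of a malicious file is only logged, a later transfer is stopped only when the configured action is "reset", and no file is uploaded twice.

```python
"""Simulation of the cloud-sandbox flow (constructed example, not product code)."""
import hashlib
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class SandboxProfile:
    """Criteria selecting which files are extracted from traffic (assumed fields)."""
    file_types: frozenset   # lower-case extensions that count as suspicious
    max_size: int           # bytes; larger files are not uploaded

    def matches(self, filename: str, size: int) -> bool:
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        return ext in self.file_types and size <= self.max_size


@dataclass
class Verdict:
    malicious: bool
    uploaded_at: float      # upload time recorded with the analysis result


class LocalVerdictDB:
    """Local database of the Sandbox function: SHA-256 -> cached cloud verdict."""
    def __init__(self) -> None:
        self._entries: dict = {}

    def get(self, digest: str) -> Optional[Verdict]:
        return self._entries.get(digest)

    def put(self, digest: str, malicious: bool) -> None:
        self._entries[digest] = Verdict(malicious, time.time())


class MockCloudSandbox:
    """Stand-in for the cloud side. A real sandbox detonates the file; this mock
    flags any file carrying the constructed marker below and counts uploads."""
    MARKER = b"CONSTRUCTED-MALICIOUS-SAMPLE"

    def __init__(self) -> None:
        self.submissions = 0

    def analyze(self, data: bytes) -> bool:
        self.submissions += 1
        return self.MARKER in data


def inspect_transfer(db: LocalVerdictDB, cloud: MockCloudSandbox,
                     profile: SandboxProfile, filename: str, data: bytes,
                     action: str) -> dict:
    """Run one file transfer through the pipeline.

    action is the configured response for a known-malicious file: "reset"
    (tear down the connection) or "log" (threat + cloudsandbox logs only).
    "blocked" is True only when the transfer was actually stopped.
    """
    result = {"inspected": False, "submitted": False, "malicious": None,
              "logs": [], "blocked": False}
    if not profile.matches(filename, len(data)):
        return result                      # not suspicious per the profile
    result["inspected"] = True
    digest = hashlib.sha256(data).hexdigest()
    cached = db.get(digest)
    if cached is None:
        # First sight: the verdict is not available while the file is in
        # transit, so the file is delivered and the system can only log.
        verdict = cloud.analyze(data)
        db.put(digest, verdict)
        result["submitted"] = True
        result["malicious"] = verdict
        if verdict:
            result["logs"] += ["threat", "cloudsandbox"]
        return result
    # Cached verdict: matched inline, so the configured action can apply.
    result["malicious"] = cached.malicious
    if cached.malicious:
        result["logs"] += ["threat", "cloudsandbox"]
        result["blocked"] = (action == "reset")   # "log" alone lets it through
    return result


if __name__ == "__main__":
    profile = SandboxProfile(frozenset({"exe", "pdf"}), 10 * 1024 * 1024)
    db, cloud = LocalVerdictDB(), MockCloudSandbox()
    sample = b"MZ\x90\x00" + MockCloudSandbox.MARKER     # constructed file
    for label, action in (("first", "reset"), ("second", "reset"), ("third", "log")):
        print(label, inspect_transfer(db, cloud, profile, "invoice.exe", sample, action))
```

Running it shows the first transfer with submitted=True and blocked=False, the second with blocked=True, and the third (action "log") with blocked=False even though the verdict is cached. In a real deployment the cloud verdict is asynchronous, so copies transferred while the upload is pending also pass; the mock collapses that window into one call.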
Related Topics: Configuring Sandbox