

A sandbox is a system for malware detection that runs a suspicious object in a virtual machine (VM) with a fully-featured OS and detects the object's malicious activity by analyzing its behavior. If the object performs malicious actions in a VM, the sandbox detects it as malware. VMs are isolated from the real business infrastructure.

Sandboxes analyze the behavior of an object as it executes, which makes them effective against malware that escapes static analysis. At the same time, compared to other behavior analysis designs, a sandbox is safer as it doesn't risk running a suspicious object in the real business infrastructure.

Kaspersky sandbox

At Kaspersky, we developed our own sandbox some years ago. In our infrastructure, it is one of the tools for malware analysis, research and creation of antivirus databases. A sandbox is also a part of the Kaspersky Anti-Targeted Attack Platform and the Kaspersky Threat Intelligence platform. It helps to rate files and URLs as malicious or benign and provides information on their activity that is useful for creating detection rules and algorithms.

The sandbox is based on hardware virtualization, which makes it fast and stable. Supported operating systems: Windows OS (all personal computer versions starting from Windows XP, all server versions starting from Windows Server 2003) and Android OS (x86 and ARM processor architectures).

The sandbox monitors the interaction of the explored process with the OS (about 30 thousand different APIs are watched). In suspicious cases, the sandbox goes deeper. The sandbox provides exploit detection starting from the early phases of exploitation. It detects typical exploit behavior such as ROP chain usage, heap spraying, stack pivoting, security token changes, suspicious memory protection changes and others.
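As an added illustration (not Kaspersky's code) of how a behavior-based sandbox turns an API-call trace into a verdict, the toy detector below walks a constructed trace of one thread and flags four of the exploit indicators named above: stack pivoting, suspicious memory protection changes, security token changes and heap spraying. The trace format, the thread stack range, the API names chosen and the spray threshold are all assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40   # Windows memory-protection constant (RWX)
PROTECT_APIS = {"VirtualProtect", "NtProtectVirtualMemory"}
TOKEN_APIS = {"SetThreadToken", "ImpersonateLoggedOnUser"}
SPRAY_THRESHOLD = 3             # assumed: identical RWX allocations before flagging

@dataclass
class ApiCall:
    api: str
    sp: int                     # stack pointer observed when the call was made
    args: dict = field(default_factory=dict)

def detect(trace, stack_range):
    """Return (indicator, api) findings for one thread's constructed API trace."""
    lo, hi = stack_range
    findings, spray = [], Counter()
    for call in trace:
        # Stack pivoting: the stack pointer has left the thread's real stack.
        if not lo <= call.sp < hi:
            findings.append(("stack_pivot", call.api))
        # Protection change that makes a region both writable and executable.
        if call.api in PROTECT_APIS and call.args.get("protect") == PAGE_EXECUTE_READWRITE:
            findings.append(("rwx_protection_change", call.api))
        # Token swap / impersonation on the current thread.
        if call.api in TOKEN_APIS:
            findings.append(("token_change", call.api))
        # Heap spray heuristic: repeated executable allocations of identical size.
        if call.api == "VirtualAlloc" and call.args.get("protect") == PAGE_EXECUTE_READWRITE:
            size = call.args.get("size")
            spray[size] += 1
            if spray[size] == SPRAY_THRESHOLD:
                findings.append(("heap_spray", call.api))
    return findings

def verdict(findings):
    return "malicious" if findings else "benign"

# Constructed trace for a thread whose stack occupies [0x7FF000, 0x800000).
STACK_RANGE = (0x7FF000, 0x800000)
SAMPLE_TRACE = [
    ApiCall("VirtualAlloc", 0x7FFE00, {"size": 0x10000, "protect": 0x40}),
    ApiCall("VirtualAlloc", 0x7FFE00, {"size": 0x10000, "protect": 0x40}),
    ApiCall("VirtualAlloc", 0x7FFE00, {"size": 0x10000, "protect": 0x40}),
    ApiCall("VirtualProtect", 0x7FFD80, {"addr": 0x20000, "protect": 0x40}),
    ApiCall("WriteFile", 0x12340, {"handle": 0x1C}),   # sp outside the stack
    ApiCall("SetThreadToken", 0x7FFD00, {"token": 0x200}),
]
BENIGN_TRACE = [ApiCall("CreateFileW", 0x7FFE20, {"path": "C:\\tmp\\a.txt"})]

if __name__ == "__main__":
    print(detect(SAMPLE_TRACE, STACK_RANGE), verdict(detect(SAMPLE_TRACE, STACK_RANGE)))
```

A real sandbox applies rules like these across tens of thousands of APIs and correlates them with memory and kernel state; this block only shows the shape of the decision.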
