Sandbox Systems

All sandbox devices operate on essentially the same principle: run a file on a computer and observe what changes it makes and what capabilities it exercises, without relying on any signature to trigger the verdict. For this reason a sandbox is also known as a "zero-day detection system."

April 17, 2024

The variations lie in how they operate. Before going into that, some baseline figures: an advanced sandbox device analyzes a file for 30 to 120 seconds. It hosts virtual operating systems for file analysis, generally 50 to 100 of them on larger devices. Although sandbox systems can examine files in different ways (simulation, emulation, virtualization), the most accurate results come from virtualization: by monitoring the changes a file makes while running on a virtual machine, the sandbox determines whether the file is malicious. A sandbox device can analyze at most as many files at once as it has virtual systems running. So an average sandbox device running 50-100 virtual systems concurrently can scan at most 75-150 files per minute. If our system handles, say, 2000 files per minute, not every file can be scanned by the sandbox. Because of this limit, no sandbox device on its own is enough for a large network, so a further mechanism is automatically required: traffic should be pre-filtered through static code analysis, antivirus, whitelists and similar mechanisms before it reaches the sandbox; otherwise, in the network topology, the sandbox never gets the time it needs to do its job. When selecting sandbox products, the following features provide an advantage:

– Ability to manually write pattern signatures
– Customization of the operating system
– Extension-independent analysis: the ability to analyze all file types
– Open to integration with antivirus and static code analysis
– Support for plug-ins to take action
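The capacity argument above (VM count times analysis time bounds throughput, so cheaper stages must decide most files before the sandbox sees them) can be made concrete with a small model. The following is an added example, not code from the original post: the sandbox parameters, the allowlist hashes, the antivirus signature, the static-analysis markers and the file stream are all constructed for illustration, and a real deployment would plug in its own engines at each stage.

```python
"""Capacity model for a sandbox sitting behind a pre-filter pipeline.

Added illustration; every constant below is a constructed assumption.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Sandbox:
    vm_count: int          # virtual systems detonating files concurrently
    analysis_seconds: int  # detonation time per file (the post cites 30-120 s)

    def files_per_minute(self) -> float:
        """Upper bound on throughput: one file per VM per analysis window."""
        return self.vm_count * 60 / self.analysis_seconds

    def unscanned_per_minute(self, arrivals_per_minute: float) -> float:
        """Files arriving faster than the VMs can take them on."""
        return max(0.0, arrivals_per_minute - self.files_per_minute())


# Constructed file stream: (name, content). Real traffic would carry the actual
# file; these byte strings are stand-ins used only for hashing and matching.
SAMPLE_FILES = [
    ("invoice.pdf", b"%PDF-1.7 ordinary document"),
    ("setup.exe", b"MZ known good installer build 42"),
    ("macro.docm", b"PK vbaProject.bin AutoOpen Shell("),
    ("dropper.exe", b"MZ EVIL_SIG_0001 payload"),
    ("notes.txt", b"plain text, nothing executable"),
    ("tool.exe", b"MZ unknown binary"),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: hashes of files already verified clean (e.g. signed installers).
ALLOWLIST = {sha256(b"MZ known good installer build 42")}
# Constructed antivirus signature table: byte pattern -> detection name.
AV_SIGNATURES = {b"EVIL_SIG_0001": "Trojan.Constructed.A"}
# Constructed static-analysis rule: markers that justify full detonation.
DETONATE_MARKERS = (b"MZ", b"AutoOpen", b"Shell(", b"%PDF")


def triage(files, allowlist=ALLOWLIST, signatures=AV_SIGNATURES):
    """Assign each file to the cheapest stage that can decide it.

    Order matters: hash and signature lookups cost microseconds, the static
    check milliseconds, and only what survives all three consumes a sandbox VM.
    """
    verdicts = {}
    for name, content in files:
        if sha256(content) in allowlist:
            verdicts[name] = "allowlist:clean"
            continue
        hit = next((label for pat, label in signatures.items() if pat in content), None)
        if hit:
            verdicts[name] = f"antivirus:block:{hit}"
            continue
        if any(marker in content for marker in DETONATE_MARKERS):
            verdicts[name] = "sandbox:detonate"
        else:
            verdicts[name] = "static:low-risk"
    return verdicts


def sandbox_share(verdicts) -> float:
    """Fraction of the stream that still needs a VM after pre-filtering."""
    needing_vm = sum(1 for v in verdicts.values() if v == "sandbox:detonate")
    return needing_vm / len(verdicts)


def plan(arrivals_per_minute: float, verdicts, sandbox: Sandbox) -> dict:
    """Compare sandbox load after pre-filtering with raw arrivals."""
    load = arrivals_per_minute * sandbox_share(verdicts)
    return {
        "capacity_per_minute": sandbox.files_per_minute(),
        "unfiltered_unscanned": sandbox.unscanned_per_minute(arrivals_per_minute),
        "filtered_load": load,
        "filtered_unscanned": sandbox.unscanned_per_minute(load),
    }


if __name__ == "__main__":
    sb = Sandbox(vm_count=100, analysis_seconds=60)
    v = triage(SAMPLE_FILES)
    for name, verdict in v.items():
        print(f"{name:12s} -> {verdict}")
    print(plan(2000, v, sb))
```

With 50 VMs and a 40-second detonation the model gives 75 files per minute, and with 100 VMs 150, matching the 75-150 range the post quotes; at 2000 arrivals per minute even the filtered stream in this toy set (half of the files) still overwhelms a 100-VM sandbox, which is the point: the pre-filter stages have to carry most of the volume.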

Sandbox devices should support API (open integration), ICAP (web integration) and SMTP (mail integration). Otherwise a separate sandbox has to be deployed for each vector, increasing cost. Sandboxes that work on a flow basis (flow-based firewall, inline network sandbox, SPAN/mirror analysis) cannot actively block, which means the first copy of a threat gets through. It makes little sense for a product positioned to provide zero-day protection to analyze a file only after it has already passed. Proxy-based technologies should be used so that the session is held until the verdict is known; otherwise, for the reasons above, effective protection cannot be ensured.