PT Sandbox

Product
Developers: Positive Technologies
Date of the premiere of the system: 2020/03/16
Last Release Date: 2024/12/09
Technology: Information Security Management (SIEM)


PT Sandbox is designed to protect corporate mail, user traffic and file storage, and to scan individual objects on demand.

2024

PT Sandbox 5.17

On December 9, 2024, Positive Technologies introduced the next version of its network sandbox for protection against complex malware, PT Sandbox 5.17.


According to the company, one of the most significant updates, and the one that raised the speed of PT Sandbox the most, was the increase in the number of virtual machines running in parallel on a single behavioral analysis node. The development team optimized hardware emulation by implementing system call interception modules for the checks. This made it possible to optimize the launch of file behavior analysis, increase the volume of recorded information security events and raise the likelihood of detecting cyber threats.

The second factor that influenced product performance was pre-filtering of files. PT Sandbox pre-classifies files and links received from connected sources and sends for behavioral analysis only those objects that match the configured information security policies. The updated sandbox allows the filtering of objects to be customized for specific scenarios, including those tied to seasonal projects of companies, for example important conferences, financial reporting and solution presentations. The team worked in detail on a set of expert parameters for identifying potentially dangerous objects. Thanks to this, administrators who work with the product can either make the checks deeper or speed up the system by reducing the amount of data sent for behavioral analysis.

Changes to the file checking order also affected the speed of PT Sandbox. Files sent for behavioral analysis are always checked in sequence, and starting with PT Sandbox 5.15 this queue can be managed. Administrators can view task details, cancel jobs, and raise or lower the priority of files. At the same time, the internal logic of the queues was changed; for example, it became possible to reuse the results of previous checks. With large file streams that can take from several hours to several days to process, this functionality optimizes the operation of PT Sandbox.

"We gave users the ability to customize the depth of checks themselves and thereby personalize protection at the optimal speed for business, while the quality of file analysis remains at the proper level. This functionality was tested in real life: its use in client systems led to an average nine-fold increase in sandbox performance. We also observed the operation of PT Sandbox at the Positive Technologies SOC, where three hardware servers were connected as behavioral analysis nodes. The sandbox coped with its tasks using the power of just one node out of three, even though the number of emails and files to check is constantly growing along with the growth of our company in recent years," said Konstantin Rudakov, leader of PT Sandbox product practice, Positive Technologies.

According to representatives of Positive Technologies, thanks to these capabilities the sandbox requires nine times fewer hardware resources to start virtual machines (the average result obtained in deployments with 10,000 mailboxes tested).

"The main challenge facing the PT Sandbox team for several years was performance optimization. We solved this problem. Now we are ready for new challenges; in 2025 they will be associated with the development of multi-stage email protection processes so that the product performs all the necessary checks, from anti-spam to behavioral analysis. However, since attackers use not only mail to penetrate the infrastructure, we plan to develop additional advanced integration with our other products, in particular with PT NGFW, MaxPatrol EDR and PT Network Attack Discovery, as well as with third-party solutions," noted Sergey Osipov, Head of Malware Protection, Positive Technologies.

Current users can update the product to version 5.17 by contacting technical support, or independently through the PT Sandbox interface.

Critical vulnerability found in popular Positive Technologies products

At the end of October, FSTEC published a warning about a critical vulnerability, BDU:2024-08291, found in two Positive Technologies products, Sandbox and MultiScanner. Versions 5.6.0 through 5.15.0 inclusive are affected; the fix is in version 5.15.1 (a certified build is also available). Severity is rated 8.8 out of 10 on CVSSv3. No exploitation of this vulnerability has been recorded so far.

Compatibility with VBA32

For analysis of malicious code, the PT Sandbox sandbox implements multiscanner functionality that uses both Positive Technologies' own expertise and third-party antivirus engines. The VBA32 antivirus from the Belarusian vendor VIRUSBLOKADA has been added to the sandbox package. Thus, PT Sandbox has become a sandbox in which more than two malware protection tools are used out of the box. This means that the product, drawing on the expertise of several vendors, receives even more information about emerging cyber threats from different sources. Representatives of Positive Technologies reported this on September 18, 2024.

PT Sandbox is marked in the register of domestic software as a product using AI

PT Sandbox has been entered in the unified register of Russian software as a product using artificial intelligence technologies. The product is designed to protect against targeted and mass attacks that use malware. Positive Technologies reported this on April 5, 2024.

"Attackers are constantly improving malware, striving to make it invisible to classic defenses," said Sergey Osipov, head of malware protection at Positive Technologies. "The PT Sandbox sandbox detects such programs in files. The product conducts comprehensive and deep checks, including with an ML system that implements behavioral analysis of process paths and detects malicious and atypical software in them. An entry in the Russian software registry officially recognizes that the product contains artificial intelligence technologies. This confirmation will be important primarily for those companies for which the presence of AI technologies in the product is a prerequisite."

The PT Sandbox ML system analyzes more than 8500 signs of object behavior in terms of the processes they start. Processes, in turn, make system calls, and the system takes into account their sequence and certain patterns. This comprehensive analysis improves the accuracy of identifying unknown targeted threats. For example, at one of the Standoff cyberbattles, the attackers launched a malicious program which, before starting its activity, created a chain of 100 sub-processes. The ML solution noticed this anomaly, while the product had no classic signature to detect it. So the algorithm, among other things, helps to expand the expertise used in PT Sandbox. Experts continue to test the model on new data, increasing the accuracy of threat detection, as well as training it taking into account the characteristics of the customer's IT infrastructure.
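The chain-of-sub-processes anomaly described above, shown from the defender's side: this added Python example (not PT Sandbox code) reads constructed process-creation events, finds the deepest descendant chain under each top-level process and flags chains deeper than a threshold. The event format, the threshold and the process names are assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A process-creation event as a sandbox trace might record it:
# (pid, parent pid, image name). Hypothetical format, constructed for this example.
Event = Tuple[int, int, str]


def build_children(events: Iterable[Event]) -> Dict[int, List[int]]:
    """Map each parent pid to the pids it spawned, in creation order."""
    children: Dict[int, List[int]] = defaultdict(list)
    for pid, ppid, _name in events:
        children[ppid].append(pid)
    return children


def longest_chain(root: int, children: Dict[int, List[int]]) -> List[int]:
    """Return the longest root-to-leaf path of pids starting at `root`.

    Iterative DFS, so a 100-deep chain does not hit the recursion limit; the
    `seen` set guards against malformed logs where a pid reappears as its own
    ancestor.
    """
    best: List[int] = [root]
    stack: List[Tuple[int, List[int]]] = [(root, [root])]
    seen = {root}
    while stack:
        node, path = stack.pop()
        if len(path) > len(best):
            best = path
        for child in children.get(node, []):
            if child in seen:
                continue
            seen.add(child)
            stack.append((child, path + [child]))
    return best


def find_deep_chains(events: Iterable[Event], max_depth: int = 20) -> List[dict]:
    """Flag every top-level process whose descendant chain is deeper than
    `max_depth` sub-processes.

    The threshold is an assumption for this example; a real deployment would
    tune it to the environment, since build systems and shells legitimately
    nest processes a few levels deep.
    """
    events = list(events)
    children = build_children(events)
    names = {pid: name for pid, _ppid, name in events}
    # A root is any process whose parent never appears in the trace.
    roots = [pid for pid, ppid, _ in events if ppid not in names]
    findings = []
    for root in roots:
        chain = longest_chain(root, children)
        depth = len(chain) - 1  # number of sub-processes below the root
        if depth > max_depth:
            findings.append({
                "root": root,
                "image": names[root],
                "depth": depth,
                "chain": [names[p] for p in chain],
            })
    return findings


def sample_events() -> List[Event]:
    """Constructed sample trace: a benign Office session plus a document
    loader that, like the case described above, spawns 100 nested sub-processes."""
    benign: List[Event] = [
        (1, 0, "explorer.exe"),
        (2, 1, "winword.exe"),
        (3, 2, "splwow64.exe"),
    ]
    suspicious: List[Event] = [(10, 0, "winword.exe")]
    parent = 10
    for pid in range(11, 111):  # 100 nested cmd.exe instances
        suspicious.append((pid, parent, "cmd.exe"))
        parent = pid
    return benign + suspicious


if __name__ == "__main__":
    for finding in find_deep_chains(sample_events()):
        print(f"pid {finding['root']} ({finding['image']}): "
              f"{finding['depth']} nested sub-processes")
```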

2023

Integration with Continent 4

The PT Sandbox from Positive Technologies and the Continent 4 firewall from Security Code have passed technological compatibility tests and can now provide layered protection of companies against complex cyber threats: ransomware, wipers, zero-day threats, rootkits, bootkits. Positive Technologies announced this on September 20, 2023.

Under Presidential Decree No. 166 of 30.03.2022, companies with state participation must switch to domestic software by January 1, 2025, so many of them are actively looking for replacements for the solutions of foreign vendors. To ensure effective protection of Russian companies from complex cyber threats, vendor solutions must integrate efficiently and seamlessly with each other. An example of such integration is the interaction of two products from the information security vendors Positive Technologies and Security Code: PT Sandbox and Continent 4.

"One of the distinguishing features of PT Sandbox is that it can connect to almost any file source: mail gateways, NTA systems, file storage, firewalls and other information systems," said Sergey Osipov, head of malware protection at Positive Technologies. "I would like to emphasize that cooperation with Security Code will allow us to ensure maximum protection of customers with minimal impact on business processes."

Positive Technologies specialists tested the joint operation of PT Sandbox and Continent 4. According to the results, the integration of the two products provides an advanced degree of protection against targeted attacks, complex malware and threats from APT groups.

"NGFW-class devices are the basic security component of IT infrastructures. Multilevel malware protection is one of the key challenges facing NGFW. The integration of Continent 4 and PT Sandbox provides not only detection of known threats, but also protection against targeted attacks using previously unknown malware samples," said Pavel Korostelev, head of the Security Code product promotion department.

Red OS Compatibility

As part of a technological partnership, Positive Technologies, a developer of solutions for effective cyber security, and RED SOFT, a developer of system software, tested their software products for compatibility. According to the test results, the PT Sandbox sandbox for protection against targeted and mass attacks detects malicious code in application installation packages for the domestic operating system RED OS. This was announced on August 3, 2023 by representatives of RED SOFT.


The joint solution is designed to work in state departments, CII entities and other Russian organizations to identify complex attacks using malware specially designed for their infrastructure.

"The experience of investigating attacks by the Positive Technologies Expert Security Center (PT ESC) shows that public sector CII objects are one of the most desirable targets for attackers. In connection with the transition of domestic companies to Russian software, many organizations can become especially vulnerable to cyber threats, since not every producer of information protection tools pays due attention to supporting Russian operating systems. A sandbox that contains virtual environments not only with common Windows systems but also with RED OS, an operating system in demand by Russian companies, will help to ensure full protection, including from all types of malware," commented Sergey Osipov, head of malware protection at Positive Technologies.

Positive Technologies specialists tested the operation of the RED OS operating system in the virtual infrastructure of the PT Sandbox solution. The sandbox conducts behavioral analysis of RPM installation packages so that users can work with safe files.

"Ensuring security in the RED OS operating system environment is a priority for us. To this end, we are developing a technological partnership with market experts in the field of cybersecurity and creating comprehensive solutions for customers interested in switching to Russian software. Thanks to joint work, users, including government authorities and CII entities, can migrate the IT infrastructure in accordance with information security requirements and be confident in protection against malware and hacker attacks," said Rustam Rustamov, Deputy General Director of RED SOFT.

PT Sandbox 5.0 Release

On April 18, 2023, Positive Technologies introduced the fifth version of its sandbox for protection against targeted and mass malware attacks, PT Sandbox 5.0. The capabilities of the updated product will be especially relevant for Russian companies already using domestic software or switching to it. Among the important changes are installation on Astra Linux, as well as the addition of virtual environments supporting the Russian operating systems Astra Linux and RED OS.

By supporting the RED OS virtual environment, PT Sandbox 5.0 has expanded its ability to simulate real infrastructure. In addition, the sandbox can reproduce the Astra Linux operating system, whose environment was added in a previous release. In this version of the product, Positive Technologies specialists have filled these virtual environments with customized decoys that help detect malware directed at Astra Linux and RED OS and detect attacks on the company's infrastructure in time. The decoys mimic files and processes specific to government organizations. In addition, the Positive Technologies sandbox, using behavioral analysis, now detects malicious code in DEB and RPM installation packages. Thus, PT Sandbox 5.0 allows government agencies, CII entities and other domestic organizations to identify complex attacks using malicious software specially designed for their infrastructure.

One of the key changes in the sandbox was a reduction of hardware requirements by up to 30% (according to Positive Technologies test results) and vendor independence, which allows companies to reduce the cost of purchasing equipment. PT Sandbox can now be deployed on servers with either BIOS or UEFI firmware. In addition, the Positive Technologies sandbox can be installed on the Russian operating system Astra Linux 1.7, and the previously obtained FSTEC certificate of compliance allows it to be used in state information systems up to the first security class.

"The development team has done a great job to maximize coverage of the regulatory requirements that organizations are required to comply with when switching to domestic software. The release includes updates that allow PT Sandbox to recognize malware and hacker tools created by attackers specifically for attacks on Russian companies. This approach allows you to build more effective and personalized protection against current cyber threats," commented Sergey Osipov, Head of Malware Protection, Positive Technologies.

According to the results of pilot projects implementing PT Sandbox, the largest share of malware (49%) was found in mail traffic. To prevent malware from entering the corporate network, PT Sandbox neutralizes emails with a malicious attachment. If the attachment poses a risk, the system deletes only the attached file. At the same time, safe messages are delivered without delay so that the sandbox does not slow down business processes.

PT Sandbox also gained automatic checking of hyperlinks in emails. Phishing links that trigger the download of a malicious attachment are a classic element of a targeted attack on a company through its employees. According to Positive Technologies statistics, in 2022 attackers delivered malware to organizations through emails in 42% of cases.

PT Sandbox regularly receives information about updated malware. To this end, specialists from the Positive Technologies Expert Security Center (PT Expert Security Center) constantly monitor the activity of hacker groups, analyze current cyber threats and develop ways to detect them, which are then delivered to the products. This expertise allows attacks to be identified and prevented at early stages.

"PT Sandbox detects common threats in almost 100% of cases using special extensions that do not require continuous updating. This was made possible by the unification and optimization of advanced detection modules. At the same time, together with the threat intelligence team, we can see how the attackers' tools are changing, so we created a mechanism for delivering expert packages to PT Sandbox within 2.5 hours. This allows us to close the remaining share of threats that require an immediate response. It is important that the rapid release of expert packages does not adversely affect the quality of detection or product performance, and maximizes the ability to protect customers from incoming threats," said Alexey Vishnyakov, head of malware detection at the Positive Technologies Expert Security Center (PT Expert Security Center).

The updated version of PT Sandbox contains changes that facilitate the work of information security specialists and accelerate the response to cyber threats. The results of behavioral analysis of potentially dangerous files are mapped to tactics and techniques from the MITRE ATT&CK matrix for Linux systems (the sandbox already covers the similar matrix for Windows operating systems); this helps operators understand what stage of the attack the attackers are at and take preventive or compensatory protection measures. So that information security analysts have all the data necessary for an investigation, in particular about what damage the malware could have caused to the infrastructure, PT Sandbox determines its class: a special field has been added to the object card with a brief description of the type of malware and its functions. An important update for companies that use PT Sandbox to protect not only the corporate but also the technological segment: the industrial version of the sandbox, part of the PT Industrial Cybersecurity Suite, received a virtual machine image for analyzing the behavior of files in an industrial IT infrastructure. This image reproduces the workstation of an operator or ICS engineer and contains specialized programs: Siemens, TRACE MODE, Wonderware.

In addition, PT Sandbox's integration with other Positive Technologies products has been expanded: for example, the sandbox can now transfer information to MaxPatrol SIEM not only about checked files but also about links. Also, from the PT Sandbox interface you can go in one click to the PT Network Attack Discovery session card in which a suspicious file was found and sent for analysis.

2022

Detection of malware that recognizes the sandbox

Specialists from the Positive Technologies Expert Security Center (PT Expert Security Center) have identified malware that, when checking where it runs, in a virtual environment or on a user's real computer, was configured to recognize older versions of the PT Sandbox sandbox. Positive Technologies announced this on October 17, 2022.

The PT Sandbox sandbox is used by companies in the public sector, the credit and financial sphere, and industry. In the Positive Technologies sales structure, PT Sandbox demonstrates high growth rates: in the first half of 2022, sales grew by 22% compared to the same period in 2021.

In early October 2022, specialists from the PT Expert Security Center malware detection department encountered a file named Povestka_26-09-2022.wsf during daily monitoring of cyber threats. Examining it, the experts found that the sample is a WSF file with obfuscated JavaScript code. Its task is to check for the presence of virtual machines, sandboxes and antivirus programs and, if none are found, to run the main payload. If the malware evades the security tools installed in the company, attackers gain an initial foothold in the infrastructure and can develop the attack inside the organization.

It is important for attackers to understand that they have gained access to a real workstation in the company's infrastructure, and not to an isolated virtual environment designed to analyze the behavior of executable files. For this, malware includes features for detecting and bypassing security and virtualization tools. According to Positive Technologies, to identify network sandboxes attackers most often send WMI requests (25% of malware samples) or implement other environment checks (33%), and also check the list of running processes (19%). The malware studied by the company's specialists has an interesting way of detecting virtual environments, tailored specifically to PT Sandbox.

"This is the first case we know of in which malware attempts to evade detection by PT Sandbox. The malware looks for a special folder which, according to the attackers, can indirectly indicate execution in the environment of our sandbox. If the result of the check is positive, the sample exits. Such a scenario was possible only for older versions of PT Sandbox and as of October 17, 2022 is no longer relevant," comments Alexander Tyukov, specialist of the PT Expert Security Center malware detection department. "PT Sandbox knows how to hide its presence well in order to prevent malware from prematurely stopping its work and to allow the sandbox to collect as much information as possible for responding to cyber threats and subsequent investigations."

PT Sandbox supports flexible configuration of virtual environments that takes into account the peculiarities of real workstations, and it accounts for sandbox evasion techniques: with each release, the product gains new mechanisms that allow detecting, among other things, reconnaissance conducted by malware. For example, PT Sandbox supports deception technologies aimed at creating traps for malware. Decoys that mimic real files, processes or data in a virtual environment provoke malware to take action and thereby help reveal the presence of attackers.
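The evasion pattern described in this section (fingerprint the environment via WMI queries, process listing or a marker-folder check, then exit without running a payload) can be flagged from a behavior trace. This added Python example is not PT Sandbox code; the trace vocabulary, the time window and the marker path are assumptions, and the sample traces are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class TraceEvent:
    t_ms: int        # milliseconds since the sample started
    action: str      # normalised action name (assumed trace vocabulary)
    target: str = ""


# Actions the text lists as typical sandbox fingerprinting: WMI requests,
# other environment checks (such as probing for a marker folder) and
# enumeration of running processes.
RECON_ACTIONS = {"wmi_query", "process_enum", "file_exists", "registry_read"}

# Actions that show the sample actually proceeded to do something.
PAYLOAD_ACTIONS = {"file_write", "process_create", "network_connect", "registry_write"}


@dataclass(frozen=True)
class Verdict:
    evasive: bool
    reason: str
    lifetime_ms: Optional[int]
    recon: List[str] = field(default_factory=list)
    payload: List[str] = field(default_factory=list)


def assess_trace(trace: List[TraceEvent], max_lifetime_ms: int = 5000) -> Verdict:
    """Classify a single sample's trace.

    A sample is considered evasive when it performs at least one
    fingerprinting action, performs no payload action at all, and exits
    within `max_lifetime_ms` (threshold assumed for the example).
    """
    recon = [f"{e.action}:{e.target}" for e in trace if e.action in RECON_ACTIONS]
    payload = [f"{e.action}:{e.target}" for e in trace if e.action in PAYLOAD_ACTIONS]
    exits = [e.t_ms for e in trace if e.action == "process_exit"]
    lifetime = min(exits) if exits else None

    if recon and not payload and lifetime is not None and lifetime <= max_lifetime_ms:
        return Verdict(True, "fingerprinted the environment, then exited without acting",
                       lifetime, recon, payload)
    if recon and payload:
        return Verdict(False, "fingerprinted the environment but still ran a payload",
                       lifetime, recon, payload)
    return Verdict(False, "no evasion pattern", lifetime, recon, payload)


# Constructed trace resembling the WSF sample described above: three
# environment checks, then immediate exit. The folder path is a placeholder,
# not the real marker the text refers to.
EVASIVE_TRACE = [
    TraceEvent(40, "wmi_query", "Win32_ComputerSystem"),
    TraceEvent(90, "process_enum"),
    TraceEvent(120, "file_exists", r"C:\PLACEHOLDER_SANDBOX_MARKER"),
    TraceEvent(150, "process_exit"),
]

# Constructed trace of a sample that fingerprints but still drops and runs a file.
ACTIVE_TRACE = [
    TraceEvent(30, "wmi_query", "Win32_ComputerSystem"),
    TraceEvent(200, "file_write", r"C:\Users\Public\update.exe"),
    TraceEvent(250, "process_create", r"C:\Users\Public\update.exe"),
    TraceEvent(900, "network_connect", "203.0.113.10:443"),  # TEST-NET address
    TraceEvent(9000, "process_exit"),
]


if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("active", ACTIVE_TRACE)):
        v = assess_trace(trace)
        print(f"{name}: evasive={v.evasive} ({v.reason}); recon={v.recon}")
```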

PT Sandbox 4.3 Release

On September 27, 2022, Positive Technologies announced the release of an updated version of its sandbox for risk-oriented protection, PT Sandbox 4.3. The main feature of the release is the addition of a customized Astra Linux operating system environment, thanks to which the sandbox detects attacks using malware specifically tailored for this OS, as well as detection of another class of malware, bootkits, which are gaining popularity among attackers. In the Russian network sandbox market, protection against this kind of cyber threat is offered for the first time, Positive Technologies said.

PT Sandbox 4.3 received support for Astra Linux, a domestic Linux distribution to which, according to media reports, state bodies, state corporations and companies with state participation are switching. This ability to customize the virtual environment for analyzing file behavior allows public sector and domestic organizations, both those already using this software and those planning to install it as part of import substitution, to identify complex attacks using current malware specially tailored for their workstations and infrastructure.

"According to research, the public sector annually tops the ranking of the most frequently attacked industries. Years of experience and expertise at Positive Technologies show that attackers always attack through the software that their potential victims use. This means that in the near future we can expect the appearance of malware and hacker tools developed for domestic operating systems, in particular Astra Linux. Malware aimed at this OS has completely different behavior from that used to attack Windows systems and is well recognized by this sandbox. In order to ensure the security of domestic departments and organizations in these conditions, experts wrote special rules for PT Sandbox that detect malicious activity in Astra Linux and cover real techniques from the MITRE ATT&CK matrix used by cybercriminals to bypass network sandboxes," commented Sergey Osipov, head of malware protection at Positive Technologies.

Starting with version 4.3, PT Sandbox detects another dangerous class of malware: bootkits. A Positive Technologies study of this type of malware showed that bootkits are gaining popularity: cybercriminals, including APT groups such as Careto, Winnti (APT41) and FIN1, are increasingly using them in targeted and mass attacks. Bootkits execute before the operating system loads and help other malware to quietly gain a foothold in it before it launches. To identify them, specialists from the Positive Technologies Expert Security Center (PT Expert Security Center) developed a dedicated technology. A special bootkitmon plugin in PT Sandbox detects both old-style bootkits (designed for BIOS) and current ones (targeting UEFI firmware, for example Mosaic Regressor, TrickBoot and FinSpy) at all stages of their work.

"The regular appearance of vulnerabilities in firmware gives attackers vectors for attacks. It also spurs the development of bootkits that help attackers hide in the infrastructure of compromised companies reliably and for as long as possible. PT Sandbox implements a mechanism for detecting bootkits not only at the initial stage of infection, but also at the stage of rebooting the OS, when, after the computer boots, the malware begins to act. The system reboot analysis mode allows users of the Positive Technologies sandbox to continue monitoring this stage and, if the bootkit previously managed to quietly perform an infection, obtain detailed information about its behavior. This will help to stop the threat in a timely manner," said Alexey Vishnyakov, head of malware detection at Positive Technologies.

PT Sandbox 4.0 Release

On April 28, 2022, Positive Technologies announced that it had released the next version of its sandbox for protection against targeted and mass attacks, PT Sandbox 4.0. The updated product enhances proactive threat hunting with flexible search and customizable filtering options. In addition, PT Sandbox now supports Microsoft server operating systems: Windows Server 2016 and Windows Server 2019. This allows the corresponding virtual machines to be run in the sandbox and attacks aimed at these types of OS to be detected.

PT Sandbox 4.0 introduced a flexible search mechanism that helps information security analysts search for traces of compromise and test hypotheses put forward as part of threat hunting. Sandbox users can create complex queries to select file analysis tasks. Possible criteria include file names and formats, network indicators, hash sums, hash sum names, email sender and recipient addresses, threat classes, and other text substrings. This allows, for example, finding certain malicious behavior in retrospect and linking seemingly disparate incidents into a single attack chain.

"PT Sandbox will help build threat hunting for companies that do not currently have other monitoring tools with threat hunting functionality, such as traffic analysis systems. Knowing the signs of malware attacking a particular industry, business type, or country, sandbox users can set up a repeated refined search to detect this cyber threat," comments Alexey Vishnyakov, head of the malware detection department of the Positive Technologies Expert Security Center.

To expand the capabilities of imitating the company's real infrastructure, PT Sandbox has added support for Windows Server 2016 and Windows Server 2019.

"We are expanding the capabilities of our sandbox and now reproduce not only user workstations, but also server machines in virtual environments. This allows PT Sandbox to detect attacks tailored for server operating systems," says Olga Tikhonova, development manager at PT Sandbox.

Working with PT Sandbox has been made even more convenient for users by the updated event storage system. As of the end of April 2022, the product interface displays the status of each task in real time and updates it based on the results of static and dynamic file analysis. Even before a scan is complete, the information security specialist can track the status of tasks and view the results of checks against the rules of the Positive Technologies Expert Security Center (PT ESC).

2021

PT Sandbox 2.4 Release

On October 20, 2021, Positive Technologies announced that it had released the next version of its sandbox for risk-oriented protection, PT Sandbox 2.4. The release supports a technology for proactive detection of hidden rootkits, both at the stage of their installation and during operation. Developed by specialists from the PT Expert Security Center, the plugin allows detecting the presence of malware and illegitimate activity in the system, which hackers usually mask using programs called rootkits.

Identifying a malicious file with specific response parameters

Rootkits prevent protection tools from detecting malicious activity and pose a threat because, as a rule, they are part of multifunctional malware. Due to the complexity of developing such malware, it is most often used by groups with sufficient technical qualifications or financial capabilities. With its help they mask obtaining remote access to compromised hosts, intercepting network traffic, spying on users, stealing authentication data or conducting DDoS attacks. According to a Positive Technologies study of rootkits used by cybercriminals over the past 10 years, the five most attacked industries are the public sector (44%), science and education (38%), telecom (25%), industry (19%) and the financial sector (19%).

The five most attacked industries (share of rootkits)
"Stealth and efficiency are the parameters that distinguish the rootkit detection technology we have developed from others. Existing countermeasures are based on running an antivirus tool inside the OS. If the rootkit is made with high quality and is already installed in the OS, it is generally impossible to detect the malware in this way: it blocks any possibility of its own detection. The main feature of the Positive Technologies technology is that it is located outside the OS, that is, it works agentlessly. This allows PT Sandbox to detect rootkits not only at the installation stage, when attackers perform a number of malicious or at least suspicious actions, but also after the system is infected. This approach has no analogues in the Russian market of network sandboxes," says Alexey Vishnyakov, head of malware detection at the Positive Technologies Expert Security Center.

It is important to note that with agentless analysis, rootkits cannot prevent their detection. In addition, this technology allows the Positive Technologies sandbox to remain unnoticed by malware.

"There are classic approaches to signature and behavioral analysis, with the help of which already known families of rootkits and their installers are discovered. Thanks to a proactive protection method, PT Sandbox detects a threat at the moment when it is already performing its dangerous actions at the OS kernel level. In addition, unlike similar solutions, our sandbox does not interfere with the work of the rootkit: its installation and functioning take place without intervention, and during checks for the presence of protective tools it is not detected. Thus, intruders do not suspect that they have been revealed," adds Pavel Maksyutin, specialist in the malware detection department of the Positive Technologies Expert Security Center.

The option of proactive and invisible detection of rootkits is available to users of PT Sandbox 2.4 and subsequent versions. Current users must upgrade to version 2.4 in order to use this feature.

PT Sandbox is a sandbox for protection against targeted and mass malware attacks. It supports flexible configuration of virtual environments modeled on real workstations and is protected from sandbox evasion techniques. The product provides comprehensive analysis of files and traffic, including encrypted traffic, as well as identification of hidden and current threats through regular retrospective analysis.

PT Sandbox supports integration with other Positive Technologies products (PT Network Attack Discovery, PT Application Firewall, MaxPatrol SIEM) and enriches them with information about malware threats.

Adding decoy provocateurs to PT Sandbox 2.2

In the latest version of PT Sandbox, provocateur decoys have appeared to help uncover intruders. This was announced on April 14, 2021 by Positive Technologies.

The sandbox now supports deception technologies aimed at creating traps for malware. Decoys that simulate real files, processes or data in an isolated virtual environment provoke the malware into interacting with them and thereby help identify the presence of hackers in the infrastructure.

A key change in PT Sandbox 2.2 is decoys that provoke the attacker's tools into revealing themselves. In particular, these are decoy files containing fake user accounts, configuration files or other confidential information that is potentially interesting to the attacker. When an attempt is made to steal such data, PT Sandbox quickly identifies the threat. Decoy processes work in much the same way: they simulate the operation of banking applications, developer software or regular user activity, and the product detects attempts by attackers to interfere with them.

"The effectiveness of the sandbox depends, on the one hand, on its ability to remain unnoticed by malware, and on the other, on the environment, which should be as similar as possible to the user's usual environment," says Alexey Vishnyakov, head of malware detection at the Positive Technologies security expert center (PT Expert Security Center). "Malware most often looks for files that are interesting to it, running processes, and changes in the clipboard. Attackers need this to steal confidential information, and in sandboxes it is used as a kind of trigger. If there are few processes in the system and none of the expected files or other signs of the user's work, then the malware simply will not do anything, considering the system uninteresting. By developing deception technologies in our sandbox, we encourage malware to take action and thereby help to identify it in a timely manner, improving the quality of protection."

Deception technologies in PT Sandbox 2.2 are also implemented as fake but correctly formatted private data: for example, passwords or card numbers are placed as bait on the user's clipboard, which spy Trojans are so fond of intercepting.
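The decoy mechanics described above (bait files with fake credentials, and format-valid private data such as a card number left on the clipboard) as an added Python example; this is not PT Sandbox code, and every value in it is constructed for the illustration. It generates a Luhn-valid card number that belongs to nobody, plants it alongside a bait credential, and flags captured payloads that carry either decoy.

```python
"""Added example, not PT Sandbox code: fake but format-valid decoy data and a
check that flags captured payloads carrying it. All values are constructed."""
import re
from typing import Dict, List, Tuple

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these digits get doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """Standard Luhn validation over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Constructed bait: passes a stealer's format check, but is tied to no real account.
DECOY_CARD = "400000000000000" + luhn_check_digit("400000000000000")
DECOY_PASSWORD = "Bk7!decoy-Pass-2020"

def plant_decoys() -> Dict[str, str]:
    """Artifacts a sandbox would place where malware looks: clipboard and config files."""
    return {
        "clipboard": DECOY_CARD,
        "db_config": f"[db]\nuser=backup_svc\npassword={DECOY_PASSWORD}\n",
    }

def scan_for_decoy_use(samples: List[str]) -> List[Tuple[int, str]]:
    """Flag captured samples (e.g. outbound payloads) that carry a decoy value.
    Card digits are compared after stripping spaces and dashes."""
    hits = []
    for idx, sample in enumerate(samples):
        if DECOY_CARD in re.sub(r"[\s-]", "", sample):
            hits.append((idx, "decoy card number"))
        if DECOY_PASSWORD in sample:
            hits.append((idx, "decoy credential"))
    return hits
```

Any hit is a high-confidence signal, because nothing legitimate in the environment ever has a reason to read, copy or transmit these values.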

"The company should build protection based on which risks it considers the highest priority," comments Ksenia Kirillova, product marketing manager at Positive Technologies. "The key set of decoys that our experts have formed by researching the activities of hacker groups is available to our customers out of the box. However, if necessary, we can add additional lures to PT Sandbox at the customer's request. This will make protection more personalized and allow the company to mitigate threats directed at systems that are critical to a particular business."

To more accurately simulate the user's work, additional programs were added to the PT Sandbox virtual environments: video player, system optimizer, video communication platform, intermediate code emulators. Also, the product now covers even more existing vulnerabilities in office and other applications - this was achieved by expanding the number of software versions installed in the sandbox.

2020

Inclusion in the unified register of Russian software

PT Sandbox is included in the unified register of Russian software. This was announced on February 3, 2021 by Positive Technologies.

In accordance with the order of the Ministry of Communications of the Russian Federation dated December 31, 2020, the product is included in the software class that covers enterprise information security tools.

PT Sandbox is designed to protect against targeted and mass attacks using unknown malware and zero-day threats. The product detects all the main vectors by which malicious files penetrate an organization's network: it detects threats in e-mail, checks documents in file storage, and also analyzes files uploaded to corporate sites and downloaded from the Internet.

Products entered in the register are recommended for purchase by government agencies and companies with a significant share of state participation.

"According to our data, government agencies have long been the most popular target of attackers, and malware is used in 56% of all attacks," comments Ksenia Kirillova, product marketing manager at Positive Technologies. "PT Sandbox identifies threats, including with the help of knowledge gained by our experts while studying the activities of hacker groups that are active in the territory of the Russian Federation and the CIS. A product with such expertise is really relevant for customers from the public sector."

Earlier, PT Sandbox, along with other Positive Technologies products, received an update to detect the use of the FireEye penetration-testing tools stolen by hackers.

The ability to receive weekly updates to the rule base for behavioral file analysis

The PT Sandbox has advanced capabilities to identify targeted attacks. Positive Technologies announced this on October 15, 2020.

PT Sandbox now receives weekly updates to the rule base for behavioral file analysis. These rules, created by the PT Expert Security Center (PT ESC) in the course of threat intelligence and information security incident investigations, make it possible to better identify the risks most relevant to the Russian market.

Each update contains rules for identifying attacker techniques or malware families. This allows a quick response to attackers, who often change the methods, tactics and tools they use to carry out attacks.

"One of the most powerful aspects of PT Sandbox is the use of expert knowledge to detect threats," comments Ksenia Kirillova, product marketing manager at Positive Technologies. "PT Expert Security Center specialists constantly monitor the activity of the main hacker groups operating in Russia and the CIS countries, and investigate incidents in large companies. The threat data they receive is regularly transmitted to the product. This is knowledge that is as relevant as possible for the Russian market and is able to help our customers prevent both massive and complex targeted attacks."

The expert rule update from PT ESC is available to all PT Sandbox users and is done automatically.

PT Sandbox Presentation

On March 16, 2020, Positive Technologies introduced a sandbox for identifying targeted and mass attacks that use malware.

PT Sandbox

The sandbox allows you to simulate the exact profiles of user workstations - up to the version of the operating system and browser. This makes it possible in a secure virtual environment to detect malware that is written for a certain environment and does not manifest itself in another (for example, during a targeted attack).

"Attackers constantly develop malware so that antiviruses, firewalls, IPS and gateways do not see it. Such malware can only be found in a sandbox. But most sandboxes on the market offer virtual environments with a typical set of software, often an irrelevant one. For example, only Internet Explorer is installed in the sandbox, while the user accesses the Internet through Google Chrome. A malicious file that only works if Google Chrome is present does not "detonate" in such a sandbox. Even matching software versions is important,"

says Alexey Danilin, Head of Business Development at Positive Technologies.

The flexible customization mechanism in PT Sandbox allows you to solve such problems. The system makes it possible to quickly create a set of virtual environments, taking into account differences in software sets, for example, from an accountant and a developer.

Attackers use various ways to bypass sandboxes. For example, malware recognizes that it is running in a special environment (by the absence of mouse movements or of a physical CPU) and does not show its malicious activity. According to Positive Technologies, 40% of APT groups perform such a check during targeted attacks. PT Sandbox avoids detection by more than 20 such techniques and forces malware that tries to hide to launch.

Even before opening a suspicious file in the sandbox environment, PT Sandbox prefilters it using several pre-installed antiviruses. This reduces sandbox load and speeds up file scanning, even under high load. In addition, PT Sandbox has a retrospective analysis mechanism and rechecks files after its knowledge bases are updated. By default, a file is rechecked with fresh databases if more than 24 hours have passed since its last scan, but the user can configure the frequency. So, if a file did not seem suspicious yesterday, although it contained elements of previously unidentified malicious code, then once the signatures are updated PT Sandbox will immediately inform the user about it.
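The retrospective re-check policy described above, as an added Python example that is not PT Sandbox code. It assumes a clean verdict is re-evaluated only when a newer knowledge base exists and the configurable interval (24 h by default) has elapsed; the knowledge base is represented by a set of constructed placeholder hashes, and a verdict that flips from clean to malicious produces an alert.

```python
"""Added example, not PT Sandbox code: retrospective re-check of earlier verdicts
after a knowledge-base update. Hashes and timestamps are constructed."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Set, Tuple

@dataclass(frozen=True)
class ScanRecord:
    sha256: str            # constructed placeholder, not a real indicator
    verdict: str           # "clean" or "malicious"
    last_scanned: datetime
    db_version: int        # knowledge-base version the verdict is based on

def needs_recheck(rec: ScanRecord, now: datetime, db_version: int,
                  interval: timedelta = timedelta(hours=24)) -> bool:
    """Assumption: a clean verdict is re-evaluated only when a newer knowledge
    base exists and the configurable interval (default 24 h) has elapsed."""
    if rec.verdict == "malicious":
        return False                      # a confirmed detection is not re-queued
    return rec.db_version < db_version and now - rec.last_scanned > interval

def retrospective_pass(records: List[ScanRecord], known_bad: Set[str], db_version: int,
                       now: datetime, interval: timedelta = timedelta(hours=24)
                       ) -> Tuple[List[ScanRecord], List[str]]:
    """Recheck due files against the updated signature set; report verdict flips."""
    updated, alerts = [], []
    for rec in records:
        if not needs_recheck(rec, now, db_version, interval):
            updated.append(rec)
            continue
        verdict = "malicious" if rec.sha256 in known_bad else "clean"
        if verdict != rec.verdict:
            alerts.append(f"{rec.sha256[:12]}: {rec.verdict} -> {verdict} after KB update")
        updated.append(replace(rec, verdict=verdict, last_scanned=now, db_version=db_version))
    return updated, alerts

def demo(interval_hours: int = 24) -> Tuple[List[ScanRecord], List[str]]:
    """Constructed scenario: two files judged clean with KB v1; KB v2 adds one signature."""
    now = datetime(2020, 10, 16, 12, 0)
    history = [
        ScanRecord("deadbeef" * 8, "clean", now - timedelta(hours=30), 1),
        ScanRecord("cafebabe" * 8, "clean", now - timedelta(hours=2), 1),
    ]
    known_bad_v2 = {"deadbeef" * 8}       # constructed: the update adds this one hash
    return retrospective_pass(history, known_bad_v2, 2, now, timedelta(hours=interval_hours))

if __name__ == "__main__":
    print(demo()[1])
```

With the default interval only the file scanned 30 hours ago is rechecked and flips to malicious; shortening the interval to one hour also rechecks the recent file, which stays clean.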

Because the sandbox analyzes not only the object itself but also the traffic and files it creates during the check, malicious activity that is not outwardly related to the malware itself can be tracked. The sandbox can detect threats even in encrypted traffic.

PT Sandbox supports integration with other Positive Technologies products - PT Network Attack Discovery, PT Application Firewall, MaxPatrol SIEM - and enriches them with knowledge of malware threats.