Understanding Sandboxing and Types of Sandboxes

Cybersecurity Sandboxes: Learn the fundamentals and types, including cutting-edge hypervisor-based technology for threat analysis.

In the realm of cybersecurity, where threats continually evolve in sophistication and scale, the need for robust defense mechanisms has never been more critical. One such indispensable tool in the cybersecurity arsenal is the sandbox. But what exactly is a sandbox, and why is it crucial in today’s threat landscape?

What is a sandbox: The definition

A sandbox is, essentially, a controlled and isolated environment where potentially malicious files or URLs are executed and analyzed. Picture it as a digital playground where the security system carefully observes the activities of these entities to determine whether they exhibit any malicious behavior. This surveillance is meticulous, logging every detail of the file’s actions.

At its core, the concept is straightforward: you take a suspicious file, which may come in various formats, and place it within the sandbox. The sandbox then automatically interacts with the file (or, in the case of a phishing URL, follows its links) until it potentially uncovers something malicious. Throughout this process, it monitors the file’s behavior meticulously, logging every move it makes. Once the analysis is complete, a comprehensive report is generated.

Why do we need sandboxes?

Sandboxes serve as a last line of defense against malware threats that have learned to evade traditional security controls, such as perimeter firewalls and desktop antivirus solutions. These traditional solutions often rely on a combination of reputational, static, and heuristic analysis to detect threats. Unfortunately, malware authors have grown adept at circumventing these methods.

Static detection signatures filter out known threats, while heuristic engines flag known malicious patterns in previously unknown malware. However, these approaches are not infallible, as cybercriminals continuously modify their creations to elude existing detection techniques.

So, the only surefire way to identify unknown malware is by executing it in a controlled environment—a malware sandbox. Here, the malware’s actions are analyzed, and indicators of compromise (IOCs) are extracted. These IOCs subsequently inform the creation of signatures for future detection and the enhancement of protective measures, such as firewalls and intrusion detection systems.
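
The IOC extraction step described above, sketched as an added example (not VMRay's code or report format): the log schema, field names and sample events are constructed for illustration. It keeps only indicators produced by the submitted sample's process tree, so background activity inside the analysis machine is not turned into signatures.

```python
import json
from collections import defaultdict

# Constructed behaviour log, one JSON event per line. The schema is hypothetical;
# domains and addresses come from reserved documentation ranges.
SAMPLE_LOG = r"""
{"type":"process","pid":4100,"ppid":880,"image":"C:\\Users\\lab\\invoice.exe"}
{"type":"dns","pid":4100,"query":"updates.example.net"}
{"type":"process","pid":4212,"ppid":4100,"image":"C:\\Windows\\System32\\cmd.exe"}
{"type":"file_write","pid":4212,"path":"C:\\Users\\lab\\AppData\\Roaming\\svc.exe","sha256":"CONSTRUCTED-SHA256-PLACEHOLDER"}
{"type":"dns","pid":1320,"query":"time.example.org"}
{"type":"connect","pid":4100,"dst":"203.0.113.25","port":443}
{"type":"registry_set","pid":4212,"key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"}
{"type":"connect","pid":4100,"dst":"203.0.113.25","port":443}
"""

# Event type -> (IOC category, field holding the indicator value).
IOC_FIELDS = {
    "dns": ("domain", "query"),
    "connect": ("ip", "dst"),
    "file_write": ("file", "path"),
    "registry_set": ("registry", "key"),
}

def extract_iocs(log_text, sample_pid):
    """Return {category: sorted unique indicators} for the sample's process tree."""
    tracked = {sample_pid}  # the sample plus every process it spawned
    iocs = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "process":
            # Follow child processes so activity handed off to them is kept.
            if ev["ppid"] in tracked:
                tracked.add(ev["pid"])
            continue
        if ev["pid"] not in tracked:
            continue  # background OS noise, not caused by the sample
        if ev["type"] in IOC_FIELDS:
            category, field = IOC_FIELDS[ev["type"]]
            iocs[category].add(ev[field])
            if "sha256" in ev:
                iocs["sha256"].add(ev["sha256"])
    return {cat: sorted(vals) for cat, vals in iocs.items()}

if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_LOG, sample_pid=4100), indent=2))
```

The per-category lists are what would feed signature creation and firewall or intrusion detection rules; the lookup from PID 1320 is dropped because that process is not a descendant of the sample.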

Types of Sandboxes

Now that we’ve grasped the fundamental concept of sandboxes and their significance, let’s explore the different types of sandboxing approaches. These approaches vary in architecture and implementation, each with its strengths and weaknesses. It’s crucial to understand these distinctions to choose the right sandbox technology for your organization.

Emulation-Based Sandboxes (First-Generation)

Historically, the first-generation sandboxes employed emulation-based techniques. While they played a role in early threat analysis, they are now largely outdated. These sandboxes attempt to mimic the execution environment of a potentially malicious file. However, they tend to fall short when dealing with evasive threats, as they often leave traces that the malware can detect.

Hooking or Kernel-Mode Sandboxes (Second-Generation)

The second-generation sandboxes utilize techniques like hooking or kernel-mode analysis. While an improvement over emulation-based methods, these still face challenges when detecting highly evasive malware. Malware can sometimes identify specific indicators within the analysis environment, allowing it to evade detection.

Hypervisor-Based Sandboxes (Third-Generation)

Today’s superior approach to sandboxing is hypervisor-based technology. Here, the malware is executed within a virtualized environment provided by the hypervisor, with the monitoring technology running outside the detonation environment. This architecture prevents malware from detecting any indicators that might suggest monitoring, thereby tricking it into revealing its true behavior.

In the realm of hypervisor-based sandboxing, VMRay stands as a pioneer. VMRay leverages microprocessors designed for cloud computing, which makes its hypervisor approach exceptionally fast, scalable, and resistant to evasion techniques. In this approach, malware samples are detonated within a secure sandbox environment, with their behavior meticulously monitored from the outside. This allows for the comprehensive analysis of the malware’s actions, even without its knowledge, mimicking real-world victim systems.

VMRay’s Intelligent Monitoring further enhances this process, providing unadulterated visibility into the actions of malware or phishing samples during and after detonation. The observed behavior is then subjected to in-depth analysis using over 30 different analysis technologies.

In summary, understanding what a sandbox is, why it’s essential, and the various types of sandboxing approaches is fundamental in the realm of cybersecurity. In the chapters that follow, we will delve deeper into the fascinating world of sandbox evasion and its impact on security automation.
