
What is Sandboxing?
11/8/2023 - Brian O'Neill


Given the opportunity to execute within our live network, malware-infected files can rapidly access sensitive information within our systems, make changes to those systems, and even establish outbound connections to servers operated by remote threat actors.


While our primary objective in cybersecurity is simple – to quickly detect and remove these malware-infected files before disaster strikes – the path to accomplishing that goal in an increasingly innovative & diversified threat landscape is more complex. It requires thoroughly analyzing both the properties and the behaviors of suspicious files, which means carefully observing how they operate in order to determine their true intentions. Since we obviously can’t allow malware to execute within a live network environment, we instead execute suspicious content within a controlled & fundamentally limited environment – commonly referred to as a sandbox.

How does sandboxing typically work?

The goal of a sandbox environment is to isolate potentially malicious files, check those files’ signatures against databases of known threats, and apply various analytical techniques to detect malicious behaviors that might indicate unknown (zero-day) threats.

The process of sandboxing usually starts with separating the suspicious file from any environment where it can cause harm and placing it within a controlled environment. Within that environment, the file can be executed, and cybersecurity analysts – or fully automated cybersecurity tools, in the case of endpoint security solutions – can analyze how the file interacts with the sandbox to detect malicious behaviors. Various techniques can be combined to flag malicious content, including machine-learning algorithms, heuristics, file hashing, whitelisting policies, bytecode analysis, certificate analysis, and more. File signatures can be extracted and compared against databases of known threats to determine whether the suspicious file belongs to a known malware family. Once sandbox analysis is complete, appropriate actions can be taken: files that demonstrated malicious behaviors can be quarantined or deleted, and clean files can be returned to the live environment.

Sandboxing & the Cloudmersive Virus Scan API

The Cloudmersive Virus Scan API scans files for viruses, malware, and other threats within a sandbox environment. When files are loaded into memory, they undergo a rigorous multi-dimensional check including file hashing, signal extraction, pattern matching, heuristics, whitelisting, bytecode analysis, and certificate analysis. All files are scanned in-memory, ensuring the process is both fast (sub-second typical response times) and extremely safe (all file data is released upon scan completion).

The advanced iteration of the Cloudmersive Virus Scan API additionally incorporates 360-degree content verification, allowing custom rules to be set against unwanted & commonly threatening file types. Through this feature, it’s possible to categorically block file types including executables, scripts, HTML, invalid files, password-protected files, unsafe archives (e.g., zip bombs), and more on top of the baseline multi-dimensional scan service. It’s also possible to designate a custom, comma-separated whitelist of acceptable file extensions to significantly limit threat potential.
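To make the content-verification rules above concrete, here is an added example (my own illustration, not Cloudmersive's code or API) of a minimal policy check: it identifies a file's real type from its leading bytes rather than its name, enforces an extension whitelist, blocks executables, scripts and HTML, and flags invalid, password-protected or zip-bomb-like archives. The whitelist, the compression-ratio threshold and the signature table are assumptions chosen for the example.

```python
import io, zipfile

# Constructed policy (an assumption, not Cloudmersive's defaults): each
# whitelisted extension maps to the content kind its bytes must actually show.
ALLOWED = {"pdf": "pdf", "zip": "archive", "docx": "archive"}
MAX_RATIO = 100.0  # assumed uncompressed/compressed threshold for zip-bomb detection
# Leading-byte signatures; matched case-insensitively so any HTML tag casing is caught.
MAGIC = [(b"mz", "executable"), (b"\x7felf", "executable"), (b"#!", "script"),
         (b"<?php", "script"), (b"<!doctype html", "html"), (b"<html", "html"),
         (b"pk\x03\x04", "archive"), (b"%pdf-", "pdf")]

def classify(data: bytes) -> str:
    """Identify the real content kind from leading bytes, ignoring the file name."""
    head = data[:512].lstrip().lower()
    return next((kind for magic, kind in MAGIC if head.startswith(magic)), "unknown")

def check_archive(data: bytes) -> list[str]:
    """Flag encrypted (password-protected) entries and zip-bomb compression ratios."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["invalid archive"]
    findings = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
            findings.append(f"password-protected entry: {info.filename}")
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            findings.append(f"zip-bomb ratio in {info.filename}")
    return findings

def verify(filename: str, data: bytes) -> list[str]:
    """Return the policy violations for one file; an empty list means it passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify(data)
    findings = []
    if ext not in ALLOWED:
        findings.append(f"extension not whitelisted: .{ext}")
    if kind in ("executable", "script", "html"):
        findings.append(f"blocked content type: {kind}")
    elif kind == "archive":
        findings += check_archive(data)
    if ext in ALLOWED and kind != "unknown" and kind != ALLOWED[ext]:
        findings.append(f"extension .{ext} does not match content ({kind})")
    return findings

def sample_zip(name: str, payload: bytes) -> bytes:  # constructed test input
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()
```

A real scanner layers this kind of rule on top of signature and behavioral analysis; the ratio check in particular only catches the simplest single-layer zip bombs.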

For more information on the Cloudmersive Virus Scan API, please do not hesitate to reach out to a member of our sales team.
