
Malware-detecting 'sandboxing' technology no silver bullet

Ellen Messmer | March 27, 2013
The security technology called "sandboxing" aims to detect malicious code by running it inside an instrumented computer-based system of one type or another and analyzing it for behavior and traits indicative of malware. Sandboxing, one alternative to traditional signature-based malware defense, is seen as a way to spot zero-day malware and stealthy attacks in particular. While the technique is often effective, it is hardly foolproof, warns a security researcher who helped establish the sandboxing technology used by startup Lastline.

Another evasion technique, Lastline points out, is the environmental check: before doing anything malicious, the sample queries properties of the machine it is running on and, if the answers look like an analysis system rather than a real user's PC, it stays dormant.

- Malware authors can keep inventing novel, zero-day "environmental checks" against the operating system and "manipulate the return value" as an evasive maneuver; each new check forces vendors to "patch" their sandbox so that the query returns what a real machine would, according to Lastline.
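The check-and-patch cycle described above, modeled in Python as an added example written for this page (it is not code from the article or from Lastline). The host attributes, the threshold values and the "patched" profiles are assumptions and constructed sample data; the only real-world facts used are the NIC address prefixes (OUIs) that VirtualBox (08:00:27) and VMware (00:50:56) assign to virtual adapters.

```python
"""
Added example (not from the article or from Lastline): a small model of the
"environmental check" evasion the article describes and of the sandbox-side
"patch" that counters it. Every host profile below is constructed sample data,
and the HostFacts fields are assumptions chosen for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class HostFacts:
    """What a sample can learn about the host it runs on (assumed fields)."""
    cpu_count: int
    ram_mb: int
    uptime_min: int
    username: str
    recent_docs: int
    mac_prefix: str      # first three octets of the primary NIC's MAC address


# Checks in the malware's role. Each returns True when the host looks like an
# analysis box. These are generic, widely documented heuristics, not a copy of
# any particular sample.
def few_cpus(h):
    return h.cpu_count < 2

def little_ram(h):
    return h.ram_mb < 2048

def fresh_boot(h):
    return h.uptime_min < 10

def analyst_user(h):
    return h.username.lower() in {"sandbox", "malware", "test", "virus"}

def no_user_history(h):
    return h.recent_docs == 0

# A "novel" check the vendor has not yet accounted for: VirtualBox and VMware
# virtual NICs carry fixed vendor prefixes (08:00:27 and 00:50:56).
def vm_nic_vendor(h):
    return h.mac_prefix.lower() in {"08:00:27", "00:50:56"}

KNOWN_CHECKS = [few_cpus, little_ram, fresh_boot, analyst_user, no_user_history]
ALL_CHECKS = KNOWN_CHECKS + [vm_nic_vendor]


def fired_checks(host, checks):
    """Names of the checks that flag `host` as a sandbox: the vendor's to-do list."""
    return [c.__name__ for c in checks if c(host)]


def sample_detonates(host, checks):
    """The sample runs its real payload only when no environmental check fires."""
    return not fired_checks(host, checks)


def patch_sandbox(host, **spoofed):
    """The vendor's fix: make the queried values look like a real user's machine."""
    return replace(host, **spoofed)


# Constructed profiles. A bare analysis VM trips the well-known checks.
BARE_SANDBOX = HostFacts(cpu_count=1, ram_mb=1024, uptime_min=2,
                         username="sandbox", recent_docs=0, mac_prefix="08:00:27")

# The vendor patches the known checks; the NIC prefix is left untouched.
PATCHED_SANDBOX = patch_sandbox(BARE_SANDBOX, cpu_count=4, ram_mb=8192,
                                uptime_min=900, username="jsmith", recent_docs=37)

# A second patch once the novel check has been seen in the wild. The prefix is
# a constructed placeholder standing in for a physical NIC vendor.
REPATCHED_SANDBOX = patch_sandbox(PATCHED_SANDBOX, mac_prefix="3c:52:82")


if __name__ == "__main__":
    for name, host in [("bare", BARE_SANDBOX), ("patched", PATCHED_SANDBOX),
                       ("repatched", REPATCHED_SANDBOX)]:
        fired = fired_checks(host, ALL_CHECKS)
        print(f"{name:10} detonates={not fired}  fired={fired}")
```

Running the script shows the cycle the article describes: the bare VM never sees the payload, the patched VM sees it until the sample adds the NIC check, and the vendor must patch again before the sandbox observes malicious behavior. In a real product the "patch" is not a field assignment but hooking or emulating the OS calls the sample makes, which is why each novel check costs the vendor engineering time while it costs the attacker a few lines of code.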

Lastline seeks to address these sandbox-evasion tricks in the Previct appliance it offers, but Kruegel acknowledges that "there is no 100% security."

Some information-security managers say they value sandboxing as a defensive technology but have no illusions that it will be perfect at detecting and stopping malware.

"Sandboxing will get some of it," says Brad Stroeh, senior network security engineer at First Financial Bank, a Sourcefire customer, in discussing a wide variety of security approaches and the credence he places in them. It is worthwhile to subject suspect files to a sandbox test when possible and to use it as part of the overall defensive process. But since malware can bypass sandbox checks, it only makes sense to use other malware-detection methods as well.
