Content & Malware Analysis

  • 1.  On-Box Sandbox capability enhancement

    Posted Aug 05, 2021 03:59 PM
    1. I am using a CAS-S400 with the on-box sandboxing solution, using IntelliVM with Windows 10 as the profile.

    2. Since the CAS-S400 is deployed on an intranet with no Internet connectivity of any sort, the dirty-line configuration is set to "Same as backend" with an isolated firewall. However, Symantec does not recommend this, as the malware analysis will not be complete in this case.

    3. Therefore, is there any script or solution like FakeNET or InetSim that emulates the Internet environment, so that in cases where an organisation's security policy does not permit Internet connections of any kind, such a solution or script can be installed in CASMA for complete malware analysis and visibility?


  • 2.  RE: On-Box Sandbox capability enhancement

    Broadcom Employee
    Posted Aug 23, 2021 02:00 PM
    Hi Adash,

    Let me clarify that malware analysis will still be completed on the files. Some malicious files remain dormant unless they can successfully reach the internet (i.e., specific Command and Control servers), and so detecting those will be hard without internet access. Replicating the behavior that a unique piece of malware is looking for in order to become active would be hard to do with a script, as different pieces of malware would have different expectations. The patterns subscription does try to keep up with a lot of known malware behavior, but nothing is going to replicate having a dedicated dirty line with direct access to the internet.

    Hope that helps!
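The following is an added example, not part of either post above and not Symantec/Broadcom CAS code. It shows the kind of FakeNet/INetSim-style "fake internet" the question asks about, and why the reply's caveat holds: every DNS A query resolves to a sink address, every HTTP request gets a generic 200 OK, and each request is logged so the analyst still sees what the sample tried to reach. The sink address, listener ports, the DNS query and HTTP request bytes, and the `sample_activates` gate are all constructed for illustration; the gate stands in for a sample that only detonates when its C2 replies with a specific marker, which a generic responder cannot know in advance.

```python
"""Minimal FakeNet/INetSim-style responder for an air-gapped sandbox (added example).

Assumptions: SINK_IP is the host running this script; the guest's DNS points at it.
The example query/request below are constructed, not captured from real malware.
"""
import socket
import struct
import threading

SINK_IP = "10.0.0.1"  # assumption: address every hostname will resolve to


def parse_dns_question(query: bytes):
    """Return (transaction_id, qname, qtype, raw_question_section) from a DNS query."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    tid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount < 1:
        raise ValueError("query carries no question")
    pos, labels = 12, []
    while True:
        if pos >= len(query):
            raise ValueError("truncated question name")
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a plain query name
            raise ValueError("compressed name in question not supported")
        labels.append(query[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(query):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", query[pos:pos + 4])
    return tid, ".".join(labels), qtype, query[12:pos + 4]


def build_dns_response(query: bytes, sink_ip: str = SINK_IP) -> bytes:
    """Answer any A query with sink_ip; answer other types with NOERROR and no records."""
    tid, _qname, qtype, question = parse_dns_question(query)
    if qtype != 1:  # not an A record: the name "exists" but has no such record
        return struct.pack("!HHHHHH", tid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)  # response, RA, NOERROR, 1 answer
    # Answer: name pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4, address
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(sink_ip)
    return header + question + answer


def handle_http(request: bytes):
    """Return (log_record, generic 200 OK response) for one HTTP request."""
    head = request.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0] if parts[0] else "?"
    target = parts[1] if len(parts) > 1 else "?"
    host = "?"
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    record = {"method": method, "target": target, "host": host}
    body = b"<html><body>ok</body></html>"
    response = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
                f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n").encode("ascii") + body
    return record, response


def sample_activates(http_response: bytes, expected_token: bytes = b"X-Cmd: run") -> bool:
    """Hypothetical C2 gate: the sample only detonates if the reply carries its marker."""
    return expected_token in http_response


def serve(dns_port: int = 5353, http_port: int = 8080) -> None:
    """Run the UDP DNS and TCP HTTP listeners (ports assumed; 53/80 need root)."""
    def dns_loop():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("0.0.0.0", dns_port))
        while True:
            data, peer = s.recvfrom(512)
            try:
                s.sendto(build_dns_response(data), peer)
            except ValueError:
                pass  # malformed query: drop it
    threading.Thread(target=dns_loop, daemon=True).start()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0", http_port))
    s.listen(16)
    while True:
        conn, peer = s.accept()
        with conn:
            record, response = handle_http(conn.recv(65535))
            print(f"{peer[0]} {record['method']} {record['host']}{record['target']}")  # analyst visibility
            conn.sendall(response)


# Constructed sample inputs: an A query for c2.example.com and a beacon-style GET
EXAMPLE_QUERY = (struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0)
                 + b"\x02c2\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
EXAMPLE_REQUEST = (b"GET /gate.php?id=1234 HTTP/1.1\r\nHost: c2.example.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    print(parse_dns_question(EXAMPLE_QUERY)[1], "->", SINK_IP)
    _record, _response = handle_http(EXAMPLE_REQUEST)
    print("sample would activate:", sample_activates(_response))
    serve()
```

Run it on the host the sandbox VM uses as its gateway and resolver, and the sample's DNS lookup and first HTTP beacon both succeed and are logged, which is enough to wake up a sample that only checks for connectivity. The `sample_activates` gate shows the limit the reply describes: a generic 200 OK never contains whatever marker a specific C2 hands back, so that sample stays dormant regardless. INetSim and FakeNet-NG do the same thing with more protocols (TLS, SMTP, FTP) and configurable canned responses, but they cannot guess a per-sample marker either.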