Network Security

Network Sandbox: Handle Zero-day Attacks & Unknown Malware


Network Sandbox is a technology that enables organizations to analyze, identify and block zero-day attacks and unknown malware, even before a signature is created for them. Most protection methods depend on signatures and hence may not be able to catch newer types of malware.

A network sandbox is a safe and isolated environment that is on the constant lookout for executable files and other file types (pdf, MS Office, zip, etc.) that enter the network. Malicious code in these files are commonly used by attackers to drop malware, or connect to sources hosting the malware, to penetrate the systems of an organization.

These suspicious files, that have passed successfully through other defense mechanisms like Anti-Virus, IPS, Firewall, etc., are allowed to execute in a Virtual Machine or emulator, in the sandbox. Their activities are monitored and their actions are recorded.

The sandbox resembles a real computer (with OS, applications, software licenses, etc.) on the network, but is safely isolated from the production network.

Network sandbox monitors for generic malware activity like keystroke logging, anti-debugging, accessing registry keys, system files or dynamically linked libraries. It also monitors how these files execute in the system, what files it downloads, what URLs it tries to connect to. Based on this and other info it gathers, Network Sandbox tries to determine whether the files are malware or not.

Network sandbox can be an appliance, a cloud service, or a hybrid service. It can be a stand-alone product, or can be combined with other security products like Firewall/UTM and email/web security gateways.

Generally the malware threat intelligence is in the cloud, managed by a security team at the network sandbox service provider’s side. Customers may pay a yearly fee or an incident-based fee to access this intelligence/expertise.


  • Sandbox only detects the presence of anomalies, it doesn’t contain them, or has limited prevention features.
  • Service providers will create a signature for the malware identified by the network sandbox, but that will take some time.
  • There is no guarantee that a sandbox will work. Its effectiveness depends on its capabilities and the malware writers’ capabilities.
  • Hackers program the malware to wait for many minutes or look for mouse movements before executing its payload. This is done to check for, and deceive, sandboxes.
  • Sandbox needs to work with other security technologies to effectively block/contain threats.

References: Exposing the Unknown: How Sandboxing technology fights modern threats (Checkpoint); Cisco Advanced Malware Protection Sandboxing Capabilities (Cisco, pdf).

You could stay up to date on Computer Networking/IT by subscribing to this blog with your email address in the sidebar box that says, ‘Get email updates when new articles are published’.