1. Support
  2. Glossary
  3. Sandboxing


What is Sandboxing?

Sandboxing is a technique in which you create an isolated test environment, a “sandbox,” in which to execute or “detonate” a suspicious file or URL that is attached to an email or otherwise reaches your network and then observe what happens. If the file or URL displays malicious behavior, then you’ve discovered a new threat. The sandbox must be a secure, virtual environment that accurately emulates the CPU of your production servers.

Sandboxing is particularly effective at defending against zero-day threats. Traditional inbound email filters scan emails for known malicious senders, URLs, and file types. Unfortunately, there are dozens of new (or “zero-day”) threats that appear every single day and are not yet discovered by email filters. Sandboxing, which is a key component of advanced threat protection, provides an added layer of protection in which any email that passes the email filter and still contains unknown URL links, file types, or suspicious senders can be tested before they reach your network or mail server.

Although Sandboxing is an effective and important defense technique, it suffers from two important drawbacks.

  1. Sandboxing is quite time- and resource-intensive. Running all your digital traffic through a sandboxing system is impractical and cost-prohibitive.
  2. Sandboxing can be evaded. As sandboxing became more common, cybercriminals began to design threats with features to help them evade detection. For example, a threat might be programmed to remain dormant until a future date, so that during sandboxing it appears benign. Another effective evasive technique is to make the malware able to detect whether it is in a virtual environment, and to remain dormant until it finds itself in a real desktop or other device.

Why Sandboxing is Important

The quantity and effectiveness of zero-day threats is constantly growing, so you must have a strategy to protect your data and programs from threats that evade traditional email, malware, and virus filters. Sandboxing is among the most full-proof tools for staying one step ahead of hackers. There are cloud-based sandboxing solutions available that provide effective protection without suffering the common drawbacks of degrading your network performance or being easily evaded by clever hackers.

What You Can Do

Barracuda Advanced Threat Protection is a sophisticated cloud-based service that delivers the benefits of sandboxing while eliminating the drawbacks of more traditional, stand-alone sandboxing solutions. Barracuda Advanced Threat Protection applies a multi-layered strategy that uses signature matching, heuristic and behavioral analysis, and static code analysis to pre-filter traffic and identify the vast majority of threats. Finally, it feeds only the small number of remaining suspicious files to a sandbox to definitively identify zero-day threats and block them from reaching your network.

The service scales elastically based on your level of email and network traffic to ensure that it does not negatively impact network or email performance. This makes it far more efficient and cost-effective than a standalone sandboxing solution.

It also employs a variety of techniques to overcome evasion strategies. For example, it detects any attempt by the file being analyzed to query the machine’s registry or memory. It defeats delayed-detonation techniques by advancing its internal clock/calendar. In short, it exposes the suspected malware to all possible environments in which it might activate its malicious behavior — if it has a malicious payload, that payload will be detonated.

And unlike more traditional virtual-machine sandboxing, Barracuda Advanced Threat Protection uses a CPU-emulation sandbox. This makes it indistinguishable from a real desktop machine from the malware’s perspective.

Advanced Threat Protection is available for the following Barracuda products:

Learn More

Contact us to learn more about how to add automatic Sandboxing protection to your organization to stop advanced threats.