How to SANBOX work

dungtn

Hello team.

The Bitdefender Gravityzone Business Security Premium already includes Hyperdetec and Sandbox. However we have some questions about how it works, please help us with good answers.

1. How does Bitdefender identify "suspicious files"? What is the threshold for identifying "suspicious files"?
2. When a "suspicious file" is submitted to the SANBOX cloud. How does Bitdefender delete or archive it after checking it?

Best Regards.

Flexx

https://community.bitdefender.com/en/discussion/100550/how-to-sanbox-work

How Bitdefender Identifies "Suspicious Files"

Bitdefender uses a multi-layered approach to pinpoint suspicious files:

1. Signatures: It compares files against a vast database of known malware signatures. This is the most basic form of detection ( https://www.bitdefender.com/business/infozone/malware-detection-removal.html#:~:text=Signature%2Dbased%20Detection%20Explained&text=These%20signatures%20are%20stored%20in,compared%20against%20the%20signature%20database. )
   
2. Heuristics: It analyzes file behavior for patterns that are typical of malicious software. This is more advanced and can detect new or modified malware variants ( https://www.bitdefender.com/business/support/en/77209-376308-antimalware.html )
   
3. Machine Learning (HyperDetect): It uses complex algorithms to identify files that exhibit unusual or potentially harmful characteristics. This is highly effective against new and emerging threats that haven't been seen before ( https://techzone.bitdefender.com/en/gravityzone-platform/the-power-of-algorithms-and-advanced-machine-learning.html )
   
4. Reputation: It checks the reputation of files based on their prevalence and activity across a vast network of users. Files with a bad reputation are more likely to be malicious ( https://www.bitdefender.com/oem/threat-intelligence-feeds-services.html )
   
5. Sandbox (Advanced Threat Control): When a file is considered particularly risky, it's detonated in a secure sandbox environment to observe its behavior in isolation. This reveals the true nature of the file without risking your system ( https://www.bitdefender.com/business/support/en/77209-376309-advanced-threat-control.html )

Threshold for Identifying "Suspicious Files"

Bitdefender doesn't use a single fixed threshold. It adjusts its sensitivity based on several factors:

• Security Policy: Your chosen policy (e.g., high security vs. balanced) influences how aggressively Bitdefender flags files.
• File Type: Certain file types (e.g., executables, scripts) are inherently riskier than others and are scrutinized more closely.
• Source: Files downloaded from the internet are considered riskier than files originating from local sources.
• Behavior: Files exhibiting unusual behavior (e.g., attempting to modify system files) raise more suspicion.

Sandbox Cloud and File Handling

When a file is sent to the sandbox:

1. Isolation: The file runs in a virtualized environment that mimics a real system.
2. Observation: Bitdefender carefully monitors the file's actions, looking for any malicious activity.
3. Verdict: Based on the analysis, the file is either classified as clean or malicious.

After the Sandbox:

• Clean: The file is released and allowed to run on your system.
• Malicious: The file is blocked and quarantined. It can be deleted or kept for further investigation.

Regards