Dynamic malware analysis
If your enterprise is licensed for the Sandbox module and you selected the Allow and Scan action for large files, you can enable dynamic malware analysis. This feature scans files in a secure sandbox environment that’s isolated from your network. Files are automatically scanned offline or after the file is downloaded. This feature scans files or content that’s up to 64 MB in size.
Unlike static malware analysis, which inspects file contents without running them, dynamic malware analysis opens and executes the files in an isolated sandbox environment and observes whether they perform harmful actions. Sandbox analyzes these files thoroughly, using a number of reverse engineering techniques to test how the files behave.
- Scans files offline (after the file is downloaded).
- Uses advanced detection technology to analyze files and circumvent malware evasion techniques.
- Executes or launches suspicious code within the controlled sandbox environment and observes its behavior.
- Generates a report. Any malicious code and URLs are detailed in a deep scan report that’s available for download in ETP reporting.
- Data from analysis is used to identify malware in real time. This data can be used to identify malware with the same or similar code. For example, dynamic malware analysis can potentially identify zero-day phishing threats.
If you enable dynamic malware analysis to scan files in a sandbox environment, it also scans files as part of inline payload analysis. Even if the initial scans by ETP Proxy determine that a file contains no malware, the file is still scanned within the sandbox environment.