Dynamic malware analysis

If your enterprise is licensed for the Sandbox module and you selected the Allow and Scan action for large files, you can enable dynamic malware analysis. This feature scans files in a secure sandbox environment that's isolated from your network. Files are scanned automatically and offline, that is, after the file has already been delivered to the user. Files or content up to 64 MB in size are scanned.

Unlike static malware analysis, which inspects file contents without running them, dynamic malware analysis opens and executes the files in an isolated sandbox environment and observes whether they perform harmful actions. Sandbox thoroughly analyzes these files using a number of reverse engineering techniques to test how the files behave.

The sandbox environment:
  • Scans files offline (after the file is downloaded).
  • Uses advanced detection technology to analyze files and circumvent malware evasion techniques.
  • Executes or launches suspicious code within the controlled sandbox environment and observes its behavior.
  • Generates a report. Any malicious code and URLs are detailed in a deep scan report that’s available for download in ETP reporting.
  • Feeds the results back into real-time detection. Data from the analysis is used to identify malware that has the same or similar code, so dynamic malware analysis can potentially identify zero-day phishing threats.
Note: This feature is available to organizations that are licensed for the Advanced Sandbox module.

If you enable dynamic malware analysis, files that go through inline payload analysis are also sent to the sandbox environment. Even if the initial inline scans by ETP Proxy determine that a file contains no malware, the file is still scanned within the sandbox environment. Because the sandbox scan runs offline, after the file has already been delivered, a sandbox detection is reported as a threat event rather than blocking the download.

If a threat is detected in the sandbox environment, a deep scan report with test and scan results is available with the associated threat event. You can download the report in PDF format. For more information, see Deep scan report for dynamic malware analysis.
Note: If scanned content uses a one-time token or a one-time URL, the sandbox environment may consume the token or URL when it fetches and opens the content, or the token or URL may expire before the user can use it. As a result, the user's request fails when they attempt to access this content. To resolve this issue, the end user can initiate the request or download again. An ETP administrator can also add the domains for these requests to an exception list so they bypass the sandbox.