Bitdefender B2B Help Center

Sandbox Analyzer On-premises

To make sure the Sandbox Analyzer On-premises installation goes smoothly, follow these steps:

Prepare for installation

Before installing Sandbox Analyzer On-premises, make sure that:

  • The VMware ESXi hypervisor is installed and configured. For details, refer to the vSphere Installation and Setup documentation, section 2: "Installing and Setting Up ESXi".

  • Bitdefender GravityZone virtual appliance is deployed and configured.

Note

Regarding the VMware ESXi hypervisor, make sure:

  • ESXi version is supported. See Sandbox Analyzer On-premises requirements.

  • VMFS datastore version is 5.

  • SSH is enabled in Startup policy with the Start and stop with host configuration.

  • NTP service is active and configured.

The Sandbox Analyzer On-premises license key controls the maximum number of concurrent detonations. Since each detonation requires a running virtual machine instance, the number of concurrent detonations is reflected in the number of virtual machines created. For details about adding license keys in GravityZone Control Center, refer to License management.

Deploy Sandbox Analyzer virtual appliance (Security Appliance Sandbox)

To deploy the Sandbox Analyzer virtual appliance:

  1. Log in to the GravityZone Control Center.

  2. Go to the Network > Packages page.

  3. Select the Sandbox Analyzer check box from the table.

  4. Click the Download button at the upper-left side of the page. Select the Security Appliance (ESXi standalone) option.

  5. Use your virtualization management tool (for example, vSphere Client) to import the downloaded OVA file into your virtual environment.

    Note

    When deploying the OVA file, configure the networks as follows:

    • Bitdefender Network - this is the network where other Bitdefender components reside. This is the network interface card (NIC) that communicates with the GravityZone environment.

    • Private Detonation Network - this network will be used by Sandbox Analyzer for internal communication. This network must be isolated from any other network segments.

    • Internet Access Network - Sandbox Analyzer will use this network for obtaining the latest updates.

  6. Power on the appliance.

  7. From your virtualization management tool, access the console interface of the Sandbox Analyzer Virtual Appliance.

  8. When prompted for credentials, use root for username and sve for password.

  9. Access the configuration menu by running the following command:

    /opt/bitdefender/bin/sandbox-setup

  10. In the Sandbox configuration menu, make the following settings:

    1. Network configuration. Select this option to configure the management NIC. Sandbox Analyzer will use this network interface to communicate with GravityZone.

      The IP address can be manually specified or automatically through DHCP.

    2. Internet proxy configuration. For the installation to succeed, Sandbox Analyzer requires an internet connection. If needed, you can configure Sandbox Analyzer to use a proxy server by specifying these details:

      • Host - IP or FQDN of the proxy server. Use the following syntax: http://<IP/Hostname>:<Port>.

      • User and password - you need to type in the password twice.

      • Domain - the Active Directory domain, if applicable.

    3. Communication server configuration. Specify either the IP address or the hostname of the appliance running the Communication Server role.

      Use the following syntax: http://<IP/Hostname>:<Port>. The default port is 8443.

      Note

      As soon as IP address or hostname is specified, and configuration is saved, the Sandbox Analyzer instance will become visible in GravityZone Control Center, in the Sandbox Analyzer > Infrastructure page.

    4. Virtualized host configuration. Sandbox Analyzer uses ESXi server to provision the malware analysis infrastructure. Using Virtualized host configuration, you connect the Sandbox Analyzer appliance to the ESXi host by providing the following information:

      • The ESXi server IP address.

      • Root credentials for accessing the ESXi host.

      • Datastore dedicated to Sandbox Analyzer.

        Type in the datastore name as displayed by ESXi.

      • Name of the folder used on datastore for storing virtual machines images.

        If this folder does not exist, you must create it on the datastore before saving the Sandbox Analyzer configuration.

    5. VM Images. To build detonation virtual machines for Sandbox Analyzer, you need to copy the VMDK files containing the desired images into the Images folder specified in the Virtualized host configuration menu. For each image, you can configure the following settings in the VM Images menu:

      1. In the Image configuration menu, specify the image name (as it will be displayed in GravityZone Control Center) and the operating system.

        Note

        The folder containing the VM images is periodically scanned and new entries are reported to GravityZone. These entries are visible in Control Center, in the Sandbox Analyzer > Infrastructure > Image Management page. For details, refer to this topic.

        In certain situations, when using Sandbox Analyzer, you may encounter issues with the detonation virtual machines. To address these issues, you need to disable the anti-fingerprinting option. For details, refer to Anti-fingerprinting Techniques.

      2. In the DMZ hosts menu, you can whitelist the hostnames that third-party services and components embedded in the virtual machines require to communicate with Sandbox Manager. For details, refer to DMZ Hosts.

      3. In the Cleanup menu, you can remove VM images that you do not need anymore.

    6. Bootstrap sandbox. Once you have added the Sandbox Analyzer configuration details, proceed with the installation by selecting this option. The status of the installation will be reflected in GravityZone Control Center, in the Sandbox Analyzer > Infrastructure page.

    After installation, the Sandbox Analyzer virtual appliance will be displayed as Security Appliance Sandbox in the Configuration > Update > Components section of GravityZone Control Center.

During installation, you may encounter errors sometimes. To help you overcome them, refer to: Installation error codes for Sandbox Analyzer On-premises.
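The proxy host (step 10.2) and the Communication Server address (step 10.3) both use the http://<IP/Hostname>:<Port> syntax, and a mistake there is easier to catch before the configuration is saved than after. The following Python script is an added example, not part of this article and not Bitdefender's own tooling: it checks a value against that syntax before you type it into the setup menu, applies the 8443 default when a Communication Server port is omitted, and accepts an IPv4, IPv6 or FQDN host. The article does not say exactly what the setup menu accepts or rejects, so the rules below (http only, no path, no credentials in the URL, RFC 1123 hostname labels) are this example's own assumptions.

```python
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen (RFC 1123).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(host: str) -> bool:
    """True for an IPv4/IPv6 literal or a syntactically valid hostname/FQDN."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    name = host.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_endpoint(value: str, default_port: Optional[int] = None) -> Tuple[str, int]:
    """Parse 'http://<IP/Hostname>:<Port>' into (host, port).

    Raises ValueError describing the first problem found. If the port is
    omitted and default_port is given (8443 for the Communication Server),
    that default is returned. The strictness here is an assumption of this
    example, not documented behaviour of the sandbox-setup menu.
    """
    parts = urlsplit(value.strip())
    if parts.scheme != "http":
        raise ValueError("scheme must be http")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("only scheme, host and port are allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials go in the User and Password fields, not in the URL")
    host = parts.hostname
    if not host or not is_valid_host(host):
        raise ValueError("host must be an IP address or FQDN")
    try:
        port = parts.port  # urlsplit raises for non-numeric or >65535 ports
    except ValueError as exc:
        raise ValueError("port must be a number between 1 and 65535") from exc
    if port is None:
        if default_port is None:
            raise ValueError("port is required")
        port = default_port
    if not 1 <= port <= 65535:
        raise ValueError("port must be a number between 1 and 65535")
    return host, port


def endpoint_error(value: str, default_port: Optional[int] = None) -> Optional[str]:
    """Return None if value is acceptable, otherwise the reason it is not."""
    try:
        parse_endpoint(value, default_port)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values; the hostnames are placeholders, not real infrastructure.
    for candidate, default in [
        ("http://gz-comm.example.local", 8443),     # Communication Server, port defaulted
        ("http://proxy.example.local:3128", None),  # proxy server
        ("https://10.0.0.5:8443", 8443),            # wrong scheme
    ]:
        problem = endpoint_error(candidate, default)
        print(candidate, "->", "OK" if problem is None else f"rejected: {problem}")
```

Run it with no arguments to see the three constructed checks, or import parse_endpoint into your own provisioning script so the value is validated once and then pasted into the menu.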

Anti-fingerprinting techniques

By default, during the image build process, Sandbox Analyzer enables various anti-fingerprinting techniques. Certain types of malware are capable of determining whether they are running in a sandbox environment and, if so, they will not activate their malicious routines.

The purpose of the anti-fingerprinting techniques is to simulate various conditions in order to mimic a real-world environment. Because the possible combinations of deployed software and environment configuration are virtually unlimited, and cannot be foreseen or controlled in advance, certain techniques may not be compatible with the software installed in the golden image. You can recognize such rare situations by the following symptoms:

  • Errors during the image build process.

  • Errors when trying to run the software inside the image.

  • Failure messages returned when detonating samples.

  • Licensed software no longer working due to invalid license keys.

A quick remedy to such rare occurrences consists of rebuilding the image with the anti-fingerprinting techniques disabled. To do so, follow the steps below:

  1. Log in to GravityZone Control Center and delete the image.

  2. Log in to Sandbox Analyzer appliance and launch the Sandbox Analyzer appliance console by running the following command:

    /opt/bitdefender/bin/sandbox-setup

  3. Go to VM Images > Image Configuration.

  4. Select the image that is causing problems.

  5. Go to Anti-fingerprinting option.

  6. Deselect the corresponding check box to disable anti-fingerprinting techniques.

For the list of errors you may encounter while building VM images, refer to Error codes for image management in Sandbox Analyzer.

Additionally, refer to these topics:

DMZ hosts

During the image building process, a virtual infrastructure will be created to facilitate communication between the Sandbox Manager and the virtual machines. From the network perspective, this translates into an isolated network environment that will contain all the potential communication that a detonated sample might create.

The DMZ servers menu allows you to whitelist hostnames that third-party services and components embedded in the virtual machines require to communicate with in order to function properly.

An example for this situation would be the KMS licensing servers used by Windows licensing, if a Volume license is applied on the supplied virtual machines.

What to do next

After installing the Sandbox Analyzer Virtual Appliance, you can take these actions:

Deploy Network Security virtual appliance

This section describes how to deploy Network Security Virtual Appliance, a Sandbox Analyzer component that captures network traffic (PCAP files) and submits suspicious samples for behavioral analysis.

Important

This virtual appliance, which provides the Network Sensor for Sandbox Analyzer On-Premises, should not be confused with the XDR component. For Network Sensor in XDR, refer to this topic.

To deploy the Network Security Virtual Appliance:

  1. Log in to the GravityZone Control Center.

  2. Go to the Network > Packages page.

  3. Select the Network Security Virtual Appliance check box from the table.

  4. Click the Download button at the upper-left side of the page and select the (VMware OVA) option.

  5. Use your virtualization management tool (for example, vSphere Client) to import the downloaded OVA file into your virtual environment.

  6. In the deployment wizard, select the network interface card (NIC) used for communication with GravityZone and the NIC used for capturing traffic.

  7. Power on the appliance.

  8. From your virtualization management tool, access the console interface of GravityZone SVE SVA Network Security Virtual Appliance.

  9. When prompted for credentials, use root for username and sve for password.

  10. Access the configuration menu by running the following command:

    /opt/bitdefender/bin/nsva-setup

  11. Go to the Communication server configuration menu option.

  12. Specify the IP address or hostname, and the port of a GravityZone Communication Server.

    Use the following syntax: http://<IP/Hostname>:<Port>. The default port is 8443.

  13. Save the configuration.

Configure Network Sensor to detonate PCAP files

The Network Sensor can extract content from network capture files (PCAP) and automatically send it for detonation to the Sandbox Analyzer instance.

To detonate content from PCAP files:

  1. Log in to Network Security virtual appliance.

  2. When prompted for credentials, use root for username and sve for password.

  3. Run the following command:

    /opt/bitdefender/bin/scan-pcap <local pcap path>

    In the above command, <local pcap path> represents the location where the PCAP file is uploaded in the Network Security Virtual Appliance.
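As an added example (not part of this article and not Bitdefender's scan-pcap tool), the Python script below pre-checks a capture file before it is uploaded to the appliance and passed to scan-pcap: it recognizes the classic pcap and pcapng magic numbers, walks every pcap record header, and reports truncation, malformed record lengths or an empty capture. The article does not say how scan-pcap handles damaged input, so catching these cases beforehand is this example's own assumption; the build_sample_pcap helper produces a constructed capture used only to exercise the check, not a real recording.

```python
import struct
from typing import Dict, List

# Magic numbers of the capture formats, with the byte order used for the rest of the file.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("pcap", "<"),     # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ("pcap", ">"),     # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("pcap", "<"),     # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ("pcap", ">"),     # big-endian, nanosecond timestamps
    b"\x0a\x0d\x0d\x0a": ("pcapng", None),  # pcapng Section Header Block
}

_GLOBAL_HEADER = 24  # magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
_RECORD_HEADER = 16  # ts_sec(4) ts_frac(4) incl_len(4) orig_len(4)


def inspect_capture(data: bytes) -> Dict[str, object]:
    """Classify raw capture bytes and, for classic pcap, walk every record.

    Returns a dict with 'format', 'ok' and 'reason'; for classic pcap also
    'version', 'linktype', 'snaplen' and 'records'. 'ok' is False for unknown
    formats, truncated files, malformed record lengths and captures with no packets.
    """
    if len(data) < 4:
        return {"format": None, "ok": False, "reason": "too short to hold a magic number"}
    fmt, endian = _MAGICS.get(data[:4], (None, None))
    if fmt is None:
        return {"format": None, "ok": False, "reason": "unknown magic bytes"}
    if fmt == "pcapng":
        # pcapng uses a different block structure; recognized here but not walked.
        return {"format": "pcapng", "ok": True, "reason": "pcapng recognized; blocks not walked"}
    if len(data) < _GLOBAL_HEADER:
        return {"format": "pcap", "ok": False, "reason": "truncated global header"}
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:_GLOBAL_HEADER]
    )
    result: Dict[str, object] = {
        "format": "pcap", "version": f"{major}.{minor}", "linktype": linktype, "snaplen": snaplen,
    }
    offset, records = _GLOBAL_HEADER, 0
    while offset < len(data):
        if len(data) - offset < _RECORD_HEADER:
            result.update(records=records, ok=False,
                          reason=f"truncated record header after {records} records")
            return result
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + _RECORD_HEADER]
        )
        # incl_len can never exceed the snapshot length or the original wire length.
        if incl_len > snaplen or incl_len > orig_len:
            result.update(records=records, ok=False, reason=f"malformed length in record {records}")
            return result
        if offset + _RECORD_HEADER + incl_len > len(data):
            result.update(records=records, ok=False,
                          reason=f"truncated packet data after {records} records")
            return result
        offset += _RECORD_HEADER + incl_len
        records += 1
    result.update(records=records, ok=records > 0, reason="" if records else "no packet records")
    return result


def inspect_capture_file(path: str) -> Dict[str, object]:
    """Read a local capture file (whole file in memory) and inspect it."""
    with open(path, "rb") as fh:
        return inspect_capture(fh.read())


def build_sample_pcap(payloads: List[bytes], snaplen: int = 65535) -> bytes:
    """Constructed test input: little-endian classic pcap, linktype 1 (Ethernet),
    one record per payload. Not a real capture; used only to exercise inspect_capture."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    body = b"".join(
        struct.pack("<IIII", 1_700_000_000 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(payloads)
    )
    return header + body


if __name__ == "__main__":
    import sys
    # Usage: python precheck_pcap.py <local pcap path>; exits 0 only when the file looks sound.
    # With no argument, a constructed sample is inspected instead.
    if len(sys.argv) > 1:
        report = inspect_capture_file(sys.argv[1])
    else:
        report = inspect_capture(build_sample_pcap([b"\x00" * 60, b"\xff" * 42]))
    print(report)
    sys.exit(0 if report["ok"] else 1)
```

Run it against the uploaded file first and only call scan-pcap when it exits 0; a non-zero exit with "truncated" in the reason usually means the upload was interrupted, while "unknown magic bytes" means the file is not a capture at all.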

The Network Sensor is configurable in the policy. For details, refer to this topic.

After detonation, the resulting reports are available in the Sandbox Analyzer section on the left-side main menu in GravityZone Control Center. For details on how to view and use them, refer to this topic.