Skip to main content

Sandbox Analyzer architecture

Bitdefender Sandbox Analyzer provides a powerful layer of protection against advanced threats by performing automatic, in-depth analysis of suspicious files which are not yet signed by Bitdefender antimalware engines.

Sandbox Analyzer contains the following components:

  • Sandbox Analyzer Portal. This component is a hosted communication server used for handling requests between endpoints and the Bitdefender sandbox cluster.

  • Sandbox Analyzer Cluster. This component is the hosted sandbox infrastructure where the sample behavioral analysis occurs. At this level, the submitted files are detonated on virtual machines running Windows 10. The Sandbox Analyzer infrastructure is deployed in Netherlands and United States (Iowa).

GravityZone Control Center operates as management and reporting console, where you configure the security policies, view analysis reports and notifications.

Bitdefender Endpoint Security Tools, the security agent installed on endpoints, acts as a feeding sensor to Sandbox Analyzer.


Once the Sandbox Analyzer service is activated from Control Center on endpoints:

  1. The Bitdefender security agent starts to submit suspicious files that match the protection rules set in the policy.

  2. After the files are analyzed, a response is sent back to the Portal and further to the endpoint.

  3. If a file is detected as dangerous, the user gets notified and a remediation action is taken.

The analysis results are preserved by file hash value in the Sandbox Analyzer database. When a previously analyzed file is submitted from a different endpoint, a response is immediately sent back as the results are already available in the database.