Sandbox Analyzer

Bitdefender Sandbox Analyzer provides a powerful layer of protection against advanced threats by performing automatic, in-depth analysis of suspicious files that are not identified by Bitdefender antimalware engines yet. Sandbox Analyzer employs an extensive set of Bitdefender technologies that executes payloads in a contained virtual environment hosted by Bitdefender, analyzes their behavior and reports any subtle system changes that is indicative of malicious intent.

Sandbox Analyzer automatically submits suspicious files residing on the managed endpoints, yet hidden to signature-based antimalware services. Dedicated heuristics embedded in the Antimalware on-access module from Bitdefender Endpoint Security Tools trigger the submission process.

The Sandbox Analyzer service is able to prevent unknown threats from executing on the endpoint. It operates in either monitoring or blocking mode, allowing or denying access to the suspicious file until a verdict is received. Sandbox Analyzer automatically resolves discovered threats according to the remediation actions defined in the security policy for the affected systems.

Additionally, Sandbox Analyzer allows you to manually submit samples directly from Control Center, letting you decide what to do further with them.

Important

The manual submission is available to GravityZone users with Manage Networks right.

Useful topics to get you started:

Components

Sandbox Analyzer is dependent on the following components:

GravityZone Control Center
Security agent (Bitdefender Endpoint Security Tools installed on Windows endpoints)

Make sure that your GravityZone license includes Sandbox Analyzer.

Configure the feature

To use Sandbox Analyzer, you need to assign on endpoints a GravityZone policy with this feature enabled and configured. Follow the steps below:

In GravityZone Control Center, go to the Policies page from the left side menu.
You can either:
- Create a new policy.
- Edit one of your existing policies.
Configure the policy details: name, general settings, modules and roles.
For details on how to configure a policy, refer to Configuring computer and virtual machine policies.
To enable the feature, go to the Sandbox Analyzer > Endpoint Sensor section and select the Automatic sample submission from managed endpoints check box.
In the same section, configure the available options, such as connection settings, analysis mode, remediation actions, and content prefiltering, which includes exceptions from submission and file size limit.
For details on configuring this feature in policy, refer to Sandbox Analyzer.
Save the policy.
Go to the Network page from the left side menu and assign the policy to the target Windows endpoints.
For details, refer to Assigning policies.
If you enabled Sandbox Analyzer in an already assigned policy, the endpoints automatically receive the new settings.

Test out the feature

Here is how you test out Sandbox Analyzer in GravityZone.

After Sandbox Analyzer becomes active on endpoints, the security agent automatically submit any suspicious files that were bypassed by other protection technologies. Analyzing these samples occurs in a process called detonation, which may take several minutes, depending on the complexity.

To view the results, go to the Sandbox Analyzer page in the GravityZone Control Center main menu. All files have dedicated submission cards that display the verdict and various details. For the report that explains all the actions that the infected sample would have taken if it had not been detected, click the View button.

For details on what you can do on the Sandbox Analyzer page, refer to Analyzing threats in sandbox.

If the security agent did not submit samples to Sandbox Analyzer because other protection technologies have most likely already detected them, you can manually send files for detonation. To use manual submission, you do not need to have Sandbox Analyzer enabled in the policy.

To manually submit samples, follow these steps:

In GravityZoneControl Center main menu, go to Sandbox Analyzer > Manual Submission.
On the Upload page, click the Browse button under Files to select the target samples.
Alternately, select the URL option if you want to enter the web location for the sample.
Under Detonation Settings, enter command-line arguments and specify if you want multiple samples to be detonated individually.
On the General Settings page, change the conditions under which the detonation would take place. For example, allocate more minutes for each detonation or increase the number of reruns in case the process fails repeatedly.
After you click Save, the settings on this page apply to the current and all subsequent submissions.
Click Submit.
GravityZone starts analysis immediately after submission and it may take several minutes.
For results, go to the Sandbox Analyzer page from the left side menu. All files have dedicated submission cards that display the verdict and details. For the report that explains all the actions that the infected sample would have taken in your environment, click the View button.

For more details on manual submission procedure and settings, refer to Manual submission.

In this section:

Sandbox Analyzer

Important

Components

Configure the feature

Test out the feature

Search results