Sandbox Analyzer architecture

Bitdefender Sandbox Analyzer provides a powerful layer of protection against advanced threats by performing automatic, in-depth analysis of suspicious files which are not yet signed by Bitdefender antimalware engines.

To use this module with GravityZone, you need to install Sandbox Analyzer On-premises.

Sandbox Analyzer is available in two variants:

  • Sandbox Analyzer Cloud, hosted by Bitdefender.

  • Sandbox Analyzer On-premises, available as a virtual appliance that can be deployed locally.

Sandbox Analyzer Cloud

Sandbox Analyzer Cloud contains the following components:

  • Sandbox Analyzer Portal – a hosted communication server used for handling requests between endpoints and the Bitdefender sandbox cluster.

  • Sandbox Analyzer Cluster – the hosted sandbox infrastructure where the sample behavioral analysis occurs. At this level, the submitted files are detonated on virtual machines running Windows 7.

GravityZone Control Center operates as the management and reporting console, where you configure security policies and view analysis reports and notifications.

Bitdefender Endpoint Security Tools, the security agent installed on endpoints, acts as a feeding sensor to Sandbox Analyzer.

Sandbox Analyzer On-premises

Sandbox Analyzer On-premises is delivered as an Ubuntu Linux virtual appliance, packaged as a virtual machine image that is easy to install and configure through a command-line interface (CLI). Sandbox Analyzer On-premises is available in OVA format, deployable on VMware ESXi.

A Sandbox Analyzer On-premises instance contains the following components:

  • Sandbox Manager. This component is the sandbox orchestrator. Sandbox Manager connects to the ESXi hypervisor through its API and uses the hypervisor's hardware resources to build and operate the malware analysis environment.

  • Detonation virtual machines. This component consists of virtual machines leveraged by Sandbox Analyzer to execute files and analyze their behavior. The detonation virtual machines can run Windows 7 and Windows 10 64-bit operating systems.

GravityZone Control Center operates as the management and reporting console, where you configure security policies and view analysis reports and notifications.

Sandbox Analyzer On-premises operates the following feeding sensors:

  • Endpoint sensor. Bitdefender Endpoint Security Tools for Windows acts as the feeding sensor installed on endpoints. The Bitdefender agent uses advanced machine learning and neural network algorithms to identify suspicious content and submit it to Sandbox Analyzer, including objects from the centralized quarantine.

  • Network sensor. Network Security Virtual Appliance (NSVA) is a virtual appliance deployable in the same virtualized ESXi environment as the Sandbox Analyzer instance. The network sensor extracts content from network streams and submits it to Sandbox Analyzer.

  • ICAP sensor. Bitdefender Security Server, integrated with network attached storage (NAS) devices through the ICAP protocol, supports content submission to Sandbox Analyzer.

In addition to these sensors, Sandbox Analyzer On-premises supports manual submission and submission through the API.