Cloud-Based Sandboxing

Cloud-based sandboxing refers to the ability of network security devices such as firewalls to:

  1. Query a database to see whether content traversing the network matches a known signature.
  2. Upload unknown, suspicious content to the sandboxing cloud and observe whether it misbehaves.

The devil is in the details.

How frequently is the cloud updated?

Most vendors do not like to share; each builds its own repository of signatures. If you want evidence of how poorly this works, submit a bad piece of malware to Virus Total. You would be lucky to see more than 3 or 4 out of 54 vendors with a pre-existing signature. So, when a vendor tries to sell you its cloud-based sandbox for top dollar, ask yourself: "Do I really want to pay for 1/54 of what I could get if I signed up with a signature sharing service such as Virus Total?" I would not.

Is this really a sandbox or more like an autopsy?

Some vendors will try to sell you a cloud-based sandbox for thousands of dollars a year; but if you read the fine print, it may say that the processing time is 2 hours or more. This means that if you received an unknown email attachment, you would not know what to do with it for 2 hours or more. Some sandboxing services are better and give you an answer within minutes. So be careful what you sign up for.
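As an added example (not code from the original post or from MetaFlows), here is the two-step flow described at the top of this page, signature lookup followed by sandbox detonation, with the turnaround budget this section warns about built into the decision. The signature database, engine names, sample contents and both sandboxes are constructed stand-ins; the sandboxes are simulated and differ only in how long their verdict takes. In a real deployment the lookup would query a multi-engine service by hash (for instance VirusTotal's `GET /api/v3/files/{sha256}`) and the sandbox call would be a submit-and-poll against the vendor's API.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

# --- Step 1: signature lookup -------------------------------------------
# Constructed sample database: sha256 -> per-engine verdicts. The content
# and engine names are made up for this example; a real deployment would
# query a multi-engine service by hash instead of a local dict.
KNOWN_BAD = b"constructed sample: known bad attachment"
KNOWN_GOOD = b"constructed sample: known benign attachment"

SIGNATURE_DB = {
    hashlib.sha256(KNOWN_BAD).hexdigest(): {
        "EngineA": "malicious", "EngineB": "malicious", "EngineC": "clean",
        "EngineD": "malicious", "EngineE": "clean",
    },
    hashlib.sha256(KNOWN_GOOD).hexdigest(): {
        "EngineA": "clean", "EngineB": "clean", "EngineC": "clean",
        "EngineD": "clean", "EngineE": "clean",
    },
}


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def signature_lookup(content: bytes, db=SIGNATURE_DB) -> Optional[tuple]:
    """Return (detections, engines) if the hash is known, else None.

    Querying by hash means the content itself never leaves the network
    unless it is unknown; only unknown content goes on to step 2.
    """
    verdicts = db.get(sha256_hex(content))
    if verdicts is None:
        return None
    detections = sum(1 for v in verdicts.values() if v == "malicious")
    return detections, len(verdicts)


# --- Step 2: sandbox detonation ------------------------------------------
@dataclass
class SandboxResult:
    verdict: str            # "malicious" or "clean"
    elapsed_seconds: int    # how long the verdict took to come back


# Simulated sandboxes (assumption: no real detonation happens here). Both
# flag a constructed "drop-and-exec" marker; they differ only in turnaround,
# which is the fine-print property the text warns about.
def fast_sandbox(content: bytes) -> SandboxResult:
    verdict = "malicious" if b"drop-and-exec" in content else "clean"
    return SandboxResult(verdict, elapsed_seconds=90)


def slow_sandbox(content: bytes) -> SandboxResult:
    verdict = "malicious" if b"drop-and-exec" in content else "clean"
    return SandboxResult(verdict, elapsed_seconds=2 * 60 * 60)


# --- Decision policy -----------------------------------------------------
def triage(content: bytes,
           sandbox: Callable[[bytes], SandboxResult],
           max_wait_seconds: int,
           min_detections: int = 1,
           db=SIGNATURE_DB) -> tuple:
    """Return (action, reason) where action is 'block', 'deliver' or 'hold'.

    min_detections is the number of engines that must agree before a
    signature hit is treated as malicious; a single-engine hit may be a
    false positive, so tune this to your tolerance.
    """
    hit = signature_lookup(content, db)
    if hit is not None:
        detections, engines = hit
        action = "block" if detections >= min_detections else "deliver"
        return action, f"signature hit: {detections}/{engines} engines"

    result = sandbox(content)
    if result.elapsed_seconds > max_wait_seconds:
        # The verdict arrived too late to act on inline. Quarantine the
        # attachment rather than deliver it, and act on the verdict later.
        return "hold", (f"sandbox needed {result.elapsed_seconds}s, "
                        f"budget was {max_wait_seconds}s")
    action = "block" if result.verdict == "malicious" else "deliver"
    return action, f"sandbox verdict {result.verdict} in {result.elapsed_seconds}s"


if __name__ == "__main__":
    unknown_bad = b"constructed sample: never-seen attachment drop-and-exec"
    for label, content, sandbox in [
        ("known bad", KNOWN_BAD, fast_sandbox),
        ("known good", KNOWN_GOOD, fast_sandbox),
        ("unknown, fast sandbox", unknown_bad, fast_sandbox),
        ("unknown, slow sandbox", unknown_bad, slow_sandbox),
    ]:
        print(f"{label:24} -> {triage(content, sandbox, max_wait_seconds=600)}")
```

The point of the `hold` branch is the one this section makes: a sandbox whose verdict takes two hours cannot feed an inline delivery decision, so the only safe outcomes are quarantine now and act on the late verdict, or pick a service whose turnaround fits your delivery budget.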

How is MetaFlows Better?

For starters, we use Virus Total, so when checking for a content signature you are using ALL antivirus systems at once: all 54, not 1. Why would you rely on one vendor's database?

Recently, we started our own cloud-based sandboxing service. The rationale is that it complements the signature checking system when something is brand new and nobody in the world has seen it before (not even Virus Total!). A best-effort sandboxing service comes standard with our appliances. Typically the sandbox can execute a sample in anywhere from 90 seconds to 10 minutes or so (not 2 hours!). Our customers do not pay for this, because we feed the results back into the community through Virus Total. If we find a new bad email attachment, we notify our customer and block it; but we also help the community by letting the rest of the world know about it (we like sharing).

A paid service guarantees execution within 120 seconds, and an on-site sandboxing appliance can reduce the time even further, to approximately 30-60 seconds. When you pay for these services, we let you decide whether you want to share or not; we hope you will share, but it is up to you.