Why Hasn’t Zero-Hour Sandbox Protection Taken Off?

A few years ago, a new technique for catching zero-hour viruses became available: control software emulates a receiving PC, executes file attachments inside that emulation, and monitors the emulated machine for errant behavior.

This appears to be a very useful technique for controlling zero-hour viruses, which by definition slip past signature-based methods until a signature has been written and distributed.

Avinti's iSolation Server is the main example. However, adoption has been slow. Why is this? The main reasons appear to be:

  • The hardware required to run a full PC emulation for every attachment is substantial.
  • Integrating the emulator with other malware control techniques is clumsy and increases total cost of ownership (TCO). It is much easier and more efficient to apply all the control technology to freshly arriving email in one place than to route incoming email through a series of separate malware-processing stages.

In the Avinti model, the emulation runs inside a virtual machine (e.g., using VMware) on a central server. Other vendors instrument the actual desktop machine instead, intercepting ("hooking") key Windows APIs so that an attachment's behavior is observed on the PC where it runs.
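Whether the events come from an in-VM monitor (the Avinti model above) or from hooked Windows APIs on the desktop, the sandbox still has to turn a stream of observed calls into a verdict. The following is an added example, not code from Avinti or any vendor on this page: a small rule engine that scores a constructed API-call trace for the kinds of "errant behavior" a zero-hour sandbox looks for (dropping an executable, writing a persistence registry key, spawning a process, connecting out, mass mailing). The rule set, weights, thresholds and both sample traces are assumptions made up for illustration.

```python
"""Toy behaviour-verdict engine for an attachment sandbox (added example).

Input: the API-call events an in-VM monitor or a desktop API hook would log
while an attachment runs. Rules, weights and thresholds are illustrative
assumptions; they are not Avinti's or any other vendor's.
"""
from collections import Counter

# Assumed watch-list: registry keys that give a program persistence at logon.
PERSISTENCE_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".vbs")


def _writes_executable(args):
    return (args.get("path", "").lower().endswith(EXECUTABLE_EXT)
            and "write" in args.get("access", ""))


def _writes_persistence_key(args):
    return args.get("key", "").lower().startswith(PERSISTENCE_KEYS)


# Per-event rules: (name, weight, predicate). Each contributes its weight at
# most once per trace, so a chatty but harmless program is not scored up by
# sheer repetition of one action.
EVENT_RULES = [
    ("drops_executable", 3, lambda e: e["api"] == "CreateFile" and _writes_executable(e["args"])),
    ("persistence_key",  4, lambda e: e["api"] == "RegSetValueEx" and _writes_persistence_key(e["args"])),
    ("spawns_process",   2, lambda e: e["api"] == "CreateProcess"),
    ("outbound_connect", 3, lambda e: e["api"] in ("connect", "InternetOpenUrl")),
]
MASS_MAIL_RECIPIENTS = 5  # assumption: this many distinct RCPT TO targets looks like a mailer
MASS_MAIL_WEIGHT = 5
VERDICT_THRESHOLD = 6     # assumption: no single behaviour is enough to convict on its own


def score_trace(events):
    """Return {'score', 'hits', 'verdict'} for a list of {'api', 'args'} events."""
    hits = Counter()
    for e in events:
        for name, _, pred in EVENT_RULES:
            if pred(e):
                hits[name] += 1
    score = sum(w for name, w, _ in EVENT_RULES if hits[name])
    # Aggregate rule: mass mailing is only visible across many events, not in any one call.
    recipients = {e["args"].get("to") for e in events if e["api"] == "SMTP_RCPT"}
    if len(recipients) >= MASS_MAIL_RECIPIENTS:
        hits["mass_mail"] = len(recipients)
        score += MASS_MAIL_WEIGHT
    verdict = "malicious" if score >= VERDICT_THRESHOLD else "clean"
    return {"score": score, "hits": dict(hits), "verdict": verdict}


# Constructed traces standing in for what the monitor would record.
BENIGN_TRACE = [
    {"api": "CreateFile", "args": {"path": r"C:\Users\bob\invoice.doc", "access": "read"}},
    {"api": "LoadLibrary", "args": {"path": r"C:\Windows\System32\riched20.dll"}},
    {"api": "RegQueryValueEx", "args": {"key": r"HKCU\Software\Microsoft\Office\11.0\Word"}},
]
MALICIOUS_TRACE = [
    {"api": "CreateFile", "args": {"path": r"C:\Users\bob\AppData\Local\Temp\svch0st.exe", "access": "write"}},
    {"api": "RegSetValueEx", "args": {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "svch0st"}},
    {"api": "CreateProcess", "args": {"cmd": r"C:\Users\bob\AppData\Local\Temp\svch0st.exe"}},
    {"api": "connect", "args": {"host": "203.0.113.7", "port": 25}},
] + [{"api": "SMTP_RCPT", "args": {"to": f"user{i}@example.com"}} for i in range(6)]

if __name__ == "__main__":
    for label, trace in (("benign", BENIGN_TRACE), ("malicious", MALICIOUS_TRACE)):
        print(label, score_trace(trace))
```

The benign trace scores 0 and the malicious one 17 (3 + 4 + 2 + 3 for the four single-event behaviours, plus 5 for six distinct recipients). Two design points matter more than the particular numbers: each behaviour counts once, so a long-running attachment cannot be convicted for repeating one innocuous call, and the verdict threshold is set above any single weight, so the engine demands a combination of behaviours before it flags a file. That combination requirement is what keeps a legitimate installer (which drops an executable and writes a Run key) from being treated like a mailer worm, and it is exactly the kind of tuning that has to be integrated with the rest of the mail-filtering pipeline.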

... David Ferris and Richi Jennings
