Sandboxing — Symantec
A sandbox is a security mechanism for separating running programs. In malware analysis, it is an isolated virtual environment that mimics a real operating system (OS). When a file enters the sandbox, the system monitors its execution to determine if it exhibits malicious behavior (e.g., modifying registry keys, attempting network connections, or encrypting files).
Unlike a simple "block" or "allow" result, the sandbox provides a comprehensive map of the damage a file would have caused. This includes host-based indicators (system file changes) and network indicators (malicious URL requests).
By using a multi-layered approach (antivirus, file reputation, and then sandboxing), the system only sends the most suspicious files for full detonation. This "tiered" scanning, supported by a robust caching system, ensures that network performance remains fast.
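The tiered pipeline and the indicator map described above, modelled as an added Python example that is not Symantec's code: the signature set, reputation table, event names and behaviour trace are all constructed assumptions standing in for a real engine's feeds and execution monitor.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data (assumption: not Symantec's signature or reputation feeds).
KNOWN_BAD = {hashlib.sha256(b"constructed-known-bad-sample").hexdigest()}
REPUTATION = {hashlib.sha256(b"constructed-signed-vendor-tool").hexdigest(): "trusted"}

# Behaviour events the sandbox turns into indicators; anything else is ignored.
HOST_EVENTS = {"file_write", "file_encrypt", "registry_set"}
NETWORK_EVENTS = {"dns_query", "http_request"}


@dataclass
class Verdict:
    source: str  # tier that produced it: antivirus, reputation, cache or sandbox
    malicious: bool
    host_indicators: list = field(default_factory=list)
    network_indicators: list = field(default_factory=list)


def detonate(trace):
    """Map a (event, target) behaviour trace to host and network indicators.
    The trace stands in for what a real sandbox records while the sample runs;
    any watched behaviour makes the verdict malicious."""
    host = [f"{e}:{t}" for e, t in trace if e in HOST_EVENTS]
    net = [f"{e}:{t}" for e, t in trace if e in NETWORK_EVENTS]
    return Verdict("sandbox", bool(host or net), host, net)


def tiered_scan(content, trace, cache):
    """Cheap tiers first; only a file that survives them is detonated.
    `cache` maps file hashes to earlier sandbox verdicts so a file seen
    twice is never detonated twice."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in cache:  # tier 0: cached result from an earlier detonation
        hit = cache[digest]
        return Verdict("cache", hit.malicious, hit.host_indicators, hit.network_indicators)
    if digest in KNOWN_BAD:  # tier 1: antivirus signature match
        return Verdict("antivirus", True)
    if REPUTATION.get(digest) == "trusted":  # tier 2: file reputation
        return Verdict("reputation", False)
    verdict = detonate(trace)  # tier 3: full detonation
    cache[digest] = verdict
    return verdict


# Constructed trace for an unknown file: registry persistence plus a callback URL.
SAMPLE_TRACE = [("file_read", "C:\\Users\\Public\\notes.txt"),
                ("registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
                ("http_request", "http://example.invalid/beacon")]
```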
Modern malware authors write code designed to detect sandboxes (a technique known as "sandbox evasion"). Symantec employs specific countermeasures:
Symantec sandboxing is embedded in two primary product lines:
While Windows is the primary target, Symantec’s sandbox supports analysis of: