We often hear the question: what is the best sandbox out there? Truth be told, most sandboxes have their own strengths and weaknesses when it comes to malware analysis. Some of the things we consider when selecting a platform, or when building your own, are the following:
- Does it help you find related samples? (Read: macroscopic or microscopic view)
- How effective is it at teasing out network information from malicious samples in the categories I'm most interested in?
- Can it run quickly, and will it be detected by the sample?
- Can it be scaled to run hundreds of thousands of files and generate useful output (not too verbose, and not too terse)?
- Is it still being maintained? How much does it cost compared to the industry average?
- Does it support the platforms I need? (Read: OS X, Android, iOS, etc.)
It is entirely possible that a single product will not meet all the requirements, and multiple engines may be needed to do the job. Much like scanning a file with multiple antivirus engines, it may be beneficial to get competing views on what a malware sample is or does from several sandbox engines.
Following is a brief list of sandbox programs we have compiled, from which we've drawn inspiration when developing the sandbox at totalhash.com:
- malwr.com – an implementation of Cuckoo
- CWSandbox – now: threattracksecurity
Certainly others exist that cover the operating systems above, and we'll surely add them here as they gain notoriety.
A similar older reference can be found here: