Tuesday, August 28, 2018

Empowering Joe Sandbox Cloud with Avira URL Cloud



Today we bring you exciting news. We have enhanced the Joe Sandbox Cloud URL reputation with Avira URL Cloud. Avira is renowned German antivirus software, known for excellent malware detection rates!

To enable URL checks, go to the Submission Tab - Intelligence and select "Use third-party URL reputation lookup":


High-Value Reputation Checks for URLs from any source


How does Joe Sandbox Cloud's URL reputation work? Users submit samples to Joe Sandbox Cloud, either manually or via our extensive RESTful Web API. A sample can be either a URL or a binary file:




Joe Sandbox dynamically analyzes the file by executing it in a sandbox. During analysis, Joe Sandbox extracts URLs from several different sources, including:


Network Traffic


Joe Sandbox captures the complete network behavior of the sample. For HTTP and HTTPS (with SSL inspection), URLs are extracted automatically.





Command Line Arguments



Malware often includes a list of several C&C URLs that are passed via the command line. However, only the first URL is contacted during execution. For a deeper analysis, it is important to also extract URLs from command-line arguments.




Memory and Binaries Data


Another very good source of URLs is memory, as well as binaries, for instance those dropped by the malware. Joe Sandbox captures memory dumps at various execution points to detect unpacking and decryption. In addition, any dropped or touched file is preserved and scanned for URLs:






Hybrid Code Analysis


Finally, Joe Sandbox performs extensive static code analysis on captured memory dumps. Disassembly often includes hidden strings that can be valid URLs.
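As an added example (not Joe Sandbox's code), the following Python extracts URLs from command lines and from raw memory or dropped-file bytes (ASCII and UTF-16LE), then lists the URLs the sample carried but never requested on the network. The regexes, function names and sample data are assumptions constructed for illustration.

```python
import re

# URL characters, deliberately excluding , ; | and quotes so that separator-joined
# C&C lists on a command line split into individual URLs (an assumption of this example).
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&()*+=%\[\]-]{4,}")
# UTF-16LE text: printable ASCII bytes each followed by NUL, as Windows stores wide strings.
WIDE_RE = re.compile(rb"(?:[\x21-\x7e]\x00){12,}")


def urls_in_bytes(blob: bytes) -> set:
    """URLs stored as ASCII or UTF-16LE in a memory dump or dropped file."""
    narrow = [blob] + [m.group()[::2] for m in WIDE_RE.finditer(blob)]
    return {m.group().decode("ascii").rstrip(".)")  # drop sentence punctuation
            for chunk in narrow for m in URL_RE.finditer(chunk)}


def collect(network_urls, cmdlines, blobs) -> dict:
    """Map every URL to the set of sources it was seen in."""
    sources = {}
    for url in network_urls:
        sources.setdefault(url, set()).add("network")
    for line in cmdlines:
        for url in urls_in_bytes(line.encode("utf-8", "ignore")):
            sources.setdefault(url, set()).add("cmdline")
    for blob in blobs:
        for url in urls_in_bytes(blob):
            sources.setdefault(url, set()).add("memory/file")
    return sources


def never_contacted(sources: dict) -> list:
    """URLs the sample carried but did not request during the run."""
    return sorted(u for u, s in sources.items() if "network" not in s)


# Constructed sample data (reserved .example names, not from a real analysis).
NETWORK = ["http://c2-a.example/gate.php"]
CMDLINES = ['loader.exe /s "http://c2-a.example/gate.php;http://c2-b.example/gate.php"']
BLOBS = [b"\x00\x01MZ\x90 cfg=https://cdn.example/stage2.bin\x00\xff"
         + "http://c2-c.example/panel/".encode("utf-16-le") + b"\x00\x00\x07"]

if __name__ == "__main__":
    for url, seen_in in sorted(collect(NETWORK, CMDLINES, BLOBS).items()):
        print(f"{url:40} {', '.join(sorted(seen_in))}")
```

The URLs returned by `never_contacted` are the ones a network-only extraction would miss, and they are the candidates to hand to a reputation lookup.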




All extracted URLs are sent to the reputation engines that Joe Sandbox Cloud Pro integrates with so far:



Each reputation engine provides a verdict. The verdict is used for various purposes, such as detecting more malware, lowering false positives, and providing insights for analysts. Below you can find a few excerpts from reports including reputation data:




Joe Sandbox Cloud more powerful than ever


Thanks to the Avira URL Cloud integration, Joe Sandbox Cloud Pro customers benefit from a high-value third-party reputation engine. This comes without any price change!

In contrast to many other vendors, Joe Sandbox extracts URLs from many sources and checks them against a series of five different reputation engines.

A lot of data combined with high-value reputation engines greatly increases the virus detection efficiency of Joe Sandbox!

Interested in trying out Joe Sandbox Cloud Pro? Register for a free trial today!